[mickledore][oe-core][PATCH 1/1] ghostscript: fix CVE-2023-28879
From: Joe Slater Backport from tag ghostpdl-10.01.1-gse-10174 which is after 10.01.1. Signed-off-by: Joe Slater Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit 8a70d6935afa38173dbf012b8e1c3d59228504df) --- .../ghostscript/cve-2023-28879.patch | 60 +++ .../ghostscript/ghostscript_10.0.0.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch new file mode 100644 index 00..604b927521 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch @@ -0,0 +1,60 @@ +From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Fri, 24 Mar 2023 13:19:57 + +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. +--- +CVE: CVE-2023-28879 + +Upstream-Status: Backport [see text] + +git://git.ghostscript.com/ghostpdl +cherry-pick + +Signed-off-by: Joe Slater limit - q < 2) { ++p--; ++break; ++} + if (p == rlimit) { + p--; + break; +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb index 56a93632e2..86ecdbe24a 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb 
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb @@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://avoid-host-contamination.patch \ file://mkdir-p.patch \ file://cross-compile.patch \ +file://cve-2023-28879.patch \ " SRC_URI = "${SRC_URI_BASE} \ -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#180978): https://lists.openembedded.org/g/openembedded-core/message/180978 Mute This Topic: https://lists.openembedded.org/mt/98714349/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
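Review bot: The Signed-off-by trailer that closes the header of the new cve-2023-28879.patch looks like the malformed one described in the v2 follow-up (missing its terminating ">"), and it is carried over unchanged here. The file is the same blob as in v2 (index 00..604b927521), and on this page the trailer runs straight into the code change ("+Signed-off-by: Joe Slater limit - q < 2) {"). Suggest closing the address bracket in the patch file before it lands on the stable branch, since the follow-up suspects this trailer is what led to the mangled sender address.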
Re: [v2][oe-core][PATCH 1/1] ghostscript: fix CVE-2023-28879
Thanks for fixing the sender address. I modified my git config, but this has never happened before and I think it might be because the Signed-off-by in the original patch is malformed -- it's missing the terminating ">".

Joe

> -Original Message-
> From: Luca Ceresoli
> Sent: Monday, April 24, 2023 11:36 AM
> To: Joe Slater via lists.openembedded.org
> Cc: Slater, Joseph; openembedded-c...@lists.openembedded.org; MacLeod, Randy
> Subject: Re: [v2][oe-core][PATCH 1/1] ghostscript: fix CVE-2023-28879
>
> On Mon, 24 Apr 2023 10:34:32 -0700
> "Joe Slater via lists.openembedded.org" wrote:
> ^^^
>
> As you can see your sender address has been mangled, and as a result the
> patch is rejected by the openembedded git server. This is not your fault,
> but we need you to modify your git configuration to prevent this from
> happening in the future. Have a look at the wiki for more info and how to
> solve that:
>
> https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded#Fixing_your_From_identity
>
> I'm taking your patch for testing on the autobuilders, fixing it manually
> so you don't need to resend your patch this time.
>
> Best regards,
> Luca
>
> --
> Luca Ceresoli, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Re: [v2][oe-core][PATCH 1/1] ghostscript: fix CVE-2023-28879
On Mon, 24 Apr 2023 10:34:32 -0700
"Joe Slater via lists.openembedded.org" wrote:
^^^

As you can see your sender address has been mangled, and as a result the patch is rejected by the openembedded git server. This is not your fault, but we need you to modify your git configuration to prevent this from happening in the future. Have a look at the wiki for more info and how to solve that:

https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded#Fixing_your_From_identity

I'm taking your patch for testing on the autobuilders, fixing it manually so you don't need to resend your patch this time.

Best regards,
Luca

--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
[v2][oe-core][PATCH 1/1] ghostscript: fix CVE-2023-28879
Backport from tag ghostpdl-10.01.1-gse-10174 which is after 10.01.1. Signed-off-by: Joe Slater --- .../ghostscript/cve-2023-28879.patch | 60 +++ .../ghostscript/ghostscript_10.0.0.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch new file mode 100644 index 00..604b927521 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch @@ -0,0 +1,60 @@ +From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Fri, 24 Mar 2023 13:19:57 + +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. +--- +CVE: CVE-2023-28879 + +Upstream-Status: Backport [see text] + +git://git.ghostscript.com/ghostpdl +cherry-pick + +Signed-off-by: Joe Slater limit - q < 2) { ++p--; ++break; ++} + if (p == rlimit) { + p--; + break; +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb index 56a93632e2..86ecdbe24a 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb 
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://avoid-host-contamination.patch \ file://mkdir-p.patch \ file://cross-compile.patch \ +file://cve-2023-28879.patch \ " SRC_URI = "${SRC_URI_BASE} \ -- 2.25.1
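Review bot: "+Upstream-Status: Backport [see text]" in the header of the new cve-2023-28879.patch does not identify the upstream change on its own. The only pointers are the repository line "git://git.ghostscript.com/ghostpdl" and the hash in the embedded "From 37ed5022cecd584de868933b5b60da2e995b3179" line. Suggest putting that commit reference inside the brackets, so the origin of the backport can be checked without reading the cover text about tag ghostpdl-10.01.1-gse-10174.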
[oe-core][PATCH 1/1] ghostscript: fix CVE-2023-28879
Backport from tag ghostpdl-10.01.1-gse-10174 which is after 10.01.1. Signed-off-by: Joe Slater --- meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb index 56a93632e2..86ecdbe24a 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb @@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://avoid-host-contamination.patch \ file://mkdir-p.patch \ file://cross-compile.patch \ +file://cve-2023-28879.patch \ " SRC_URI = "${SRC_URI_BASE} \ -- 2.25.1
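Review bot: The SRC_URI hunk adds "file://cve-2023-28879.patch", but this posting touches only ghostscript_10.0.0.bb (1 file changed, 1 insertion(+)) and never creates the patch file, so the recipe would reference a file that is not in the tree. Include meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch in the same commit, as the v2 posting does.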