diff options
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch')
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch new file mode 100644 index 0000000000..e8c42f1deb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch @@ -0,0 +1,60 @@ +From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Wed, 14 Jun 2023 09:08:12 +0100 +Subject: [PATCH] Bug 706778: 706761 revisit + +Two problems with the original commit. The first a silly typo inverting the +logic of a test. + +The second was forgetting that we actually actually validate two candidate +strings for pipe devices. One with the expected "%pipe%" prefix, the other +using the pipe character prefix: "|". + +This addresses both those. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099] +CVE: CVE-2023-36664 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + base/gpmisc.c | 2 +- + base/gslibctx.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 09ac6b3..01d449f 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem, + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); + if (buffer == NULL) + return gs_error_VMerror; +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 355c0e3..d8f74a3 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; +@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; +-- +2.25.1 + |