From 80b5bb86deb03af648d159998fc53454fea3c855 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=AE=81=E6=9D=B0?=
Date: Tue, 5 Nov 2024 02:34:46 +0000
Subject: [PATCH] Fix CVE-2024-46952
---
backport-CVE-2024-46952.patch | 61 +++++++++++++++++++++++++++++++++++
ghostscript.spec | 9 +++++-
2 files changed, 69 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2024-46952.patch
diff --git a/backport-CVE-2024-46952.patch b/backport-CVE-2024-46952.patch
new file mode 100644
index 0000000..e4ff84c
--- /dev/null
+++ b/backport-CVE-2024-46952.patch
@@ -0,0 +1,61 @@
+From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Mon, 2 Sep 2024 15:14:01 +0100
+Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams
+
+Bug #708001 "Buffer overflow in PDF XRef stream"
+
+See bug report. I've chosen to fix this by checking the values in the
+W array; these can (currently at least) only have certain relatively
+small values.
+
+As a future proofing fix I've also updated field_size in
+pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger
+than required, but matches the W array values and so prevents the
+mismatch which could lead to a buffer overrun.
+
+CVE-2024-46952
+---
+ pdf/pdf_xref.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
+index 7e61113..ad45852 100644
+--- a/pdf/pdf_xref.c
++++ b/pdf/pdf_xref.c
+@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size)
+ static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W)
+ {
+ uint i, j;
+- uint field_width = 0;
++ uint64_t field_width = 0;
+ uint32_t type = 0;
+ uint64_t objnum = 0, gen = 0;
+ byte *Buffer;
+@@ -297,6 +297,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd
+ }
+ pdfi_countdown(a);
+
++ /* W[0] is either:
++ * 0 (no type field) or a single byte with the type.
++ * W[1] is either:
++ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.
++ * W[2] is either:
++ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.
++ *
++ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually
++ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.
++ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.
++ */
++ if (W[0] > 1 || W[1] > 8 || W[2] > 8) {
++ pdfi_close_file(ctx, XRefStrm);
++ pdfi_countdown(ctx->xref_table);
++ ctx->xref_table = NULL;
++ return code;
++ }
++
+ code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);
+ if (code == gs_error_undefined) {
+ code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W);
+--
+2.43.0
diff --git a/ghostscript.spec b/ghostscript.spec
index 24a3b08..35fead3 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@ Name: ghostscript
 Version: 9.55.0
-Release: 15
+Release: 16
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -47,6 +47,7 @@ Patch19: backport-CVE-2024-46953.patch
 Patch20: backport-CVE-2024-46956.patch
 Patch21: backport-CVE-2024-46955.patch
 Patch22: backport-CVE-2024-46951.patch
+Patch23: backport-CVE-2024-46952.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -207,6 +208,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
+* Tue Nov 05 2024 liningjie - 9.55.0-16
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46952
+
 * Fri Nov 01 2024 liningjie - 9.55.0-15
 - Type:CVE
 - ID:NA
--
Gitee
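Review bot: The new rejection branch in pdfi_process_xref_stream (`if (W[0] > 1 || W[1] > 8 || W[2] > 8)`) ends with `return code;`, and at that point `code` presumably still holds the success value from the preceding W lookup (the lines that set it are above the hunk), so an xref stream rejected for an oversized W entry would be reported to the caller as success with `ctx->xref_table` left NULL. Returning an explicit error, e.g. `return_error(gs_error_rangecheck);`, would let the caller tell a rejected xref stream from a good one; whether callers already treat a NULL `xref_table` as a repair trigger cannot be confirmed from this hunk. The added comment also carries two typos (`object5 number`, `cna't`) that the backport could correct if it is not meant to stay byte-identical to upstream. pdfi_process_xref_stream starts and ends outside the hunk.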