Fix CVE-2025-27832, CVE-2025-27835, CVE-2025-27836
parent
e09858a0d3
commit
551fe3173f
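--- a/backport-CVE-2025-27832.patch
+++ b/backport-CVE-2025-27832.patch
@@ -0,0 +1,41 @@
+From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Wed, 20 Nov 2024 11:42:31 +0000
+Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
+
+The calculation of the buffer size was being done with int values, and
+overflowing that data type. By leaving the total size calculation to the
+memory manager, the calculation ends up being done in size_t values, and
+avoiding the overflow in this case, but also meaning the memory manager
+overflow protection will be effective.
+
+CVE-2025-27832
+---
+contrib/japanese/gdevnpdl.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
+index 60065bacf..4967282bd 100644
+--- a/contrib/japanese/gdevnpdl.c
++++ b/contrib/japanese/gdevnpdl.c
+@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+int code;
+int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
+
+- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
+return_error(gs_error_VMerror);
+
+/* Initialize printer */
+@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+/* Form Feed */
+gp_fputs("\014", prn_stream);
+
+- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
+return 0;
+}
+
+--
+cgit v1.2.3
+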
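Review bot: The overflow fix in both gdevnpdl.c hunks depends on gs_malloc multiplying `line_size` by `maxY` in a type wider than int, which the upstream message states but this 9.52 backport does not show; it is worth confirming that the allocator's count and size parameters are size_t in this tree, since otherwise the product can still wrap. Any later indexing of `CompBuf` that recomputes `line_size * maxY` in int would have the same problem, though npdl_print_page_copies continues outside both hunks so that cannot be checked here. A short comment at the allocation would keep the intent from being undone, for example `/* count and size passed separately so the allocator does the overflow-checked multiply */`.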
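--- a/backport-CVE-2025-27835.patch
+++ b/backport-CVE-2025-27835.patch
@@ -0,0 +1,30 @@
+From 920fae688705b3a25a1f8925f3837219a6243565 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Wed, 20 Nov 2024 11:27:52 +0000
+Subject: Bug 708131: Fix confusion between bytes and shorts
+
+We were copying data from a string in multiple of shorts, rather than multiple
+of bytes, leading to both an read (probably benign, given the memory manager)
+and write buffer overflow.
+
+CVE-2025-27835
+---
+psi/zbfont.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zbfont.c b/psi/zbfont.c
+index acffb39ef..5850ab54d 100644
+--- a/psi/zbfont.c
++++ b/psi/zbfont.c
+@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
+if (l > length)
+return l;
+
+- memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
++ memcpy(unicode_return, v->value.const_bytes, l);
+return l;
+}
+if (r_type(v) == t_integer) {
+--
+cgit v1.2.3
+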
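Review bot: The guard `if (l > length)` in the zbfont.c hunk only bounds the corrected `memcpy(unicode_return, v->value.const_bytes, l)` if `l` and `length` are both byte counts, and neither declaration is visible because gs_font_map_glyph_to_unicode starts above the hunk and its parameter list is cut off in the hunk header. Since the original bug was exactly a bytes-versus-shorts mix-up on a `ushort *` output buffer, a comment above the copy would help, e.g. `/* l and length are byte counts, not ushort counts */`, after confirming that callers pass the buffer size in bytes.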
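--- a/backport-CVE-2025-27836.patch
+++ b/backport-CVE-2025-27836.patch
@@ -0,0 +1,60 @@
+From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:07:57 +0000
+Subject: Bug 708192: Fix potential print buffer overflow
+
+CVE-2025-27836
+---
+contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
+1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
+index 0bd3cec02..9d27573dc 100644
+--- a/contrib/japanese/gdev10v.c
++++ b/contrib/japanese/gdev10v.c
+@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
+int bytes_per_column = bits_per_column / 8;
+int x_skip_unit = bytes_per_column * (xres / 180);
+int y_skip_unit = (yres / 180);
+- byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+- /* We need one extra byte in <out> for our sentinel. */
+- byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
++ byte *in, *out;
+int lnum = 0;
+int y_skip = 0;
+int code = 0;
+int blank_lines = 0;
+int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
+
+- if ( in == 0 || out == 0 )
+- return -1;
++ if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
++ code = gs_note_error(gs_error_rangecheck);
++ goto error;
++ }
++
++ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
++ /* We need one extra byte in <out> for our sentinel. */
++ out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
++ if ( in == NULL || out == NULL ) {
++ code = gs_note_error(gs_error_VMerror);
++ goto error;
++ }
+
+/* Initialize the printer. */
+prn_puts(pdev, "\033@");
+@@ -320,8 +328,10 @@ notz:
+}
+
+/* Eject the page */
+-xit: prn_putc(pdev, 014); /* form feed */
++xit:
++ prn_putc(pdev, 014); /* form feed */
+prn_flush(pdev);
++error:
+gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
+gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
+return code;
+--
+cgit v1.2.3
+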
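Review bot: On the new rangecheck path in the first gdev10v.c hunk, `goto error` runs before `in` and `out` are assigned, so the two `gs_free` calls under the `error:` label in the second hunk receive indeterminate pointers, because the declaration was changed to `byte *in, *out;` with no initialiser. Declaring them as `byte *in = NULL, *out = NULL;` makes that path safe, assuming gs_free tolerates a null pointer, as the new allocation-failure path already relies on when only one of the two allocations succeeds. bj10v_print_page begins above the first hunk and the code between the hunks is not shown.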
@ -9,7 +9,7 @@
|
||||
|
||||
Name: ghostscript
|
||||
Version: 9.52
|
||||
Release: 20
|
||||
Release: 21
|
||||
Summary: An interpreter for PostScript and PDF files
|
||||
License: AGPLv3+
|
||||
URL: https://ghostscript.com/
|
||||
@ -64,6 +64,9 @@ Patch45: backport-CVE-2024-46953.patch
|
||||
Patch46: backport-CVE-2024-46956.patch
|
||||
Patch47: backport-CVE-2024-46955.patch
|
||||
Patch48: backport-CVE-2024-46951.patch
|
||||
Patch49: backport-CVE-2025-27832.patch
|
||||
Patch50: backport-CVE-2025-27835.patch
|
||||
Patch60: backport-CVE-2025-27836.patch
|
||||
|
||||
BuildRequires: automake gcc
|
||||
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
|
||||
@ -224,6 +227,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
|
||||
%{_bindir}/dvipdf
|
||||
|
||||
%changelog
|
||||
* Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 9.52-21
|
||||
- Type:CVE
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DECS: Fix CVE-2025-27832, CVE-2025-27835, CVE-2025-27836
|
||||
|
||||
* Fri Nov 01 2024 liningjie <liningjie@xfusion.com> - 9.52-20
|
||||
- Type:CVE
|
||||
- ID:NA
|
||||
|
||||
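Review bot: In the hunk adding the patch declarations, the third entry is numbered `Patch60` while the two before it are `Patch49` and `Patch50`, which looks like a typo for `Patch51`. RPM does not require consecutive numbers, so the build is unaffected if the patches are applied automatically, but the %prep section is not shown here and an explicit per-number apply list would silently skip the CVE-2025-27836 fix unless it names 60. Suggest `Patch51: backport-CVE-2025-27836.patch`, or checking that %prep applies number 60.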