diff --git a/bugfix-for-cve-2025-27831.patch b/bugfix-for-cve-2025-27831.patch
new file mode 100644
index 0000000000000000000000000000000000000000..36762d600162be0f22f6648afb0a82f5c7d4560b
--- /dev/null
+++ b/bugfix-for-cve-2025-27831.patch
@@ -0,0 +1,80 @@
+From e4db46d7529a13b93a96d2f59f34f8286a1124a6 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Thu, 21 Nov 2024 10:04:17 +0000
+Subject: Prevent Unicode decoding overrun
+
+Bug #708132 "Text buffer overflow with long characters"
+
+The txt_get_unicode function was copying too few bytes from the
+fixed glyph name to unicode mapping tables. This was probably
+causing incorrect Unicode code points in relatively rare cases but
+not otherwise a problem.
+
+However, a badly formed GlyphNames2Unicode array attached to a font
+could cause the decoding to spill over the assigned buffer.
+
+We really should rewrite the Unicode handling, but until we do just
+checking that the length is no more than 4 Unicode code points is
+enough to prevent an overrun. All the current clients allocate at least
+4 code points per character code.
+
+Added a comment to explain the magic number.
+
+CVE-2025-27831
+---
+ devices/vector/doc_common.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/devices/vector/doc_common.c b/devices/vector/doc_common.c
+index 690f8eaed..05fb3d51f 100644
+--- a/devices/vector/doc_common.c
++++ b/devices/vector/doc_common.c
+@@ -479,7 +479,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+ }
+ if (strlen(dentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
+- memcpy(Buffer, dentry->Unicode, 2);
++ memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short));
+ return 2;
+ }
+ }
+@@ -497,7 +497,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+ }
+ if (strlen(tentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
+- memcpy(Buffer, tentry->Unicode, 3);
++ memcpy(Buffer, tentry->Unicode, 3 * sizeof(unsigned short));
+ return 3;
+ }
+ }
+@@ -515,7 +515,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+ }
+ if (strlen(qentry->Glyph) == gnstr.size) {
+ if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
+- memcpy(Buffer, qentry->Unicode, 4);
++ memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short));
+ return 4;
+ }
+ }
+@@ -527,12 +527,16 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+ return 1;
+ } else {
+ char *b, *u;
+- int l = length - 1;
++ int l;
+
+ /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
+ * 2 bytes. If we got an odd number, give up and return the character code.
++ *
++ * The magic number here is due to the clients calling this code. Currently txtwrite and docxwrite
++ * allow up to 4 Unicode values per character/glyph, if the length would exceed that we can't
++ * write it. For now, again, fall back to the character code.
+ */
+- if (length & 1) {
++ if (length & 1 || length > 4 * sizeof(unsigned short)) {
+ *Buffer = fallback;
+ return 1;
+ }
+--
+cgit v1.2.3
+
diff --git a/ghostscript-10.02.1.tar.xz b/ghostscript-10.03.0.tar.xz
similarity index 84%
rename from ghostscript-10.02.1.tar.xz
rename to ghostscript-10.03.0.tar.xz
index 54364a456a2a57d31e02d57719a54ce6edb02e3d..09029738e4b27ed686e0875559e69fc31150ce05 100644
Binary files a/ghostscript-10.02.1.tar.xz and b/ghostscript-10.03.0.tar.xz differ
diff --git a/ghostscript.spec b/ghostscript.spec
index 75e684d8ce868c06c160ac0e821b4a6f0abdeb39..f8c36f590cd4588fbf1c89874abbf9677bde52eb 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 1 %global _hardened_build 1 %global _docdir_fmt %{name}
@@ -9,7 +9,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF -Version: 10.02.1 +Version: 10.03.0 Release: %{anolis_release}%{?dist} License: AGPLv3+ URL: https://ghostscript.com/ 
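Review bot: The new guard in the last doc_common.c hunk of bugfix-for-cve-2025-27831.patch, `if (length & 1 || length > 4 * sizeof(unsigned short))`, bounds the write by a literal that only matches what the callers happen to allocate, because nothing in the visible lines of txt_get_unicode carries the capacity of `Buffer`. The widened `memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short))` in the fixed-table branches rests on the same unstated contract. A shared named constant used both here and where txtwrite and docxwrite size their buffers (for example `#define TXT_MAX_UNICODE_PER_GLYPH 4`, a name constructed for illustration) would keep the limit and the allocations from drifting apart. The comparison also mixes `length` with a `size_t`; its declaration is outside the hunk, so if it is a signed type a negative value is rejected only through the implicit conversion, which deserves an explicit `length < 0` test or a one-line comment. The function body starts and ends outside the hunk.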
@@ -19,11 +19,10 @@ BuildRequires: gcc gcc-c++ automake autoconf BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel BuildRequires: cups-devel dbus-devel fontconfig-devel freetype-devel -BuildRequires: jbig2dec-devel = %{jbig2dec_version} jbig2dec-libs = %{jbig2dec_version} BuildRequires: lcms2-devel libidn2-devel libjpeg-turbo-devel libpng-devel BuildRequires: libpaper-devel libtiff-devel openjpeg2-devel zlib-devel BuildRequires: gtk3-devel libXt-devel make -Requires: libgs = %{version}-%{release} jbig2dec-libs = %{jbig2dec_version} +Requires: libgs = %{version}-%{release} Requires: %{name}-tools-fonts = %{version}-%{release} Requires: %{name}-tools-printing = %{version}-%{release}
@@ -58,7 +57,12 @@ Patch4: Bugfix-for-CVE-2024-33871.patch # Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708241 # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=dc17ab3fe8c Patch5: bugfix-for-cve-2025-27830.patch - + +# CVE-2025-27831 +# Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708132 +# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=e4db46d7529a +Patch6: bugfix-for-cve-2025-27831.patch + %description Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files.
@@ -141,7 +145,7 @@ This package provides detailed documentation files for Ghostscript software. %prep %autosetup -p1 -for f in cups/libs freetype jbig2dec jpeg lcms2* leptonica libpng openjpeg tesseract tiff windows zlib +for f in cups/libs freetype jpeg lcms2* leptonica libpng openjpeg tesseract tiff windows zlib do rm -rf $f done 
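Review bot: Dropping `jbig2dec` from the `rm -rf` list in %prep (hunk at -141), together with removing the `jbig2dec-devel` and `jbig2dec-libs` requirements (hunk at -19), appears to switch the build to the jbig2dec copy shipped inside the tarball, and nothing in the visible hunks records that decision. Security fixes delivered through the system jbig2dec package would then no longer reach this build. The spec should carry a comment explaining why the bundled copy is needed and declare it, e.g. `Provides: bundled(jbig2dec) = JBIG2DEC_VERSION_PLACEHOLDER`, so vulnerability scanners can still match advisories against it. If `%{jbig2dec_version}` is still defined elsewhere in the spec, it is now either unused or should feed that Provides line.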
@@ -253,6 +257,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %changelog +* Mon Apr 22 2025 zjl02254423 - 10.03.0-1 +- Update vesion to fix CVE-2024-29508 + +* Thu Apr 17 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.02.1-4 +- Fix CVE-2025-27831 + * Tue Apr 15 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.02.1-3 - Fix CVE-2025-27830