
[kirkstone,01/19] ghostscript: fix CVE-2023-46361

Message ID 3e9018fb14466495be7472a8620918347c732e86.1731467662.git.steve@sakoman.com
State RFC
Delegated to: Steve Sakoman
Series [kirkstone,01/19] ghostscript: fix CVE-2023-46361

Commit Message

Steve Sakoman Nov. 13, 2024, 3:15 a.m. UTC
From: Archana Polampalli <archana.polampalli@windriver.com>

Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability
via jbig2_error at /jbig2dec/jbig2.c.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2023-46361.patch          | 32 +++++++++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch

Patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch
new file mode 100644
index 0000000000..d91a94e9d0
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch
@@ -0,0 +1,32 @@ 
+From 44ca5b9d023e1de33fcb8984c85bb29619c4db7e Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Sun, 5 Nov 2023 12:21:52 +0100
+Subject: [PATCH] Bug 705041: jbig2dec: Avoid uninitialized allocator in
+ command-line tool.
+
+This fixes CVE-2023-46361.
+
+CVE: CVE-2023-46361
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=44ca5b9d023e1de33fcb8984c85bb29619c4db7e]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ jbig2dec/jbig2dec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/jbig2dec/jbig2dec.c b/jbig2dec/jbig2dec.c
+index dc1fd56..78c8e89 100644
+--- a/jbig2dec/jbig2dec.c
++++ b/jbig2dec/jbig2dec.c
+@@ -567,7 +567,7 @@ main(int argc, char **argv)
+ {
+     jbig2dec_params_t params;
+     jbig2dec_error_callback_state_t error_callback_state;
+-    jbig2dec_allocator_t allocator_;
++    jbig2dec_allocator_t allocator_ = { 0 };
+     jbig2dec_allocator_t *allocator = &allocator_;
+     Jbig2Ctx *ctx = NULL;
+     FILE *f = NULL, *f_page = NULL;
+--
+2.40.0
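Review bot: The commit message and the embedded patch point at different places, and nothing in the submission connects them. The commit message quotes the CVE text (SEGV via jbig2_error at /jbig2dec/jbig2.c), while the only code change is in main() of jbig2dec/jbig2dec.c, where `allocator_` gains a `= { 0 }` initializer. Please add a sentence to the commit message saying that the fix zero-initializes the allocator in the jbig2dec command-line tool, as the upstream subject line does, so stable-branch reviewers can see how this one-line change relates to the crash site named in the CVE. The hunk context does not show where allocator_ is read before being set up, so that relationship cannot be checked from the patch alone.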
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 969e637f5e..9f368a291f 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -56,6 +56,7 @@  SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2024-29506.patch \
                 file://CVE-2024-29508-1.patch \
                 file://CVE-2024-29508-2.patch \
+                file://CVE-2023-46361.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
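Review bot: Please confirm that the `file://CVE-2023-46361.patch \` entry added to SRC_URI_BASE applies to the 9.55.0 sources without fuzz or offset. The patch is marked Upstream-Status: Backport and still carries the upstream index line and the `@@ -567,7 +567,7 @@` position for jbig2dec/jbig2dec.c, so refresh it against this recipe's tree if do_patch reports any. The placement itself is fine: last in the list with the continuation backslash kept.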