[kirkstone,2/6] ghostscript: ignore CVE-2024-29507

Message ID	5c9f3c244971aadee65a98d83668e3d5d63825a0.1746806788.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.175, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/6] ghostscript: ignore CVE-2024-29507 Date: Fri, 9 May 2025 09:16:40 -0700 Message-ID: <5c9f3c244971aadee65a98d83668e3d5d63825a0.1746806788.git.steve@sakoman.com> In-Reply-To: <cover.1746806788.git.steve@sakoman.com> References: <cover.1746806788.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,1/6] ghostscript: ignore CVE-2025-27837 \| expand [kirkstone,1/6] ghostscript: ignore CVE-2025-27837 [kirkstone,2/6] ghostscript: ignore CVE-2024-29507 [kirkstone,3/6] connman :fix CVE-2025-32743 [kirkstone,4/6] busybox: fix CVE-2023-39810 [kirkstone,5/6] qemu: ignore CVE-2023-1386 [kirkstone,6/6] glibc: Add single-threaded fast path to rand()

Message ID

5c9f3c244971aadee65a98d83668e3d5d63825a0.1746806788.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/6] ghostscript: ignore CVE-2024-29507
Date: Fri,  9 May 2025 09:16:40 -0700
Message-ID: 
 <5c9f3c244971aadee65a98d83668e3d5d63825a0.1746806788.git.steve@sakoman.com>
In-Reply-To: <cover.1746806788.git.steve@sakoman.com>
References: <cover.1746806788.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,1/6] ghostscript: ignore CVE-2025-27837 | expand

Commit Message

Steve Sakoman May 9, 2025, 4:16 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Fix for this CVE is [3] (per [1] and [2]).
It fixes cidfsubstfont handling which is not present in 9.55.0 yet.
It was introduced (as cidsubstpath) in 9.56.0 via [4] and later modified
to cidfsubstfont in [5].
Since this recipe has version 9.55.0, mark it as not affected yet.

[1] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7745dbe24514710b0cfba925e608e607dee9eb0f
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-29507
[3] https://security-tracker.debian.org/tracker/CVE-2024-29507
[4] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=82efed6cae8b0f2a3d10593b21083be1e7b1ab23
[5] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=4422012f6b40f0627d3527dba92f3a1ba30017d3

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index fd0506f438..e872fbe88c 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -25,7 +25,7 @@  CVE_CHECK_IGNORE += "CVE-2013-6629"
 # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
 CVE_CHECK_IGNORE += "CVE-2023-38560 CVE-2024-46954"
 # Vulnerable code was introduced in 9.56.0, so 9.55.0 is not affected yet
-CVE_CHECK_IGNORE += "CVE-2025-27833"
+CVE_CHECK_IGNORE += "CVE-2024-29507 CVE-2025-27833"
 # Only impacts codepaths relevant for Windows builds
 CVE_CHECK_IGNORE += "CVE-2025-27837"

[kirkstone,2/6] ghostscript: ignore CVE-2024-29507

Commit Message

Patch