From patchwork Tue Apr 8 10:57:16 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vijay Anusuri
X-Patchwork-Id: 60979
X-Patchwork-Delegate: steve@sakoman.com
From: vanusuri@mvista.com
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri
Subject: [OE-core][kirkstone][PATCH 1/6] ghostscript: Fix CVE-2025-27830
Date: Tue, 8 Apr 2025 16:27:16 +0530
Message-Id: <20250408105721.1798123-1-vanusuri@mvista.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214526

From: Vijay Anusuri
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f]
Signed-off-by: Vijay Anusuri --- .../ghostscript/CVE-2025-27830.patch | 79 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 80 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch new file mode 100644 index 0000000000..a516b8ad41 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch 
@@ -0,0 +1,79 @@ +From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Mon, 13 Jan 2025 09:15:01 +0000 +Subject: [PATCH] Bug 708241: Fix potential Buffer overflow with DollarBlend + +During serializing a multiple master font for passing to Freetype. + +Use CVE-2025-27830 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f] +CVE: CVE-2025-27830 +Signed-off-by: Vijay Anusuri +--- + base/write_t1.c | 7 ++++--- + psi/zfapi.c | 9 +++++++-- + 2 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/base/write_t1.c b/base/write_t1.c +index 52902be..d6b2454 100644 +--- a/base/write_t1.c ++++ b/base/write_t1.c +@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri + WRF_wbyte(a_fapi_font->memory, a_output, '\n'); + if (is_MM_font(a_fapi_font)) { + short x, x2; ++ unsigned short ux; + float x1; + uint i, j, entries; + char Buffer[255]; +@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri + */ + code = a_fapi_font->get_word(a_fapi_font, + gs_fapi_font_feature_DollarBlend_length, +- 0, (unsigned short *)&x); ++ 0, &ux); + if (code < 0) + return code; + +- if (x > 0) { ++ if (ux > 0) { + int len; + WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {"); + + if (a_output->m_count) +- a_output->m_count += x; ++ a_output->m_count += ux; + len = a_fapi_font->get_proc(a_fapi_font, + gs_fapi_font_feature_DollarBlend, 0, + (char *)a_output->m_pos); +diff --git a/psi/zfapi.c b/psi/zfapi.c +index 0b3ab1c..1ffef47 100644 +--- a/psi/zfapi.c ++++ b/psi/zfapi.c +@@ -682,7 +682,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig + } + for (i = 0; i < r_size(DBlend); i++) { + if (array_get(ff->memory, DBlend, i, &Element) < 0) { +- *ret = 0; ++ length = 0; + break; + } + switch (r_btype(&Element)) { +@@ -709,7 +709,12 @@ 
FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig + default: + break; + } +- } ++ ++ if (length > max_ushort) { ++ length = 0; ++ break; ++ } ++ } + *ret = length; + break; + } +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 6d425710b5..dae8dff813 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
@@ -62,6 +62,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2024-46953.patch \ file://CVE-2024-46955.patch \ file://CVE-2024-46956.patch \ + file://CVE-2025-27830.patch \ " SRC_URI = "${SRC_URI_BASE} \
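Review bot: In the psi/zfapi.c hunk at -709 of CVE-2025-27830.patch, a DollarBlend length above max_ushort is reset to 0 and handed back through `*ret = length` as if the font had no $Blend procedure, so write_main_dictionary skips the block at `if (ux > 0)` without any diagnostic. A short comment at the new `if (length > max_ushort)` check saying that 0 is the deliberate "omit $Blend" signal would help. The same comment fits the `length = 0` in the -682 hunk, where the old `*ret = 0` was overwritten by the `*ret = length` that follows the loop.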
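Review bot: In the base/write_t1.c hunk at -759 of CVE-2025-27830.patch, `a_output->m_count += ux` accounts for the length reported by get_word, but the `len` returned by the following get_proc call is what is actually written at `a_output->m_pos`, and the hunk ends before showing any comparison of the two. If the code after this context does not already do so, suggest checking `len` against `ux` before the output position is advanced, so that the counted and the written sizes cannot disagree.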
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 2/6] ghostscript: Fix CVE-2025-27831 Date: Tue, 8 Apr 2025 16:27:17 +0530 Message-Id: <20250408105721.1798123-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250408105721.1798123-1-vanusuri@mvista.com> References: <20250408105721.1798123-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 08 Apr 2025 10:57:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214527 From: Vijay Anusuri Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647 & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647] Signed-off-by: Vijay Anusuri --- .../ghostscript/CVE-2025-27831-pre1.patch | 50 +++++++++++ .../ghostscript/CVE-2025-27831.patch | 84 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 2 + 3 files changed, 136 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch new file mode 100644 index 0000000000..bdf597f38e --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch 
@@ -0,0 +1,50 @@ +Partial backport of: + +From bf79b61cb1677d6865c45d397435848a21e8a647 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Tue, 27 Sep 2022 13:03:57 +0100 +Subject: [PATCH] PCL interpreter - fix decode_glyph for Unicode + +The text extraction (and pdfwrite family) expect that decode_glyph +should always return pairs of bytes (an assumption that Unicode code +points are 2 bytes), and the return value from the routine should be +the number of bytes required to hold the value. + +The PCL decode_glyph routine however was simply returning 1, which +caused the text extraction code some difficulty since it wasn't +expecting that. + +This commit firstly alters the text extraction code to cope 'better' +with a decode_glyph routine which returns an odd value (basically +ignore it and fall back to using the character code). + +We also alter the pl_decode_glyph routine to return 2 instead of 1, +so that it correctly tells the caller that it is returning 2 bytes. +Finally we make sure that the returned value is big-endian, because the +text extraction code assumes it will be. + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647] +CVE: CVE-2025-27831 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + devices/vector/doc_common.c | 8 ++++++++ + pcl/pl/plfont.c | 12 +++++++++--- + 2 files changed, 17 insertions(+), 3 deletions(-) + +--- a/devices/vector/doc_common.c ++++ b/devices/vector/doc_common.c +@@ -513,6 +513,14 @@ int txt_get_unicode(gx_device *dev, gs_f + char *b, *u; + int l = length - 1; + ++ /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly ++ * 2 bytes. If we got an odd number, give up and return the character code. 
++ */ ++ if (length & 1) { ++ *Buffer = fallback; ++ return 1; ++ } ++ + unicode = (ushort *)gs_alloc_bytes(dev->memory, length, "temporary Unicode array"); + length = font->procs.decode_glyph((gs_font *)font, glyph, ch, unicode, length); + #if ARCH_IS_BIG_ENDIAN diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch new file mode 100644 index 0000000000..8956d276d1 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch 
@@ -0,0 +1,84 @@ +From d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Thu, 21 Nov 2024 10:04:17 +0000 +Subject: Prevent Unicode decoding overrun + +Bug #708132 "Text buffer overflow with long characters" + +The txt_get_unicode function was copying too few bytes from the +fixed glyph name to unicode mapping tables. This was probably +causing incorrect Unicode code points in relatively rare cases but +not otherwise a problem. + +However, a badly formed GlyphNames2Unicode array attached to a font +could cause the decoding to spill over the assigned buffer. + +We really should rewrite the Unicode handling, but until we do just +checking that the length is no more than 4 Unicode code points is +enough to prevent an overrun. All the current clients allocate at least +4 code points per character code. + +Added a comment to explain the magic number. + +CVE-2025-27831 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17] +CVE: CVE-2025-27831 +Signed-off-by: Vijay Anusuri +--- + devices/vector/doc_common.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/devices/vector/doc_common.c b/devices/vector/doc_common.c +index 690f8eaed..05fb3d51f 100644 +--- a/devices/vector/doc_common.c ++++ b/devices/vector/doc_common.c +@@ -479,7 +479,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + } + if (strlen(dentry->Glyph) == gnstr.size) { + if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) { +- memcpy(Buffer, dentry->Unicode, 2); ++ memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short)); + return 2; + } + } +@@ -497,7 +497,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + } + if (strlen(tentry->Glyph) == gnstr.size) { + if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) { +- memcpy(Buffer, tentry->Unicode, 3); ++ memcpy(Buffer, 
tentry->Unicode, 3 * sizeof(unsigned short)); + return 3; + } + } +@@ -515,7 +515,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + } + if (strlen(qentry->Glyph) == gnstr.size) { + if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) { +- memcpy(Buffer, qentry->Unicode, 4); ++ memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short)); + return 4; + } + } +@@ -527,12 +527,16 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + return 1; + } else { + char *b, *u; +- int l = length - 1; ++ int l; + + /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly + * 2 bytes. If we got an odd number, give up and return the character code. ++ * ++ * The magic number here is due to the clients calling this code. Currently txtwrite and docxwrite ++ * allow up to 4 Unicode values per character/glyph, if the length would exceed that we can't ++ * write it. For now, again, fall back to the character code. + */ +- if (length & 1) { ++ if (length & 1 || length > 4 * sizeof(unsigned short)) { + *Buffer = fallback; + return 1; + } +-- +cgit v1.2.3 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index dae8dff813..94a21d1dce 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
@@ -63,6 +63,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2024-46955.patch \ file://CVE-2024-46956.patch \ file://CVE-2025-27830.patch \ + file://CVE-2025-27831-pre1.patch \ + file://CVE-2025-27831.patch \ " SRC_URI = "${SRC_URI_BASE} \
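Review bot: The header of CVE-2025-27831-pre1.patch keeps the upstream diffstat (`pcl/pl/plfont.c | 12 +++++++++---`, "2 files changed") although only the devices/vector/doc_common.c hunk is carried, so the diffstat no longer matches the patch body. Suggest trimming it, or stating under "Partial backport of:" that the plfont.c part is intentionally left out. The Upstream-Status line of the mail also lists the bf79b61cb1677d6865c45d397435848a21e8a647 URL twice, while CVE-2025-27831.patch itself cites d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17, so the second URL looks like it should point at that commit.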
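Review bot: In the devices/vector/doc_common.c hunk at -527 of CVE-2025-27831.patch, `int l = length - 1;` becomes a bare `int l;` and the hunk ends before any assignment to `l`, so please confirm that the function as backported assigns it before its first use in this version of the file. The pre1 patch context still shows the initialised form, which suggests the two patches were generated against slightly different trees. Parenthesising the new condition as `(length & 1) || length > 4 * sizeof(unsigned short)` would also make the precedence obvious to the next reader.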
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 3/6] ghostscript: Fix CVE-2025-27832 Date: Tue, 8 Apr 2025 16:27:18 +0530 Message-Id: <20250408105721.1798123-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250408105721.1798123-1-vanusuri@mvista.com> References: <20250408105721.1798123-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 08 Apr 2025 10:57:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214528 From: Vijay Anusuri Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41] Signed-off-by: Vijay Anusuri --- .../ghostscript/CVE-2025-27832.patch | 45 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch new file mode 100644 index 0000000000..c3a328bcc9 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch 
@@ -0,0 +1,45 @@ +From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Wed, 20 Nov 2024 11:42:31 +0000 +Subject: Bug 708133: Avoid integer overflow leading to buffer overflow + +The calculation of the buffer size was being done with int values, and +overflowing that data type. By leaving the total size calculation to the +memory manager, the calculation ends up being done in size_t values, and +avoiding the overflow in this case, but also meaning the memory manager +overflow protection will be effective. + +CVE-2025-27832 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41] +CVE: CVE-2025-27832 +Signed-off-by: Vijay Anusuri +--- + contrib/japanese/gdevnpdl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c +index 60065bacf..4967282bd 100644 +--- a/contrib/japanese/gdevnpdl.c ++++ b/contrib/japanese/gdevnpdl.c +@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + int code; + int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh; + +- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"))) ++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)"))) + return_error(gs_error_VMerror); + + /* Initialize printer */ +@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + /* Form Feed */ + gp_fputs("\014", prn_stream); + +- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"); ++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)"); + return 0; + } + +-- +cgit v1.2.3 + 
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 94a21d1dce..284ae3a28e 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
@@ -65,6 +65,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27830.patch \ file://CVE-2025-27831-pre1.patch \ file://CVE-2025-27831.patch \ + file://CVE-2025-27832.patch \ " SRC_URI = "${SRC_URI_BASE} \
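Review bot: The contrib/japanese/gdevnpdl.c hunk at -587 of CVE-2025-27832.patch depends on gs_malloc multiplying `line_size` by `maxY` in size_t with overflow protection, as the commit message says, but that behaviour lives in the memory manager and not in this patch. The upstream commit is dated Nov 2024 and the recipe builds 9.55.0, so it is worth confirming that the memory manager in 9.55.0 behaves the way the message describes. Nothing in the visible context rejects a zero or negative `maxY`, which is derived from `lprn->BlockLine / lprn->nBh * lprn->nBh`, so that is worth checking too when validating the backport.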
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 4/6] ghostscript: Fix CVE-2025-27834 Date: Tue, 8 Apr 2025 16:27:19 +0530 Message-Id: <20250408105721.1798123-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250408105721.1798123-1-vanusuri@mvista.com> References: <20250408105721.1798123-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 08 Apr 2025 10:57:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214529 From: Vijay Anusuri Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b] Signed-off-by: Vijay Anusuri --- .../ghostscript/CVE-2025-27834.patch | 57 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch new file mode 100644 index 0000000000..66e13ca729 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch 
@@ -0,0 +1,57 @@ +From ef42ff180a04926e187d40faea40d4a43e304e3b Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Mon, 20 Jan 2025 16:13:46 +0000 +Subject: [PATCH] PDF interpreter - Guard against unsigned int overflow + +Bug #708253 - see bug report for details. + +CVE-2025-27834 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b] +CVE: CVE-2025-27834 +Signed-off-by: Vijay Anusuri +--- + pdf/pdf_func.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c +index 9b7d5bb..423e544 100644 +--- a/pdf/pdf_func.c ++++ b/pdf/pdf_func.c +@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in + byte *p = (ops ? ops + *size : NULL); + + do { ++ if (*size > max_uint / 2) ++ return gs_note_error(gs_error_VMerror); ++ + code = pdfi_read_bytes(ctx, &c, 1, 1, function_stream); + if (code < 0) + break; +@@ -318,6 +321,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR, + if (code < 0) + goto function_4_error; + ++ if (size > max_uint - 1) { ++ code = gs_note_error(gs_error_VMerror); ++ goto function_4_error; ++ } ++ + ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)"); + if (ops == NULL) { + code = gs_error_VMerror; +@@ -816,6 +824,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte * + if (code < 0) + goto halftone_function_error; + ++ if (size > max_uint - 1) { ++ code = gs_note_error(gs_error_VMerror); ++ goto halftone_function_error; ++ } ++ + ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)"); + if (ops == NULL) { + code = gs_error_VMerror; +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 284ae3a28e..376d4a300e 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
@@ -66,6 +66,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27831-pre1.patch \ file://CVE-2025-27831.patch \ file://CVE-2025-27832.patch \ + file://CVE-2025-27834.patch \ " SRC_URI = "${SRC_URI_BASE} \ 
From patchwork Tue Apr 8 10:57:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 60983 X-Patchwork-Delegate: steve@sakoman.com
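Review bot: In CVE-2025-27834.patch, the new guard at the top of the `do` loop in pdfi_parse_type4_func_stream() leaves the function with `return gs_note_error(gs_error_VMerror);`, while the read failure directly below it exits the loop with `break` and `code` set. Please confirm that nothing after the loop has to run on this path, or set `code` and `break` so that both failures leave the same way. The `max_uint / 2` bound also differs from the `max_uint - 1` bound used in the two callers and carries no comment saying why half the range is the limit; a one-line comment would save the next reader from re-deriving it.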
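Review bot: In the pdfi_build_function_4() and pdfi_build_halftone_function() hunks of CVE-2025-27834.patch, the added `size > max_uint - 1` check matches the `size + 1` passed to gs_alloc_string(), but it records the error with `gs_note_error(gs_error_VMerror)` while the unchanged allocation-failure branch just below still assigns `code = gs_error_VMerror;` directly, so the two adjacent failure paths are reported differently. Both paths also end up with the same error code, which means a refused oversize stream cannot be told apart from a real allocation failure; the analogous check in CVE-2025-27836-1.patch uses gs_error_rangecheck. Since this is a backport, the recipe patch should stay identical to upstream, but both points are worth raising there.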
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 5/6] ghostscript: Fix CVE-2025-27835 Date: Tue, 8 Apr 2025 16:27:20 +0530 Message-Id: <20250408105721.1798123-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250408105721.1798123-1-vanusuri@mvista.com> References: <20250408105721.1798123-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 08 Apr 2025 10:58:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214530 From: Vijay Anusuri Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=de900010a6f2310d1fd54e99eeba466693da0e13] Signed-off-by: Vijay Anusuri --- .../ghostscript/CVE-2025-27835.patch | 34 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch new file mode 100644 index 0000000000..9cdefc5201 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch 
@@ -0,0 +1,34 @@ +From de900010a6f2310d1fd54e99eeba466693da0e13 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Wed, 20 Nov 2024 11:27:52 +0000 +Subject: Bug 708131: Fix confusion between bytes and shorts + +We were copying data from a string in multiple of shorts, rather than multiple +of bytes, leading to both an read (probably benign, given the memory manager) +and write buffer overflow. + +CVE-2025-27835 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=de900010a6f2310d1fd54e99eeba466693da0e13] +CVE: CVE-2025-27835 +Signed-off-by: Vijay Anusuri +--- + psi/zbfont.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/psi/zbfont.c b/psi/zbfont.c +index acffb39ef..5850ab54d 100644 +--- a/psi/zbfont.c ++++ b/psi/zbfont.c +@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u + if (l > length) + return l; + +- memcpy(unicode_return, v->value.const_bytes, l * sizeof(short)); ++ memcpy(unicode_return, v->value.const_bytes, l); + return l; + } + if (r_type(v) == t_integer) { +-- +cgit v1.2.3 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 376d4a300e..abc0238ddc 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
@@ -67,6 +67,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27831.patch \ file://CVE-2025-27832.patch \ file://CVE-2025-27834.patch \ + file://CVE-2025-27835.patch \ " SRC_URI = "${SRC_URI_BASE} \ 
From patchwork Tue Apr 8 10:57:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 60984 X-Patchwork-Delegate: steve@sakoman.com
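Review bot: In CVE-2025-27835.patch, the one-line change in gs_font_map_glyph_to_unicode() leaves no comment recording that `l` and `length` are byte counts, even though the hunk header shows the function taking `ushort *` parameters, which is exactly what invites scaling by `sizeof(short)` again. With the fix, the bound check `if (l > length) return l;` and the copy `memcpy(unicode_return, v->value.const_bytes, l);` use the same unit, which is the point of the change. A short comment above the memcpy stating the unit would make the invariant visible to the next person touching this branch; as a backport the patch itself should stay as upstream has it.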
From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 6/6] ghostscript: Fix CVE-2025-27836 Date: Tue, 8 Apr 2025 16:27:21 +0530 Message-Id: <20250408105721.1798123-6-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250408105721.1798123-1-vanusuri@mvista.com> References: <20250408105721.1798123-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 08 Apr 2025 10:58:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214531 From: Vijay Anusuri Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919 & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d84efb73723384a8b7fb3989c824cfa218060085] Signed-off-by: Vijay Anusuri --- .../ghostscript/CVE-2025-27836-1.patch | 64 +++++++++++++++++++ .../ghostscript/CVE-2025-27836-2.patch | 46 +++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 2 + 3 files changed, 112 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch new file mode 100644 index 0000000000..bd32456b99 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch 
@@ -0,0 +1,64 @@ +From 8b6d19b2b4079da6863ef25f2370f25d4b054919 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Mon, 13 Jan 2025 09:07:57 +0000 +Subject: Bug 708192: Fix potential print buffer overflow + +CVE-2025-27836 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919] +CVE: CVE-2025-27836 +Signed-off-by: Vijay Anusuri +--- + contrib/japanese/gdev10v.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c +index 0bd3cec02..9d27573dc 100644 +--- a/contrib/japanese/gdev10v.c ++++ b/contrib/japanese/gdev10v.c +@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream) + int bytes_per_column = bits_per_column / 8; + int x_skip_unit = bytes_per_column * (xres / 180); + int y_skip_unit = (yres / 180); +- byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)"); +- /* We need one extra byte in for our sentinel. */ +- byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)"); ++ byte *in, *out; + int lnum = 0; + int y_skip = 0; + int code = 0; + int blank_lines = 0; + int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3; + +- if ( in == 0 || out == 0 ) +- return -1; ++ if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) { ++ code = gs_note_error(gs_error_rangecheck); ++ goto error; ++ } ++ ++ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)"); ++ /* We need one extra byte in for our sentinel. */ ++ out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)"); ++ if ( in == NULL || out == NULL ) { ++ code = gs_note_error(gs_error_VMerror); ++ goto error; ++ } + + /* Initialize the printer. 
*/ + prn_puts(pdev, "\033@"); +@@ -320,8 +328,10 @@ notz: + } + + /* Eject the page */ +-xit: prn_putc(pdev, 014); /* form feed */ ++xit: ++ prn_putc(pdev, 014); /* form feed */ + prn_flush(pdev); ++error: + gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)"); + gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)"); + return code; +-- +cgit v1.2.3 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch new file mode 100644 index 0000000000..2e3817bdae --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch 
@@ -0,0 +1,46 @@ +From d84efb73723384a8b7fb3989c824cfa218060085 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 13 Mar 2025 11:01:16 +0000 +Subject: Fix Coverity IDs 457699 and 457700 + +Not sure if Coverity has been updated, this is ancient contrib code +which has not changed for a long time. + +However, fix the warning by initialising the pointers to NULL, and then +avoid trying to free them if they are NULL. + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d84efb73723384a8b7fb3989c824cfa218060085] +CVE: CVE-2025-27836 +Signed-off-by: Vijay Anusuri +--- + contrib/japanese/gdev10v.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c +index 9d27573dc..4d47200e5 100644 +--- a/contrib/japanese/gdev10v.c ++++ b/contrib/japanese/gdev10v.c +@@ -199,7 +199,7 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream) + int bytes_per_column = bits_per_column / 8; + int x_skip_unit = bytes_per_column * (xres / 180); + int y_skip_unit = (yres / 180); +- byte *in, *out; ++ byte *in = NULL, *out = NULL; + int lnum = 0; + int y_skip = 0; + int code = 0; +@@ -332,7 +332,9 @@ xit: + prn_putc(pdev, 014); /* form feed */ + prn_flush(pdev); + error: +- gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)"); +- gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)"); ++ if (out != NULL) ++ gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)"); ++ if (in != NULL) ++ gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)"); + return code; + } +-- +cgit v1.2.3 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index abc0238ddc..8499bb3676 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -68,6 +68,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2025-27832.patch \ file://CVE-2025-27834.patch \ file://CVE-2025-27835.patch \ + file://CVE-2025-27836-1.patch \ + file://CVE-2025-27836-2.patch \ " SRC_URI = "${SRC_URI_BASE} \
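Review bot: In CVE-2025-27836-1.patch, the new range check in bj10v_print_page() does `goto error;` before `in` and `out` have been assigned, and the `error:` block passes both to gs_free(); with the declaration changed to `byte *in, *out;` those pointers are uninitialised on that path. CVE-2025-27836-2.patch closes this by initialising them to NULL and testing before freeing, so the two patches have to stay together in SRC_URI (the recipe hunk does add both) and -1 should never be cherry-picked alone. Note also that the check bounds only the `bits_per_column * line_size + 1` product used for `out`; the `in` allocation of 8 by `line_size` relies on the allocator or on `bits_per_column` being at least 8.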
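Review bot: In the `error:` block of CVE-2025-27836-2.patch, the guarded gs_free() for `out` still passes `bits_per_column, line_size` as count and size, whereas the allocation in CVE-2025-27836-1.patch requests `bits_per_column * line_size + 1` elements of size 1. That mismatch predates this series and is harmless if the allocator ignores those arguments on free, but it is worth aligning upstream. The embedded commit message describes only a Coverity cleanup; a line in the patch header saying that it completes the CVE-2025-27836 fix by making the new `error:` path safe would explain the `CVE:` tag to anyone auditing the recipe.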