diff options
| author |   Lee Chee Yang <chee.yang.lee@intel.com> | 2020-08-06 17:46:17 +0800 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-08 09:17:35 +0100 |
| commit | d70012e8971a4762ea402c3c843938640b9ab9fc (patch) | |
| tree | 40fa6a5b5bd4c8ce33132447116be299664c758e /meta/recipes-extended | |
| parent | 8682f6bc7e3e8d5fcf682647526f1a8430d08768 (diff) | |
| download | openembedded-core-contrib-d70012e8971a4762ea402c3c843938640b9ab9fc.tar.gz | |
ghostscript: fix CVE-2020-15900
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch | 54 | ||||
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript_9.52.bb | 1 |
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch new file mode 100644 index 0000000000..d7c5f034e5 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch @@ -0,0 +1,54 @@ +From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001 +From: Ray Johnston <ray.johnston@artifex.com> +Date: Wed, 22 Jul 2020 09:57:54 -0700 +Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript + 9.52 + +Fix the 'rsearch' calculation for the 'post' size to give the correct +size. Previous calculation would result in a size that was too large, +and could underflow to max uint32_t. Also fix 'rsearch' to return the +correct 'pre' string with empty string match. + +A future change may 'undefine' this undocumented, non-standard operator +during initialization as we do with the many other non-standard internal +PostScript operators and procedures. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b] +CVE: CVE-2020-15900 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + psi/zstring.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/psi/zstring.c b/psi/zstring.c +index 33662dafa..58e1af2b3 100644 +--- a/psi/zstring.c ++++ b/psi/zstring.c +@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) + return 0; + found: + op->tas.type_attrs = op1->tas.type_attrs; +- op->value.bytes = ptr; +- r_set_size(op, size); ++ op->value.bytes = ptr; /* match */ ++ op->tas.rsize = size; /* match */ + push(2); +- op[-1] = *op1; +- r_set_size(op - 1, ptr - op[-1].value.bytes); +- op1->value.bytes = ptr + size; +- r_set_size(op1, count + (!forward ? (size - 1) : 0)); ++ op[-1] = *op1; /* pre */ ++ op[-3].value.bytes = ptr + size; /* post */ ++ if (forward) { ++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ ++ op[-3].tas.rsize = count; /* post */ ++ } else { ++ op[-1].tas.rsize = count; /* pre */ ++ op[-3].tas.rsize -= count + size; /* post */ ++ } + make_true(op); + return 0; + } +-- +2.17.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 4cdb6e00d8..65135f5821 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d SRC_URI = "${SRC_URI_BASE} \ file://ghostscript-9.21-prevent_recompiling.patch \ file://cups-no-gcrypt.patch \ + file://CVE-2020-15900.patch \ " SRC_URI_class-native = "${SRC_URI_BASE} \ |