Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2024-12-31 10:28:29 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/patches/source/ghostscript/0974e4f2ac0005d3731e0b5c13ebc7e965540f4d.patch
Patrick J Volkerding 9f285815b9 Thu Mar 7 20:40:08 UTC 2024 
patches/packages/ghostscript-9.55.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Fixes security issues:
  A vulnerability was identified in the way Ghostscript/GhostPDL called
  tesseract for the OCR devices, which could allow arbitrary code execution.
  Thanks to J_W for the heads-up.
  Mishandling of permission validation for pipe devices could allow arbitrary
  code execution.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
  (* Security fix *)
2024-03-08 13:30:42 +01:00

57 lines
2.4 KiB
Diff
Raw Blame History

From 0974e4f2ac0005d3731e0b5c13ebc7e965540f4d Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 14 Jun 2023 09:08:12 +0100
Subject: [PATCH] Bug 706778: 706761 revisit
Two problems with the original commit. The first a silly typo inverting the
logic of a test.
The second was forgetting that we actually actually validate two candidate
strings for pipe devices. One with the expected "%pipe%" prefix, the other
using the pipe character prefix: "|".
This addresses both those.
---
base/gpmisc.c | 2 +-
base/gslibctx.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 58511270e..2b0064bea 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1081,7 +1081,7 @@ gp_validate_path_len(const gs_memory_t *mem,
/* "%pipe%" do not follow the normal rules for path definitions, so we
don't "reduce" them to avoid unexpected results
*/
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
if (buffer == NULL)
return gs_error_VMerror;
diff --git a/base/gslibctx.c b/base/gslibctx.c
index d2a1aa91d..42af99090 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -743,7 +743,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
/* "%pipe%" do not follow the normal rules for path definitions, so we
don't "reduce" them to avoid unexpected results
*/
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
if (buffer == NULL)
return gs_error_VMerror;
@@ -850,7 +850,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
/* "%pipe%" do not follow the normal rules for path definitions, so we
don't "reduce" them to avoid unexpected results
*/
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
if (buffer == NULL)
return gs_error_VMerror;
--
2.34.1
Reference in a new issue View git blame Copy permalink