ghostscript: fix CVE-2024-29510
authorArchana Polampalli <archana.polampalli@windriver.com>
Wed, 29 May 2024 05:42:25 +0000 (05:42 +0000)
committerSteve Sakoman <steve@sakoman.com>
Fri, 31 May 2024 19:10:36 +0000 (12:10 -0700)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch [new file with mode: 0644]
meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
new file mode 100644 (file)
index 0000000..692d351
--- /dev/null
@@ -0,0 +1,84 @@
+From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 21 Mar 2024 09:01:15 +0000
+Subject: [PATCH 5/5] Uniprint device - prevent string configuration changes
+ when SAFER
+
+Bug #707662
+
+We cannot sanitise the string arguments used by the Uniprint device
+because they can potentially include anything.
+
+This commit ensures that these strings are locked and cannot be
+changed by PostScript once SAFER is activated. Full configuration from
+the command line is still possible (see the *.upp files in lib).
+
+This addresses CVE-2024-29510
+
+CVE: CVE-2024-29510
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/devices/gdevupd.c b/devices/gdevupd.c
+index 740dae0..a50571a 100644
+--- a/devices/gdevupd.c
++++ b/devices/gdevupd.c
+@@ -1887,6 +1887,16 @@ out on this copies.
+       if(!upd_strings[i]) continue;
+       UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
+       if(0 == code) {
++        if (gs_is_path_control_active(udev->memory)) {
++            if (strings[i].size != value.size)
++              error = gs_error_invalidaccess;
++            else {
++                if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
++                    error = gs_error_invalidaccess;
++            }
++            if (error < 0)
++                goto exit;
++        }
+          if(0 <= error) error |= UPD_PUT_STRINGS;
+          UPD_MM_DEL_PARAM(udev->memory, strings[i]);
+          if(!value.size) {
+@@ -1904,6 +1914,26 @@ out on this copies.
+       if(!upd_string_a[i]) continue;
+       UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
+       if(0 == code) {
++          if (gs_is_path_control_active(udev->memory)) {
++              if (string_a[i].size != value.size)
++                  error = gs_error_invalidaccess;
++              else {
++                  int loop;
++                  for (loop = 0;loop < string_a[i].size;loop++) {
++                      gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
++                      gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
++
++                      if (tmp1->size != tmp2->size)
++                          error = gs_error_invalidaccess;
++                      else {
++                          if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
++                              error = gs_error_invalidaccess;
++                      }
++                  }
++              }
++            if (error < 0)
++                goto exit;
++          }
+          if(0 <= error) error |= UPD_PUT_STRING_A;
+          UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
+          if(!value.size) {
+@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
+       if(0 > code) error = code;
+    }
+
++exit:
+    if(0 < error) { /* Actually something loaded without error */
+
+       if(!(upd = udev->upd)) {
+--
+2.40.0
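Review bot: Both added blocks in devices/gdevupd.c reject a changed Uniprint string with `gs_error_invalidaccess` but carry no comment saying why, and the guard depends on `gs_is_path_control_active(udev->memory)`, so it gives no protection when the interpreter runs without SAFER. A one-line comment above each `if`, such as `/* SAFER active: uniprint strings cannot be sanitised, so refuse any change (Bug #707662) */`, would record that for the next maintainer. In the string-array block, `int loop` is compared against `string_a[i].size`, which is presumably unsigned, and the two casts to `gs_param_string *` appear only to discard `const`; `const gs_param_string *tmp1 = &string_a[i].data[loop];` with an unsigned index avoids both, and a `break` after the first mismatch would stop the loop from comparing further. `if (error < 0) goto exit;` tests the accumulated `error`, so a failure recorded before these loops (outside the hunk) would also skip the remaining parameter reads even when the strings are unchanged. The enclosing function starts and ends outside the visible lines, so what runs after `exit:` on a negative `error` should be confirmed against the full file.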
index 8bda4404cc732e86d2a4f7f602f7b054e7a4eb8a..db9481816a7c11d50bd119d2389d5a4e00b818d3 100644 (file)
@@ -30,6 +30,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
            file://CVE-2024-33869-0001.patch \
            file://CVE-2024-33869-0002.patch \
            file://CVE-2024-33871.patch \
+           file://CVE-2024-29510.patch \
            "
 
 SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"