--- /dev/null
+From 7145885041bb52cc23964f0aa2aec1b1c82b5908 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 22 Apr 2024 13:33:47 +0100
+Subject: [PATCH 4/5] OPVP device - prevent unsafe parameter change with SAFER
+
+Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library"
+
+The "Driver" parameter for the "opvp"/"oprp" device specifies the name
+of a dynamic library and allows any library to be loaded.
+
+The patch does not allow changing this parameter after activating path
+control.
+
+This addresses CVE-2024-33871
+
+CVE: CVE-2024-33871
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc2396]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ contrib/opvp/gdevopvp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
+index 74200cf..80eb23b 100644
+--- a/contrib/opvp/gdevopvp.c
++++ b/contrib/opvp/gdevopvp.c
+@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
+ code = param_read_string(plist, pname, &vdps);
+ switch (code) {
+ case 0:
++ if (gs_is_path_control_active(dev->memory)
++ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
++ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
++ param_signal_error(plist, pname, gs_error_invalidaccess);
++ return_error(gs_error_invalidaccess);
++ }
+ buff = realloc(buff, vdps.size + 1);
+ memcpy(buff, vdps.data, vdps.size);
+ buff[vdps.size] = 0;
+--
+2.40.0
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
