--- /dev/null
+From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 26 Mar 2024 12:02:57 +0000
+Subject: [PATCH 2/5] Bug #707691
+
+Part 1; when stripping a potential Current Working Dirctory specifier
+from a path, make certain it really is a CWD, and not simply large
+ebough to be a CWD.
+
+Reasons are in the bug thread, this is not (IMO) serious.
+
+This is part of the fix for CVE-2024-33869
+
+CVE: CVE-2024-33869
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gpmisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4a69b0..1d4d5d8 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1164,8 +1164,8 @@ gp_validate_path_len(const gs_memory_t *mem,
+
+ continue;
+ }
+- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
+- buffer = bufferfull + cdirstrl + dirsepstrl;
++ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
++ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
+ continue;
+ }
+ break;
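Review bot: The first added test, `memcmp(buffer, cdirstr, cdirstrl)`, is true when the prefix differs from `cdirstr`, which reads as the opposite of the commit's stated aim of confirming the prefix really is the current-directory specifier; only the second comparison is negated. The hunk also removes `buffer = bufferfull + cdirstrl + dirsepstrl;`, the only visible statement in this branch that changed state before `continue`, so the loop appears to re-validate the same buffer. The loop header is outside the hunk, so termination should be confirmed against the full function. If the intent is as the message describes, the condition would be `&& !memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {` with the buffer advance kept. Both comparisons also read `cdirstrl + dirsepstrl` bytes from `buffer` with no visible check that the path is at least that long.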
+--
+2.40.0
--- /dev/null
+From f5336e5b4154f515ac83bc5b9eba94302e6618d4 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 26 Mar 2024 12:07:18 +0000
+Subject: [PATCH 3/5] Bug 707691 part 2
+
+See bug thread for details
+
+This is the second part of the fix for CVE-2024-33869
+
+CVE: CVE-2024-33869
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gpmisc.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 1d4d5d8..b0d5c71 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem,
+ rlen = len;
+ }
+ else {
++ char *test = (char *)path, *test1;
++ uint tlen = len, slen;
++
++ /* Look for any pipe (%pipe% or '|' specifications between path separators
++ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
++ */
++ while (tlen > 0) {
++ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
++ code = gs_note_error(gs_error_invalidfileaccess);
++ goto exit;
++ }
++ test1 = test;
++ slen = search_separator((const char **)&test, path + len, test1, 1);
++ if(slen == 0)
++ break;
++ test += slen;
++ tlen -= test - test1;
++ if (test >= path + len)
++ break;
++ }
++
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
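Review bot: The added comment promises rejection of `%pipe%` or `|` "anywhere except at the start", but the loop only tests `test[0]` and the five bytes at `test`, first at the very start of the path and then at each position reached after `search_separator`. A marker elsewhere inside a component is never examined, so either scan every byte or reword the comment to match, e.g. `/* Reject a path in which any component begins with '|' or "%pipe". */`. The comparison is against `"%pipe"` (5 bytes) under `tlen > 5` while the comment names `%pipe%`, so the comment should say which form is meant. Declaring `const char *test = path, *test1;` would remove both the `(char *)` and `(const char **)` casts. The rest of gp_validate_path_len lies outside the hunk, so how the preceding branch treats a leading pipe specification cannot be checked here.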
+--
+2.40.0