ghostscript: patch CVE-2025-59799

author Peter Marko <peter.marko@siemens.com>

Tue, 7 Oct 2025 22:11:11 +0000 (00:11 +0200)

committer Steve Sakoman <steve@sakoman.com>

Thu, 9 Oct 2025 19:25:56 +0000 (12:25 -0700)
author Peter Marko <peter.marko@siemens.com>
Tue, 7 Oct 2025 22:11:11 +0000 (00:11 +0200)
committer Steve Sakoman <steve@sakoman.com>
Thu, 9 Oct 2025 19:25:56 +0000 (12:25 -0700)
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch

new file mode 100644 (file)

index 0000000..9401474
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch
@@ -0,0 +1,41 @@
+From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001
+From: Piotr Kajda <petermasterperfect@gmail.com>
+Date: Thu, 8 May 2025 11:37:09 +0100
+Subject: [PATCH] pdfwrite - bounds check some strings
+
+Bug #708517
+
+This differs very slightly from the proposed patch in the bug report, I
+had a quick scout through the C file and found another similar case.
+
+Both fixed here.
+
+CVE: CVE-2025-59799
+Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/6dab38fb211f15226c242ab7a83fa53e4b0ff781]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ devices/vector/gdevpdfm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c
+index 5aa3644e2..4b1d7d89c 100644
+--- a/devices/vector/gdevpdfm.c
++++ b/devices/vector/gdevpdfm.c
+@@ -199,6 +199,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING])
+ {
+     const byte *data = dstr->data;
+     uint size = dstr->size;
++    if (size > MAX_DEST_STRING)
++        return_error(gs_error_limitcheck);
+     if (size == 0 || data[0] != '(')
+         return 0;
+     /****** HANDLE ESCAPES ******/
+@@ -859,6 +861,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd,
+             char buf[30];
+             int d0, d1;
+ 
++            if (Action[1].size > 29)
++                return_error(gs_error_rangecheck);
+             memcpy(buf, Action[1].data, Action[1].size);
+             buf[Action[1].size] = 0;
+             if (sscanf(buf, "%d %d R", &d0, &d1) == 2)
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb

index 0ae939e7806e820d7340915efa9df96230c1aa11..0f123d48991b859e91ab95067b8f586d80eb0472 100644 (file)
--- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
             file://ghostscript-9.16-Werror-return-type.patch \
             file://avoid-host-contamination.patch \
             file://CVE-2025-59798.patch \
+           file://CVE-2025-59799.patch \
             "
  
  SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"
author	Peter Marko <peter.marko@siemens.com>
	Tue, 7 Oct 2025 22:11:11 +0000 (00:11 +0200)
committer	Steve Sakoman <steve@sakoman.com>
	Thu, 9 Oct 2025 19:25:56 +0000 (12:25 -0700)
meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch	[new file with mode: 0644]	patch \| blob
meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb		patch \| blob \| blame \| history