From: Vijay Anusuri Date: Tue, 8 Apr 2025 10:57:16 +0000 (+0530) Subject: ghostscript: Fix CVE-2025-27830 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc74ad209b243b131ea5467b871339f1773ba64b;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git ghostscript: Fix CVE-2025-27830 Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch new file mode 100644 index 00000000000..a516b8ad41e --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch @@ -0,0 +1,79 @@ +From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Mon, 13 Jan 2025 09:15:01 +0000 +Subject: [PATCH] Bug 708241: Fix potential Buffer overflow with DollarBlend + +During serializing a multiple master font for passing to Freetype. + +Use CVE-2025-27830 + +Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f] +CVE: CVE-2025-27830 +Signed-off-by: Vijay Anusuri +--- + base/write_t1.c | 7 ++++--- + psi/zfapi.c | 9 +++++++-- + 2 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/base/write_t1.c b/base/write_t1.c +index 52902be..d6b2454 100644 +--- a/base/write_t1.c ++++ b/base/write_t1.c +@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri + WRF_wbyte(a_fapi_font->memory, a_output, '\n'); + if (is_MM_font(a_fapi_font)) { + short x, x2; ++ unsigned short ux; + float x1; + uint i, j, entries; + char Buffer[255]; +@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri + */ + code = a_fapi_font->get_word(a_fapi_font, + gs_fapi_font_feature_DollarBlend_length, +- 0, (unsigned short *)&x); ++ 0, &ux); + if (code < 0) + return code; + +- if (x > 0) { ++ if (ux > 0) { + int len; + WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {"); + + if (a_output->m_count) +- a_output->m_count += x; ++ a_output->m_count += ux; + len = a_fapi_font->get_proc(a_fapi_font, + gs_fapi_font_feature_DollarBlend, 0, + (char *)a_output->m_pos); +diff --git a/psi/zfapi.c b/psi/zfapi.c +index 0b3ab1c..1ffef47 100644 +--- a/psi/zfapi.c ++++ b/psi/zfapi.c +@@ -682,7 +682,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig + } + for (i = 0; i < r_size(DBlend); i++) { + if (array_get(ff->memory, DBlend, i, &Element) < 0) { +- *ret = 0; ++ length = 0; + break; + } + switch (r_btype(&Element)) { +@@ -709,7 +709,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig + default: + break; + } +- } ++ ++ if (length > max_ushort) { ++ length = 0; ++ break; ++ } ++ } + *ret = length; + break; + } +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 6d425710b59..dae8dff813e 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -62,6 +62,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2024-46953.patch \ file://CVE-2024-46955.patch \ file://CVE-2024-46956.patch \ + file://CVE-2025-27830.patch \ " SRC_URI = "${SRC_URI_BASE} \