* [Buildroot] [PATCH 1/1] package/ghostscript: security bump to version 10.02.0
@ 2023-09-20 17:07 Fabrice Fontaine
2023-09-20 17:33 ` Yann E. MORIN
2023-09-25 5:40 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2023-09-20 17:07 UTC (permalink / raw)
To: buildroot; +Cc: Bernd Kuhls, Fabrice Fontaine
- Fix CVE-2023-36664: Artifex Ghostscript through 10.01.2 mishandles
permission validation for pipe devices (with the %pipe% prefix or the |
pipe character prefix).
- Fix CVE-2023-38559: A buffer overflow flaw was found in
base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This
issue may allow a local attacker to cause a denial of service via
outputting a crafted PDF file for a DEVN device with gs.
- Fix CVE-2023-38560: An integer overflow flaw was found in
pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may
allow a local attacker to cause a denial of service via transforming a
crafted PCL file to PDF format.
https://ghostscript.readthedocs.io/en/gs10.02.0/News.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
.../0001-Fix-build-without-BUILD_PDF.patch | 34 +++++++++++++++++++
package/ghostscript/ghostscript.hash | 4 +--
package/ghostscript/ghostscript.mk | 2 +-
3 files changed, 37 insertions(+), 3 deletions(-)
create mode 100644 package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch
diff --git a/package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch b/package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch
new file mode 100644
index 0000000000..af69cd3670
--- /dev/null
+++ b/package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch
@@ -0,0 +1,34 @@
+From 088f3cd6e58cff5fa51e072d1829f7691a5f6681 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Wed, 20 Sep 2023 13:44:28 +0100
+Subject: [PATCH] Fix build without BUILD_PDF
+
+The PDFSetParams PostScript extension operator was missing a stub function definition
+when the PDF interpreter is not built in.
+
+ Author: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Upstream: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=088f3cd6e58cff5fa51e072d1829f7691a5f6681
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ psi/zpdfops.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/psi/zpdfops.c b/psi/zpdfops.c
+index e7e0a42ee..271687a18 100644
+--- a/psi/zpdfops.c
++++ b/psi/zpdfops.c
+@@ -1507,6 +1507,11 @@ static int zPDFdrawannots(i_ctx_t *i_ctx_p)
+ return_error(gs_error_undefined);
+ }
+
++static int zPDFSetParams(i_ctx_t *i_ctx_p)
++{
++ return_error(gs_error_undefined);
++}
++
+ static int zPDFInit(i_ctx_t *i_ctx_p)
+ {
+ return_error(gs_error_undefined);
+--
+2.34.1
+
diff --git a/package/ghostscript/ghostscript.hash b/package/ghostscript/ghostscript.hash
index 2e4b6ac750..77c8faccbe 100644
--- a/package/ghostscript/ghostscript.hash
+++ b/package/ghostscript/ghostscript.hash
@@ -1,5 +1,5 @@
-# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10012/SHA512SUMS
-sha512 ee20f0e12f553a3d04578e71a0d45defebc71117ce4dc2c14043985bfe7348ad7f8b2fe98fc9b4f5b935ecb32e50dc340be67d6ef58190542ec6d0f9da1de380 ghostscript-10.01.2.tar.xz
+# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10020/SHA512SUMS
+sha512 c49344151063e915add55a0a842c2a645d8362a5cbca663bd07638f4bd3699a08cade37a9efe905ad5a41e014353e5e1b1268b7925e43128ad30d5b031396b71 ghostscript-10.02.0.tar.xz
# Hash for license file:
sha256 8ce064f423b7c24a011b6ebf9431b8bf9861a5255e47c84bfb23fc526d030a8b LICENSE
diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk
index 8a39d4b695..161521f970 100644
--- a/package/ghostscript/ghostscript.mk
+++ b/package/ghostscript/ghostscript.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GHOSTSCRIPT_VERSION = 10.01.2
+GHOSTSCRIPT_VERSION = 10.02.0
GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz
GHOSTSCRIPT_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$(subst .,,$(GHOSTSCRIPT_VERSION))
GHOSTSCRIPT_LICENSE = AGPL-3.0
--
2.40.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/ghostscript: security bump to version 10.02.0
2023-09-20 17:07 [Buildroot] [PATCH 1/1] package/ghostscript: security bump to version 10.02.0 Fabrice Fontaine
@ 2023-09-20 17:33 ` Yann E. MORIN
2023-09-25 5:40 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2023-09-20 17:33 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Bernd Kuhls, buildroot
Fabrice, All,
On 2023-09-20 19:07 +0200, Fabrice Fontaine spake thusly:
> - Fix CVE-2023-36664: Artifex Ghostscript through 10.01.2 mishandles
> permission validation for pipe devices (with the %pipe% prefix or the |
> pipe character prefix).
> - Fix CVE-2023-38559: A buffer overflow flaw was found in
> base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This
> issue may allow a local attacker to cause a denial of service via
> outputting a crafted PDF file for a DEVN device with gs.
> - Fix CVE-2023-38560: An integer overflow flaw was found in
> pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may
> allow a local attacker to cause a denial of service via transforming a
> crafted PCL file to PDF format.
>
> https://ghostscript.readthedocs.io/en/gs10.02.0/News.html
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> .../0001-Fix-build-without-BUILD_PDF.patch | 34 +++++++++++++++++++
> package/ghostscript/ghostscript.hash | 4 +--
> package/ghostscript/ghostscript.mk | 2 +-
> 3 files changed, 37 insertions(+), 3 deletions(-)
> create mode 100644 package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch
>
> diff --git a/package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch b/package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch
> new file mode 100644
> index 0000000000..af69cd3670
> --- /dev/null
> +++ b/package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch
> @@ -0,0 +1,34 @@
> +From 088f3cd6e58cff5fa51e072d1829f7691a5f6681 Mon Sep 17 00:00:00 2001
> +From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +Date: Wed, 20 Sep 2023 13:44:28 +0100
> +Subject: [PATCH] Fix build without BUILD_PDF
> +
> +The PDFSetParams PostScript extension operator was missing a stub function definition
> +when the PDF interpreter is not built in.
> +
> + Author: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +Upstream: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=088f3cd6e58cff5fa51e072d1829f7691a5f6681
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + psi/zpdfops.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/psi/zpdfops.c b/psi/zpdfops.c
> +index e7e0a42ee..271687a18 100644
> +--- a/psi/zpdfops.c
> ++++ b/psi/zpdfops.c
> +@@ -1507,6 +1507,11 @@ static int zPDFdrawannots(i_ctx_t *i_ctx_p)
> + return_error(gs_error_undefined);
> + }
> +
> ++static int zPDFSetParams(i_ctx_t *i_ctx_p)
> ++{
> ++ return_error(gs_error_undefined);
> ++}
> ++
> + static int zPDFInit(i_ctx_t *i_ctx_p)
> + {
> + return_error(gs_error_undefined);
> +--
> +2.34.1
> +
> diff --git a/package/ghostscript/ghostscript.hash b/package/ghostscript/ghostscript.hash
> index 2e4b6ac750..77c8faccbe 100644
> --- a/package/ghostscript/ghostscript.hash
> +++ b/package/ghostscript/ghostscript.hash
> @@ -1,5 +1,5 @@
> -# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10012/SHA512SUMS
> -sha512 ee20f0e12f553a3d04578e71a0d45defebc71117ce4dc2c14043985bfe7348ad7f8b2fe98fc9b4f5b935ecb32e50dc340be67d6ef58190542ec6d0f9da1de380 ghostscript-10.01.2.tar.xz
> +# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10020/SHA512SUMS
> +sha512 c49344151063e915add55a0a842c2a645d8362a5cbca663bd07638f4bd3699a08cade37a9efe905ad5a41e014353e5e1b1268b7925e43128ad30d5b031396b71 ghostscript-10.02.0.tar.xz
>
> # Hash for license file:
> sha256 8ce064f423b7c24a011b6ebf9431b8bf9861a5255e47c84bfb23fc526d030a8b LICENSE
> diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk
> index 8a39d4b695..161521f970 100644
> --- a/package/ghostscript/ghostscript.mk
> +++ b/package/ghostscript/ghostscript.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -GHOSTSCRIPT_VERSION = 10.01.2
> +GHOSTSCRIPT_VERSION = 10.02.0
> GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz
> GHOSTSCRIPT_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$(subst .,,$(GHOSTSCRIPT_VERSION))
> GHOSTSCRIPT_LICENSE = AGPL-3.0
> --
> 2.40.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/ghostscript: security bump to version 10.02.0
2023-09-20 17:07 [Buildroot] [PATCH 1/1] package/ghostscript: security bump to version 10.02.0 Fabrice Fontaine
2023-09-20 17:33 ` Yann E. MORIN
@ 2023-09-25 5:40 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-09-25 5:40 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Bernd Kuhls, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Fix CVE-2023-36664: Artifex Ghostscript through 10.01.2 mishandles
> permission validation for pipe devices (with the %pipe% prefix or the |
> pipe character prefix).
> - Fix CVE-2023-38559: A buffer overflow flaw was found in
> base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This
> issue may allow a local attacker to cause a denial of service via
> outputting a crafted PDF file for a DEVN device with gs.
> - Fix CVE-2023-38560: An integer overflow flaw was found in
> pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may
> allow a local attacker to cause a denial of service via transforming a
> crafted PCL file to PDF format.
> https://ghostscript.readthedocs.io/en/gs10.02.0/News.html
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-09-25 5:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-20 17:07 [Buildroot] [PATCH 1/1] package/ghostscript: security bump to version 10.02.0 Fabrice Fontaine
2023-09-20 17:33 ` Yann E. MORIN
2023-09-25 5:40 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox