Version in base suite: 10.0.0~dfsg-11+deb12u4 Base version: ghostscript_10.0.0~dfsg-11+deb12u4 Target version: ghostscript_10.0.0~dfsg-11+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/ghostscript/ghostscript_10.0.0~dfsg-11+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/ghostscript/ghostscript_10.0.0~dfsg-11+deb12u5.dsc changelog | 13 patches/0014-Bug-707510-review-printing-of-pointers.patch | 301 ++++++++++ patches/0015-Fix-compiler-warning-in-optimised-build.patch | 37 + patches/0016-Coverity-IDs-414141-414145.patch | 29 patches/0017-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch | 37 + patches/0018-Bug-707510-don-t-use-strlen-on-passwords.patch | 42 + patches/0019-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch | 85 ++ patches/series | 6 8 files changed, 550 insertions(+) Unrecognised file line in .dsc: -----BEGIN PGP SIGNATURE-----
diff -Nru ghostscript-10.0.0~dfsg/debian/changelog ghostscript-10.0.0~dfsg/debian/changelog
--- ghostscript-10.0.0~dfsg/debian/changelog 2024-05-09 20:20:16.000000000 +0000
+++ ghostscript-10.0.0~dfsg/debian/changelog 2024-08-24 19:29:52.000000000 +0000
@@ -1,3 +1,16 @@ +ghostscript (10.0.0~dfsg-11+deb12u5) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * review printing of pointers (CVE-2024-29508) + * Fix compiler warning in optimised build + * Coverity IDs 414141 & 414145 + * Don't allow PDF files with bad Filters to overflow the debug buffer + (CVE-2024-29506) + * Don't use strlen on passwords (CVE-2024-29509) + * Bounds checks when using CIDFont related params (CVE-2024-29507) + + -- Salvatore Bonaccorso Sat, 24 Aug 2024 21:29:52 +0200 + ghostscript (10.0.0~dfsg-11+deb12u4) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0014-Bug-707510-review-printing-of-pointers.patch ghostscript-10.0.0~dfsg/debian/patches/0014-Bug-707510-review-printing-of-pointers.patch --- ghostscript-10.0.0~dfsg/debian/patches/0014-Bug-707510-review-printing-of-pointers.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0014-Bug-707510-review-printing-of-pointers.patch 2024-08-24 19:09:33.000000000 +0000 
@@ -0,0 +1,301 @@ +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:53:44 +0000 +Subject: Bug 707510 - review printing of pointers +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ff1013a0ab485b66783b70145e342a82c670906a +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707510 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-29508 + +This is for item 4 of the report, which is addressed by the change in +gdevpdtb.c. That change uses a fixed name for fonts which have no name +instead of using the pointer to the address of the font. + +The remaining changes are all due to reviewing the use of PRI_INTPTR. +In general we only use that for debugging purposes but there were a few +places which were printing pointers arbitrarily, even in a release build. + +We really don't want to do that so I've modified the places which were +printing pointer unconditionally so that they only do so if DEBUG is +set at compile time, or a specific debug flag is set. +--- + base/gsfont.c | 4 ++-- + base/gsicc_cache.c | 8 ++++---- + base/gsmalloc.c | 4 ++-- + base/gxclmem.c | 5 ++--- + base/gxcpath.c | 6 +++++- + base/gxpath.c | 8 +++++++- + base/szlibc.c | 4 +++- + devices/gdevupd.c | 7 ++++++- + devices/vector/gdevpdtb.c | 4 ++-- + psi/ialloc.c | 4 ++-- + psi/igc.c | 6 +++--- + psi/igcstr.c | 6 +++--- + psi/iinit.c | 6 +++++- + psi/imainarg.c | 5 +++-- + psi/isave.c | 4 ++-- + psi/iutil.c | 6 +++++- + 16 files changed, 56 insertions(+), 31 deletions(-) + +--- a/base/gsfont.c ++++ b/base/gsfont.c +@@ -791,7 +791,7 @@ gs_purge_font(gs_font * pfont) + else if (pdir->scaled_fonts == pfont) + pdir->scaled_fonts = next; + else { /* Shouldn't happen! */ +- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont); ++ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont); + } + + /* Purge the font from the scaled font cache. 
*/ +--- a/base/gsicc_cache.c ++++ b/base/gsicc_cache.c +@@ -161,7 +161,7 @@ icc_linkcache_finalize(const gs_memory_t + return; + while (link_cache->head != NULL) { + if (link_cache->head->ref_count != 0) { +- emprintf2(link_cache->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", ++ if_debug2m(gs_debug_flag_icc, link_cache->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", + (intptr_t)link_cache->head, link_cache->head->ref_count); + link_cache->head->ref_count = 0; /* force removal */ + } +@@ -586,7 +586,7 @@ gsicc_findcachelink(gsicc_hashlink_t has + /* that was building it failed to be able to complete building it. Try this only + a limited number of times before we bail. */ + if (curr->valid == false) { +- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */ ++ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */ + } + gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */ + } +@@ -614,7 +614,7 @@ gsicc_remove_link(gsicc_link_t *link) + /* NOTE: link->ref_count must be 0: assert ? 
*/ + gx_monitor_enter(icc_link_cache->lock); + if (link->ref_count != 0) { +- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); ++ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); + } + curr = icc_link_cache->head; + prev = NULL; +--- a/base/gsmalloc.c ++++ b/base/gsmalloc.c +@@ -420,7 +420,7 @@ gs_heap_resize_string(gs_memory_t * mem, + client_name_t cname) + { + if (gs_heap_object_type(mem, data) != &st_bytes) +- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n", ++ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n", + client_name_string(cname), (intptr_t)data); + return gs_heap_resize_object(mem, data, new_num, cname); + } +--- a/base/gxclmem.c ++++ b/base/gxclmem.c +@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const + /* leaks if other users of the memfile don't 'fclose with delete=true */ + if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) { + /* TODO: do the cleanup rather than just giving an error */ +- emprintf1(f->memory, +- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n", ++ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n", + (intptr_t)f); + return_error(gs_error_invalidfileaccess); + } else { +--- a/base/gxcpath.c ++++ b/base/gxcpath.c +@@ -175,8 +175,10 @@ gx_cpath_init_contained_shared(gx_clip_p + { + if (shared) { + if (shared->path.segments == &shared->path.local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *pcpath = *shared; +@@ -233,8 +235,10 @@ gx_cpath_init_local_shared_nested(gx_cli + if (shared) { + if ((shared->path.segments == &shared->path.local_segments) && + !safely_nested) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of clip path 
"PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + pcpath->path = shared->path; +--- a/base/gxpath.c ++++ b/base/gxpath.c +@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * + { + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *ppath = *shared; +@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * sha + ppath->procs = &default_path_procs; + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + gs_free_object(mem, ppath, cname); + return 0; + } +@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppat + { + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *ppath = *shared; +--- a/base/szlibc.c ++++ b/base/szlibc.c +@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data) + gs_free_object(mem, data, "s_zlib_free(data)"); + for (; ; block = block->next) { + if (block == 0) { ++#ifdef DEBUG + lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data); ++#endif + return; + } + if (block->data == data) +--- a/devices/gdevupd.c ++++ b/devices/gdevupd.c +@@ -1040,8 +1040,13 @@ upd_print_page(gx_device_printer *pdev, + */ + if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) { + #if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS) ++#ifdef DEBUG + errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n", + (intptr_t)udev,(intptr_t) out); ++#else ++ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n", ++ (intptr_t)udev,(intptr_t) out); ++#endif + #endif + return_error(gs_error_undefined); + } +--- 
a/devices/vector/gdevpdtb.c ++++ b/devices/vector/gdevpdtb.c +@@ -371,7 +371,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, + font_name.size -= SUBSET_PREFIX_SIZE; + } + } else { +- gs_snprintf(fnbuf, sizeof(fnbuf), ".F" PRI_INTPTR, (intptr_t)copied); ++ gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous"); + font_name.data = (byte *)fnbuf; + font_name.size = strlen(fnbuf); + } +--- a/psi/ialloc.c ++++ b/psi/ialloc.c +@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, + size = num_refs * sizeof(ref); + break; + default: +- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!", ++ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!", + r_type(parr), num_refs, (intptr_t)obj); + return; + } +--- a/psi/igc.c ++++ b/psi/igc.c +@@ -1062,7 +1062,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_ + + if (cp == 0) { /* We were tracing outside collectible */ + /* storage. This can't happen. */ +- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n", ++ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n", + (intptr_t)cptr); + gs_abort(pstate->heap); + } +@@ -1291,7 +1291,7 @@ igc_reloc_struct_ptr(const void /*obj_he + + if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj ctop) { + if (back > (cp->ctop - cp->cbase) >> obj_back_shift) { +- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n", ++ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n", + back, (intptr_t)obj); + gs_abort(NULL); + } +--- a/psi/igcstr.c ++++ b/psi/igcstr.c +@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint si + return false; + #ifdef DEBUG + if (ptr < cp->ctop) { +- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", ++ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", + (intptr_t)ptr, size, (intptr_t)cp->ctop, (intptr_t)cp->climit); + return false; + } else if (ptr + size > cp->climit) { /* +@@ -171,7 +171,7 @@ 
gc_string_mark(const byte * ptr, uint si + while (ptr == scp->climit && scp->outer != 0) + scp = scp->outer; + if (ptr + size > scp->climit) { +- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", ++ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", + (intptr_t)ptr, size, + (intptr_t)scp->ctop, (intptr_t)scp->climit); + return false; +--- a/psi/iinit.c ++++ b/psi/iinit.c +@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p) + if (def->proc != 0) { + code = def->proc(i_ctx_p); + if (code < 0) { ++#ifdef DEBUG + lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n", + (intptr_t)def->proc, code); ++#else ++ lprintf("op_init proc returned error !\n"); ++#endif + return code; + } + } +--- a/psi/imainarg.c ++++ b/psi/imainarg.c +@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instanc + if (gs_debug[':'] && !have_dumped_args) { + int i; + +- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ", ++ if (gs_debug_c(gs_debug_flag_init_details)) ++ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ", + (intptr_t)minst); + for (i=1; iheap, "%s ", argv[i]); +--- a/psi/isave.c ++++ b/psi/isave.c +@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *me + else if (r_is_struct(pcont)) + cp->offset = (byte *) where - (byte *) pcont->value.pstruct; + else { +- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n", ++ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n", + r_type(pcont), (intptr_t) pcont, (intptr_t) where); + gs_abort((const gs_memory_t *)mem); + } +--- a/psi/iutil.c ++++ b/psi/iutil.c +@@ -537,7 +537,11 @@ other: + break; + } + /* Internal operator, no name. 
*/ ++#if DEBUG + gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc); ++#else ++ gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc); ++#endif + break; + } + case t_real: diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0015-Fix-compiler-warning-in-optimised-build.patch ghostscript-10.0.0~dfsg/debian/patches/0015-Fix-compiler-warning-in-optimised-build.patch --- ghostscript-10.0.0~dfsg/debian/patches/0015-Fix-compiler-warning-in-optimised-build.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0015-Fix-compiler-warning-in-optimised-build.patch 2024-08-24 19:12:40.000000000 +0000 
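Review bot: The psi/iutil.c hunk tests `#if DEBUG` while every other new guard in this patch uses `#ifdef DEBUG`; a build that defines DEBUG with an empty value (`-DDEBUG=`, or a bare `#define DEBUG` in a config header) makes `#if DEBUG` a preprocessor error, and the two spellings also disagree when DEBUG is defined as 0. The `#else` branch still passes `(intptr_t) op->value.opproc` to `gs_snprintf` with no matching conversion specifier, the same stray-argument pattern that 0016-Coverity-IDs-414141-414145.patch removes from gdevupd.c; it should become `#ifdef DEBUG` with `gs_snprintf(buf, sizeof(buf), "@anonymous_operator");` in the release branch. Separately, the release-build message in psi/iinit.c, `lprintf("op_init proc returned error !\n");`, drops the error code although only the function pointer is sensitive; `lprintf1("op_init proc returned error %d!\n", code);` keeps the diagnostic without printing an address. The enclosing functions of every file in this hunk start and end outside the quoted context.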
@@ -0,0 +1,37 @@ +From: Chris Liddell +Date: Wed, 14 Feb 2024 14:03:22 +0000 +Subject: Fix compiler warning in optimised build +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=147e5abd63d82c9ec3587c6f67a5d8ec7dc38e61 + +We were declaring a local memory pointer only used in a debug build, use the +pointer from the structure directly instead. +--- + base/gsicc_cache.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c +index c3026c1364c5..c1fe3082184c 100644 +--- a/base/gsicc_cache.c ++++ b/base/gsicc_cache.c +@@ -606,15 +606,14 @@ gsicc_remove_link(gsicc_link_t *link) + { + gsicc_link_t *curr, *prev; + gsicc_link_cache_t *icc_link_cache = link->icc_link_cache; +- const gs_memory_t *memory = link->memory; + +- if_debug2m(gs_debug_flag_icc, memory, ++ if_debug2m(gs_debug_flag_icc, link->memory, + "[icc] Removing link = "PRI_INTPTR" memory = "PRI_INTPTR"\n", +- (intptr_t)link, (intptr_t)memory); ++ (intptr_t)link, (intptr_t)link->memory); + /* NOTE: link->ref_count must be 0: assert ? */ + gx_monitor_enter(icc_link_cache->lock); + if (link->ref_count != 0) { +- if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); ++ if_debug2m(gs_debug_flag_icc, link->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); + } + curr = icc_link_cache->head; + prev = NULL; +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0016-Coverity-IDs-414141-414145.patch ghostscript-10.0.0~dfsg/debian/patches/0016-Coverity-IDs-414141-414145.patch --- ghostscript-10.0.0~dfsg/debian/patches/0016-Coverity-IDs-414141-414145.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0016-Coverity-IDs-414141-414145.patch 2024-08-24 19:14:43.000000000 +0000 
@@ -0,0 +1,29 @@ +From: Ken Sharp +Date: Sat, 27 Jan 2024 09:30:30 +0000 +Subject: Coverity IDs 414141 & 414145 +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d084021e06ba1caa1373fbbcf24a8510f43830ab + +These are the same problem reported two different ways. I forgot to +remove the arguments to errprintf when I removed the format specifiers +from the string as part of reviewing the pointer printing. +--- + devices/gdevupd.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/devices/gdevupd.c b/devices/gdevupd.c +index cb479d21f8eb..c9389e7bc76d 100644 +--- a/devices/gdevupd.c ++++ b/devices/gdevupd.c +@@ -1044,8 +1044,7 @@ upd_print_page(gx_device_printer *pdev, gp_file *out) + errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n", + (intptr_t)udev,(intptr_t) out); + #else +- errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n", +- (intptr_t)udev,(intptr_t) out); ++ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n"); + #endif + #endif + return_error(gs_error_undefined); +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0017-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch ghostscript-10.0.0~dfsg/debian/patches/0017-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch --- ghostscript-10.0.0~dfsg/debian/patches/0017-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0017-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch 2024-08-24 19:29:52.000000000 +0000 
@@ -0,0 +1,37 @@ +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:55:49 +0000 +Subject: Bug 707510 - don't allow PDF files with bad Filters to overflow the + debug buffer +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=77dc7f699beba606937b7ea23b50cf5974fa64b1 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707510 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-29506 + +Item #2 of the report. + +Allocate a buffer to hold the filter name, instead of assuming it will +fit in a fixed buffer. + +Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like +this. +--- + pdf/pdf_file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/pdf/pdf_file.c ++++ b/pdf/pdf_file.c +@@ -777,10 +777,14 @@ static int pdfi_apply_filter(pdf_context + + if (ctx->args.pdfdebug) + { +- char str[100]; ++ char *str; ++ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug"); ++ if (str == NULL) ++ return_error(gs_error_VMerror); + memcpy(str, (const char *)n->data, n->length); + str[n->length] = '\0'; + dmprintf1(ctx->memory, "FILTER NAME:%s\n", str); ++ gs_free_object(ctx->memory, str, "temp string for debug"); + } + + if (pdfi_name_is(n, "RunLengthDecode")) { diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0018-Bug-707510-don-t-use-strlen-on-passwords.patch ghostscript-10.0.0~dfsg/debian/patches/0018-Bug-707510-don-t-use-strlen-on-passwords.patch --- ghostscript-10.0.0~dfsg/debian/patches/0018-Bug-707510-don-t-use-strlen-on-passwords.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0018-Bug-707510-don-t-use-strlen-on-passwords.patch 2024-08-24 19:29:52.000000000 +0000 
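Review bot: The new `if (str == NULL) return_error(gs_error_VMerror);` in pdfi_apply_filter turns a debug-only diagnostic into a failure path: with `-dPDFDEBUG` on, an allocation failure now abandons filter application, whereas the same input with debugging off is processed normally. A diagnostic should not change control flow, so I would drop the return and instead wrap the existing memcpy/terminate/dmprintf1/gs_free_object lines in `if (str != NULL) { ... }`, which keeps the two builds behaviourally equivalent. The body of pdfi_apply_filter begins before this hunk, so I also cannot see whether an early return here skips cleanup of anything acquired earlier in the function, a second reason to avoid it. The `n->length + 1` allocation correctly leaves room for the terminator, but `%s` still stops at the first embedded NUL, so a name containing `#00` prints truncated; that is cosmetic, not a bounds problem.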
@@ -0,0 +1,42 @@ +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:58:22 +0000 +Subject: Bug 707510 - don't use strlen on passwords +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=917b3a71fb20748965254631199ad98210d6c2fb +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707510 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-29509 + +Item #1 of the report. This looks like an oversight when first coding +the routine. We should use the PostScript string length, because +PostScript strings may not be NULL terminated (and as here may contain +internal NULL characters). + +Fix the R6 handler which has the same problem too. +--- + pdf/pdf_sec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c +index e968b89c5a00..e02e040f94ef 100644 +--- a/pdf/pdf_sec.c ++++ b/pdf/pdf_sec.c +@@ -1283,7 +1283,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen, + /* If the supplied Password fails as the user *and* owner password, maybe its in + * the locale, not UTF-8, try converting to UTF-8 + */ +- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P); ++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P); + if (code < 0) + return code; + memcpy(P->data, Password, PasswordLen); +@@ -1330,7 +1330,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen, + /* If the supplied Password fails as the user *and* owner password, maybe its in + * the locale, not UTF-8, try converting to UTF-8 + */ +- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P); ++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P); + if (code < 0) + return code; + memcpy(P->data, Password, PasswordLen); +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0019-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch 
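Review bot: The change in check_password_R5 and check_password_R6 is correct but nothing at the call site says why `strlen` is wrong, so the next edit can reintroduce it; I would add above each `pdfi_object_alloc` call: `/* Password is a PostScript-style string: not NUL-terminated and may contain embedded NULs, so size by PasswordLen, never strlen(). */`. `PasswordLen` is declared `int` in the visible signature and the type of pdfi_object_alloc's size parameter is not shown; if that parameter is unsigned, a negative length would be converted to a huge allocation, so an entry guard `if (PasswordLen < 0) return_error(gs_error_rangecheck);` is cheap insurance unless all callers are known to guarantee a non-negative value. Both functions begin and end outside this hunk.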
ghostscript-10.0.0~dfsg/debian/patches/0019-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
--- ghostscript-10.0.0~dfsg/debian/patches/0019-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-10.0.0~dfsg/debian/patches/0019-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch 2024-08-24 19:29:52.000000000 +0000
@@ -0,0 +1,85 @@ +From: Chris Liddell +Date: Wed, 24 Jan 2024 18:25:12 +0000 +Subject: Bug 707510(3): Bounds checks when using CIDFont related params +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7745dbe24514710b0cfba925e608e607dee9eb0f +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707510 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-29507 + +Specifically, for CIDFont substitution. +--- + pdf/pdf_font.c | 45 +++++++++++++++++++++++++++++++++++++++------ + pdf/pdf_warnings.h | 1 + + 2 files changed, 40 insertions(+), 6 deletions(-) + +--- a/pdf/pdf_font.c ++++ b/pdf/pdf_font.c +@@ -237,22 +237,55 @@ pdfi_open_CIDFont_substitute_file(pdf_co + memcpy(fontfname, fsprefix, fsprefixlen); + } + else { +- memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size); +- fsprefixlen = ctx->args.cidfsubstpath.size; ++ if (ctx->args.cidfsubstpath.size + 1 > gp_file_name_sizeof) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstPath parameter too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ goto exit; ++ } ++ code = 0; ++ memcpy(fontfname, fsprefix, fsprefixlen); ++ } ++ else { ++ memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size); ++ fsprefixlen = ctx->args.cidfsubstpath.size; ++ } + } + + if (ctx->args.cidfsubstfont.data == NULL) { + int len = 0; +- if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) { +- (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen); ++ if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0) { ++ if (len + fsprefixlen + 1 > gp_file_name_sizeof) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSUBSTFONT environment variable too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ 
goto exit; ++ } ++ code = 0; ++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); ++ } ++ else { ++ (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen); ++ } + } + else { + memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); + } + } + else { +- memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size); +- defcidfallacklen = ctx->args.cidfsubstfont.size; ++ if (ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstFont parameter too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ goto exit; ++ } ++ code = 0; ++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); ++ } ++ else { ++ memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size); ++ defcidfallacklen = ctx->args.cidfsubstfont.size; ++ } + } + fontfname[fsprefixlen + defcidfallacklen] = '\0'; + +--- a/pdf/pdf_warnings.h ++++ b/pdf/pdf_warnings.h +@@ -68,4 +68,5 @@ PARAM(W_PDF_INT_AS_REAL, "fou + PARAM(PDF_W_NO_TREE_LIMITS, "Name tree node missing required Limits entry"), + PARAM(PDF_W_BAD_TREE_LIMITS, "Name tree node Limits array does not have 2 entries"), + PARAM(PDF_W_NAMES_ARRAY_SIZE, "Name tree Names array size not a mulitple of 2"), ++PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."), + #undef PARAM diff -Nru ghostscript-10.0.0~dfsg/debian/patches/series ghostscript-10.0.0~dfsg/debian/patches/series --- ghostscript-10.0.0~dfsg/debian/patches/series 2024-05-09 20:16:57.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/series 2024-08-24 19:29:52.000000000 +0000 
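Review bot: The CIDFSubstFont parameter branch in pdfi_open_CIDFont_substitute_file bounds-checks only `ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1` and copies at `fontfname` (offset 0), but the terminator is then written at `fontfname[fsprefixlen + defcidfallacklen]`, which that check does not cover: with the prefix already counted in `fsprefixlen`, `fsprefixlen + size` can reach or exceed `gp_file_name_sizeof`, leaving a one-byte NUL write past the buffer for an accepted but long parameter. This assumes `fontfname` is `gp_file_name_sizeof` bytes as the other checks imply; its declaration, like the start and the `exit:` end of the function, is outside the hunk. The two sibling branches copy at `fontfname + fsprefixlen` and test `len + fsprefixlen + 1 > gp_file_name_sizeof`, so the parameter branch should match them: `if (fsprefixlen + ctx->args.cidfsubstfont.size + 1 > gp_file_name_sizeof)` and `memcpy(fontfname + fsprefixlen, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size);`. If the copy at offset 0 is intentional because the parameter is a full path replacing the prefix, then `fsprefixlen = 0;` belongs in that branch so the terminator lands right after the copied bytes instead of past stale or uninitialised ones. The second `gp_getenv` call also passes `&defcidfallacklen` as its in/out buffer length; if that still holds the default fallback's length rather than the space remaining, a longer environment value would fail that call silently, which is worth confirming against gp_getenv's contract.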
@@ -11,6 +11,12 @@
 0011-Bug-707691-part-2.patch
 0012-Bug-707686.patch
 0013-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch
+0014-Bug-707510-review-printing-of-pointers.patch
+0015-Fix-compiler-warning-in-optimised-build.patch
+0016-Coverity-IDs-414141-414145.patch
+0017-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
+0018-Bug-707510-don-t-use-strlen-on-passwords.patch
+0019-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
 1004_enable_spot_devices.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch