Version in base suite: 10.0.0~dfsg-11+deb12u7 Base version: ghostscript_10.0.0~dfsg-11+deb12u7 Target version: ghostscript_10.0.0~dfsg-11+deb12u8 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/ghostscript/ghostscript_10.0.0~dfsg-11+deb12u7.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/ghostscript/ghostscript_10.0.0~dfsg-11+deb12u8.dsc changelog | 10 patches/0039-Bug-708606-Catch-a-null-file-pointer-closing-pdfwrit.patch | 46 +++ patches/0040-pdfwrite-bounds-check-some-strings.patch | 43 +++ patches/0041-pdfwrite-avoid-buffer-overrun.patch | 136 ++++++++++ patches/series | 3 5 files changed, 238 insertions(+) diff -Nru ghostscript-10.0.0~dfsg/debian/changelog ghostscript-10.0.0~dfsg/debian/changelog --- ghostscript-10.0.0~dfsg/debian/changelog 2025-03-26 09:10:35.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/changelog 2025-10-05 08:11:09.000000000 +0000 @@ -1,3 +1,13 @@ +ghostscript (10.0.0~dfsg-11+deb12u8) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Catch a null file pointer closing pdfwrite (CVE-2025-7462) + (Closes: #1109270) + * pdfwrite - bounds check some strings (CVE-2025-59799) (Closes: #1116443) + * pdfwrite - avoid buffer overrun (CVE-2025-59798) (Closes: #1116444) + + -- Salvatore Bonaccorso Sun, 05 Oct 2025 10:11:09 +0200 + ghostscript (10.0.0~dfsg-11+deb12u7) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0039-Bug-708606-Catch-a-null-file-pointer-closing-pdfwrit.patch ghostscript-10.0.0~dfsg/debian/patches/0039-Bug-708606-Catch-a-null-file-pointer-closing-pdfwrit.patch --- ghostscript-10.0.0~dfsg/debian/patches/0039-Bug-708606-Catch-a-null-file-pointer-closing-pdfwrit.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0039-Bug-708606-Catch-a-null-file-pointer-closing-pdfwrit.patch 2025-10-05 08:04:50.000000000 +0000 @@ -0,0 +1,46 @@ +From: Chris Liddell +Date: Wed, 25 Jun 2025 13:23:41 +0100 +Subject: Bug 708606: Catch a null file pointer closing pdfwrite. +Origin: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=619a106ba4c4abed95110f84d5efcd7aee38c7cb +Bug-Debian: https://bugs.debian.org/1109270 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708606 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-7462 + +In the event of an error opening a new output file. + +[Salvatore Bonaccorso: Adapt context for version which do not have yet +1a98e7bf843e ("pdfwrite - Implement XRefStm and ObjStm support") in +ghostpdl-10.03.0rc1] +--- + devices/vector/gdevpdf.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/devices/vector/gdevpdf.c ++++ b/devices/vector/gdevpdf.c +@@ -933,7 +933,12 @@ pdf_open(gx_device * dev) + static int + pdf_ferror(gx_device_pdf *pdev) + { +- gp_fflush(pdev->file); ++ int code = 0; ++ ++ if (pdev->file != NULL) { ++ gp_fflush(pdev->file); ++ code = gp_ferror(pdev->file); ++ } + gp_fflush(pdev->xref.file); + if (pdev->strm->file != NULL) + sflush(pdev->strm); +@@ -943,9 +948,9 @@ pdf_ferror(gx_device_pdf *pdev) + sflush(pdev->streams.strm); + if (pdev->pictures.strm->file != NULL) + sflush(pdev->pictures.strm); +- return gp_ferror(pdev->file) || gp_ferror(pdev->xref.file) || +- gp_ferror(pdev->asides.file) || gp_ferror(pdev->streams.file) || +- gp_ferror(pdev->pictures.file); ++ return gp_ferror(pdev->xref.file) || gp_ferror(pdev->asides.file) || ++ gp_ferror(pdev->streams.file) || gp_ferror(pdev->pictures.file) || ++ code; + } + + /* Compute the dominant text orientation of a page. */ diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0040-pdfwrite-bounds-check-some-strings.patch ghostscript-10.0.0~dfsg/debian/patches/0040-pdfwrite-bounds-check-some-strings.patch --- ghostscript-10.0.0~dfsg/debian/patches/0040-pdfwrite-bounds-check-some-strings.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0040-pdfwrite-bounds-check-some-strings.patch 2025-10-05 08:08:18.000000000 +0000 @@ -0,0 +1,43 @@ +From: Piotr Kajda +Date: Thu, 8 May 2025 11:37:09 +0100 +Subject: pdfwrite - bounds check some strings +Origin: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=6dab38fb211f15226c242ab7a83fa53e4b0ff781 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708517 +Bug-Debian: https://bugs.debian.org/1116443 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-59799 + +Bug #708517 + +This differs very slightly from the proposed patch in the bug report, I +had a quick scout through the C file and found another similar case. + +Both fixed here. +--- + devices/vector/gdevpdfm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c +index 5aa3644e2ec4..4b1d7d89c3e9 100644 +--- a/devices/vector/gdevpdfm.c ++++ b/devices/vector/gdevpdfm.c +@@ -200,6 +200,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING]) + { + const byte *data = dstr->data; + uint size = dstr->size; ++ if (size > MAX_DEST_STRING) ++ return_error(gs_error_limitcheck); + if (size == 0 || data[0] != '(') + return 0; + /****** HANDLE ESCAPES ******/ +@@ -868,6 +870,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd, + char buf[30]; + int d0, d1; + ++ if (Action[1].size > 29) ++ return_error(gs_error_rangecheck); + memcpy(buf, Action[1].data, Action[1].size); + buf[Action[1].size] = 0; + if (sscanf(buf, "%d %d R", &d0, &d1) == 2) +-- +2.51.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0041-pdfwrite-avoid-buffer-overrun.patch ghostscript-10.0.0~dfsg/debian/patches/0041-pdfwrite-avoid-buffer-overrun.patch --- ghostscript-10.0.0~dfsg/debian/patches/0041-pdfwrite-avoid-buffer-overrun.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0041-pdfwrite-avoid-buffer-overrun.patch 2025-10-05 08:10:00.000000000 +0000 @@ -0,0 +1,136 @@ +From: Ken Sharp +Date: Thu, 22 May 2025 12:25:41 +0100 +Subject: pdfwrite - avoid buffer overrun +Origin: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708539 +Bug-Debian: https://bugs.debian.org/1116444 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-59798 + +Bug #708539 "Buffer overflow in pdf_write_cmap" + +The proposed fix in the report solves the buffer overrun, but does not +tackle a number of other problems. + +This commit checks the result of stream_puts() in +pdf_write_cid_system_info_to_stream() and correctly signals an error to +the caller if that fails. + +In pdf_write_cid_system_info we replace a (rather small!) fixed size +buffer with a dynamically allocated one using the lengths of the strings +which pdf_write_cid_system_info_to_stream() will write, and a small +fixed overhead to deal with the keys and initial byte '/'. + +Because 'buf' is used in the stream 's', if it is too small to hold all +the CIDSystemInfo then we would get an error which was simply discarded +previously. + +We now should avoid the potential error by ensuring the buffer is large +enough for all the information, and if we do get an error we no longer +silently ignore it, which would write an invalid PDF file. +--- + devices/vector/gdevpdtw.c | 52 ++++++++++++++++++++++++++++++--------- + 1 file changed, 41 insertions(+), 11 deletions(-) + +diff --git a/devices/vector/gdevpdtw.c b/devices/vector/gdevpdtw.c +index ced15c9b2bbe..fe24dd73accf 100644 +--- a/devices/vector/gdevpdtw.c ++++ b/devices/vector/gdevpdtw.c +@@ -703,7 +703,8 @@ static int + pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s, + const gs_cid_system_info_t *pcidsi, gs_id object_id) + { +- byte *Registry, *Ordering; ++ byte *Registry = NULL, *Ordering = NULL; ++ int code = 0; + + Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry"); + if (!Registry) +@@ -734,14 +735,19 @@ pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s, + } + s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size); + } +- stream_puts(s, "<<\n/Registry"); ++ code = stream_puts(s, "<<\n/Registry"); ++ if (code < 0) ++ goto error; + s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK); +- stream_puts(s, "\n/Ordering"); ++ code = stream_puts(s, "\n/Ordering"); ++ if(code < 0) ++ goto error; + s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK); ++error: + pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement); + gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer"); + gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer"); +- return 0; ++ return code; + } + + int +@@ -786,31 +792,55 @@ pdf_write_cmap(gx_device_pdf *pdev, const gs_cmap_t *pcmap, + *ppres = writer.pres; + writer.pres->where_used = 0; /* CMap isn't a PDF resource. */ + if (!pcmap->ToUnicode) { +- byte buf[200]; ++ byte *buf = NULL; ++ uint64_t buflen = 0; + cos_dict_t *pcd = (cos_dict_t *)writer.pres->object; + stream s; + ++ /* We use 'buf' for the stream 's' below and that needs to have some extra ++ * space for the CIDSystemInfo. We also need an extra byte for the leading '/' ++ * 100 bytes is ample for the overhead. ++ */ ++ buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100; ++ if (buflen > max_uint) ++ return_error(gs_error_limitcheck); ++ ++ buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap"); ++ if (buf == NULL) ++ return_error(gs_error_VMerror); ++ + code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + buf[0] = '/'; + memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size); + code = cos_dict_put_c_key_string(pcd, "/CMapName", + buf, pcmap->CMapName.size + 1); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + s_init(&s, pdev->memory); +- swrite_string(&s, buf, sizeof(buf)); ++ swrite_string(&s, buf, buflen); + code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo", + buf, stell(&s)); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } + code = cos_dict_put_string_copy(pcd, "/Type", "/CMap"); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + return code; ++ } ++ gs_free_object(pdev->memory, buf, "pdf_write_cmap"); + } + if (pcmap->CMapName.size == 0) { + /* Create an arbitrary name (for ToUnicode CMap). */ +-- +2.51.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/series ghostscript-10.0.0~dfsg/debian/patches/series --- ghostscript-10.0.0~dfsg/debian/patches/series 2025-03-26 09:10:17.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/series 2025-10-05 08:10:10.000000000 +0000 @@ -36,6 +36,9 @@ 0036-Bug-708259-Check-TTF-name-size-before-copying-to-buf.patch 0037-PDF-interpreter-Guard-against-unsigned-int-overflow.patch 0038-Fix-Coverity-IDs-457699-and-457700.patch +0039-Bug-708606-Catch-a-null-file-pointer-closing-pdfwrit.patch +0040-pdfwrite-bounds-check-some-strings.patch +0041-pdfwrite-avoid-buffer-overrun.patch 1004_enable_spot_devices.patch 2001_docdir_fix_for_debian.patch 2002_gs_man_fix_debian.patch