aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch
diff options
context:
space:
mode:
authorLiliana Marie Prikler <liliana.prikler@gmail.com>2023-08-01 22:21:09 +0200
committerLiliana Marie Prikler <liliana.prikler@gmail.com>2023-08-01 22:21:09 +0200
commit8de4131b2ddd11faa3394cf497484563068c9e7a (patch)
treeed4ed9e586c7236f09c109afdd416dac18ba8cc3 /gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch
parent15406013fe63f2ab238eec2d7a8adbc586806ac8 (diff)
parent45b7a8bfda5bde2e2daee4bec0ca092cd719d726 (diff)
downloadguix-8de4131b2ddd11faa3394cf497484563068c9e7a.tar.gz
guix-8de4131b2ddd11faa3394cf497484563068c9e7a.zip
Merge branch 'master' into emacs-team
Diffstat (limited to 'gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch')
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch b/gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch
new file mode 100644
index 0000000000..c2a222701f
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch
@@ -0,0 +1,56 @@
+From 0974e4f2ac0005d3731e0b5c13ebc7e965540f4d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+---
+ base/gpmisc.c | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 58511270e..2b0064bea 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1081,7 +1081,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index d2a1aa91d..42af99090 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -743,7 +743,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+@@ -850,7 +850,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+--
+2.34.1
+