Debian 12 GhostScript OPVP regression due to CVE fix backport

WoaaAAAH IT BROKE AGAIN

2025-12-30 10:11

CVE-2024-33871 security vulnerability fix in Ghostscript package of Debian 12 Bookworm has broke OPVP module support, which is used by proprietary Canon printer drivers (Canon CAPT libcanonc3pl.so, libcanoncapt.so).

In other words, after the security issue fix, Canon CAPT printers using OPVP can no longer print.

Triaging the issue

At first, I took the exact version of Ghostscript which is used in Debian from the official website, and compiled it manually. It did not crash.

Then I applied all the Debian patches found in debian/patches directory of Debian packaging archive to the same application version, and it started to crash.
This means that the issue somewhere in Debian patches on top of the original source.

Quick manual bisecting & recompiling process found the culprit: CVE-2024-33871 fix which ended in the 10.0.0~dfsg-11+deb12u8 Debian package version.

But why newer Ghostscript version don't crash? That's because the regression has been spotted and fixed in commit b721bd1, which hasn't been included in the Debian package.

Don't include the NULL terminator in a param string

For some reason, the opvp/oprp device get_params method adds one to the
value of strlen() when return it's parameter strings, even though
gs_param_string contents are not null terminated. That causes the length
validation of the "Driver" parameter to fail, and to throw a spurious error.

So remove the "+ 1" for that param string. I've left the rest of the strings
as is until I have time to do more comprehensive testing.

Reporting the issue to Debian

Debian bug tracking system works over email.
You either need to use reportbug utility or to create the email structure manually, which is a tedious process.
You can't report bugs using the web interface. You can only see messages and status updates, but can't post over web.

Running reportbug on Debian Bookworm in a Docker container has generated the .eml message, which I sent using Thunderbird.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124297

Timeline

The bug has been quickly tagged and assigned to the appropriate maintainer on 30 Dec 2025

No changes since then yet.