authorPavel Vinogradov2019-03-22 17:47:01 -0400
committerPavel Vinogradov2019-03-22 17:47:01 -0400
commit0108f1a8bde9c7f8f57f133eeeda50b17ec6216d (patch)
tree0e2f5827efe9fc348ab5a3d8423e9d0335e2bc66 /printer
parentd6796d8dee8062db40f3624f17e6472d9384ec3e (diff)
printer/ghostscript: SECURITY_PATCH++, (CVE-2019-3835 and CVE-2019-3838)
Diffstat (limited to 'printer')
-rwxr-xr-xprinter/ghostscript/DETAILS2
-rw-r--r--printer/ghostscript/HISTORY4
-rw-r--r--printer/ghostscript/patches/0007-cve-2019-3835-3838.patch270
-rw-r--r--printer/ghostscript/patches/0008-cve-2019-3835-3838.patch162
4 files changed, 437 insertions, 1 deletions
diff --git a/printer/ghostscript/DETAILS b/printer/ghostscript/DETAILS
index c7521a9ab3..ed84b33023 100755
--- a/printer/ghostscript/DETAILS
+++ b/printer/ghostscript/DETAILS
@@ -1,7 +1,7 @@
SPELL=ghostscript
VERSION=9.26
SOURCE_HASH="sha512:3ddb83029edf32282357bf606f4045a9ac73df6543cd423cfad09158ec12ada083a0dbb5aac3b73ae24cbc6c1e9d7574257a5c1fae63ba8776fbb00150ef2a3e:UPSTREAM_HASH"
- SECURITY_PATCH=6
+ SECURITY_PATCH=7
SOURCE=$SPELL-$VERSION.tar.xz
SOURCE_DIRECTORY="$BUILD_DIRECTORY/$SPELL-$VERSION"
WEB_SITE=http://www.ghostscript.com/
diff --git a/printer/ghostscript/HISTORY b/printer/ghostscript/HISTORY
index 31fa1d7806..333c3ab224 100644
--- a/printer/ghostscript/HISTORY
+++ b/printer/ghostscript/HISTORY
@@ -1,3 +1,7 @@
+2019-03-22 Pavel Vinogradov <public@sourcemage.org>
+ * DETAILS. patches/000{7,8}-cve-2019-3835-3838.patch: SECURITY_PATCH++,
+ (CVE-2019-3835 and CVE-2019-3838)
+
2019-01-1-26 Treeve Jelbert <treeve@sourcemage.org>
* CONFIGURE: acutally remove omni support
diff --git a/printer/ghostscript/patches/0007-cve-2019-3835-3838.patch b/printer/ghostscript/patches/0007-cve-2019-3835-3838.patch
new file mode 100644
index 0000000000..abb4b0f59c
--- /dev/null
+++ b/printer/ghostscript/patches/0007-cve-2019-3835-3838.patch
@@ -0,0 +1,270 @@
+From 205591753126802da850ada6511a0ff8411aa287 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Thu, 14 Feb 2019 10:20:03 -0800
+Subject: [PATCH] Fix bug 700585: Restrict superexec and remove it from
+ internals and gs_cet.ps
+
+Also while changing things, restructure the CETMODE so that it will
+work with -dSAFER. The gs_cet.ps is now run when we are still at save
+level 0 with systemdict writeable. Allows us to undefine .makeoperator
+and .setCPSImode internal operators after CETMODE is handled.
+
+Change previous uses of superexec to using .forceput (with the usual
+.bind executeonly to hide it).
+---
+ Resource/Init/gs_cet.ps | 37 ++++++++++++++-----------------------
+ Resource/Init/gs_dps1.ps | 2 +-
+ Resource/Init/gs_fonts.ps | 8 ++++----
+ Resource/Init/gs_init.ps | 38 +++++++++++++++++++++++++++-----------
+ Resource/Init/gs_ttf.ps | 8 ++++----
+ Resource/Init/gs_type1.ps | 6 +++---
+ 6 files changed, 53 insertions(+), 46 deletions(-)
+
+diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps
+index d47febf..54f17c6 100644
+--- a/Resource/Init/gs_cet.ps
++++ b/Resource/Init/gs_cet.ps
+@@ -1,28 +1,23 @@
+ %!PS
+ % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET
+
+-% do this in the server level so it is persistent across jobs
+-//true 0 startjob not {
+- (*** Warning: CET startup is not in server default) = flush
+-} if
++% Note: this must be run at save level 0 and when systemdict is writeable
++currentglobal //true setglobal
++systemdict dup dup dup
++/version (3017.102) readonly .forceput % match CPSI 3017.102
++/product (PhotoPRINT SE 5.0v2) readonly .forceput % match CPSI 3017.102
++/revision 0 put % match CPSI 3017.103 Tek shows revision 5
++/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI 3017.102 Tek shows serialnumber 1401788461
++
++systemdict /.odef { % <name> <proc> odef -
++ 1 index exch //.makeoperator def
++} .bind .forceput % this will be undefined at the end
+
+ 300 .sethiresscreen % needed for language switch build since it
+ % processes gs_init.ps BEFORE setting the resolution
+
+ 0 array 0 setdash % CET 09-08 wants local setdash
+
+-currentglobal //true setglobal
+-
+-{
+- systemdict dup dup dup
+- /version (3017.102) readonly put % match CPSI 3017.102
+- /product (PhotoPRINT SE 5.0v2) readonly put % match CPSI 3017.102
+- /revision 0 put % match CPSI 3017.103 Tek shows revision 5
+- /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461
+- systemdict /deviceinfo undef % for CET 20-23-1
+-% /UNROLLFORMS true put % CET files do unreasonable things inside forms
+-} 1183615869 internaldict /superexec get exec
+-
+ /UNROLLFORMS true def
+
+ { } bind dup
+@@ -106,6 +101,7 @@
+ } ifelse
+ ofnfa
+ } bind def
+-% end of slightly nasty hack to give consistent cluster results
+
+-//false 0 startjob pop % re-enter encapsulated mode
++systemdict /.odef .undef
++
++% end of slightly nasty hack to give consistent cluster results
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index 0b0dff3..7cf29b4 100644
+--- a/Resource/Init/gs_dps1.ps
++++ b/Resource/Init/gs_dps1.ps
+@@ -89,7 +89,7 @@ level2dict begin
+ % definition, copy it into the local directory.
+ //systemdict /SharedFontDirectory .knownget
+ { 1 index .knownget
+- { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
++ { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly
+ if
+ }
+ if
+diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
+index 541b20c..0ec95eb 100644
+--- a/Resource/Init/gs_fonts.ps
++++ b/Resource/Init/gs_fonts.ps
+@@ -521,11 +521,11 @@ buildfontdict 3 /.buildfont3 cvx put
+ % the font in LocalFontDirectory.
+ .currentglobal
+ { //systemdict /LocalFontDirectory .knownget
+- { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
++ { 2 index 2 index .forceput } % readonly
+ if
+ }
+ if
+- dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
++ dup //.FontDirectory 4 -2 roll .forceput % readonly
+ % If the font originated as a resource, register it.
+ currentfile .currentresourcefile eq { dup .registerfont } if
+ readonly
+@@ -1193,13 +1193,13 @@ $error /SubstituteFont { } put
+ //.FontDirectory 1 index known not {
+ 2 dict dup /FontName 3 index put
+ dup /FontType 1 put
+- //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
++ //.FontDirectory 3 1 roll //.forceput exec % readonly
+ } {
+ pop
+ } ifelse
+ } forall
+ } forall
+- }
++ } executeonly % hide .forceput
+ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
+
+ % Install initial fonts from Fontmap.
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index dce6ed4..bfda301 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2204,9 +2204,6 @@ SAFER { .setsafeglobal } if
+ /.endtransparencygroup % transparency-example.ps
+ /.setdotlength % Bug687720.ps
+ /.sort /.setdebug /.mementolistnewblocks /getenv
+-
+- /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER
+-
+ /unread
+ ]
+ {systemdict exch .forceundef} forall
+@@ -2296,7 +2293,6 @@ SAFER { .setsafeglobal } if
+
+ % Used by our own test suite files
+ %/.fileposition %image-qa.ps
+- %/.makeoperator /.setCPSImode % gs_cet.ps
+
+ % Either our code uses these in ways which mean they can't be undefined, or they are used directly by
+ % test files/utilities, or engineers expressed a desire to keep them visible.
+@@ -2476,6 +2472,16 @@ end
+ /vmreclaim where
+ { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if
+ } if
++
++% Do this before systemdict is locked (see below for additional CETMODE setup using gs_cet.ps)
++systemdict /CETMODE .knownget {
++ {
++ (gs_cet.ps) runlibfile
++ } if
++} if
++systemdict /.makeoperator .undef % must be after gs_cet.ps
++systemdict /.setCPSImode .undef % must be after gs_cet.ps
++
+ DELAYBIND not {
+ systemdict /.bindnow .undef % We only need this for DELAYBIND
+ systemdict /.forcecopynew .undef % remove temptation
+@@ -2483,16 +2489,29 @@ DELAYBIND not {
+ systemdict /.forceundef .undef % ditto
+ } if
+
+-% Move superexec to internaldict if superexec is defined.
+-systemdict /superexec .knownget {
+- 1183615869 internaldict /superexec 3 -1 roll put
+- systemdict /superexec .undef
++% Move superexec to internaldict if superexec is defined. (Level 2 or later)
++systemdict /superexec known {
++ % restrict superexec to single known use by PScript5.dll
++ % We could do this only for SAFER mode, but internaldict and superexec are
++ % not very well documented, and we don't want them to be used.
++ 1183615869 internaldict /superexec {
++ 2 index /Private eq % first check for typical use in PScript5.dll
++ 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec
++ 1 index 0 get systemdict /put get eq and
++ {
++ //superexec exec % the only usage we allow
++ } {
++ /superexec load /invalidaccess signalerror
++ } ifelse
++ } bind cvx executeonly put
++ systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator
+ } if
+
+ % Can't remove this one until the last minute :-)
+ DELAYBIND not {
+ systemdict /.undef .undef
+ } if
++
+ WRITESYSTEMDICT {
+ SAFER {
+ (\n *** WARNING - you have selected SAFER, indicating you want Ghostscript\n) print
+diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
+index 95b5cca..135ce93 100644
+--- a/Resource/Init/gs_ttf.ps
++++ b/Resource/Init/gs_ttf.ps
+@@ -1301,7 +1301,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ TTFDEBUG { (\n1 setting alias: ) print dup ==only
+ ( to be the same as ) print 2 index //== exec } if
+
+- 7 index 2 index 3 -1 roll exch //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
++ 7 index 2 index 3 -1 roll exch .forceput
+ } forall
+ pop pop pop
+ }
+@@ -1319,7 +1319,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ exch pop
+ TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
+ ( to use glyph index: ) print dup //== exec } if
+- 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
++ 5 index 3 1 roll .forceput
+ //false
+ }
+ {
+@@ -1336,7 +1336,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
+ TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
+ ( to be index: ) print dup //== exec } if
+- exch pop 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
++ exch pop 5 index 3 1 roll .forceput
+ }
+ {
+ pop pop
+@@ -1486,7 +1486,7 @@
+ } ifelse
+ ]
+ TTFDEBUG { (Encoding: ) print dup === flush } if
+-} bind def
++} .bind executeonly odef % hides .forceput
+
+ % to be removed 9.09......
+ currentdict /postalias undef
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index a680ac1..a03d48e 100644
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -116,7 +116,7 @@
+ { % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname aglname
+ CFFDEBUG { (\nsetting alias: ) print dup ==only
+ ( to be the same as glyph: ) print 1 index //== exec } if
+- 3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
++ 3 index exch 3 index .forceput
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+ }
+ {pop} ifelse
+@@ -135,7 +135,7 @@
+ 3 1 roll pop pop
+ } if
+ pop
+- dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
++ dup /.AGLprocessed~GS //true .forceput
+ } if
+
+ %% We need to excute the C .buildfont1 in a stopped context so that, if there
+@@ -148,7 +148,7 @@
+ {//.buildfont1} stopped
+ 4 3 roll .setglobal
+ {//.buildfont1 $error /errorname get signalerror} if
+- } bind def
++ } .bind executeonly def % hide .forceput
+
+ % container for CloseSource flag (default //true to prevent buildup of file handles)
+ /closesourcedict mark
+--
+2.9.1
+
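Review bot: Both imported patches cite only upstream Bug 700585 (superexec) in their Subject lines (the 0007 header at the top of this hunk and the 0008 header in the next file), while the commit title and the HISTORY entry credit them with fixing both CVE-2019-3835 and CVE-2019-3838; nothing on the page ties the second CVE to these two upstream commits. Confirm against the upstream advisory that both identifiers are covered by these changes, and if the other CVE needs a separate upstream commit, add it as a further patch rather than claiming it here. Recording the upstream commit ids in HISTORY, e.g. `* patches: upstream commits 2055917531 and d683d1e645 (Bug 700585)`, would make the mapping auditable at the next security bump.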
diff --git a/printer/ghostscript/patches/0008-cve-2019-3835-3838.patch b/printer/ghostscript/patches/0008-cve-2019-3835-3838.patch
new file mode 100644
index 0000000000..f41f591d4c
--- /dev/null
+++ b/printer/ghostscript/patches/0008-cve-2019-3835-3838.patch
@@ -0,0 +1,162 @@
+From d683d1e6450d74619e6277efeebfc222d9a5cb91 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Sun, 24 Feb 2019 22:01:04 -0800
+Subject: [PATCH] Bug 700585: Obliterate "superexec". We don't need it, nor do
+ any known apps.
+
+We were under the impression that the Windows driver 'PScript5.dll' used
+superexec, but after testing with our extensive suite of PostScript file,
+and analysis of the PScript5 "Adobe CoolType ProcSet, it does not appear
+that this operator is needed anymore. Get rid of superexec and all of the
+references to it, since it is a potential security hole.
+---
+ Resource/Init/gs_init.ps | 18 ------------------
+ psi/icontext.c | 1 -
+ psi/icstate.h | 1 -
+ psi/zcontrol.c | 30 ------------------------------
+ psi/zdict.c | 6 ++----
+ psi/zgeneric.c | 3 +--
+ 6 files changed, 3 insertions(+), 56 deletions(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 4102d0d..1ca2775 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2563,24 +2563,6 @@ DELAYBIND not {
+ systemdict /.forceundef .undef % ditto
+ } if
+
+-% Move superexec to internaldict if superexec is defined. (Level 2 or later)
+-systemdict /superexec known {
+- % restrict superexec to single known use by PScript5.dll
+- % We could do this only for SAFER mode, but internaldict and superexec are
+- % not very well documented, and we don't want them to be used.
+- 1183615869 internaldict /superexec {
+- 2 index /Private eq % first check for typical use in PScript5.dll
+- 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec
+- 1 index 0 get systemdict /put get eq and
+- {
+- //superexec exec % the only usage we allow
+- } {
+- /superexec load /invalidaccess signalerror
+- } ifelse
+- } bind cvx executeonly put
+- systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator
+-} if
+-
+ % Can't remove this one until the last minute :-)
+ DELAYBIND not {
+ systemdict /.undef .undef
+diff --git a/psi/icontext.c b/psi/icontext.c
+index c4110ca..a48d8d8 100644
+--- a/psi/icontext.c
++++ b/psi/icontext.c
+@@ -151,7 +151,6 @@
+ pcst->rand_state = rand_state_initial;
+ pcst->usertime_total = 0;
+ pcst->keep_usertime = false;
+- pcst->in_superexec = 0;
+ pcst->plugin_list = 0;
+ make_t(&pcst->error_object, t__invalid);
+ { /*
+diff --git a/psi/icstate.h b/psi/icstate.h
+index ba207cf..b06ba3f 100644
+--- a/psi/icstate.h
++++ b/psi/icstate.h
+@@ -54,7 +54,6 @@
+ long usertime_total; /* total accumulated usertime, */
+ /* not counting current time if running */
+ bool keep_usertime; /* true if context ever executed usertime */
+- int in_superexec; /* # of levels of superexec */
+ /* View clipping is handled in the graphics state. */
+ ref error_object; /* t__invalid or error object from operator */
+ ref userparams; /* t_dictionary */
+diff --git a/psi/zcontrol.c b/psi/zcontrol.c
+index e95d39b..8f7f6d0 100644
+--- a/psi/zcontrol.c
++++ b/psi/zcontrol.c
+@@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p)
+ return o_push_estack;
+ }
+
+-/* <obj> superexec - */
+-static int end_superexec(i_ctx_t *);
+-static int
+-zsuperexec(i_ctx_t *i_ctx_p)
+-{
+- os_ptr op = osp;
+- es_ptr ep;
+-
+- check_op(1);
+- if (!r_has_attr(op, a_executable))
+- return 0; /* literal object just gets pushed back */
+- check_estack(2);
+- ep = esp += 3;
+- make_mark_estack(ep - 2, es_other, end_superexec); /* error case */
+- make_op_estack(ep - 1, end_superexec); /* normal case */
+- ref_assign(ep, op);
+- esfile_check_cache();
+- pop(1);
+- i_ctx_p->in_superexec++;
+- return o_push_estack;
+-}
+-static int
+-end_superexec(i_ctx_t *i_ctx_p)
+-{
+- i_ctx_p->in_superexec--;
+- return 0;
+-}
+-
+ /* <array> <executable> .runandhide <obj> */
+ /* before executing <executable>, <array> is been removed from */
+ /* the operand stack and placed on the execstack with attributes */
+@@ -971,8 +943,6 @@ const op_def zcontrol3_op_defs[] = {
+ {"0%loop_continue", loop_continue},
+ {"0%repeat_continue", repeat_continue},
+ {"0%stopped_push", stopped_push},
+- {"1superexec", zsuperexec},
+- {"0%end_superexec", end_superexec},
+ {"2.runandhide", zrunandhide},
+ {"0%end_runandhide", end_runandhide},
+ op_def_end(0)
+diff --git a/psi/zdict.c b/psi/zdict.c
+index 33be181..48fcc00 100644
+--- a/psi/zdict.c
++++ b/psi/zdict.c
+@@ -212,8 +212,7 @@ zundef(i_ctx_t *i_ctx_p)
+ int code;
+
+ check_type(*op1, t_dictionary);
+- if (i_ctx_p->in_superexec == 0)
+- check_dict_write(*op1);
++ check_dict_write(*op1);
+ code = idict_undef(op1, op);
+ if (code < 0 && code != gs_error_undefined) /* ignore undefined error */
+ return code;
+@@ -504,8 +503,7 @@ zsetmaxlength(i_ctx_t *i_ctx_p)
+ int code;
+
+ check_type(*op1, t_dictionary);
+- if (i_ctx_p->in_superexec == 0)
+- check_dict_write(*op1);
++ check_dict_write(*op1);
+ check_type(*op, t_integer);
+ if (op->value.intval < 0)
+ return_error(gs_error_rangecheck);
+diff --git a/psi/zgeneric.c b/psi/zgeneric.c
+index 43c4bc4..3a5e398 100644
+--- a/psi/zgeneric.c
++++ b/psi/zgeneric.c
+@@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p)
+
+ switch (r_type(op2)) {
+ case t_dictionary:
+- if (i_ctx_p->in_superexec == 0)
+- check_dict_write(*op2);
++ check_dict_write(*op2);
+ {
+ int code = idict_put(op2, op1, op);
+
+--
+2.9.1
+
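Review bot: The gs_init.ps hunk in this patch (`@@ -2563,24 +2563,6 @@`) removes the restricted superexec wrapper that patch 0007 inserts at `@@ -2483,16 +2489,29 @@`; the roughly 80-line difference between the two bases suggests 0008 was generated against a later upstream tree than the 9.26 tarball plus 0007, so it will at best apply with an offset. If that hunk were rejected, the zcontrol.c hunk would still remove the `superexec` operator while gs_init.ps kept the `//superexec` reference in the wrapper, which would likely break interpreter startup rather than fail loudly at build time. The spell should verify both patches apply without rejects (for example a `patch --dry-run -p1` pass in the build step) before this is merged.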