author | Pavel Vinogradov | 2019-09-01 03:36:28 -0400 |
---|---|---|
committer | Pavel Vinogradov | 2019-09-01 03:40:24 -0400 |
commit | eed5bc6fd73eccea8ded4765a6fc844087c45938 (patch) | |
tree | a6c89d8733ef21ba903c24630e9941ac304a02ab /printer | |
parent | 687a654728c43b48a59c154c5c01178800bae532 (diff) |
printer/ghostscript: SECURITY_PATCH++, (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817)
Diffstat (limited to 'printer')
4 files changed, 283 insertions, 1 deletions
diff --git a/printer/ghostscript/DETAILS b/printer/ghostscript/DETAILS
index eebf3eb7ca..40a66d8294 100755
--- a/printer/ghostscript/DETAILS
+++ b/printer/ghostscript/DETAILS
@@ -1,7 +1,7 @@
 SPELL=ghostscript
 VERSION=9.27
 SOURCE_HASH="sha512:5e67ad45a80f01c6ef0eabb1c76dfa8fb6e7f0fde8d82fd5daaf12f370c288a672f8fa69c74d9e30255582267e9a906e4e8b13655f8d993fefdfc8dbdb5d5401:UPSTREAM_HASH"
- SECURITY_PATCH=8
+ SECURITY_PATCH=9
 SOURCE=$SPELL-$VERSION.tar.xz
 SOURCE_DIRECTORY="$BUILD_DIRECTORY/$SPELL-$VERSION"
 WEB_SITE=http://www.ghostscript.com/
diff --git a/printer/ghostscript/HISTORY b/printer/ghostscript/HISTORY
index 8e529dec1b..33e5dc0fb0 100644
--- a/printer/ghostscript/HISTORY
+++ b/printer/ghostscript/HISTORY
@@ -1,3 +1,9 @@
+2019-09-01 Pavel Vinogradov <public@sourcemage.org>
+ * DETAILS. 0002-make-forceput-inaccessible.patch,
+ 0003-safer-mode-bypass-by-forceput-exposure-in-pdfexectoken.patch:
+ SECURITY_PATCH++, (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813,
+ CVE-2019-14817)
+
 2019-08-16 Treeve Jelbert <treeve@sourcemage.org>
 * DEPENDS: delete ijs, we conflict with it
diff --git a/printer/ghostscript/patches/0002-make-forceput-inaccessible.patch b/printer/ghostscript/patches/0002-make-forceput-inaccessible.patch
new file mode 100644
index 0000000000..d50688fe4d
--- /dev/null
+++ b/printer/ghostscript/patches/0002-make-forceput-inaccessible.patch
@@ -0,0 +1,59 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 20 Aug 2019 09:10:28 +0000 (+0100)
+Subject: make .forceput inaccessible
+X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
+
+make .forceput inaccessible
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+---
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 4cc7f82..0fd4164 100644
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+ {
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ % A context switch might have occurred during the above loop,
+ % causing the interpreter-level parameters to be reset.
+ % Set them again to the new values. From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+ { pop pop
+ }
+ ifelse
+- }
++ } executeonly
+ forall pop
+-} .bind odef
++} .bind executeonly odef
+
+% Initialize the passwords.
+% NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index c158a8f..422e66e 100644
+--- a/Resource/Init/gs_pdfwr.ps
++++ b/Resource/Init/gs_pdfwr.ps
+@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
+ systemdict /.pdf_hooked_DSC_Creator //true .forceput
+ } executeonly if
+ pop
+- } if
++ } executeonly if
+ } {
+ pop
+ } ifelse
+- }
++ } executeonly
+ {
+ pop
+ } ifelse
diff --git a/printer/ghostscript/patches/0003-safer-mode-bypass-by-forceput-exposure-in-pdfexectoken.patch b/printer/ghostscript/patches/0003-safer-mode-bypass-by-forceput-exposure-in-pdfexectoken.patch
new file mode 100644
index 0000000000..b6e4ab363b
--- /dev/null
+++ b/printer/ghostscript/patches/0003-safer-mode-bypass-by-forceput-exposure-in-pdfexectoken.patch 
@@ -0,0 +1,217 @@ +From: Ken Sharp <ken.sharp@artifex.com> +Date: Wed, 21 Aug 2019 09:10:51 +0000 (+0100) +Subject: PDF interpreter - review .forceput security +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19 + +PDF interpreter - review .forceput security + +Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken" + +By abusing the error handler it was possible to get the PDFDEBUG portion +of .pdfexectoken, which uses .forceput left readable. + +Add an executeonly appropriately to make sure that clause isn't readable +no mstter what. + +Review all the uses of .forceput searching for similar cases, add +executeonly as required to secure those. All cases in the PostScript +support files seem to be covered already. +--- + +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +index 2e28cdd..02503ee 100644 +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef + { + dup ==only () = flush + } ifelse % PDFSTEP +- } if % PDFDEBUG ++ } executeonly if % PDFDEBUG + 2 copy .knownget { + exch pop exch pop exch pop exec + } { +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index 11eb485..fe3fc56 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -501,8 +501,8 @@ end + ( Output may be incorrect.\n) pdfformaterror + //pdfdict /.gs_warning_issued //true .forceput + PDFSTOPONERROR { /gs /undefined signalerror } if +- } if +- } ++ } executeonly if ++ } executeonly + ifelse + } bind executeonly def + +@@ -1152,7 +1152,7 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput +@@ -1160,8 +1160,8 @@ currentdict end readonly def + pdfformaterror + } executeonly ifelse + end +- } ifelse +- } loop ++ } executeonly ifelse ++ } executeonly 
loop + { + (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) + //pdfdict /.Qqwarning_issued .knownget +@@ -1175,14 +1175,14 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + pop + + % restore pdfemptycount +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index da07da5..81b7af1 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -677,13 +677,13 @@ + currentglobal 2 index dup gcheck setglobal + /FontInfo 5 dict dup 5 1 roll .forceput + setglobal +- } if ++ } executeonly if + dup /GlyphNames2Unicode .knownget not { + //true % No existing G2U, make one +- } { ++ } executeonly { + dup wcheck { + //false % Existing, writeable G2U, don't make new one +- } { ++ } executeonly { + pop //true % Existing read only G2U, make new one + } ifelse + } ifelse +@@ -701,9 +701,9 @@ + } if + PDFDEBUG { + (.processToUnicode end) = +- } if +- } if +- } stopped ++ } executeonly if ++ } executeonly if ++ } executeonly stopped + { + .dstackdepth 1 countdictstack 1 sub + {pop end} for +@@ -1233,19 +1233,20 @@ + //pdfdict /.Qqwarning_issued //true .forceput + } executeonly if + Q +- } repeat ++ } executeonly repeat + Q +- } PDFfile fileposition 2 .execn % Keep pdfcount valid. ++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid. 
+ PDFfile exch setfileposition +- } ifelse +- } { ++ } executeonly ifelse ++ } executeonly ++ { + % PDF Type 3 fonts don't use .notdef + % d1 implementation adjusts the width as needed + 0 0 0 0 0 0 + pdfopdict /d1 get exec + } ifelse + end end +- } bdef ++ } executeonly bdef + dup currentdict Encoding .processToUnicode + currentdict end .completefont exch pop + } bind executeonly odef +@@ -2045,9 +2046,9 @@ + (Will continue, but content may be missing.) = flush + } ifelse + } if +- } if ++ } executeonly if + /findresource cvx /undefined signalerror +- } loop ++ } executeonly loop + } bind executeonly odef + + /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font> +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index 00d7e36..7690bae 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -2771,15 +2771,15 @@ currentdict /PDF2PS_matrix_key undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if +- } if ++ } executeonly if ++ } executeonly if + pop + count PDFexecstackcount sub { pop } repeat + (after exec) VMDEBUG +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +index a15c8c6..d594035 100644 +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -192,14 +192,14 @@ currentdict /gput_always_allow .undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + } bind executeonly odef + + % Save PDF gstate +@@ -446,11 +446,12 @@ currentdict /gput_always_allow .undef + dup type /booleantype eq { + .currentSMask type /dicttype eq { + .currentSMask /Processed 2 index .forceput ++ } executeonly ++ { ++ .setSMask ++ 
}ifelse + } executeonly + { +- .setSMask +- }ifelse +- }{ + .setSMask + }ifelse + |
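Review bot: The embedded `@@ -1160,8 +1160,8 @@` hunk for Resource/Init/pdf_draw.ps shows nine old-side lines on this page against a declared eight, and its `} executeonly loop` line is broken across two lines here, so the committed 0003 patch should be confirmed byte-identical to upstream commit cd1b1cacadac2479e291efe611979bdc1b3bdb19 and shown to apply to 9.27 with no fuzz or rejects. The mismatch may only be an artefact of how this page was rendered, but a hunk that is skipped or lands at the wrong offset would leave a procedure containing `.forceput` readable while SECURITY_PATCH=9 already advertises CVE-2019-14817 as fixed. The commit changes only DETAILS, HISTORY and the two patch files, so presumably the spell's existing build scripts already apply everything under patches/. That is worth checking for this file and for 0002-make-forceput-inaccessible.patch, since nothing visible here wires them in.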