From 040b22b22c7cbf1c02b551fbed49a5bfd76ceda5 Mon Sep 17 00:00:00 2001 From: "David Kaspar [Dee'Kej]" Date: Fri, 7 Oct 2016 14:55:13 +0200 Subject: [PATCH] Added 3 security fixes for: - CVE-2016-7979 (bug #1382305) - CVE-2016-7976 (bug #1382294) - CVE-2016-7978 (bug #1382300) --- ghostscript-9.20-cve-2016-7976.patch | 180 +++++++++++++++++++++++++++ ghostscript-9.20-cve-2016-7978.patch | 25 ++++ ghostscript-9.20-cve-2016-7979.patch | 43 +++++++ ghostscript.spec | 22 +++- 4 files changed, 269 insertions(+), 1 deletion(-) create mode 100644 ghostscript-9.20-cve-2016-7976.patch create mode 100644 ghostscript-9.20-cve-2016-7978.patch create mode 100644 ghostscript-9.20-cve-2016-7979.patch diff --git a/ghostscript-9.20-cve-2016-7976.patch b/ghostscript-9.20-cve-2016-7976.patch new file mode 100644 index 0000000..e39d169 --- /dev/null +++ b/ghostscript-9.20-cve-2016-7976.patch @@ -0,0 +1,180 @@ +From fee19fa8d4f6f351e5a76f5801884880249d6a45 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 5 Oct 2016 09:55:55 +0100 +Subject: [PATCH] Bug 697178: Add a file permissions callback + +For the rare occasions when the graphics library directly opens a file +(currently for reading), this allows us to apply any restrictions on +file access normally applied in the interpteter. +--- + base/gsicc_manage.c | 10 ++++++---- + base/gslibctx.c | 12 +++++++++++- + base/gslibctx.h | 7 +++++++ + psi/imain.c | 2 ++ + psi/int.mak | 2 +- + psi/zfile.c | 19 +++++++++++++++++++ + psi/zfile.h | 7 +++++++ + 7 files changed, 53 insertions(+), 6 deletions(-) + +diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c +index 931c2a6..e9c09c3 100644 +--- a/base/gsicc_manage.c ++++ b/base/gsicc_manage.c +@@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc, + } + + /* First just try it like it is */ +- str = sfopen(pname, "r", mem_gc); +- if (str != NULL) { +- *strp = str; +- return 0; ++ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) { ++ str = sfopen(pname, "r", mem_gc); ++ if (str != NULL) { ++ *strp = str; ++ return 0; ++ } + } + + /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */ +diff --git a/base/gslibctx.c b/base/gslibctx.c +index fa4432a..f2c13e3 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -183,7 +183,7 @@ int gs_lib_ctx_init( gs_memory_t *mem ) + mem->gs_lib_ctx = NULL; + return -1; + } +- ++ pio->client_check_file_permission = NULL; + gp_get_realtime(pio->real_time_0); + + /* Set scanconverter to 1 (default) */ +@@ -336,3 +336,13 @@ void errflush(const gs_memory_t *mem) + fflush(mem->gs_lib_ctx->fstderr); + /* else nothing to flush */ + } ++ ++int ++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission) ++{ ++ int code = 0; ++ if (mem->gs_lib_ctx->client_check_file_permission != NULL) { ++ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission); ++ } ++ return code; ++} +diff --git a/base/gslibctx.h b/base/gslibctx.h +index 84ec205..55eb4a6 100644 +--- a/base/gslibctx.h ++++ b/base/gslibctx.h +@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server; + # define gs_font_dir_DEFINED + typedef struct gs_font_dir_s gs_font_dir; + #endif ++ ++typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission); ++ + typedef struct gs_lib_ctx_s + { + gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */ +@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s + struct gx_io_device_s **io_device_table; + int io_device_table_count; + int io_device_table_size; ++ client_check_file_permission_t client_check_file_permission; + /* Define the default value of AccurateScreens that affects setscreen + and setcolorscreen. */ + bool screen_accurate_screens; +@@ -132,6 +136,9 @@ int + gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str, + int *list_str_len); + ++int ++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission); ++ + #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout) + #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr) + +diff --git a/psi/imain.c b/psi/imain.c +index 9a9bb5d..6874128 100644 +--- a/psi/imain.c ++++ b/psi/imain.c +@@ -57,6 +57,7 @@ + #include "ivmspace.h" + #include "idisp.h" /* for setting display device callback */ + #include "iplugin.h" ++#include "zfile.h" + + #ifdef PACIFY_VALGRIND + #include "valgrind.h" +@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst) + "the_gs_name_table"); + if (code < 0) + return code; ++ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions; + } + code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */ + if (code < 0) +diff --git a/psi/int.mak b/psi/int.mak +index 4654afc..bb30d51 100644 +--- a/psi/int.mak ++++ b/psi/int.mak +@@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\ + $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\ + $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\ + $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\ +- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\ ++ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\ + $(INT_MAK) $(MAKEDIRS) + $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c + +diff --git a/psi/zfile.c b/psi/zfile.c +index b6caea2..fd94f67 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len, + return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup); + } + ++/* z_check_file_permissions: see zfile.h for explanation ++ */ ++int ++z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission) ++{ ++ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p; ++ gs_parsed_file_name_t pname; ++ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting"; ++ int code = gs_parse_file_name(&pname, fname, len, imemory); ++ if (code < 0) ++ return code; ++ ++ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0) ++ return gs_error_invalidfileaccess; ++ ++ code = check_file_permissions(i_ctx_p, fname, len, permitgroup); ++ return code; ++} ++ + /* file */ + int /* exported for zsysvm.c */ + zfile(i_ctx_t *i_ctx_p) +diff --git a/psi/zfile.h b/psi/zfile.h +index fdf1373..a9399c7 100644 +--- a/psi/zfile.h ++++ b/psi/zfile.h +@@ -22,4 +22,11 @@ + int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn, + const char *file_access, stream **ps, gs_memory_t *mem); + ++/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission) ++ * to allow applying the above permissions checks when opening file(s) from ++ * the graphics library ++ */ ++int ++z_check_file_permissions(gs_memory_t *mem, const char *fname, ++ const int len, const char *permission); + #endif +-- +2.7.4 + diff --git a/ghostscript-9.20-cve-2016-7978.patch b/ghostscript-9.20-cve-2016-7978.patch new file mode 100644 index 0000000..74aa51c --- /dev/null +++ b/ghostscript-9.20-cve-2016-7978.patch @@ -0,0 +1,25 @@ +From 6f749c0c44e7b9e09737b9f29edf29925a34f0cf Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 5 Oct 2016 09:59:25 +0100 +Subject: [PATCH] Bug 697179: Reference count device icc profile + +when copying a device +--- + base/gsdevice.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/gsdevice.c b/base/gsdevice.c +index 778106f..aea986a 100644 +--- a/base/gsdevice.c ++++ b/base/gsdevice.c +@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem, + dev->memory = mem; + dev->retained = !internal; + rc_init(dev, mem, (internal ? 0 : 1)); ++ rc_increment(dev->icc_struct); + } + + void +-- +2.7.4 + diff --git a/ghostscript-9.20-cve-2016-7979.patch b/ghostscript-9.20-cve-2016-7979.patch new file mode 100644 index 0000000..5b2738a --- /dev/null +++ b/ghostscript-9.20-cve-2016-7979.patch @@ -0,0 +1,43 @@ +From 875a0095f37626a721c7ff57d606a0f95af03913 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Wed, 5 Oct 2016 10:10:58 +0100 +Subject: [PATCH] DSC parser - validate parameters + +Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it." + +Regardless of any security implications, its simply wrong for a PostScript +operator not to validate its parameter(s). + +No differences expected. +--- + psi/zdscpars.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/psi/zdscpars.c b/psi/zdscpars.c +index c05e154..9b4b605 100644 +--- a/psi/zdscpars.c ++++ b/psi/zdscpars.c +@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p) + ref local_ref; + int code; + os_ptr const op = osp; +- dict * const pdict = op->value.pdict; +- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict); +- dsc_data_t * const data = +- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); ++ dict *pdict; ++ gs_memory_t *mem; ++ dsc_data_t *data; + ++ check_read_type(*op, t_dictionary); ++ ++ pdict = op->value.pdict; ++ mem = (gs_memory_t *)dict_memory(pdict); ++ ++ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); + if (!data) + return_error(gs_error_VMerror); + data->document_level = 0; +-- +2.7.4 + diff --git a/ghostscript.spec b/ghostscript.spec index 7cb1896..cd8877f 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 1%{?dist} +Release: 2%{?dist} # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 @@ -21,6 +21,11 @@ Patch2: ghostscript-9.20-runlibfileifexists.patch Patch3: ghostscript-9.20-run-dvipdf-securely.patch Patch4: ghostscript-9.20-urw-fonts-naming.patch +# Security patches: +Patch5: ghostscript-9.20-cve-2016-7979.patch +Patch6: ghostscript-9.20-cve-2016-7976.patch +Patch7: ghostscript-9.20-cve-2016-7978.patch + Requires: %{name}-core%{?_isa} = %{version}-%{release} Requires: %{name}-x11%{?_isa} = %{version}-%{release} BuildRequires: xz @@ -121,6 +126,15 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib # Use old names for urw-fonts (bug #1207577). %patch4 -p1 +# DSC parser - validate parameters (bug #1382305): +%patch5 -p1 + +# Add a file permissions callaback (bug #1382294): +%patch6 -p1 + +# Reference count device icc profile (bug #1382300): +%patch7 -p1 + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" @@ -317,6 +331,12 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Fri Oct 7 2016 David Kaspar [Dee'Kej] - 9.20-2 +- Added security fixes for: + - CVE-2016-7979 (bug #1382305) + - CVE-2016-7976 (bug #1382294) + - CVE-2016-7978 (bug #1382300) + * Fri Oct 7 2016 David Kaspar [Dee'Kej] - 9.20-1 - Rebase to latest ghostscript-9.20. Major changes in this rebase: - OpenJPEG support has been re-enabled