rpms/ghostscript
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS ghostscript-9.54.0-13.el9

Browse Source
This commit is contained in:
eabdullin 2023-09-21 18:32:18 +00:00
parent 1f75f5dbf8
commit 3afeb7c14e
5 changed files with 341 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
SOURCES/ghostscript-9.54.0-CVE-2023-28879.patch Normal file
View File

@ -0,0 +1,44 @@
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Mar 2023 13:19:57 +0000
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
Bug #706494 "Buffer Overflow in s_xBCPE_process"
As described in detail in the bug report, if the write buffer is filled
to one byte less than full, and we then try to write an escaped
character, we overrun the buffer because we don't check before
writing two bytes to it.
This just checks if we have two bytes before starting to write an
escaped character and exits if we don't (replacing the consumed byte
of the input).
Up for further discussion; why do we even permit a BCP encoding filter
anyway ? I think we should remove this, at least when SAFER is true.
---
base/sbcp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/base/sbcp.c b/base/sbcp.c
index 979ae0992..47fc233ec 100644
--- a/base/sbcp.c
+++ b/base/sbcp.c
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
--
2.39.2

142
SOURCES/ghostscript-9.54.0-CVE-2023-36664.patch Normal file
View File

@ -0,0 +1,142 @@
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 7 Jun 2023 10:23:06 +0100
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
validation
For regular file names, we try to simplfy relative paths before we use them.
Because the %pipe% device can, effectively, accept command line calls, we
shouldn't be simplifying that string, because the command line syntax can end
up confusing the path simplifying code. That can result in permitting a pipe
command which does not match what was originally permitted.
Special case "%pipe" in the validation code so we always deal with the entire
string.
---
base/gpmisc.c | 31 +++++++++++++++++++--------
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
2 files changed, 64 insertions(+), 23 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 5f39ebba7..2fb87f769 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
-
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eb566ed06..d2a1aa91d 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {
--
2.41.0

27
SOURCES/ghostscript-9.54.0-CVE-2023-38559.patch Normal file
View File

@ -0,0 +1,27 @@
From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 17 Jul 2023 14:06:37 +0100
Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
devices/gdevpcx.c
Bounds check the buffer, before dereferencing the pointer.
---
base/gdevdevn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/gdevdevn.c b/base/gdevdevn.c
index 7b14d9c71..6351fb77a 100644
--- a/base/gdevdevn.c
+++ b/base/gdevdevn.c
@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
gp_fputc(0xc1, file);
} else {
--
2.41.0

106
SOURCES/ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch Normal file
View File

@ -0,0 +1,106 @@
From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 15 Mar 2023 15:38:29 +0000
Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling
The PS interpreter callback that handles converting a CID to a TTF GID did
not handle the case of substituted CIDFonts.
It requires looking up the CID on the Decoding (to get a Unicode code point),
and then looking up the code point in the TTF cmap table to get the GID.
The rendering code already handled it.
---
psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 27 deletions(-)
diff --git a/psi/zfcid1.c b/psi/zfcid1.c
index fd502ff12..55de85d45 100644
--- a/psi/zfcid1.c
+++ b/psi/zfcid1.c
@@ -77,37 +77,56 @@
int gdbytes = pfont->cidata.common.GDBytes;
int gnum = 0;
const byte *data;
- int i, code;
+ int i, code = -1;
ref rcid;
ref *prgnum;
+ ref *p, *fdict = pfont_dict(pfont);
+
+ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) {
+ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type;
+ uint c;
+
+ code = dict_find_string(fdict, "Decoding", &Decoding);
+ if (code > 0)
+ code = dict_find_string(fdict, "TT_cmap", &TT_cmap);
+ if (code > 0)
+ code = dict_find_string(fdict, "SubstNWP", &SubstNWP);
+ if (code > 0) {
+ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type);
+ if (code >= 0)
+ gnum = c;
+ }
+ }
- switch (r_type(pcidmap)) {
- case t_string:
- if (cid >= r_size(pcidmap) / gdbytes)
- return_error(gs_error_rangecheck);
- data = pcidmap->value.const_bytes + cid * gdbytes;
- break;
- case t_integer:
- return cid + pcidmap->value.intval;
- case t_dictionary:
- make_int(&rcid, cid);
- code = dict_find(pcidmap, &rcid, &prgnum);
- if (code <= 0)
- return (code < 0 ? code : gs_note_error(gs_error_undefined));
- if (!r_has_type(prgnum, t_integer))
- return_error(gs_error_typecheck);
- return prgnum->value.intval;
- default: /* array type */
- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
- gdbytes, NULL, NULL, &data);
+ if (code < 0) {
+ switch (r_type(pcidmap)) {
+ case t_string:
+ if (cid >= r_size(pcidmap) / gdbytes)
+ return_error(gs_error_rangecheck);
+ data = pcidmap->value.const_bytes + cid * gdbytes;
+ break;
+ case t_integer:
+ return cid + pcidmap->value.intval;
+ case t_dictionary:
+ make_int(&rcid, cid);
+ code = dict_find(pcidmap, &rcid, &prgnum);
+ if (code <= 0)
+ return (code < 0 ? code : gs_note_error(gs_error_undefined));
+ if (!r_has_type(prgnum, t_integer))
+ return_error(gs_error_typecheck);
+ return prgnum->value.intval;
+ default: /* array type */
+ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
+ gdbytes, NULL, NULL, &data);
- if (code < 0)
- return code;
- if ( code > 0 )
- return_error(gs_error_invalidfont);
+ if (code < 0)
+ return code;
+ if ( code > 0 )
+ return_error(gs_error_invalidfont);
+ }
+ for (i = 0; i < gdbytes; ++i)
+ gnum = (gnum << 8) + data[i];
}
- for (i = 0; i < gdbytes; ++i)
- gnum = (gnum << 8) + data[i];
if (gnum >= pfont->data.trueNumGlyphs)
return_error(gs_error_invalidfont);
return gnum;
--
2.39.2

23
SPECS/ghostscript.spec
View File

@ -42,7 +42,7 @@
Name: ghostscript
Summary: Interpreter for PostScript language & PDF
Version: 9.54.0
Release: 9%{?dist}
Release: 13%{?dist}
License: AGPLv3+
@ -108,6 +108,10 @@ Patch003: ghostscript-9.54.0-covscan-fixes.patch
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch008: ghostscript-9.54.0-CVE-2023-28879.patch
Patch009: ghostscript-9.54.0-CVE-2023-36664.patch
Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
# Downstream patches -- these should be always included when doing rebase:
# ------------------
@ -441,6 +445,23 @@ done
# =============================================================================
%changelog
* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-13
- fix for CVE-2023-38559
- Resolves: rhbz#2224372
* Tue Aug 01 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-12
- fix for CVE-2023-36664
- Resolves: rhbz#2217810
* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
- fix for CVE-2023-28879
- Resolves: rhbz#2188300
* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
- fix embedding of CIDFonts
- Resolves: rhbz#2179023
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-9
- set the page size for A4 correctly in ESC/Page driver
- Resolves: rhbz#2164613