import UBI ghostscript-9.54.0-17.el9_4

This commit is contained in:
eabdullin 2024-09-03 10:23:48 +00:00
parent 2c0bf4d4b5
commit 53572dbde0
4 changed files with 203 additions and 1 deletions

View File

@ -0,0 +1,79 @@
From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 21 Mar 2024 09:01:15 +0000
Subject: [PATCH] Uniprint device - prevent string configuration changes when
SAFER
Bug #707662
We cannot sanitise the string arguments used by the Uniprint device
because they can potentially include anything.
This commit ensures that these strings are locked and cannot be
changed by PostScript once SAFER is activated. Full configuration from
the command line is still possible (see the *.upp files in lib).
This addresses CVE-2024-29510
---
devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index c9389e7bc..016a9260a 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1891,6 +1891,16 @@ out on this copies.
if(!upd_strings[i]) continue;
UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (strings[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRINGS;
UPD_MM_DEL_PARAM(udev->memory, strings[i]);
if(!value.size) {
@@ -1908,6 +1918,26 @@ out on this copies.
if(!upd_string_a[i]) continue;
UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (string_a[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ int loop;
+ for (loop = 0;loop < string_a[i].size;loop++) {
+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+ if (tmp1->size != tmp2->size)
+ error = gs_error_invalidaccess;
+ else {
+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ }
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRING_A;
UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
if(!value.size) {
@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may
if(0 > code) error = code;
}
+exit:
if(0 < error) { /* Actually something loaded without error */
if(!(upd = udev->upd)) {
--
2.45.2

View File

@ -0,0 +1,43 @@
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 2b43f89..186d9b7 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
rlen = len;
}
else {
+ char *test = (char *)path, *test1;
+ uint tlen = len, slen;
+
+ /* Look for any pipe (%pipe% or '|' specifications between path separators
+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
+ */
+ while (tlen > 0) {
+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+ test1 = test;
+ slen = search_separator((const char **)&test, path + len, test1, 1);
+ if(slen == 0)
+ break;
+ test += slen;
+ tlen -= test - test1;
+ if (test >= path + len)
+ break;
+ }
+
rlen = len+1;
bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
if (bufferfull == NULL)
@@ -1163,8 +1184,8 @@ gp_validate_path_len(const gs_memory_t *mem,
continue;
}
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
- buffer = bufferfull + cdirstrl + dirsepstrl;
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
continue;
}
break;

View File

@ -0,0 +1,69 @@
diff --git a/base/gpmisc.c b/base/gpmisc.c
index f9a9230..2b43f89 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
const uint len,
const char *mode)
{
- char *buffer, *bufferfull;
+ char *buffer, *bufferfull = NULL;
uint rlen;
int code = 0;
const char *cdirstr = gp_file_name_current();
@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
return gs_error_VMerror;
buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
buffer[rlen] = 0;
}
while (1) {
@@ -1131,9 +1133,34 @@ gp_validate_path_len(const gs_memory_t *mem,
code = gs_note_error(gs_error_invalidfileaccess);
}
if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
+ uint newlen = rlen + cdirstrl + dirsepstrl;
+ char *newbuffer;
+ int code;
+
buffer = bufferfull;
memcpy(buffer, cdirstr, cdirstrl);
memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+
+ /* We've prepended a './' or similar for the current working directory. We need
+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
+ * the (new) full path.
+ */
+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
+ if (newbuffer == NULL) {
+ code = gs_note_error(gs_error_VMerror);
+ goto exit;
+ }
+
+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
+ newbuffer[newlen] = 0x00;
+
+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
+ if (code != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+
continue;
}
else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
@@ -1152,6 +1179,7 @@ gp_validate_path_len(const gs_memory_t *mem,
gs_path_control_flag_is_scratch_file);
}
+exit:
gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
#ifdef EACCES
if (code == gs_error_invalidfileaccess)

View File

@ -42,7 +42,7 @@
Name: ghostscript Name: ghostscript
Summary: Interpreter for PostScript language & PDF Summary: Interpreter for PostScript language & PDF
Version: 9.54.0 Version: 9.54.0
Release: 16%{?dist} Release: 17%{?dist}
License: AGPLv3+ License: AGPLv3+
@ -115,6 +115,12 @@ Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
Patch011: ghostscript-9.54.0-CVE-2023-43115.patch Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
# RHEL-39110 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library # RHEL-39110 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
Patch012: gs-cve-2024-33871.patch Patch012: gs-cve-2024-33871.patch
# RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
Patch013: gs-CVE-2024-33870.patch
# RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
Patch014: gs-CVE-2024-33869.patch
# RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
Patch015: 0001-Uniprint-device-prevent-string-configuration-changes.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -448,6 +454,11 @@ done
# ============================================================================= # =============================================================================
%changelog %changelog
* Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17
- RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
- RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
- RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
* Thu Jun 13 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16 * Thu Jun 13 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
- RHEL-39110 fix regression discovered in OPVP device - RHEL-39110 fix regression discovered in OPVP device