import UBI ghostscript-9.54.0-17.el9_4
This commit is contained in:
parent
2c0bf4d4b5
commit
53572dbde0
@ -0,0 +1,79 @@
|
|||||||
|
From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ken Sharp <Ken.Sharp@artifex.com>
|
||||||
|
Date: Thu, 21 Mar 2024 09:01:15 +0000
|
||||||
|
Subject: [PATCH] Uniprint device - prevent string configuration changes when
|
||||||
|
SAFER
|
||||||
|
|
||||||
|
Bug #707662
|
||||||
|
|
||||||
|
We cannot sanitise the string arguments used by the Uniprint device
|
||||||
|
because they can potentially include anything.
|
||||||
|
|
||||||
|
This commit ensures that these strings are locked and cannot be
|
||||||
|
changed by PostScript once SAFER is activated. Full configuration from
|
||||||
|
the command line is still possible (see the *.upp files in lib).
|
||||||
|
|
||||||
|
This addresses CVE-2024-29510
|
||||||
|
---
|
||||||
|
devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 31 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
|
||||||
|
index c9389e7bc..016a9260a 100644
|
||||||
|
--- a/devices/gdevupd.c
|
||||||
|
+++ b/devices/gdevupd.c
|
||||||
|
@@ -1891,6 +1891,16 @@ out on this copies.
|
||||||
|
if(!upd_strings[i]) continue;
|
||||||
|
UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
|
||||||
|
if(0 == code) {
|
||||||
|
+ if (gs_is_path_control_active(udev->memory)) {
|
||||||
|
+ if (strings[i].size != value.size)
|
||||||
|
+ error = gs_error_invalidaccess;
|
||||||
|
+ else {
|
||||||
|
+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
|
||||||
|
+ error = gs_error_invalidaccess;
|
||||||
|
+ }
|
||||||
|
+ if (error < 0)
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
if(0 <= error) error |= UPD_PUT_STRINGS;
|
||||||
|
UPD_MM_DEL_PARAM(udev->memory, strings[i]);
|
||||||
|
if(!value.size) {
|
||||||
|
@@ -1908,6 +1918,26 @@ out on this copies.
|
||||||
|
if(!upd_string_a[i]) continue;
|
||||||
|
UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
|
||||||
|
if(0 == code) {
|
||||||
|
+ if (gs_is_path_control_active(udev->memory)) {
|
||||||
|
+ if (string_a[i].size != value.size)
|
||||||
|
+ error = gs_error_invalidaccess;
|
||||||
|
+ else {
|
||||||
|
+ int loop;
|
||||||
|
+ for (loop = 0;loop < string_a[i].size;loop++) {
|
||||||
|
+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
|
||||||
|
+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
|
||||||
|
+
|
||||||
|
+ if (tmp1->size != tmp2->size)
|
||||||
|
+ error = gs_error_invalidaccess;
|
||||||
|
+ else {
|
||||||
|
+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
|
||||||
|
+ error = gs_error_invalidaccess;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (error < 0)
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
if(0 <= error) error |= UPD_PUT_STRING_A;
|
||||||
|
UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
|
||||||
|
if(!value.size) {
|
||||||
|
@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may
|
||||||
|
if(0 > code) error = code;
|
||||||
|
}
|
||||||
|
|
||||||
|
+exit:
|
||||||
|
if(0 < error) { /* Actually something loaded without error */
|
||||||
|
|
||||||
|
if(!(upd = udev->upd)) {
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
43
SOURCES/gs-CVE-2024-33869.patch
Normal file
43
SOURCES/gs-CVE-2024-33869.patch
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
diff --git a/base/gpmisc.c b/base/gpmisc.c
|
||||||
|
index 2b43f89..186d9b7 100644
|
||||||
|
--- a/base/gpmisc.c
|
||||||
|
+++ b/base/gpmisc.c
|
||||||
|
@@ -1089,6 +1089,27 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||||
|
rlen = len;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
+ char *test = (char *)path, *test1;
|
||||||
|
+ uint tlen = len, slen;
|
||||||
|
+
|
||||||
|
+ /* Look for any pipe (%pipe% or '|' specifications between path separators
|
||||||
|
+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
|
||||||
|
+ */
|
||||||
|
+ while (tlen > 0) {
|
||||||
|
+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
|
||||||
|
+ code = gs_note_error(gs_error_invalidfileaccess);
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
+ test1 = test;
|
||||||
|
+ slen = search_separator((const char **)&test, path + len, test1, 1);
|
||||||
|
+ if(slen == 0)
|
||||||
|
+ break;
|
||||||
|
+ test += slen;
|
||||||
|
+ tlen -= test - test1;
|
||||||
|
+ if (test >= path + len)
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rlen = len+1;
|
||||||
|
bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
|
||||||
|
if (bufferfull == NULL)
|
||||||
|
@@ -1163,8 +1184,8 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||||
|
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
|
||||||
|
- buffer = bufferfull + cdirstrl + dirsepstrl;
|
||||||
|
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
|
||||||
|
+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
break;
|
69
SOURCES/gs-CVE-2024-33870.patch
Normal file
69
SOURCES/gs-CVE-2024-33870.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
diff --git a/base/gpmisc.c b/base/gpmisc.c
|
||||||
|
index f9a9230..2b43f89 100644
|
||||||
|
--- a/base/gpmisc.c
|
||||||
|
+++ b/base/gpmisc.c
|
||||||
|
@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||||
|
const uint len,
|
||||||
|
const char *mode)
|
||||||
|
{
|
||||||
|
- char *buffer, *bufferfull;
|
||||||
|
+ char *buffer, *bufferfull = NULL;
|
||||||
|
uint rlen;
|
||||||
|
int code = 0;
|
||||||
|
const char *cdirstr = gp_file_name_current();
|
||||||
|
@@ -1095,8 +1095,10 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||||
|
return gs_error_VMerror;
|
||||||
|
|
||||||
|
buffer = bufferfull + prefix_len;
|
||||||
|
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||||
|
- return gs_error_invalidfileaccess;
|
||||||
|
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
|
||||||
|
+ code = gs_note_error(gs_error_invalidfileaccess);
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
buffer[rlen] = 0;
|
||||||
|
}
|
||||||
|
while (1) {
|
||||||
|
@@ -1131,9 +1133,34 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||||
|
code = gs_note_error(gs_error_invalidfileaccess);
|
||||||
|
}
|
||||||
|
if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
|
||||||
|
+ uint newlen = rlen + cdirstrl + dirsepstrl;
|
||||||
|
+ char *newbuffer;
|
||||||
|
+ int code;
|
||||||
|
+
|
||||||
|
buffer = bufferfull;
|
||||||
|
memcpy(buffer, cdirstr, cdirstrl);
|
||||||
|
memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
|
||||||
|
+
|
||||||
|
+ /* We've prepended a './' or similar for the current working directory. We need
|
||||||
|
+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
|
||||||
|
+ * the (new) full path.
|
||||||
|
+ */
|
||||||
|
+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
|
||||||
|
+ if (newbuffer == NULL) {
|
||||||
|
+ code = gs_note_error(gs_error_VMerror);
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
|
||||||
|
+ newbuffer[newlen] = 0x00;
|
||||||
|
+
|
||||||
|
+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
|
||||||
|
+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
|
||||||
|
+ if (code != gp_combine_success) {
|
||||||
|
+ code = gs_note_error(gs_error_invalidfileaccess);
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
|
||||||
|
@@ -1152,6 +1179,7 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||||
|
gs_path_control_flag_is_scratch_file);
|
||||||
|
}
|
||||||
|
|
||||||
|
+exit:
|
||||||
|
gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
|
||||||
|
#ifdef EACCES
|
||||||
|
if (code == gs_error_invalidfileaccess)
|
@ -42,7 +42,7 @@
|
|||||||
Name: ghostscript
|
Name: ghostscript
|
||||||
Summary: Interpreter for PostScript language & PDF
|
Summary: Interpreter for PostScript language & PDF
|
||||||
Version: 9.54.0
|
Version: 9.54.0
|
||||||
Release: 16%{?dist}
|
Release: 17%{?dist}
|
||||||
|
|
||||||
License: AGPLv3+
|
License: AGPLv3+
|
||||||
|
|
||||||
@ -115,6 +115,12 @@ Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
|
|||||||
Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
|
Patch011: ghostscript-9.54.0-CVE-2023-43115.patch
|
||||||
# RHEL-39110 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
|
# RHEL-39110 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library
|
||||||
Patch012: gs-cve-2024-33871.patch
|
Patch012: gs-cve-2024-33871.patch
|
||||||
|
# RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
||||||
|
Patch013: gs-CVE-2024-33870.patch
|
||||||
|
# RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
|
||||||
|
Patch014: gs-CVE-2024-33869.patch
|
||||||
|
# RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
|
||||||
|
Patch015: 0001-Uniprint-device-prevent-string-configuration-changes.patch
|
||||||
|
|
||||||
# Downstream patches -- these should be always included when doing rebase:
|
# Downstream patches -- these should be always included when doing rebase:
|
||||||
# ------------------
|
# ------------------
|
||||||
@ -448,6 +454,11 @@ done
|
|||||||
# =============================================================================
|
# =============================================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17
|
||||||
|
- RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths
|
||||||
|
- RHEL-44745 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction
|
||||||
|
- RHEL-44731 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
|
||||||
|
|
||||||
* Thu Jun 13 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
|
* Thu Jun 13 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-16
|
||||||
- RHEL-39110 fix regression discovered in OPVP device
|
- RHEL-39110 fix regression discovered in OPVP device
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user