This commit is contained in:
Zdenek Dohnal 2020-03-12 14:35:34 +01:00
parent 5a6c75f6fb
commit 5e7ab74206
10 changed files with 164 additions and 377 deletions

1
.gitignore vendored
View File

@ -54,3 +54,4 @@ ghostscript-8.71.tar.xz
/ghostscript-9.25.tar.xz /ghostscript-9.25.tar.xz
/ghostscript-9.26.tar.xz /ghostscript-9.26.tar.xz
/ghostscript-9.27.tar.xz /ghostscript-9.27.tar.xz
/ghostscript-9.50.tar.xz

View File

@ -0,0 +1,58 @@
From 53ab3ecee8a60d412c2bf1406340bf9cb228e106 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 4 Dec 2019 12:23:02 +0000
Subject: [PATCH] Bug 701969: Fix fontconfig path permissions handling
The paths from fontconfig to be added to the permit file reading list was not
having the trailing directory separator added to indicate we want to allow
the directory to be read.
Also, tweak the path/filename splitting (for the permit file read list) when
parsing the cidfmap so it matches the improved version in gs_fonts.ps
---
Resource/Init/gs_cidfm.ps | 4 ++--
base/gp_unix.c | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/Resource/Init/gs_cidfm.ps b/Resource/Init/gs_cidfm.ps
index cd9ed883f..e123bfc1c 100644
--- a/Resource/Init/gs_cidfm.ps
+++ b/Resource/Init/gs_cidfm.ps
@@ -141,7 +141,7 @@ currentdict end def
% <dir.../base.extn> .basename <dir>
/.splitdirname {
(/) rsearch { //true } { (\\) rsearch } ifelse
- {3 -2 roll pop pop //true}{//false} ifelse
+ {exch concatstrings exch pop //true}{//false} ifelse
} bind def
% <file> .addcidfmappath -
@@ -214,7 +214,7 @@ currentdict end def
} loop
} forall
currentdict end
- {exch pop (/) concatstrings /PermitFileReading exch .addcontrolpath} forall
+ {exch pop /PermitFileReading exch .addcontrolpath} forall
% Checks for vicious substitution cycles.
dup length dict copy % <<map>>
diff --git a/base/gp_unix.c b/base/gp_unix.c
index 6d2b8b163..ecf0e8a63 100644
--- a/base/gp_unix.c
+++ b/base/gp_unix.c
@@ -356,7 +356,11 @@ void *gp_enumerate_fonts_init(gs_memory_t *mem)
*/
code = 0;
while ((dirstr = FcStrListNext(fdirlist)) != NULL && code >= 0) {
- code = gs_add_control_path(mem, gs_permit_file_reading, (char *)dirstr);
+ char dirstr2[gp_file_name_sizeof];
+ dirstr2[0] = '\0';
+ strncat(dirstr2, (char *)dirstr, gp_file_name_sizeof - 1);
+ strncat(dirstr2, "/", gp_file_name_sizeof);
+ code = gs_add_control_path(mem, gs_permit_file_reading, (char *)dirstr2);
}
FcStrListDone(fdirlist);
if (code < 0) {
--
2.24.1

View File

@ -1,22 +1,10 @@
From 91c9c6d17d445781ee572c281b8b9d75d96f9df8 Mon Sep 17 00:00:00 2001
From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
Date: Fri, 7 Oct 2016 13:57:01 +0200
Subject: [PATCH] Make sure 'dvipdf' is being run securely
---
lib/dvipdf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dvipdf b/lib/dvipdf diff --git a/lib/dvipdf b/lib/dvipdf
index 802aeab..c92dfb0 100755 index f643087..078292b 100755
--- a/lib/dvipdf --- a/lib/dvipdf
+++ b/lib/dvipdf +++ b/lib/dvipdf
@@ -43,4 +43,4 @@ fi @@ -43,4 +43,4 @@ fi
# We have to include the options twice because -I only takes effect if it # We have to include the options twice because -I only takes effect if it
# appears before other options. # appears before other options.
-exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite - -exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS
+exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite - +exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -
--
2.14.3

View File

@ -0,0 +1,94 @@
diff --git a/base/gp_unix.c b/base/gp_unix.c
index c576566..4165654 100644
--- a/base/gp_unix.c
+++ b/base/gp_unix.c
@@ -402,42 +402,50 @@ int gp_enumerate_fonts_next(void *enum_state, char **fontname, char **path)
return 0; /* gp_enumerate_fonts_init failed for some reason */
}
- if (state->index == state->font_list->nfont) {
- return 0; /* we've run out of fonts */
- }
-
- /* Bits of the following were borrowed from Red Hat's
- * fontconfig patch for Ghostscript 7 */
- font = state->font_list->fonts[state->index];
+ /* We use the loop so we can skip over fonts that return errors */
+ while(1) {
+ if (state->index == state->font_list->nfont) {
+ return 0; /* we've run out of fonts */
+ }
- result = FcPatternGetString (font, FC_FAMILY, 0, &family_fc);
- if (result != FcResultMatch || family_fc == NULL) {
- dmlprintf(state->mem, "DEBUG: FC_FAMILY mismatch\n");
- return 0;
- }
+ /* Bits of the following were borrowed from Red Hat's
+ * fontconfig patch for Ghostscript 7 */
+ font = state->font_list->fonts[state->index];
+ state->index++;
+
+ /* We do the FC_FILE first because this *should* never fail
+ * and it gives us a string to use in later debug prints
+ */
+ result = FcPatternGetString (font, FC_FILE, 0, &file_fc);
+ if (result != FcResultMatch || file_fc == NULL) {
+ dmlprintf(state->mem, "DEBUG: FC_FILE mismatch\n");
+ continue;
+ }
- result = FcPatternGetString (font, FC_FILE, 0, &file_fc);
- if (result != FcResultMatch || file_fc == NULL) {
- dmlprintf(state->mem, "DEBUG: FC_FILE mismatch\n");
- return 0;
- }
+ result = FcPatternGetString (font, FC_FAMILY, 0, &family_fc);
+ if (result != FcResultMatch || family_fc == NULL) {
+ dmlprintf1(state->mem, "DEBUG: FC_FAMILY mismatch in %s\n", (char *)file_fc);
+ continue;
+ }
- result = FcPatternGetBool (font, FC_OUTLINE, 0, &outline_fc);
- if (result != FcResultMatch) {
- dmlprintf1(state->mem, "DEBUG: FC_OUTLINE failed to match on %s\n", (char*)family_fc);
- return 0;
- }
+ result = FcPatternGetBool (font, FC_OUTLINE, 0, &outline_fc);
+ if (result != FcResultMatch) {
+ dmlprintf2(state->mem, "DEBUG: FC_OUTLINE failed to match on %s in %s\n", (char*)family_fc, (char *)file_fc);
+ continue;
+ }
- result = FcPatternGetInteger (font, FC_SLANT, 0, &slant_fc);
- if (result != FcResultMatch) {
- dmlprintf(state->mem, "DEBUG: FC_SLANT didn't match\n");
- return 0;
- }
+ result = FcPatternGetInteger (font, FC_SLANT, 0, &slant_fc);
+ if (result != FcResultMatch) {
+ dmlprintf1(state->mem, "DEBUG: FC_SLANT didn't match in %s\n", (char *)file_fc);
+ continue;
+ }
- result = FcPatternGetInteger (font, FC_WEIGHT, 0, &weight_fc);
- if (result != FcResultMatch) {
- dmlprintf(state->mem, "DEBUG: FC_WEIGHT didn't match\n");
- return 0;
+ result = FcPatternGetInteger (font, FC_WEIGHT, 0, &weight_fc);
+ if (result != FcResultMatch) {
+ dmlprintf1(state->mem, "DEBUG: FC_WEIGHT didn't match in %s\n", (char *)file_fc);
+ continue;
+ }
+ break;
}
/* Gross hack to work around Fontconfig's inability to tell
@@ -450,7 +458,6 @@ int gp_enumerate_fonts_next(void *enum_state, char **fontname, char **path)
/* return the font path straight out of fontconfig */
*path = (char*)file_fc;
- state->index ++;
return 1;
#else
return 0;

View File

@ -1,43 +0,0 @@
From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 2 Aug 2019 15:18:26 +0100
Subject: Bug 701394: protect use of .forceput with executeonly
diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
index 6c7735bc0c..a039ccee35 100644
--- a/Resource/Init/gs_type1.ps
+++ b/Resource/Init/gs_type1.ps
@@ -118,25 +118,25 @@
( to be the same as glyph: ) print 1 index //== exec } if
3 index exch 3 index .forceput
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
- }
+ }executeonly
{pop} ifelse
- } forall
+ } executeonly forall
pop pop
- }
+ } executeonly
{
pop pop pop
} ifelse
- }
+ } executeonly
{
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
pop pop
} ifelse
- } forall
+ } executeonly forall
3 1 roll pop pop
- } if
+ } executeonly if
pop
dup /.AGLprocessed~GS //true .forceput
- } if
+ } executeonly if
%% We need to excute the C .buildfont1 in a stopped context so that, if there
%% are errors we can put the stack back sanely and exit. Otherwise callers won't

View File

@ -1,56 +0,0 @@
From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Tue, 20 Aug 2019 10:10:28 +0100
Subject: make .forceput inaccessible
Bug #701343, #701344, #701345
More defensive programming. We don't want people to access .forecput
even though it is no longer sufficient to bypass SAFER. The exploit
in #701343 didn't work anyway because of earlier work to stop the error
handler being used, but nevertheless, prevent access to .forceput from
.setuserparams2.
diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
index 4cc7f820f..0fd416465 100644
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
{
pop pop
} ifelse
- } forall
+ } executeonly forall
% A context switch might have occurred during the above loop,
% causing the interpreter-level parameters to be reset.
% Set them again to the new values. From here on, we are safe,
@@ -229,9 +229,9 @@ end
{ pop pop
}
ifelse
- }
+ } executeonly
forall pop
-} .bind odef
+} .bind executeonly odef
% Initialize the passwords.
% NOTE: the names StartJobPassword and SystemParamsPassword are known to
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
index c158a8faf..422e66e1a 100644
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
systemdict /.pdf_hooked_DSC_Creator //true .forceput
} executeonly if
pop
- } if
+ } executeonly if
} {
pop
} ifelse
- }
+ } executeonly
{
pop
} ifelse

View File

@ -1,216 +0,0 @@
From 3b65a4569a7b8da4678890b842e368daf85d6887 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 21 Aug 2019 10:10:51 +0100
Subject: [PATCH] PDF interpreter - review .forceput security
Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
By abusing the error handler it was possible to get the PDFDEBUG portion
of .pdfexectoken, which uses .forceput left readable.
Add an executeonly appropriately to make sure that clause isn't readable
no mstter what.
Review all the uses of .forceput searching for similar cases, add
executeonly as required to secure those. All cases in the PostScript
support files seem to be covered already.
---
Resource/Init/pdf_base.ps | 2 +-
Resource/Init/pdf_draw.ps | 14 +++++++-------
Resource/Init/pdf_font.ps | 23 ++++++++++++-----------
Resource/Init/pdf_main.ps | 6 +++---
Resource/Init/pdf_ops.ps | 11 ++++++-----
5 files changed, 29 insertions(+), 27 deletions(-)
diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
index 1a218f4..cffde5c 100644
--- a/Resource/Init/pdf_base.ps
+++ b/Resource/Init/pdf_base.ps
@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
{
dup ==only () = flush
} ifelse % PDFSTEP
- } if % PDFDEBUG
+ } executeonly if % PDFDEBUG
2 copy .knownget {
exch pop exch pop exch pop exec
} {
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
index e18a7c2..0a3924c 100644
--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
@@ -501,8 +501,8 @@ end
( Output may be incorrect.\n) pdfformaterror
//pdfdict /.gs_warning_issued //true .forceput
PDFSTOPONERROR { /gs /undefined signalerror } if
- } if
- }
+ } executeonly if
+ } executeonly
ifelse
} bind executeonly def
@@ -1142,7 +1142,7 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
@@ -1150,8 +1150,8 @@ currentdict end readonly def
pdfformaterror
} executeonly ifelse
end
- } ifelse
- } loop
+ } executeonly ifelse
+ } executeonly loop
{
(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
//pdfdict /.Qqwarning_issued .knownget
@@ -1165,14 +1165,14 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
pop
% restore pdfemptycount
diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
index 9fb85f6..357ba30 100644
--- a/Resource/Init/pdf_font.ps
+++ b/Resource/Init/pdf_font.ps
@@ -677,7 +677,7 @@ currentdict end readonly def
currentglobal 2 index dup gcheck setglobal
/FontInfo 5 dict dup 5 1 roll .forceput
setglobal
- } if
+ } executeonly if
dup /GlyphNames2Unicode .knownget not {
//true % No existing G2U, make one
} {
@@ -701,9 +701,9 @@ currentdict end readonly def
} if
PDFDEBUG {
(.processToUnicode end) =
- } if
- } if
- } stopped
+ } executeonly if
+ } executeonly if
+ } executeonly stopped
{
.dstackdepth 1 countdictstack 1 sub
{pop end} for
@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef
//pdfdict /.Qqwarning_issued //true .forceput
} executeonly if
Q
- } repeat
+ } executeonly repeat
Q
- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
PDFfile exch setfileposition
- } ifelse
- } {
+ } executeonly ifelse
+ } executeonly
+ {
% PDF Type 3 fonts don't use .notdef
% d1 implementation adjusts the width as needed
0 0 0 0 0 0
pdfopdict /d1 get exec
} ifelse
end end
- } bdef
+ } executeonly bdef
dup currentdict Encoding .processToUnicode
currentdict end .completefont exch pop
} bind executeonly odef
@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef
(Will continue, but content may be missing.) = flush
} ifelse
} if
- } if
+ } executeonly if
/findresource cvx /undefined signalerror
- } loop
+ } executeonly loop
} bind executeonly odef
/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
index 5305ea6..a59e63c 100644
--- a/Resource/Init/pdf_main.ps
+++ b/Resource/Init/pdf_main.ps
@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
- } if
+ } executeonly if
+ } executeonly if
pop
count PDFexecstackcount sub { pop } repeat
(after exec) VMDEBUG
diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
index 285e582..6c1f100 100644
--- a/Resource/Init/pdf_ops.ps
+++ b/Resource/Init/pdf_ops.ps
@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
} bind executeonly odef
% Save PDF gstate
@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
dup type /booleantype eq {
.currentSMask type /dicttype eq {
.currentSMask /Processed 2 index .forceput
+ } executeonly
+ {
+ .setSMask
+ }ifelse
} executeonly
{
- .setSMask
- }ifelse
- }{
.setSMask
}ifelse
--
2.20.1

View File

@ -1,40 +0,0 @@
diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
index e34967d..5354ff0 100644
--- a/Resource/Init/gs_ttf.ps
+++ b/Resource/Init/gs_ttf.ps
@@ -1301,7 +1301,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
TTFDEBUG { (\n1 setting alias: ) print dup ==only
( to be the same as ) print 2 index //== exec } if
- 7 index 2 index 3 -1 roll exch .forceput
+ 7 index 2 index 3 -1 roll exch put
} forall
pop pop pop
}
@@ -1319,7 +1319,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
exch pop
TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
( to use glyph index: ) print dup //== exec } if
- 5 index 3 1 roll .forceput
+ 5 index 3 1 roll put
//false
}
{
@@ -1336,7 +1336,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
{ % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
( to be index: ) print dup //== exec } if
- exch pop 5 index 3 1 roll .forceput
+ exch pop 5 index 3 1 roll put
}
{
pop pop
@@ -1366,7 +1366,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
} ifelse
]
TTFDEBUG { (Encoding: ) print dup === flush } if
-} .bind executeonly odef % hides .forceput
+} .bind odef
% ---------------- CIDFontType 2 font loading ---------------- %

View File

@ -42,8 +42,8 @@
Name: ghostscript Name: ghostscript
Summary: Interpreter for PostScript language & PDF Summary: Interpreter for PostScript language & PDF
Version: 9.27 Version: 9.50
Release: 3%{?dist} Release: 1%{?dist}
License: AGPLv3+ License: AGPLv3+
@ -93,10 +93,8 @@ BuildRequires: libXt-devel
# Upstream patches -- official upstream patches released by upstream since the # Upstream patches -- official upstream patches released by upstream since the
# ---------------- last rebase that are necessary for any reason: # ---------------- last rebase that are necessary for any reason:
#Patch000: example000.patch #Patch000: example000.patch
Patch000: ghostscript-cve-2019-10216.patch Patch000: 0001-Bug-701969-Fix-fontconfig-path-permissions-handling.patch
Patch001: ghostscript-cve-2019-14811-14812-14813.patch Patch001: ghostscript-9.50-enumerate-all-fonts.patch
Patch002: ghostscript-cve-2019-14817.patch
Patch003: ghostscript-cve-2019-14869.patch
# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
@ -462,6 +460,9 @@ done
# ============================================================================= # =============================================================================
%changelog %changelog
* Wed Mar 11 2020 Zdenek Dohnal <zdohnal@redhat.com> - 9.50-1
- 9.50
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.27-3 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.27-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

View File

@ -1 +1 @@
SHA512 (ghostscript-9.27.tar.xz) = 5e67ad45a80f01c6ef0eabb1c76dfa8fb6e7f0fde8d82fd5daaf12f370c288a672f8fa69c74d9e30255582267e9a906e4e8b13655f8d993fefdfc8dbdb5d5401 SHA512 (ghostscript-9.50.tar.xz) = 3c1e5db519a427f4b6bfb8d93f3c3dfb67d5ec9ccd19c7afa7670deb768515f3fc617c5588e54934bbfbedfdf8609ce2ffa36dd7da3cb618937fe034f64f43ee