fix for CVE-2023-36664
Resolves: rhbz#2217810
		
							parent
							
								
									261ad2cc5f
								
							
						
					
					
						commit
						6709e45c5d
					
				
							
								
								
									
										142
									
								
								ghostscript-9.54.0-CVE-2023-36664.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										142
									
								
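--- a/ghostscript-9.54.0-CVE-2023-36664.patch
+++ b/ghostscript-9.54.0-CVE-2023-36664.patch
@@ -0,0 +1,142 @@
+From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
+ validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+---
+ base/gpmisc.c   | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 5f39ebba7..2fb87f769 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+           prefix_len = 0;
+     }
+-    rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+-    if (bufferfull == NULL)
+-        return gs_error_VMerror;
+-
+-    buffer = bufferfull + prefix_len;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+ 
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++        memcpy(buffer, path, len);
++        buffer[len] = 0;
++        rlen = len;
++    }
++    else {
++        rlen = len+1;
++        bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++        if (bufferfull == NULL)
++            return gs_error_VMerror;
++
++        buffer = bufferfull + prefix_len;
++        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++            return gs_error_invalidfileaccess;
++        buffer[rlen] = 0;
++    }
+     while (1) {
+         switch (mode[0])
+         {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index eb566ed06..d2a1aa91d 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++        memcpy(buffer, path, len);
++        buffer[len] = 0;
++        rlen = len;
++    }
++    else {
++        rlen = len + 1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
++        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++
++        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++            return gs_error_invalidfileaccess;
++        buffer[rlen] = 0;
++    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++)
+@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++        memcpy(buffer, path, len);
++        buffer[len] = 0;
++        rlen = len;
++    }
++    else {
++        rlen = len+1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
++        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++
++        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++            return gs_error_invalidfileaccess;
++        buffer[rlen] = 0;
++    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++) {
+-- 
+2.41.0
+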
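Review bot: In the `else` branch of all three hunks of the embedded patch, the `return gs_error_invalidfileaccess;` taken when `gp_file_name_reduce` fails leaves the buffer just obtained from `gs_alloc_bytes` unreleased, so every rejected path leaks its allocation. The patch carries this over unchanged from the removed lines; releasing the buffer first, e.g. `gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");` in gp_validate_path_len and `gs_free_object(core->memory, buffer, "gs_add_control_path_len");` in the two base/gslibctx.c functions, would close it. Separately, `path[0] == '|'` is evaluated before anything in the hunks establishes that `len` is non-zero, so putting `len > 0 &&` in front of it would keep the test in bounds should a caller pass an empty, non-terminated path. All three functions begin and end outside the hunks, so an earlier length check may already exist there.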
| @ -42,7 +42,7 @@ | |||||||
| Name:             ghostscript | Name:             ghostscript | ||||||
| Summary:          Interpreter for PostScript language & PDF | Summary:          Interpreter for PostScript language & PDF | ||||||
| Version:          9.54.0 | Version:          9.54.0 | ||||||
| Release:          11%{?dist} | Release:          12%{?dist} | ||||||
| 
 | 
 | ||||||
| License:          AGPLv3+ | License:          AGPLv3+ | ||||||
| 
 | 
 | ||||||
| @ -110,6 +110,7 @@ Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading | |||||||
| Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch | Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch | ||||||
| Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch | Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch | ||||||
| Patch008: ghostscript-9.54.0-CVE-2023-28879.patch | Patch008: ghostscript-9.54.0-CVE-2023-28879.patch | ||||||
|  | Patch009: ghostscript-9.54.0-CVE-2023-36664.patch | ||||||
| 
 | 
 | ||||||
| # Downstream patches -- these should be always included when doing rebase: | # Downstream patches -- these should be always included when doing rebase: | ||||||
| # ------------------ | # ------------------ | ||||||
| @ -443,6 +444,10 @@ done | |||||||
| # ============================================================================= | # ============================================================================= | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Tue Aug 01 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-12 | ||||||
|  | - fix for CVE-2023-36664 | ||||||
|  | - Resolves: rhbz#2217810 | ||||||
|  | 
 | ||||||
| * Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11 | * Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11 | ||||||
| - fix for CVE-2023-28879 | - fix for CVE-2023-28879 | ||||||
| - Resolves: rhbz#2188300 | - Resolves: rhbz#2188300 | ||||||
|  | |||||||