import ghostscript-9.25-5.el8_1.1
parent
49d0a6477b
commit
7e24f47308
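--- a/SOURCES/ghostscript-cve-2019-10216.patch
+++ b/SOURCES/ghostscript-cve-2019-10216.patch
@@ -0,0 +1,43 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: Bug 701394: protect use of .forceput with executeonly
+
+
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735bc0c..a039ccee35 100644
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+( to be the same as glyph: ) print 1 index //== exec } if
+3 index exch 3 index .forceput
+% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+{pop} ifelse
+- } forall
++ } executeonly forall
+pop pop
+- }
++ } executeonly
+{
+pop pop pop
+} ifelse
+- }
++ } executeonly
+{
+% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+pop pop
+} ifelse
+- } forall
++ } executeonly forall
+3 1 roll pop pop
+- } if
++ } executeonly if
+pop
+dup /.AGLprocessed~GS //true .forceput
+- } if
++ } executeonly if
+
+%% We need to excute the C .buildfont1 in a stopped context so that, if there
+%% are errors we can put the stack back sanely and exit. Otherwise callers won't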
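--- a/SOURCES/ghostscript-cve-2019-14811-14812-14813.patch
+++ b/SOURCES/ghostscript-cve-2019-14811-14812-14813.patch
@@ -0,0 +1,56 @@
+From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 20 Aug 2019 10:10:28 +0100
+Subject: make .forceput inaccessible
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 4cc7f820f..0fd416465 100644
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+{
+pop pop
+} ifelse
+- } forall
++ } executeonly forall
+% A context switch might have occurred during the above loop,
+% causing the interpreter-level parameters to be reset.
+% Set them again to the new values. From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+{ pop pop
+}
+ifelse
+- }
++ } executeonly
+forall pop
+-} .bind odef
++} .bind executeonly odef
+
+% Initialize the passwords.
+% NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index c158a8faf..422e66e1a 100644
+--- a/Resource/Init/gs_pdfwr.ps
++++ b/Resource/Init/gs_pdfwr.ps
+@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
+systemdict /.pdf_hooked_DSC_Creator //true .forceput
+} executeonly if
+pop
+- } if
++ } executeonly if
+} {
+pop
+} ifelse
+- }
++ } executeonly
+{
+pop
+} ifelse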
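Review bot: The bug ids in this patch's header (`Bug #701343, #701344, #701345`) do not match the ids the spec changelog on this page gives for the same three CVEs (701445, 701444, 701443), so one of the two is presumably a typo and the patch is hard to trace back to its reports. The header also names only `.setuserparams2`, while the file carries a `gs_pdfwr.ps` hunk touching the `.pdf_hooked_DSC_Creator` path as well. Rather than editing the upstream message, I would record the mapping downstream with a spec comment above `Patch016:`, for example `# CVE-2019-14811/14812/14813: upstream 885444fcbe, bugs 701445/701444/701443 (confirm ids against the tracker)`. The procedures being marked `executeonly` start outside the hunks shown, so coverage of their outermost definitions cannot be confirmed from this page.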
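--- a/SOURCES/ghostscript-cve-2019-14817.patch
+++ b/SOURCES/ghostscript-cve-2019-14817.patch
@@ -0,0 +1,258 @@
+From be86d2ff2f0f0ea0e365707f3be0fa0c9e7315ee Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Mon, 18 Feb 2019 12:11:45 -0800
+Subject: [PATCH 1/2] Bug 700599: Issue an error message if an ExtGstate is not
+found.
+
+Previously, this was silently ignored. Only issue a single warning,
+and respect PDFSTOPONERROR to prevent continuing with potentially
+incorrect output.
+
+Note that tests_private/pdf/uploads/bug696410.pdf also now gets this
+error message (ExtGState" instead of ExtGState in object 10).
+---
+Resource/Init/pdf_draw.ps | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 1add3f7..6a2773a 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -494,7 +494,16 @@ end
+dup {
+oforce exch gsparamdict exch .knownget { exec } { pop } ifelse
+} forall pop
+- } if
++ } {
++ //pdfdict /.gs_warning_issued known not {
++ (\n **** Error 'gs' ignored -- ExtGState missing from Resources.\n)
++ pdfformaterror
++ ( Output may be incorrect.\n) pdfformaterror
++ //pdfdict /.gs_warning_issued //true .forceput
++ PDFSTOPONERROR { /gs /undefined signalerror } if
++ } if
++ }
++ ifelse
+} bind executeonly def
+
+% ------ Transparency support ------ %
+--
+2.20.1
+
+
+From cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Aug 2019 10:10:51 +0100
+Subject: [PATCH 2/2] PDF interpreter - review .forceput security
+
+Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
+
+By abusing the error handler it was possible to get the PDFDEBUG portion
+of .pdfexectoken, which uses .forceput left readable.
+
+Add an executeonly appropriately to make sure that clause isn't readable
+no mstter what.
+
+Review all the uses of .forceput searching for similar cases, add
+executeonly as required to secure those. All cases in the PostScript
+support files seem to be covered already.
+---
+Resource/Init/pdf_base.ps | 2 +-
+Resource/Init/pdf_draw.ps | 14 +++++++-------
+Resource/Init/pdf_font.ps | 23 ++++++++++++-----------
+Resource/Init/pdf_main.ps | 6 +++---
+Resource/Init/pdf_ops.ps | 11 ++++++-----
+5 files changed, 29 insertions(+), 27 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index d3c3a5f..5dabe4d 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -154,7 +154,7 @@ currentdict /num-chars-dict .undef
+{
+dup ==only () = flush
+} ifelse % PDFSTEP
+- } if % PDFDEBUG
++ } executeonly if % PDFDEBUG
+2 copy .knownget {
+exch pop exch pop exch pop exec
+} {
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 6a2773a..068ba7c 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -501,8 +501,8 @@ end
+( Output may be incorrect.\n) pdfformaterror
+//pdfdict /.gs_warning_issued //true .forceput
+PDFSTOPONERROR { /gs /undefined signalerror } if
+- } if
+- }
++ } executeonly if
++ } executeonly
+ifelse
+} bind executeonly def
+
+@@ -1127,7 +1127,7 @@ currentdict end readonly def
+.setglobal
+pdfformaterror
+} executeonly ifelse
+- }
++ } executeonly
+{
+currentglobal //pdfdict gcheck .setglobal
+//pdfdict /.Qqwarning_issued //true .forceput
+@@ -1135,8 +1135,8 @@ currentdict end readonly def
+pdfformaterror
+} executeonly ifelse
+end
+- } ifelse
+- } loop
++ } executeonly ifelse
++ } executeonly loop
+{
+(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+//pdfdict /.Qqwarning_issued .knownget
+@@ -1150,14 +1150,14 @@ currentdict end readonly def
+.setglobal
+pdfformaterror
+} executeonly ifelse
+- }
++ } executeonly
+{
+currentglobal //pdfdict gcheck .setglobal
+//pdfdict /.Qqwarning_issued //true .forceput
+.setglobal
+pdfformaterror
+} executeonly ifelse
+- } if
++ } executeonly if
+pop
+
+% restore pdfemptycount
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 8b8fef8..86b1870 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -677,7 +677,7 @@ currentdict end readonly def
+currentglobal 2 index dup gcheck setglobal
+/FontInfo 5 dict dup 5 1 roll .forceput
+setglobal
+- } if
++ } executeonly if
+dup /GlyphNames2Unicode .knownget not {
+//true % No existing G2U, make one
+} {
+@@ -701,9 +701,9 @@ currentdict end readonly def
+} if
+PDFDEBUG {
+(.processToUnicode end) =
+- } if
+- } if
+- } stopped
++ } executeonly if
++ } executeonly if
++ } executeonly stopped
+{
+.dstackdepth 1 countdictstack 1 sub
+{pop end} for
+@@ -1225,19 +1225,20 @@ currentdict /eexec_pdf_param_dict .undef
+//pdfdict /.Qqwarning_issued //true .forceput
+} executeonly if
+Q
+- } repeat
++ } executeonly repeat
+Q
+- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
+PDFfile exch setfileposition
+- } ifelse
+- } {
++ } executeonly ifelse
++ } executeonly
++ {
+% PDF Type 3 fonts don't use .notdef
+% d1 implementation adjusts the width as needed
+0 0 0 0 0 0
+pdfopdict /d1 get exec
+} ifelse
+end end
+- } bdef
++ } executeonly bdef
+dup currentdict Encoding .processToUnicode
+currentdict end .completefont exch pop
+} bind executeonly odef
+@@ -2022,9 +2023,9 @@ currentdict /CMap_read_dict undef
+(Will continue, but content may be missing.) = flush
+} ifelse
+} if
+- } if
++ } executeonly if
+/findresource cvx /undefined signalerror
+- } loop
++ } executeonly loop
+} bind executeonly odef
+
+/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index e44288e..ecde3d4 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -2696,15 +2696,15 @@ currentdict /PDF2PS_matrix_key undef
+.setglobal
+pdfformaterror
+} executeonly ifelse
+- }
++ } executeonly
+{
+currentglobal //pdfdict gcheck .setglobal
+//pdfdict /.Qqwarning_issued //true .forceput
+.setglobal
+pdfformaterror
+} executeonly ifelse
+- } if
+- } if
++ } executeonly if
++ } executeonly if
+pop
+count PDFexecstackcount sub { pop } repeat
+(after exec) VMDEBUG
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index c2e7461..12d5a66 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
+.setglobal
+pdfformaterror
+} executeonly ifelse
+- }
++ } executeonly
+{
+currentglobal //pdfdict gcheck .setglobal
+//pdfdict /.Qqwarning_issued //true .forceput
+.setglobal
+pdfformaterror
+} executeonly ifelse
+- } if
++ } executeonly if
+} bind executeonly odef
+
+% Save PDF gstate
+@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
+dup type /booleantype eq {
+.currentSMask type /dicttype eq {
+.currentSMask /Processed 2 index .forceput
++ } executeonly
++ {
++ .setSMask
++ }ifelse
+} executeonly
+{
+- .setSMask
+- }ifelse
+- }{
+.setSMask
+}ifelse
+
+--
+2.20.1
+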
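Review bot: Patch 1/2 in this file (Bug 700599) is a functional change rather than part of the CVE-2019-14817 fix, and neither the file name nor the changelog entry says it is bundled here. It adds a new warning, makes `PDFSTOPONERROR` raise `/gs /undefined signalerror` when an ExtGState is missing, and introduces a new `//pdfdict /.gs_warning_issued //true .forceput` inside procedures that only become `executeonly` in patch 2/2 (the `@@ -501,8` hunk of `pdf_draw.ps`), so the two must never be split. I would document that with a spec comment above `Patch017:`, for example `# includes upstream be86d2ff2f (Bug 700599), presumably as a prerequisite for cd1b1cacad to apply`. The enclosing procedures start and end outside the hunks shown, so whether every outer definition around each `.forceput` is covered cannot be confirmed from this page.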
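--- a/SOURCES/ghostscript-cve-2019-14869.patch
+++ b/SOURCES/ghostscript-cve-2019-14869.patch
@@ -0,0 +1,40 @@
+diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
+index 064b6c8..600907e 100644
+--- a/Resource/Init/gs_ttf.ps
++++ b/Resource/Init/gs_ttf.ps
+@@ -1421,7 +1421,7 @@ mark
+TTFDEBUG { (\n1 setting alias: ) print dup ==only
+( to be the same as ) print 2 index //== exec } if
+
+- 7 index 2 index 3 -1 roll exch .forceput
++ 7 index 2 index 3 -1 roll exch put
+} forall
+pop pop pop
+}
+@@ -1439,7 +1439,7 @@ mark
+exch pop
+TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
+( to use glyph index: ) print dup //== exec } if
+- 5 index 3 1 roll .forceput
++ 5 index 3 1 roll put
+//false
+}
+{
+@@ -1456,7 +1456,7 @@ mark
+{ % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
+TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
+( to be index: ) print dup //== exec } if
+- exch pop 5 index 3 1 roll .forceput
++ exch pop 5 index 3 1 roll put
+}
+{
+pop pop
+@@ -1486,7 +1486,7 @@ mark
+} ifelse
+]
+TTFDEBUG { (Encoding: ) print dup === flush } if
+-} .bind executeonly odef % hides .forceput
++} .bind odef
+
+% to be removed 9.09......
+currentdict /postalias undef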
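Review bot: Unlike the other three patches added in this commit, this file has no `From`/`Subject` header, so the upstream commit it was backported from cannot be identified from the patch itself. A leading provenance block such as `From <upstream-commit-id> Mon Sep 17 00:00:00 2001` and `Subject: <upstream subject>` (placeholders, to be filled from the upstream repository) would make the backport auditable. Separately, the last hunk drops `executeonly` from `} .bind executeonly odef % hides .forceput`, which leaves the procedure readable; that is only safe if no `.forceput` or other privileged operator remains anywhere in it, and the procedure begins outside the hunks shown, so this should be checked against the full patched `gs_ttf.ps`.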
@ -28,15 +28,6 @@ diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
|
||||
index f1d1728..46408f9 100644
|
||||
--- a/Resource/Init/pdf_font.ps
|
||||
+++ b/Resource/Init/pdf_font.ps
|
||||
@@ -678,7 +678,7 @@ currentdict end readonly def
|
||||
currentglobal 2 index dup gcheck setglobal
|
||||
/FontInfo 5 dict dup 5 1 roll .forceput
|
||||
setglobal
|
||||
- } if
|
||||
+ } executeonly if
|
||||
dup /GlyphNames2Unicode .knownget not {
|
||||
//true % No existing G2U, make one
|
||||
} {
|
||||
@@ -692,7 +692,7 @@ currentdict end readonly def
|
||||
currentglobal exch dup gcheck setglobal
|
||||
dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput
|
||||
|
@ -37,7 +37,7 @@
|
||||
Name: ghostscript
|
||||
Summary: Interpreter for PostScript language & PDF
|
||||
Version: 9.25
|
||||
Release: 3%{?dist}
|
||||
Release: 5%{?dist}.1
|
||||
|
||||
License: AGPLv3+
|
||||
|
||||
@ -102,6 +102,10 @@ Patch011: ghostscript-cve-2019-3835.patch
|
||||
Patch012: ghostscript-cve-2019-3838.patch
|
||||
Patch013: ghostscript-fix-DSC-comment-parsing.patch
|
||||
Patch014: ghostscript-pdf2dsc-regression.patch
|
||||
Patch015: ghostscript-cve-2019-10216.patch
|
||||
Patch016: ghostscript-cve-2019-14811-14812-14813.patch
|
||||
Patch017: ghostscript-cve-2019-14817.patch
|
||||
Patch018: ghostscript-cve-2019-14869.patch
|
||||
|
||||
# Downstream patches -- these should be always included when doing rebase:
|
||||
# ------------------
|
||||
@ -441,6 +445,18 @@ done
|
||||
# =============================================================================
|
||||
|
||||
%changelog
|
||||
* Fri Nov 08 2019 Zdenek Dohnal <zdohnal@redhat.com> - 9.25-5.1
|
||||
- 1769342 - CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys
|
||||
|
||||
* Thu Aug 22 2019 Martin Osvald <mosvald@redhat.com> - 9.25-5
|
||||
- Resolves: #1744011 - CVE-2019-14811 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445)
|
||||
- Resolves: #1744015 - CVE-2019-14812 ghostscript: Safer Mode Bypass by .forceput Exposure in setuserparams (701444)
|
||||
- Resolves: #1744006 - CVE-2019-14813 ghostscript: Safer Mode Bypass by .forceput Exposure in setsystemparams (701443)
|
||||
- Resolves: #1744231 - CVE-2019-14817 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450)
|
||||
|
||||
* Mon Aug 05 2019 Martin Osvald <mosvald@redhat.com> - 9.25-4
|
||||
- Resolves: #1737337 - CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394)
|
||||
|
||||
* Thu Mar 28 2019 Martin Osvald <mosvald@redhat.com> - 9.25-3
|
||||
- Resolves: #1692798 - CVE-2019-3839 ghostscript: missing attack vector
|
||||
protections for CVE-2019-6116
|
||||
|