import UBI ghostscript-9.54.0-10.el9_2
This commit is contained in:
parent
6571265829
commit
e322047064
142
SOURCES/ghostscript-9.54.0-CVE-2023-36664.patch
Normal file
142
SOURCES/ghostscript-9.54.0-CVE-2023-36664.patch
Normal file
@ -0,0 +1,142 @@
|
|||||||
|
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Chris Liddell <chris.liddell@artifex.com>
|
||||||
|
Date: Wed, 7 Jun 2023 10:23:06 +0100
|
||||||
|
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
|
||||||
|
validation
|
||||||
|
|
||||||
|
For regular file names, we try to simplfy relative paths before we use them.
|
||||||
|
|
||||||
|
Because the %pipe% device can, effectively, accept command line calls, we
|
||||||
|
shouldn't be simplifying that string, because the command line syntax can end
|
||||||
|
up confusing the path simplifying code. That can result in permitting a pipe
|
||||||
|
command which does not match what was originally permitted.
|
||||||
|
|
||||||
|
Special case "%pipe" in the validation code so we always deal with the entire
|
||||||
|
string.
|
||||||
|
---
|
||||||
|
base/gpmisc.c | 31 +++++++++++++++++++--------
|
||||||
|
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
|
||||||
|
2 files changed, 64 insertions(+), 23 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/base/gpmisc.c b/base/gpmisc.c
|
||||||
|
index 5f39ebba7..2fb87f769 100644
|
||||||
|
--- a/base/gpmisc.c
|
||||||
|
+++ b/base/gpmisc.c
|
||||||
|
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
|
||||||
|
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
|
||||||
|
prefix_len = 0;
|
||||||
|
}
|
||||||
|
- rlen = len+1;
|
||||||
|
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
|
||||||
|
- if (bufferfull == NULL)
|
||||||
|
- return gs_error_VMerror;
|
||||||
|
-
|
||||||
|
- buffer = bufferfull + prefix_len;
|
||||||
|
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||||
|
- return gs_error_invalidfileaccess;
|
||||||
|
- buffer[rlen] = 0;
|
||||||
|
|
||||||
|
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
|
||||||
|
+ don't "reduce" them to avoid unexpected results
|
||||||
|
+ */
|
||||||
|
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
||||||
|
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
|
||||||
|
+ if (buffer == NULL)
|
||||||
|
+ return gs_error_VMerror;
|
||||||
|
+ memcpy(buffer, path, len);
|
||||||
|
+ buffer[len] = 0;
|
||||||
|
+ rlen = len;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ rlen = len+1;
|
||||||
|
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
|
||||||
|
+ if (bufferfull == NULL)
|
||||||
|
+ return gs_error_VMerror;
|
||||||
|
+
|
||||||
|
+ buffer = bufferfull + prefix_len;
|
||||||
|
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||||
|
+ return gs_error_invalidfileaccess;
|
||||||
|
+ buffer[rlen] = 0;
|
||||||
|
+ }
|
||||||
|
while (1) {
|
||||||
|
switch (mode[0])
|
||||||
|
{
|
||||||
|
diff --git a/base/gslibctx.c b/base/gslibctx.c
|
||||||
|
index eb566ed06..d2a1aa91d 100644
|
||||||
|
--- a/base/gslibctx.c
|
||||||
|
+++ b/base/gslibctx.c
|
||||||
|
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
|
||||||
|
return gs_error_rangecheck;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rlen = len+1;
|
||||||
|
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
|
||||||
|
- if (buffer == NULL)
|
||||||
|
- return gs_error_VMerror;
|
||||||
|
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
|
||||||
|
+ don't "reduce" them to avoid unexpected results
|
||||||
|
+ */
|
||||||
|
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
||||||
|
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
|
||||||
|
+ if (buffer == NULL)
|
||||||
|
+ return gs_error_VMerror;
|
||||||
|
+ memcpy(buffer, path, len);
|
||||||
|
+ buffer[len] = 0;
|
||||||
|
+ rlen = len;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ rlen = len + 1;
|
||||||
|
|
||||||
|
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||||
|
- return gs_error_invalidfileaccess;
|
||||||
|
- buffer[rlen] = 0;
|
||||||
|
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
|
||||||
|
+ if (buffer == NULL)
|
||||||
|
+ return gs_error_VMerror;
|
||||||
|
+
|
||||||
|
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||||
|
+ return gs_error_invalidfileaccess;
|
||||||
|
+ buffer[rlen] = 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
n = control->num;
|
||||||
|
for (i = 0; i < n; i++)
|
||||||
|
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
|
||||||
|
return gs_error_rangecheck;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rlen = len+1;
|
||||||
|
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
|
||||||
|
- if (buffer == NULL)
|
||||||
|
- return gs_error_VMerror;
|
||||||
|
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
|
||||||
|
+ don't "reduce" them to avoid unexpected results
|
||||||
|
+ */
|
||||||
|
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
||||||
|
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
|
||||||
|
+ if (buffer == NULL)
|
||||||
|
+ return gs_error_VMerror;
|
||||||
|
+ memcpy(buffer, path, len);
|
||||||
|
+ buffer[len] = 0;
|
||||||
|
+ rlen = len;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ rlen = len+1;
|
||||||
|
|
||||||
|
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||||
|
- return gs_error_invalidfileaccess;
|
||||||
|
- buffer[rlen] = 0;
|
||||||
|
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
|
||||||
|
+ if (buffer == NULL)
|
||||||
|
+ return gs_error_VMerror;
|
||||||
|
+
|
||||||
|
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
|
||||||
|
+ return gs_error_invalidfileaccess;
|
||||||
|
+ buffer[rlen] = 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
n = control->num;
|
||||||
|
for (i = 0; i < n; i++) {
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -42,7 +42,7 @@
|
|||||||
Name: ghostscript
|
Name: ghostscript
|
||||||
Summary: Interpreter for PostScript language & PDF
|
Summary: Interpreter for PostScript language & PDF
|
||||||
Version: 9.54.0
|
Version: 9.54.0
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
|
|
||||||
License: AGPLv3+
|
License: AGPLv3+
|
||||||
|
|
||||||
@ -108,6 +108,7 @@ Patch003: ghostscript-9.54.0-covscan-fixes.patch
|
|||||||
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
|
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
|
||||||
Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
|
Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
|
||||||
Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
|
Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
|
||||||
|
Patch007: ghostscript-9.54.0-CVE-2023-36664.patch
|
||||||
|
|
||||||
# Downstream patches -- these should be always included when doing rebase:
|
# Downstream patches -- these should be always included when doing rebase:
|
||||||
# ------------------
|
# ------------------
|
||||||
@ -441,6 +442,10 @@ done
|
|||||||
# =============================================================================
|
# =============================================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 03 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
|
||||||
|
- fix for CVE-2023-36664
|
||||||
|
- Resolves: rhbz#2217809
|
||||||
|
|
||||||
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-9
|
* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-9
|
||||||
- set the page size for A4 correctly in ESC/Page driver
|
- set the page size for A4 correctly in ESC/Page driver
|
||||||
- Resolves: rhbz#2164613
|
- Resolves: rhbz#2164613
|
||||||
|
Loading…
Reference in New Issue
Block a user