diff options
author | Hongxu Jia <hongxu.jia@windriver.com> | 2018-11-05 16:03:35 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-11-07 23:08:54 +0000 |
commit | e84345d6e6ce129e1bffccc29b5159cb50de5ed0 (patch) | |
tree | d541cb5223e11c7a7a99831df197ad7c0a786504 | |
parent | 918c8a13b67b0eece6fcdf4dad43ad032acacca5 (diff) | |
download | poky-e84345d6e6ce129e1bffccc29b5159cb50de5ed0.tar.gz |
ghostscript: fix CVE-2018-17961
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a
sandbox protection mechanism via vectors involving errorhandler
setup. NOTE: this issue exists because of an incomplete fix for
CVE-2018-17183.
(From OE-Core rev: 6c32ea184941d292cd8f0eb898e6cc90120ada40)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
6 files changed, 806 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch b/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch new file mode 100644 index 0000000000..f175da0caf --- /dev/null +++ b/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 274b2cc08b0d10a4cac3fe8b50022889f22580cb Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 20 Sep 2018 16:35:28 +0100 | ||
4 | Subject: [PATCH 1/5] Bug 699795: add operand checking to | ||
5 | .setnativefontmapbuilt | ||
6 | |||
7 | .setnativefontmapbuilt .forceputs a value into systemdict - it is intended | ||
8 | to be a boolean, but in this case was being called with a compound object | ||
9 | (a dictionary). Such an object, in local VM, being forced into systemdict | ||
10 | would then confuse the garbager, since it could be restored away with the | ||
11 | reference remaining. | ||
12 | |||
13 | This adds operand checking, so .setnativefontmapbuilt will simply ignore | ||
14 | anything other than a boolean value, and also removes the definition of | ||
15 | .setnativefontmapbuilt after use, since it is only used in two, closely | ||
16 | related places. | ||
17 | |||
18 | CVE: CVE-2018-17961 | ||
19 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
20 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
21 | --- | ||
22 | Resource/Init/gs_fonts.ps | 11 ++++++++--- | ||
23 | 1 file changed, 8 insertions(+), 3 deletions(-) | ||
24 | |||
25 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps | ||
26 | index 38f0f6c..45b6613 100644 | ||
27 | --- a/Resource/Init/gs_fonts.ps | ||
28 | +++ b/Resource/Init/gs_fonts.ps | ||
29 | @@ -372,9 +372,13 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
30 | % of strings: what the system thinks is the ps name, | ||
31 | % and the access path. | ||
32 | /.setnativefontmapbuilt { % set whether we've been run | ||
33 | - systemdict exch /.nativefontmapbuilt exch .forceput | ||
34 | + dup type /booleantype eq { | ||
35 | + systemdict exch /.nativefontmapbuilt exch .forceput | ||
36 | + } | ||
37 | + {pop} | ||
38 | + ifelse | ||
39 | } .bind executeonly def | ||
40 | -systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt | ||
41 | +systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec | ||
42 | /.buildnativefontmap { % - .buildnativefontmap <bool> | ||
43 | systemdict /.nativefontmapbuilt .knownget not | ||
44 | { //false} if | ||
45 | @@ -415,9 +419,10 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt | ||
46 | } forall | ||
47 | } if | ||
48 | % record that we've been run | ||
49 | - //true .setnativefontmapbuilt | ||
50 | + //true //.setnativefontmapbuilt exec | ||
51 | } ifelse | ||
52 | } bind def | ||
53 | +currentdict /.setnativefontmapbuilt .forceundef | ||
54 | |||
55 | % Create the dictionary that registers the .buildfont procedure | ||
56 | % (called by definefont) for each FontType. | ||
57 | -- | ||
58 | 2.7.4 | ||
59 | |||
diff --git a/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch b/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch new file mode 100644 index 0000000000..000f9c9ef2 --- /dev/null +++ b/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch | |||
@@ -0,0 +1,434 @@ | |||
1 | From 0661bf23a5be32973682e17afed4a2f23a8214ba Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Sat, 29 Sep 2018 15:34:55 +0100 | ||
4 | Subject: [PATCH 2/5] Bug 699816: Improve hiding of security critical custom | ||
5 | operators | ||
6 | |||
7 | Make procedures that use .forceput/.forcedef/.forceundef into operators. | ||
8 | |||
9 | The result of this is that errors get reported against the "top" operator, | ||
10 | rather than the "called" operator within the procedure. | ||
11 | |||
12 | For example: | ||
13 | /myproc | ||
14 | { | ||
15 | myop | ||
16 | } bind def | ||
17 | |||
18 | If 'myop' throws an error, the error handler will be passed the 'myop' | ||
19 | operator. Promoting 'myproc' to a operator means the error handler will be | ||
20 | passed 'myproc'. | ||
21 | |||
22 | CVE: CVE-2018-17961 | ||
23 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
24 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
25 | --- | ||
26 | Resource/Init/gs_diskn.ps | 2 +- | ||
27 | Resource/Init/gs_dps.ps | 2 +- | ||
28 | Resource/Init/gs_fntem.ps | 2 +- | ||
29 | Resource/Init/gs_fonts.ps | 10 +++++----- | ||
30 | Resource/Init/gs_lev2.ps | 13 +++++++++---- | ||
31 | Resource/Init/gs_pdfwr.ps | 2 +- | ||
32 | Resource/Init/gs_setpd.ps | 25 +++++++++++++++++-------- | ||
33 | Resource/Init/gs_typ32.ps | 14 +++++++++----- | ||
34 | Resource/Init/gs_type1.ps | 2 +- | ||
35 | Resource/Init/pdf_base.ps | 2 +- | ||
36 | Resource/Init/pdf_draw.ps | 10 +++++----- | ||
37 | Resource/Init/pdf_font.ps | 8 ++++---- | ||
38 | Resource/Init/pdf_main.ps | 4 ++-- | ||
39 | Resource/Init/pdf_ops.ps | 8 ++++---- | ||
40 | 14 files changed, 61 insertions(+), 43 deletions(-) | ||
41 | |||
42 | diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps | ||
43 | index 5540715..26ec0b5 100644 | ||
44 | --- a/Resource/Init/gs_diskn.ps | ||
45 | +++ b/Resource/Init/gs_diskn.ps | ||
46 | @@ -53,7 +53,7 @@ systemdict begin | ||
47 | exch .setglobal | ||
48 | } | ||
49 | if | ||
50 | -} .bind executeonly def % must be bound and hidden for .forceput | ||
51 | +} .bind executeonly odef % must be bound and hidden for .forceput | ||
52 | |||
53 | % Modify .putdevparams to force regeneration of .searchabledevs list | ||
54 | /.putdevparams { | ||
55 | diff --git a/Resource/Init/gs_dps.ps b/Resource/Init/gs_dps.ps | ||
56 | index cad7056..daf7b0f 100644 | ||
57 | --- a/Resource/Init/gs_dps.ps | ||
58 | +++ b/Resource/Init/gs_dps.ps | ||
59 | @@ -70,7 +70,7 @@ | ||
60 | % Save a copy of the initial gstate. | ||
61 | //systemdict /savedinitialgstate gstate readonly .forceput | ||
62 | .setglobal | ||
63 | -} .bind executeonly def % must be bound and hidden for .forceput | ||
64 | +} .bind executeonly odef % must be bound and hidden for .forceput | ||
65 | |||
66 | % Initialize local dictionaries and gstate when creating a new context. | ||
67 | % Note that until this completes, we are in the anomalous situation of | ||
68 | diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps | ||
69 | index 3ceee18..c1f7651 100644 | ||
70 | --- a/Resource/Init/gs_fntem.ps | ||
71 | +++ b/Resource/Init/gs_fntem.ps | ||
72 | @@ -408,7 +408,7 @@ currentdict end def | ||
73 | exit | ||
74 | } loop | ||
75 | exch setglobal | ||
76 | -} .bind executeonly def % must be bound and hidden for .forceput | ||
77 | +} .bind executeonly odef % must be bound and hidden for .forceput | ||
78 | |||
79 | currentdict end /ProcSet defineresource pop | ||
80 | |||
81 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps | ||
82 | index 45b6613..89c3ab7 100644 | ||
83 | --- a/Resource/Init/gs_fonts.ps | ||
84 | +++ b/Resource/Init/gs_fonts.ps | ||
85 | @@ -377,8 +377,8 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
86 | } | ||
87 | {pop} | ||
88 | ifelse | ||
89 | -} .bind executeonly def | ||
90 | -systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec | ||
91 | +} .bind executeonly odef | ||
92 | +systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt | ||
93 | /.buildnativefontmap { % - .buildnativefontmap <bool> | ||
94 | systemdict /.nativefontmapbuilt .knownget not | ||
95 | { //false} if | ||
96 | @@ -419,7 +419,7 @@ systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec | ||
97 | } forall | ||
98 | } if | ||
99 | % record that we've been run | ||
100 | - //true //.setnativefontmapbuilt exec | ||
101 | + //true .setnativefontmapbuilt | ||
102 | } ifelse | ||
103 | } bind def | ||
104 | currentdict /.setnativefontmapbuilt .forceundef | ||
105 | @@ -1103,7 +1103,7 @@ $error /SubstituteFont { } put | ||
106 | |||
107 | % Check to make sure the font was actually loaded. | ||
108 | dup 3 index .fontknownget | ||
109 | - { dup /PathLoad 4 index //.putgstringcopy exec | ||
110 | + { dup /PathLoad 4 index .putgstringcopy | ||
111 | 4 1 roll pop pop pop //true exit | ||
112 | } if | ||
113 | |||
114 | @@ -1115,7 +1115,7 @@ $error /SubstituteFont { } put | ||
115 | { % Stack: origfontname fontdirectory path filefontname | ||
116 | 2 index 1 index .fontknownget | ||
117 | { % Yes. Stack: origfontname fontdirectory path filefontname fontdict | ||
118 | - dup 4 -1 roll /PathLoad exch //.putgstringcopy exec | ||
119 | + dup 4 -1 roll /PathLoad exch .putgstringcopy | ||
120 | % Stack: origfontname fontdirectory filefontname fontdict | ||
121 | 3 -1 roll pop | ||
122 | % Stack: origfontname filefontname fontdict | ||
123 | diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps | ||
124 | index eee0b9f..a8ed892 100644 | ||
125 | --- a/Resource/Init/gs_lev2.ps | ||
126 | +++ b/Resource/Init/gs_lev2.ps | ||
127 | @@ -163,10 +163,11 @@ end | ||
128 | % Set them again to the new values. From here on, we are safe, | ||
129 | % since a context switch will consult userparams. | ||
130 | .setuserparams | ||
131 | -} .bind executeonly def % must be bound and hidden for .forceput | ||
132 | +} .bind executeonly odef % must be bound and hidden for .forceput | ||
133 | |||
134 | /setuserparams { % <dict> setuserparams - | ||
135 | - .setuserparams2 | ||
136 | + {.setuserparams2} stopped | ||
137 | + {/setuserparams load $error /errorname get signalerror} if | ||
138 | } .bind odef | ||
139 | % Initialize user parameters managed here. | ||
140 | /JobName () .definepsuserparam | ||
141 | @@ -415,7 +416,9 @@ psuserparams /ProcessDSCComment {.checkprocesscomment} put | ||
142 | |||
143 | % VMReclaim and VMThreshold are user parameters. | ||
144 | /setvmthreshold { % <int> setvmthreshold - | ||
145 | - mark /VMThreshold 2 .argindex .dicttomark .setuserparams2 pop | ||
146 | + mark /VMThreshold 2 .argindex .dicttomark {.setuserparams2} stopped | ||
147 | + {pop /setvmthreshold load $error /errorname get signalerror} | ||
148 | + {pop} ifelse | ||
149 | } odef | ||
150 | /vmreclaim { % <int> vmreclaim - | ||
151 | dup 0 gt { | ||
152 | @@ -427,7 +430,9 @@ psuserparams /ProcessDSCComment {.checkprocesscomment} put | ||
153 | ifelse | ||
154 | } { | ||
155 | % VMReclaim userparam controls enable/disable GC | ||
156 | - mark /VMReclaim 2 index .dicttomark .setuserparams2 pop | ||
157 | + mark /VMReclaim 2 index .dicttomark {.setuserparams2} stopped | ||
158 | + {pop /vmreclaim load $error /errorname get signalerror} | ||
159 | + {pop} ifelse | ||
160 | } ifelse | ||
161 | } odef | ||
162 | -1 setvmthreshold | ||
163 | diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps | ||
164 | index fb1c419..58e75d3 100644 | ||
165 | --- a/Resource/Init/gs_pdfwr.ps | ||
166 | +++ b/Resource/Init/gs_pdfwr.ps | ||
167 | @@ -660,7 +660,7 @@ currentdict /.pdfmarkparams .undef | ||
168 | { | ||
169 | pop | ||
170 | } ifelse | ||
171 | -} .bind executeonly def % must be bound and hidden for .forceput | ||
172 | +} .bind executeonly odef % must be bound and hidden for .forceput | ||
173 | |||
174 | % Use the DSC processing hook to pass DSC comments to the driver. | ||
175 | % We use a pseudo-parameter named DSC whose value is an array: | ||
176 | diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps | ||
177 | index 8fa7c51..afb4ffa 100644 | ||
178 | --- a/Resource/Init/gs_setpd.ps | ||
179 | +++ b/Resource/Init/gs_setpd.ps | ||
180 | @@ -608,6 +608,20 @@ NOMEDIAATTRS { | ||
181 | % in the <failed> dictionary with the policy value, | ||
182 | % and we replace the key in the <merged> dictionary with its prior value | ||
183 | % (or remove it if it had no prior value). | ||
184 | + | ||
185 | +% Making this an operator means we can properly hide | ||
186 | +% the contents - specifically .forceput | ||
187 | +/1Policy | ||
188 | +{ | ||
189 | + % Roll back the failed request to its previous status. | ||
190 | + SETPDDEBUG { (Rolling back.) = pstack flush } if | ||
191 | + 3 index 2 index 3 -1 roll .forceput | ||
192 | + 4 index 1 index .knownget | ||
193 | + { 4 index 3 1 roll .forceput } | ||
194 | + { 3 index exch .undef } | ||
195 | + ifelse | ||
196 | +} bind executeonly odef | ||
197 | + | ||
198 | /.policyprocs mark | ||
199 | % These procedures are called with the following on the stack: | ||
200 | % <orig> <merged> <failed> <Policies> <key> <policy> | ||
201 | @@ -631,14 +645,7 @@ NOMEDIAATTRS { | ||
202 | /setpagedevice .systemvar /configurationerror signalerror | ||
203 | } ifelse | ||
204 | } bind | ||
205 | - 1 { % Roll back the failed request to its previous status. | ||
206 | -SETPDDEBUG { (Rolling back.) = pstack flush } if | ||
207 | - 3 index 2 index 3 -1 roll .forceput | ||
208 | - 4 index 1 index .knownget | ||
209 | - { 4 index 3 1 roll .forceput } | ||
210 | - { 3 index exch .undef } | ||
211 | - ifelse | ||
212 | - } .bind executeonly % must be bound and hidden for .forceput | ||
213 | + 1 /1Policy load | ||
214 | 7 { % For PageSize only, just impose the request. | ||
215 | 1 index /PageSize eq | ||
216 | { pop pop 1 index /PageSize 7 put } | ||
217 | @@ -646,6 +653,8 @@ SETPDDEBUG { (Rolling back.) = pstack flush } if | ||
218 | ifelse | ||
219 | } bind | ||
220 | .dicttomark readonly def | ||
221 | +currentdict /1Policy undef | ||
222 | + | ||
223 | /.applypolicies % <orig> <merged> <failed> .applypolicies | ||
224 | % <orig> <merged'> <failed'> | ||
225 | { 1 index /Policies get 1 index | ||
226 | diff --git a/Resource/Init/gs_typ32.ps b/Resource/Init/gs_typ32.ps | ||
227 | index b6600b0..9150f71 100644 | ||
228 | --- a/Resource/Init/gs_typ32.ps | ||
229 | +++ b/Resource/Init/gs_typ32.ps | ||
230 | @@ -79,15 +79,19 @@ systemdict /.removeglyphs .undef | ||
231 | .dicttomark /ProcSet defineresource pop | ||
232 | |||
233 | /.cidfonttypes where { pop } { /.cidfonttypes 6 dict def } ifelse | ||
234 | -.cidfonttypes begin | ||
235 | - | ||
236 | -4 % CIDFontType 4 = FontType 32 | ||
237 | -{ dup /FontType 32 .forceput | ||
238 | +/CIDFontType4 | ||
239 | +{ | ||
240 | + dup /FontType 32 .forceput | ||
241 | dup /CharStrings 20 dict .forceput | ||
242 | 1 index exch .buildfont32 exch pop | ||
243 | -} .bind executeonly def % must be bound and hidden for .forceput | ||
244 | +} .bind executeonly odef | ||
245 | +.cidfonttypes begin | ||
246 | + | ||
247 | + | ||
248 | +4 /CIDFontType4 load def % CIDFontType 4 = FontType 32 | ||
249 | |||
250 | end % .cidfonttypes | ||
251 | +currentdict /CIDFontType4 .forceundef | ||
252 | |||
253 | % Define the BuildGlyph procedure. | ||
254 | % Since Type 32 fonts are indexed by CID, there is no BuildChar procedure. | ||
255 | diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps | ||
256 | index efdae48..2935d9c 100644 | ||
257 | --- a/Resource/Init/gs_type1.ps | ||
258 | +++ b/Resource/Init/gs_type1.ps | ||
259 | @@ -283,7 +283,7 @@ currentdict /closesourcedict .undef | ||
260 | } if | ||
261 | 2 copy /WeightVector exch .forceput | ||
262 | .setweightvector | ||
263 | -} .bind executeonly def | ||
264 | +} .bind executeonly odef | ||
265 | end | ||
266 | |||
267 | % Register the font types for definefont. | ||
268 | diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps | ||
269 | index a82a2a3..7ccd4cd 100644 | ||
270 | --- a/Resource/Init/pdf_base.ps | ||
271 | +++ b/Resource/Init/pdf_base.ps | ||
272 | @@ -218,7 +218,7 @@ currentdict /num-chars-dict .undef | ||
273 | } ifelse | ||
274 | } ifelse | ||
275 | } ifelse | ||
276 | -} bind executeonly def | ||
277 | +} bind executeonly odef | ||
278 | /PDFScanRules_true << /PDFScanRules //true >> def | ||
279 | /PDFScanRules_null << /PDFScanRules //null >> def | ||
280 | /.pdfrun { % <file> <opdict> .pdfrun - | ||
281 | diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps | ||
282 | index d1b6ac9..c239daf 100644 | ||
283 | --- a/Resource/Init/pdf_draw.ps | ||
284 | +++ b/Resource/Init/pdf_draw.ps | ||
285 | @@ -1158,7 +1158,7 @@ currentdict end readonly def | ||
286 | Q | ||
287 | PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if | ||
288 | PDFfile exch setfileposition | ||
289 | -} bind executeonly def | ||
290 | +} bind executeonly odef | ||
291 | |||
292 | /.pdfpaintproc { | ||
293 | %% Get the /m from pdfopdict (must be present) | ||
294 | @@ -1189,7 +1189,7 @@ currentdict end readonly def | ||
295 | { | ||
296 | switch_to_text_marking_ops | ||
297 | } if | ||
298 | -}bind executeonly def | ||
299 | +}bind executeonly odef | ||
300 | |||
301 | /resolvepattern { % <patternstreamdict> resolvepattern <patterndict> | ||
302 | % Don't do the resolvestream now: just capture the data | ||
303 | @@ -2353,7 +2353,7 @@ currentdict /last-ditch-bpc-csp undef | ||
304 | }{ | ||
305 | pdfdict /AppearanceNumber 0 .forceput | ||
306 | } ifelse | ||
307 | -}bind executeonly def | ||
308 | +}bind executeonly odef | ||
309 | |||
310 | /MakeAppearanceName { | ||
311 | pdfdict /AppearanceNumber get | ||
312 | @@ -2382,7 +2382,7 @@ currentdict /last-ditch-bpc-csp undef | ||
313 | DoForm | ||
314 | pdfdict /.PreservePDFForm 3 -1 roll .forceput | ||
315 | grestore | ||
316 | -} bind executeonly def | ||
317 | +} bind executeonly odef | ||
318 | |||
319 | /DoForm { | ||
320 | %% save the current value, if its true we will set it to false later, in order | ||
321 | @@ -2541,7 +2541,7 @@ currentdict /last-ditch-bpc-csp undef | ||
322 | end | ||
323 | } if | ||
324 | pdfdict /.PreservePDFForm 3 -1 roll .forceput | ||
325 | -} bind executeonly def | ||
326 | +} bind executeonly odef | ||
327 | |||
328 | /_dops_save 1 array def | ||
329 | |||
330 | diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps | ||
331 | index feaf0d0..535b14a 100644 | ||
332 | --- a/Resource/Init/pdf_font.ps | ||
333 | +++ b/Resource/Init/pdf_font.ps | ||
334 | @@ -718,7 +718,7 @@ currentdict end readonly def | ||
335 | {pop pop pop} | ||
336 | ifelse | ||
337 | |||
338 | -} bind executeonly def | ||
339 | +} bind executeonly odef | ||
340 | |||
341 | currentdict /.DoToUnicode? .forceundef | ||
342 | |||
343 | @@ -1241,7 +1241,7 @@ currentdict /eexec_pdf_param_dict .undef | ||
344 | } bdef | ||
345 | dup currentdict Encoding .processToUnicode | ||
346 | currentdict end .completefont exch pop | ||
347 | -} bind executeonly def | ||
348 | +} bind executeonly odef | ||
349 | /.adjustcharwidth { % <wx> <wy> .adjustcharwidth <wx'> <wy'> | ||
350 | % Enforce the metrics, in glyph space, to the values found in the PDF Font object | ||
351 | % - force wy == 0 (assumed, and not stored in the PDF font) | ||
352 | @@ -2026,7 +2026,7 @@ currentdict /CMap_read_dict undef | ||
353 | } if | ||
354 | /findresource cvx /undefined signalerror | ||
355 | } loop | ||
356 | -} bind executeonly def | ||
357 | +} bind executeonly odef | ||
358 | |||
359 | /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font> | ||
360 | dup /BaseFont get findCIDFont exch pop | ||
361 | @@ -2211,7 +2211,7 @@ currentdict /CMap_read_dict undef | ||
362 | /Type0 //buildType0 | ||
363 | /Type1 //buildType1 | ||
364 | /MMType1 //buildType1 | ||
365 | - /Type3 //buildType3 | ||
366 | + /Type3 /buildType3 load | ||
367 | /TrueType //buildTrueType | ||
368 | /CIDFontType0 //buildCIDType0 | ||
369 | /CIDFontType2 //buildCIDType2 | ||
370 | diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps | ||
371 | index 09f8735..c823e69 100644 | ||
372 | --- a/Resource/Init/pdf_main.ps | ||
373 | +++ b/Resource/Init/pdf_main.ps | ||
374 | @@ -660,7 +660,7 @@ currentdict /runpdfstring .undef | ||
375 | } forall | ||
376 | pop | ||
377 | } ifelse | ||
378 | -} bind executeonly def | ||
379 | +} bind executeonly odef | ||
380 | |||
381 | currentdict /pdf_collection_files .undef | ||
382 | |||
383 | @@ -2715,7 +2715,7 @@ currentdict /PDF2PS_matrix_key undef | ||
384 | .setglobal | ||
385 | /RepairedAnError exch def | ||
386 | /Repaired exch def | ||
387 | -} bind executeonly def | ||
388 | +} bind executeonly odef | ||
389 | |||
390 | % Display the contents of a page (including annotations). | ||
391 | /showpagecontents { % <pagedict> showpagecontents - | ||
392 | diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps | ||
393 | index c45fc51..8672d61 100644 | ||
394 | --- a/Resource/Init/pdf_ops.ps | ||
395 | +++ b/Resource/Init/pdf_ops.ps | ||
396 | @@ -193,7 +193,7 @@ currentdict /gput_always_allow .undef | ||
397 | pdfformaterror | ||
398 | } ifelse | ||
399 | } if | ||
400 | -} bind executeonly def | ||
401 | +} bind executeonly odef | ||
402 | |||
403 | % Save PDF gstate | ||
404 | /qstate { % - qstate <qstate> | ||
405 | @@ -451,7 +451,7 @@ currentdict /gput_always_allow .undef | ||
406 | %% a gsave, so we haven't copied it to /self, if we don't do that here | ||
407 | %% then transparent annotations cause an invalid access error. | ||
408 | currentdict //nodict eq {/self dup load end 5 dict begin def} if | ||
409 | -} bind executeonly def | ||
410 | +} bind executeonly odef | ||
411 | /AIS { .setalphaisshape } bind executeonly def | ||
412 | /BM { | ||
413 | /.setblendmode where { | ||
414 | @@ -1077,7 +1077,7 @@ end readonly def | ||
415 | pdfopdict /v {inside_text_v} bind .forceput | ||
416 | pdfopdict /y {inside_text_y} bind .forceput | ||
417 | pdfopdict /re {inside_text_re} bind .forceput | ||
418 | -} bind executeonly def | ||
419 | +} bind executeonly odef | ||
420 | |||
421 | /switch_to_normal_marking_ops { | ||
422 | pdfopdict /m {normal_m} bind .forceput | ||
423 | @@ -1086,7 +1086,7 @@ end readonly def | ||
424 | pdfopdict /v {normal_v} bind .forceput | ||
425 | pdfopdict /y {normal_y} bind .forceput | ||
426 | pdfopdict /re {normal_re} bind .forceput | ||
427 | -} bind executeonly def | ||
428 | +} bind executeonly odef | ||
429 | |||
430 | /BT { | ||
431 | currentdict /TextSaveMatrix known { | ||
432 | -- | ||
433 | 2.7.4 | ||
434 | |||
diff --git a/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch b/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch new file mode 100644 index 0000000000..cd78659583 --- /dev/null +++ b/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch | |||
@@ -0,0 +1,172 @@ | |||
1 | From 1f9a91c86bd56acf57826b9b0e020ebe1953e2ae Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 4 Oct 2018 10:42:13 +0100 | ||
4 | Subject: [PATCH 3/5] Bug 699832: add control over hiding error handlers. | ||
5 | |||
6 | With a previous commit changing error handling in SAFER so the handler gets | ||
7 | passed a name object (rather than executable object), it is less critical to | ||
8 | hide the error handlers. | ||
9 | |||
10 | This introduces a -dSAFERERRORS option to force only use of the default error | ||
11 | handlers. | ||
12 | |||
13 | It also adds a .setsafererrors Postscript call, meaning a caller, without | ||
14 | -dSAFERERRORS, can create their own default error handlers (in errordict, as | ||
15 | normal), and then call .setsafererrors meaning their own handlers are always | ||
16 | called. | ||
17 | |||
18 | With -dSAFERERRORS or after a call to .setsafererrors, .setsafererrors is | ||
19 | removed. | ||
20 | |||
21 | CVE: CVE-2018-17961 | ||
22 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
23 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
24 | --- | ||
25 | Resource/Init/gs_init.ps | 42 +++++++++++++++++++++++++++++------------ | ||
26 | psi/interp.c | 49 ++++++++++++++++++++++++++++-------------------- | ||
27 | 2 files changed, 59 insertions(+), 32 deletions(-) | ||
28 | |||
29 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
30 | index bec307d..f952f32 100644 | ||
31 | --- a/Resource/Init/gs_init.ps | ||
32 | +++ b/Resource/Init/gs_init.ps | ||
33 | @@ -188,6 +188,16 @@ currentdict /DELAYSAFER known { /DELAYSAFER //true def /NOSAFER //true def } if | ||
34 | currentdict /PARANOIDSAFER known or % PARANOIDSAFER is equivalent | ||
35 | } | ||
36 | ifelse def | ||
37 | + | ||
38 | +/SAFERERRORS | ||
39 | +currentdict /NOSAFERERRORS known | ||
40 | +{ | ||
41 | + //false | ||
42 | +} | ||
43 | +{ | ||
44 | + currentdict /SAFERERRORS known | ||
45 | +} ifelse def | ||
46 | + | ||
47 | currentdict /SHORTERRORS known /SHORTERRORS exch def | ||
48 | currentdict /TTYPAUSE known /TTYPAUSE exch def | ||
49 | currentdict /WRITESYSTEMDICT known /WRITESYSTEMDICT exch def | ||
50 | @@ -1123,12 +1133,23 @@ errordict begin | ||
51 | } bind def | ||
52 | end % errordict | ||
53 | |||
54 | -% Put all the default handlers in gserrordict | ||
55 | -gserrordict | ||
56 | -errordict {2 index 3 1 roll put} forall | ||
57 | -noaccess pop | ||
58 | -% remove the non-standard errors from errordict | ||
59 | +gserrordict /unknownerror errordict /unknownerror get put | ||
60 | errordict /unknownerror .undef | ||
61 | + | ||
62 | +/.SAFERERRORLIST ErrorNames def | ||
63 | +/.setsafererrors | ||
64 | +{ | ||
65 | +% Put all the requested handlers in gserrordict | ||
66 | + gserrordict | ||
67 | + //.SAFERERRORLIST | ||
68 | + {dup errordict exch get 2 index 3 1 roll put} forall | ||
69 | + noaccess pop | ||
70 | + systemdict /.setsafeerrors .forceundef | ||
71 | + systemdict /.SAFERERRORLIST .forceundef | ||
72 | +} bind executeonly odef | ||
73 | + | ||
74 | +SAFERERRORS {.setsafererrors} if | ||
75 | + | ||
76 | % Define a stable private copy of handleerror that we will always use under | ||
77 | % JOBSERVER mode. | ||
78 | /.GShandleerror errordict /handleerror get def | ||
79 | @@ -1760,18 +1781,15 @@ currentdict /.runlibfile .undef | ||
80 | |||
81 | % Bind all the operators defined as procedures. | ||
82 | /.bindoperators % binds operators in currentdict | ||
83 | - { % Temporarily disable the typecheck error. | ||
84 | - errordict /typecheck 2 copy get | ||
85 | - errordict /typecheck { pop } put % pop the command | ||
86 | + { | ||
87 | currentdict | ||
88 | { dup type /operatortype eq | ||
89 | - { % This might be a real operator, so bind might cause a typecheck, | ||
90 | - % but we've made the error a no-op temporarily. | ||
91 | - .bind | ||
92 | + { | ||
93 | + % This might be a real operator, so bind might cause a typecheck | ||
94 | + {.bind} .internalstopped pop | ||
95 | } | ||
96 | if pop pop | ||
97 | } forall | ||
98 | - put | ||
99 | } def | ||
100 | DELAYBIND not { .bindoperators } if | ||
101 | |||
102 | diff --git a/psi/interp.c b/psi/interp.c | ||
103 | index 3dd5f7a..cd894f9 100644 | ||
104 | --- a/psi/interp.c | ||
105 | +++ b/psi/interp.c | ||
106 | @@ -662,27 +662,18 @@ again: | ||
107 | if (gs_errorname(i_ctx_p, code, &error_name) < 0) | ||
108 | return code; /* out-of-range error code! */ | ||
109 | |||
110 | - /* If LockFilePermissions is true, we only refer to gserrordict, which | ||
111 | - * is not accessible to Postcript jobs | ||
112 | + /* We refer to gserrordict first, which is not accessible to Postcript jobs | ||
113 | + * If we're running with SAFERERRORS all the handlers are copied to gserrordict | ||
114 | + * so we'll always find the default one. If not SAFERERRORS, only gs specific | ||
115 | + * errors are in gserrordict. | ||
116 | */ | ||
117 | - if (i_ctx_p->LockFilePermissions) { | ||
118 | - if (((dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || | ||
119 | - dict_find(perrordict, &error_name, &epref) <= 0)) | ||
120 | - ) | ||
121 | - return code; /* error name not in errordict??? */ | ||
122 | - } | ||
123 | - else { | ||
124 | - /* | ||
125 | - * For greater Adobe compatibility, only the standard PostScript errors | ||
126 | - * are defined in errordict; the rest are in gserrordict. | ||
127 | - */ | ||
128 | - if (dict_find_string(systemdict, "errordict", &perrordict) <= 0 || | ||
129 | - (dict_find(perrordict, &error_name, &epref) <= 0 && | ||
130 | - (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || | ||
131 | - dict_find(perrordict, &error_name, &epref) <= 0)) | ||
132 | - ) | ||
133 | - return code; /* error name not in errordict??? */ | ||
134 | - } | ||
135 | + if (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || | ||
136 | + (dict_find(perrordict, &error_name, &epref) <= 0 && | ||
137 | + (dict_find_string(systemdict, "errordict", &perrordict) <= 0 || | ||
138 | + dict_find(perrordict, &error_name, &epref) <= 0)) | ||
139 | + ) | ||
140 | + return code; /* error name not in errordict??? */ | ||
141 | + | ||
142 | doref = *epref; | ||
143 | epref = &doref; | ||
144 | /* Push the error object on the operand stack if appropriate. */ | ||
145 | @@ -695,6 +686,24 @@ again: | ||
146 | } | ||
147 | *osp = *perror_object; | ||
148 | errorexec_find(i_ctx_p, osp); | ||
149 | + /* If using SAFER, hand a name object to the error handler, rather than the executable | ||
150 | + * object/operator itself. | ||
151 | + */ | ||
152 | + if (i_ctx_p->LockFilePermissions) { | ||
153 | + code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr); | ||
154 | + if (code < 0) { | ||
155 | + const char *unknownstr = "--unknown--"; | ||
156 | + rlen = strlen(unknownstr); | ||
157 | + memcpy(buf, unknownstr, rlen); | ||
158 | + } | ||
159 | + else { | ||
160 | + buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; | ||
161 | + rlen += 4; | ||
162 | + } | ||
163 | + code = name_ref(imemory, buf, rlen, osp, 1); | ||
164 | + if (code < 0) | ||
165 | + make_null(osp); | ||
166 | + } | ||
167 | } | ||
168 | goto again; | ||
169 | } | ||
170 | -- | ||
171 | 2.7.4 | ||
172 | |||
diff --git a/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch b/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch new file mode 100644 index 0000000000..6c715ad43b --- /dev/null +++ b/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch | |||
@@ -0,0 +1,105 @@ | |||
1 | From 34a8c5aa987d4db5234172a62218b168371606b1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Tue, 2 Oct 2018 16:02:58 +0100 | ||
4 | Subject: [PATCH 4/5] For hidden operators, pass a name object to error | ||
5 | handler. | ||
6 | |||
7 | In normal operation, Postscript error handlers are passed the object which | ||
8 | triggered the error: this is invariably an operator object. | ||
9 | |||
10 | The issue arises when an error is triggered by an operator which is for internal | ||
11 | use only, and that operator is then passed to the error handler, meaning it | ||
12 | becomes visible to the error handler code. | ||
13 | |||
14 | By converting to a name object, the error message is still valid, but we no | ||
15 | longer expose internal use only operators. | ||
16 | |||
17 | The change in gs_dps1.ps is related to the above: previously an error in | ||
18 | scheck would throw an error against .gcheck, but as .gcheck is now a hidden | ||
19 | operator, it resulted in a name object being passed to the error handler. As | ||
20 | scheck is a 'real' operator, it's better to use the real operator, rather than | ||
21 | the name of an internal, hidden one. | ||
22 | |||
23 | CVE: CVE-2018-17961 | ||
24 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
25 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
26 | --- | ||
27 | Resource/Init/gs_dps1.ps | 2 +- | ||
28 | psi/interp.c | 33 ++++++++++++++++++++++++--------- | ||
29 | 2 files changed, 25 insertions(+), 10 deletions(-) | ||
30 | |||
31 | diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps | ||
32 | index 1182f53..ec5db61 100644 | ||
33 | --- a/Resource/Init/gs_dps1.ps | ||
34 | +++ b/Resource/Init/gs_dps1.ps | ||
35 | @@ -21,7 +21,7 @@ level2dict begin | ||
36 | % ------ Virtual memory ------ % | ||
37 | |||
38 | /currentshared /.currentglobal load def | ||
39 | -/scheck /.gcheck load def | ||
40 | +/scheck {.gcheck} bind odef | ||
41 | %****** FOLLOWING IS WRONG ****** | ||
42 | /shareddict currentdict /globaldict .knownget not { 20 dict } if def | ||
43 | |||
44 | diff --git a/psi/interp.c b/psi/interp.c | ||
45 | index cd894f9..b70769d 100644 | ||
46 | --- a/psi/interp.c | ||
47 | +++ b/psi/interp.c | ||
48 | @@ -678,6 +678,8 @@ again: | ||
49 | epref = &doref; | ||
50 | /* Push the error object on the operand stack if appropriate. */ | ||
51 | if (!GS_ERROR_IS_INTERRUPT(code)) { | ||
52 | + byte buf[260], *bufptr; | ||
53 | + uint rlen; | ||
54 | /* Replace the error object if within an oparray or .errorexec. */ | ||
55 | osp++; | ||
56 | if (osp >= ostop) { | ||
57 | @@ -686,23 +688,36 @@ again: | ||
58 | } | ||
59 | *osp = *perror_object; | ||
60 | errorexec_find(i_ctx_p, osp); | ||
61 | - /* If using SAFER, hand a name object to the error handler, rather than the executable | ||
62 | - * object/operator itself. | ||
63 | - */ | ||
64 | - if (i_ctx_p->LockFilePermissions) { | ||
65 | + | ||
66 | + if (!r_has_type(osp, t_string) && !r_has_type(osp, t_name)) { | ||
67 | code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr); | ||
68 | if (code < 0) { | ||
69 | const char *unknownstr = "--unknown--"; | ||
70 | rlen = strlen(unknownstr); | ||
71 | memcpy(buf, unknownstr, rlen); | ||
72 | + bufptr = buf; | ||
73 | } | ||
74 | else { | ||
75 | - buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; | ||
76 | - rlen += 4; | ||
77 | + ref *tobj; | ||
78 | + bufptr[rlen] = '\0'; | ||
79 | + /* Only pass a name object if the operator doesn't exist in systemdict | ||
80 | + * i.e. it's an internal operator we have hidden | ||
81 | + */ | ||
82 | + code = dict_find_string(systemdict, (const char *)bufptr, &tobj); | ||
83 | + if (code < 0) { | ||
84 | + buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; | ||
85 | + rlen += 4; | ||
86 | + bufptr = buf; | ||
87 | + } | ||
88 | + else { | ||
89 | + bufptr = NULL; | ||
90 | + } | ||
91 | + } | ||
92 | + if (bufptr) { | ||
93 | + code = name_ref(imemory, buf, rlen, osp, 1); | ||
94 | + if (code < 0) | ||
95 | + make_null(osp); | ||
96 | } | ||
97 | - code = name_ref(imemory, buf, rlen, osp, 1); | ||
98 | - if (code < 0) | ||
99 | - make_null(osp); | ||
100 | } | ||
101 | } | ||
102 | goto again; | ||
103 | -- | ||
104 | 2.7.4 | ||
105 | |||
diff --git a/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch b/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch new file mode 100644 index 0000000000..4924b3cac6 --- /dev/null +++ b/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From f0a61679d28bc1561640403d92492e199bc1c0f3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 10 Oct 2018 23:25:51 +0100 | ||
4 | Subject: [PATCH 5/5] Bug 699938: .loadfontloop must be an operator | ||
5 | |||
6 | In the fix for Bug 699816, I omitted to make .loadfontloop into an operator, to | ||
7 | better hide .forceundef and .putgstringcopy. | ||
8 | |||
9 | CVE: CVE-2018-17961 | ||
10 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
11 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
12 | --- | ||
13 | Resource/Init/gs_fonts.ps | 2 +- | ||
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps | ||
17 | index 89c3ab7..72feff2 100644 | ||
18 | --- a/Resource/Init/gs_fonts.ps | ||
19 | +++ b/Resource/Init/gs_fonts.ps | ||
20 | @@ -1148,7 +1148,7 @@ $error /SubstituteFont { } put | ||
21 | |||
22 | } loop % end of loop | ||
23 | |||
24 | - } bind executeonly def % must be bound and hidden for .putgstringcopy | ||
25 | + } bind executeonly odef % must be bound and hidden for .putgstringcopy | ||
26 | |||
27 | currentdict /.putgstringcopy .undef | ||
28 | |||
29 | -- | ||
30 | 2.7.4 | ||
31 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.25.bb b/meta/recipes-extended/ghostscript/ghostscript_9.25.bb index 35eaaeb2fa..55251a55d4 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.25.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.25.bb | |||
@@ -25,6 +25,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d | |||
25 | file://do-not-check-local-libpng-source.patch \ | 25 | file://do-not-check-local-libpng-source.patch \ |
26 | file://avoid-host-contamination.patch \ | 26 | file://avoid-host-contamination.patch \ |
27 | file://mkdir-p.patch \ | 27 | file://mkdir-p.patch \ |
28 | file://0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch \ | ||
29 | file://0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch \ | ||
30 | file://0003-Bug-699832-add-control-over-hiding-error-handlers.patch \ | ||
31 | file://0004-For-hidden-operators-pass-a-name-object-to-error-han.patch \ | ||
32 | file://0005-Bug-699938-.loadfontloop-must-be-an-operator.patch \ | ||
28 | " | 33 | " |
29 | 34 | ||
30 | SRC_URI = "${SRC_URI_BASE} \ | 35 | SRC_URI = "${SRC_URI_BASE} \ |