summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2018-11-05 16:03:35 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-11-07 23:08:54 +0000
commite84345d6e6ce129e1bffccc29b5159cb50de5ed0 (patch)
treed541cb5223e11c7a7a99831df197ad7c0a786504
parent918c8a13b67b0eece6fcdf4dad43ad032acacca5 (diff)
downloadpoky-e84345d6e6ce129e1bffccc29b5159cb50de5ed0.tar.gz
ghostscript: fix CVE-2018-17961
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183. (From OE-Core rev: 6c32ea184941d292cd8f0eb898e6cc90120ada40) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch59
-rw-r--r--meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch434
-rw-r--r--meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch172
-rw-r--r--meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch105
-rw-r--r--meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch31
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.25.bb5
6 files changed, 806 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch b/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch
new file mode 100644
index 0000000000..f175da0caf
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch
@@ -0,0 +1,59 @@
1From 274b2cc08b0d10a4cac3fe8b50022889f22580cb Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Thu, 20 Sep 2018 16:35:28 +0100
4Subject: [PATCH 1/5] Bug 699795: add operand checking to
5 .setnativefontmapbuilt
6
7.setnativefontmapbuilt .forceputs a value into systemdict - it is intended
8to be a boolean, but in this case was being called with a compound object
9(a dictionary). Such an object, in local VM, being forced into systemdict
10would then confuse the garbager, since it could be restored away with the
11reference remaining.
12
13This adds operand checking, so .setnativefontmapbuilt will simply ignore
14anything other than a boolean value, and also removes the definition of
15.setnativefontmapbuilt after use, since it is only used in two, closely
16related places.
17
18CVE: CVE-2018-17961
19Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
20Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
21---
22 Resource/Init/gs_fonts.ps | 11 ++++++++---
23 1 file changed, 8 insertions(+), 3 deletions(-)
24
25diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
26index 38f0f6c..45b6613 100644
27--- a/Resource/Init/gs_fonts.ps
28+++ b/Resource/Init/gs_fonts.ps
29@@ -372,9 +372,13 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
30 % of strings: what the system thinks is the ps name,
31 % and the access path.
32 /.setnativefontmapbuilt { % set whether we've been run
33- systemdict exch /.nativefontmapbuilt exch .forceput
34+ dup type /booleantype eq {
35+ systemdict exch /.nativefontmapbuilt exch .forceput
36+ }
37+ {pop}
38+ ifelse
39 } .bind executeonly def
40-systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
41+systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec
42 /.buildnativefontmap { % - .buildnativefontmap <bool>
43 systemdict /.nativefontmapbuilt .knownget not
44 { //false} if
45@@ -415,9 +419,10 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
46 } forall
47 } if
48 % record that we've been run
49- //true .setnativefontmapbuilt
50+ //true //.setnativefontmapbuilt exec
51 } ifelse
52 } bind def
53+currentdict /.setnativefontmapbuilt .forceundef
54
55 % Create the dictionary that registers the .buildfont procedure
56 % (called by definefont) for each FontType.
57--
582.7.4
59
diff --git a/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch b/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch
new file mode 100644
index 0000000000..000f9c9ef2
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch
@@ -0,0 +1,434 @@
1From 0661bf23a5be32973682e17afed4a2f23a8214ba Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Sat, 29 Sep 2018 15:34:55 +0100
4Subject: [PATCH 2/5] Bug 699816: Improve hiding of security critical custom
5 operators
6
7Make procedures that use .forceput/.forcedef/.forceundef into operators.
8
9The result of this is that errors get reported against the "top" operator,
10rather than the "called" operator within the procedure.
11
12For example:
13/myproc
14{
15 myop
16} bind def
17
18If 'myop' throws an error, the error handler will be passed the 'myop'
19operator. Promoting 'myproc' to a operator means the error handler will be
20passed 'myproc'.
21
22CVE: CVE-2018-17961
23Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
24Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
25---
26 Resource/Init/gs_diskn.ps | 2 +-
27 Resource/Init/gs_dps.ps | 2 +-
28 Resource/Init/gs_fntem.ps | 2 +-
29 Resource/Init/gs_fonts.ps | 10 +++++-----
30 Resource/Init/gs_lev2.ps | 13 +++++++++----
31 Resource/Init/gs_pdfwr.ps | 2 +-
32 Resource/Init/gs_setpd.ps | 25 +++++++++++++++++--------
33 Resource/Init/gs_typ32.ps | 14 +++++++++-----
34 Resource/Init/gs_type1.ps | 2 +-
35 Resource/Init/pdf_base.ps | 2 +-
36 Resource/Init/pdf_draw.ps | 10 +++++-----
37 Resource/Init/pdf_font.ps | 8 ++++----
38 Resource/Init/pdf_main.ps | 4 ++--
39 Resource/Init/pdf_ops.ps | 8 ++++----
40 14 files changed, 61 insertions(+), 43 deletions(-)
41
42diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps
43index 5540715..26ec0b5 100644
44--- a/Resource/Init/gs_diskn.ps
45+++ b/Resource/Init/gs_diskn.ps
46@@ -53,7 +53,7 @@ systemdict begin
47 exch .setglobal
48 }
49 if
50-} .bind executeonly def % must be bound and hidden for .forceput
51+} .bind executeonly odef % must be bound and hidden for .forceput
52
53 % Modify .putdevparams to force regeneration of .searchabledevs list
54 /.putdevparams {
55diff --git a/Resource/Init/gs_dps.ps b/Resource/Init/gs_dps.ps
56index cad7056..daf7b0f 100644
57--- a/Resource/Init/gs_dps.ps
58+++ b/Resource/Init/gs_dps.ps
59@@ -70,7 +70,7 @@
60 % Save a copy of the initial gstate.
61 //systemdict /savedinitialgstate gstate readonly .forceput
62 .setglobal
63-} .bind executeonly def % must be bound and hidden for .forceput
64+} .bind executeonly odef % must be bound and hidden for .forceput
65
66 % Initialize local dictionaries and gstate when creating a new context.
67 % Note that until this completes, we are in the anomalous situation of
68diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps
69index 3ceee18..c1f7651 100644
70--- a/Resource/Init/gs_fntem.ps
71+++ b/Resource/Init/gs_fntem.ps
72@@ -408,7 +408,7 @@ currentdict end def
73 exit
74 } loop
75 exch setglobal
76-} .bind executeonly def % must be bound and hidden for .forceput
77+} .bind executeonly odef % must be bound and hidden for .forceput
78
79 currentdict end /ProcSet defineresource pop
80
81diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
82index 45b6613..89c3ab7 100644
83--- a/Resource/Init/gs_fonts.ps
84+++ b/Resource/Init/gs_fonts.ps
85@@ -377,8 +377,8 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
86 }
87 {pop}
88 ifelse
89-} .bind executeonly def
90-systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec
91+} .bind executeonly odef
92+systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
93 /.buildnativefontmap { % - .buildnativefontmap <bool>
94 systemdict /.nativefontmapbuilt .knownget not
95 { //false} if
96@@ -419,7 +419,7 @@ systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec
97 } forall
98 } if
99 % record that we've been run
100- //true //.setnativefontmapbuilt exec
101+ //true .setnativefontmapbuilt
102 } ifelse
103 } bind def
104 currentdict /.setnativefontmapbuilt .forceundef
105@@ -1103,7 +1103,7 @@ $error /SubstituteFont { } put
106
107 % Check to make sure the font was actually loaded.
108 dup 3 index .fontknownget
109- { dup /PathLoad 4 index //.putgstringcopy exec
110+ { dup /PathLoad 4 index .putgstringcopy
111 4 1 roll pop pop pop //true exit
112 } if
113
114@@ -1115,7 +1115,7 @@ $error /SubstituteFont { } put
115 { % Stack: origfontname fontdirectory path filefontname
116 2 index 1 index .fontknownget
117 { % Yes. Stack: origfontname fontdirectory path filefontname fontdict
118- dup 4 -1 roll /PathLoad exch //.putgstringcopy exec
119+ dup 4 -1 roll /PathLoad exch .putgstringcopy
120 % Stack: origfontname fontdirectory filefontname fontdict
121 3 -1 roll pop
122 % Stack: origfontname filefontname fontdict
123diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
124index eee0b9f..a8ed892 100644
125--- a/Resource/Init/gs_lev2.ps
126+++ b/Resource/Init/gs_lev2.ps
127@@ -163,10 +163,11 @@ end
128 % Set them again to the new values. From here on, we are safe,
129 % since a context switch will consult userparams.
130 .setuserparams
131-} .bind executeonly def % must be bound and hidden for .forceput
132+} .bind executeonly odef % must be bound and hidden for .forceput
133
134 /setuserparams { % <dict> setuserparams -
135- .setuserparams2
136+ {.setuserparams2} stopped
137+ {/setuserparams load $error /errorname get signalerror} if
138 } .bind odef
139 % Initialize user parameters managed here.
140 /JobName () .definepsuserparam
141@@ -415,7 +416,9 @@ psuserparams /ProcessDSCComment {.checkprocesscomment} put
142
143 % VMReclaim and VMThreshold are user parameters.
144 /setvmthreshold { % <int> setvmthreshold -
145- mark /VMThreshold 2 .argindex .dicttomark .setuserparams2 pop
146+ mark /VMThreshold 2 .argindex .dicttomark {.setuserparams2} stopped
147+ {pop /setvmthreshold load $error /errorname get signalerror}
148+ {pop} ifelse
149 } odef
150 /vmreclaim { % <int> vmreclaim -
151 dup 0 gt {
152@@ -427,7 +430,9 @@ psuserparams /ProcessDSCComment {.checkprocesscomment} put
153 ifelse
154 } {
155 % VMReclaim userparam controls enable/disable GC
156- mark /VMReclaim 2 index .dicttomark .setuserparams2 pop
157+ mark /VMReclaim 2 index .dicttomark {.setuserparams2} stopped
158+ {pop /vmreclaim load $error /errorname get signalerror}
159+ {pop} ifelse
160 } ifelse
161 } odef
162 -1 setvmthreshold
163diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
164index fb1c419..58e75d3 100644
165--- a/Resource/Init/gs_pdfwr.ps
166+++ b/Resource/Init/gs_pdfwr.ps
167@@ -660,7 +660,7 @@ currentdict /.pdfmarkparams .undef
168 {
169 pop
170 } ifelse
171-} .bind executeonly def % must be bound and hidden for .forceput
172+} .bind executeonly odef % must be bound and hidden for .forceput
173
174 % Use the DSC processing hook to pass DSC comments to the driver.
175 % We use a pseudo-parameter named DSC whose value is an array:
176diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps
177index 8fa7c51..afb4ffa 100644
178--- a/Resource/Init/gs_setpd.ps
179+++ b/Resource/Init/gs_setpd.ps
180@@ -608,6 +608,20 @@ NOMEDIAATTRS {
181 % in the <failed> dictionary with the policy value,
182 % and we replace the key in the <merged> dictionary with its prior value
183 % (or remove it if it had no prior value).
184+
185+% Making this an operator means we can properly hide
186+% the contents - specifically .forceput
187+/1Policy
188+{
189+ % Roll back the failed request to its previous status.
190+ SETPDDEBUG { (Rolling back.) = pstack flush } if
191+ 3 index 2 index 3 -1 roll .forceput
192+ 4 index 1 index .knownget
193+ { 4 index 3 1 roll .forceput }
194+ { 3 index exch .undef }
195+ ifelse
196+} bind executeonly odef
197+
198 /.policyprocs mark
199 % These procedures are called with the following on the stack:
200 % <orig> <merged> <failed> <Policies> <key> <policy>
201@@ -631,14 +645,7 @@ NOMEDIAATTRS {
202 /setpagedevice .systemvar /configurationerror signalerror
203 } ifelse
204 } bind
205- 1 { % Roll back the failed request to its previous status.
206-SETPDDEBUG { (Rolling back.) = pstack flush } if
207- 3 index 2 index 3 -1 roll .forceput
208- 4 index 1 index .knownget
209- { 4 index 3 1 roll .forceput }
210- { 3 index exch .undef }
211- ifelse
212- } .bind executeonly % must be bound and hidden for .forceput
213+ 1 /1Policy load
214 7 { % For PageSize only, just impose the request.
215 1 index /PageSize eq
216 { pop pop 1 index /PageSize 7 put }
217@@ -646,6 +653,8 @@ SETPDDEBUG { (Rolling back.) = pstack flush } if
218 ifelse
219 } bind
220 .dicttomark readonly def
221+currentdict /1Policy undef
222+
223 /.applypolicies % <orig> <merged> <failed> .applypolicies
224 % <orig> <merged'> <failed'>
225 { 1 index /Policies get 1 index
226diff --git a/Resource/Init/gs_typ32.ps b/Resource/Init/gs_typ32.ps
227index b6600b0..9150f71 100644
228--- a/Resource/Init/gs_typ32.ps
229+++ b/Resource/Init/gs_typ32.ps
230@@ -79,15 +79,19 @@ systemdict /.removeglyphs .undef
231 .dicttomark /ProcSet defineresource pop
232
233 /.cidfonttypes where { pop } { /.cidfonttypes 6 dict def } ifelse
234-.cidfonttypes begin
235-
236-4 % CIDFontType 4 = FontType 32
237-{ dup /FontType 32 .forceput
238+/CIDFontType4
239+{
240+ dup /FontType 32 .forceput
241 dup /CharStrings 20 dict .forceput
242 1 index exch .buildfont32 exch pop
243-} .bind executeonly def % must be bound and hidden for .forceput
244+} .bind executeonly odef
245+.cidfonttypes begin
246+
247+
248+4 /CIDFontType4 load def % CIDFontType 4 = FontType 32
249
250 end % .cidfonttypes
251+currentdict /CIDFontType4 .forceundef
252
253 % Define the BuildGlyph procedure.
254 % Since Type 32 fonts are indexed by CID, there is no BuildChar procedure.
255diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
256index efdae48..2935d9c 100644
257--- a/Resource/Init/gs_type1.ps
258+++ b/Resource/Init/gs_type1.ps
259@@ -283,7 +283,7 @@ currentdict /closesourcedict .undef
260 } if
261 2 copy /WeightVector exch .forceput
262 .setweightvector
263-} .bind executeonly def
264+} .bind executeonly odef
265 end
266
267 % Register the font types for definefont.
268diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
269index a82a2a3..7ccd4cd 100644
270--- a/Resource/Init/pdf_base.ps
271+++ b/Resource/Init/pdf_base.ps
272@@ -218,7 +218,7 @@ currentdict /num-chars-dict .undef
273 } ifelse
274 } ifelse
275 } ifelse
276-} bind executeonly def
277+} bind executeonly odef
278 /PDFScanRules_true << /PDFScanRules //true >> def
279 /PDFScanRules_null << /PDFScanRules //null >> def
280 /.pdfrun { % <file> <opdict> .pdfrun -
281diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
282index d1b6ac9..c239daf 100644
283--- a/Resource/Init/pdf_draw.ps
284+++ b/Resource/Init/pdf_draw.ps
285@@ -1158,7 +1158,7 @@ currentdict end readonly def
286 Q
287 PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
288 PDFfile exch setfileposition
289-} bind executeonly def
290+} bind executeonly odef
291
292 /.pdfpaintproc {
293 %% Get the /m from pdfopdict (must be present)
294@@ -1189,7 +1189,7 @@ currentdict end readonly def
295 {
296 switch_to_text_marking_ops
297 } if
298-}bind executeonly def
299+}bind executeonly odef
300
301 /resolvepattern { % <patternstreamdict> resolvepattern <patterndict>
302 % Don't do the resolvestream now: just capture the data
303@@ -2353,7 +2353,7 @@ currentdict /last-ditch-bpc-csp undef
304 }{
305 pdfdict /AppearanceNumber 0 .forceput
306 } ifelse
307-}bind executeonly def
308+}bind executeonly odef
309
310 /MakeAppearanceName {
311 pdfdict /AppearanceNumber get
312@@ -2382,7 +2382,7 @@ currentdict /last-ditch-bpc-csp undef
313 DoForm
314 pdfdict /.PreservePDFForm 3 -1 roll .forceput
315 grestore
316-} bind executeonly def
317+} bind executeonly odef
318
319 /DoForm {
320 %% save the current value, if its true we will set it to false later, in order
321@@ -2541,7 +2541,7 @@ currentdict /last-ditch-bpc-csp undef
322 end
323 } if
324 pdfdict /.PreservePDFForm 3 -1 roll .forceput
325-} bind executeonly def
326+} bind executeonly odef
327
328 /_dops_save 1 array def
329
330diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
331index feaf0d0..535b14a 100644
332--- a/Resource/Init/pdf_font.ps
333+++ b/Resource/Init/pdf_font.ps
334@@ -718,7 +718,7 @@ currentdict end readonly def
335 {pop pop pop}
336 ifelse
337
338-} bind executeonly def
339+} bind executeonly odef
340
341 currentdict /.DoToUnicode? .forceundef
342
343@@ -1241,7 +1241,7 @@ currentdict /eexec_pdf_param_dict .undef
344 } bdef
345 dup currentdict Encoding .processToUnicode
346 currentdict end .completefont exch pop
347-} bind executeonly def
348+} bind executeonly odef
349 /.adjustcharwidth { % <wx> <wy> .adjustcharwidth <wx'> <wy'>
350 % Enforce the metrics, in glyph space, to the values found in the PDF Font object
351 % - force wy == 0 (assumed, and not stored in the PDF font)
352@@ -2026,7 +2026,7 @@ currentdict /CMap_read_dict undef
353 } if
354 /findresource cvx /undefined signalerror
355 } loop
356-} bind executeonly def
357+} bind executeonly odef
358
359 /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
360 dup /BaseFont get findCIDFont exch pop
361@@ -2211,7 +2211,7 @@ currentdict /CMap_read_dict undef
362 /Type0 //buildType0
363 /Type1 //buildType1
364 /MMType1 //buildType1
365- /Type3 //buildType3
366+ /Type3 /buildType3 load
367 /TrueType //buildTrueType
368 /CIDFontType0 //buildCIDType0
369 /CIDFontType2 //buildCIDType2
370diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
371index 09f8735..c823e69 100644
372--- a/Resource/Init/pdf_main.ps
373+++ b/Resource/Init/pdf_main.ps
374@@ -660,7 +660,7 @@ currentdict /runpdfstring .undef
375 } forall
376 pop
377 } ifelse
378-} bind executeonly def
379+} bind executeonly odef
380
381 currentdict /pdf_collection_files .undef
382
383@@ -2715,7 +2715,7 @@ currentdict /PDF2PS_matrix_key undef
384 .setglobal
385 /RepairedAnError exch def
386 /Repaired exch def
387-} bind executeonly def
388+} bind executeonly odef
389
390 % Display the contents of a page (including annotations).
391 /showpagecontents { % <pagedict> showpagecontents -
392diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
393index c45fc51..8672d61 100644
394--- a/Resource/Init/pdf_ops.ps
395+++ b/Resource/Init/pdf_ops.ps
396@@ -193,7 +193,7 @@ currentdict /gput_always_allow .undef
397 pdfformaterror
398 } ifelse
399 } if
400-} bind executeonly def
401+} bind executeonly odef
402
403 % Save PDF gstate
404 /qstate { % - qstate <qstate>
405@@ -451,7 +451,7 @@ currentdict /gput_always_allow .undef
406 %% a gsave, so we haven't copied it to /self, if we don't do that here
407 %% then transparent annotations cause an invalid access error.
408 currentdict //nodict eq {/self dup load end 5 dict begin def} if
409-} bind executeonly def
410+} bind executeonly odef
411 /AIS { .setalphaisshape } bind executeonly def
412 /BM {
413 /.setblendmode where {
414@@ -1077,7 +1077,7 @@ end readonly def
415 pdfopdict /v {inside_text_v} bind .forceput
416 pdfopdict /y {inside_text_y} bind .forceput
417 pdfopdict /re {inside_text_re} bind .forceput
418-} bind executeonly def
419+} bind executeonly odef
420
421 /switch_to_normal_marking_ops {
422 pdfopdict /m {normal_m} bind .forceput
423@@ -1086,7 +1086,7 @@ end readonly def
424 pdfopdict /v {normal_v} bind .forceput
425 pdfopdict /y {normal_y} bind .forceput
426 pdfopdict /re {normal_re} bind .forceput
427-} bind executeonly def
428+} bind executeonly odef
429
430 /BT {
431 currentdict /TextSaveMatrix known {
432--
4332.7.4
434
diff --git a/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch b/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch
new file mode 100644
index 0000000000..cd78659583
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch
@@ -0,0 +1,172 @@
1From 1f9a91c86bd56acf57826b9b0e020ebe1953e2ae Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Thu, 4 Oct 2018 10:42:13 +0100
4Subject: [PATCH 3/5] Bug 699832: add control over hiding error handlers.
5
6With a previous commit changing error handling in SAFER so the handler gets
7passed a name object (rather than executable object), it is less critical to
8hide the error handlers.
9
10This introduces a -dSAFERERRORS option to force only use of the default error
11handlers.
12
13It also adds a .setsafererrors Postscript call, meaning a caller, without
14-dSAFERERRORS, can create their own default error handlers (in errordict, as
15normal), and then call .setsafererrors meaning their own handlers are always
16called.
17
18With -dSAFERERRORS or after a call to .setsafererrors, .setsafererrors is
19removed.
20
21CVE: CVE-2018-17961
22Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
23Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
24---
25 Resource/Init/gs_init.ps | 42 +++++++++++++++++++++++++++++------------
26 psi/interp.c | 49 ++++++++++++++++++++++++++++--------------------
27 2 files changed, 59 insertions(+), 32 deletions(-)
28
29diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
30index bec307d..f952f32 100644
31--- a/Resource/Init/gs_init.ps
32+++ b/Resource/Init/gs_init.ps
33@@ -188,6 +188,16 @@ currentdict /DELAYSAFER known { /DELAYSAFER //true def /NOSAFER //true def } if
34 currentdict /PARANOIDSAFER known or % PARANOIDSAFER is equivalent
35 }
36 ifelse def
37+
38+/SAFERERRORS
39+currentdict /NOSAFERERRORS known
40+{
41+ //false
42+}
43+{
44+ currentdict /SAFERERRORS known
45+} ifelse def
46+
47 currentdict /SHORTERRORS known /SHORTERRORS exch def
48 currentdict /TTYPAUSE known /TTYPAUSE exch def
49 currentdict /WRITESYSTEMDICT known /WRITESYSTEMDICT exch def
50@@ -1123,12 +1133,23 @@ errordict begin
51 } bind def
52 end % errordict
53
54-% Put all the default handlers in gserrordict
55-gserrordict
56-errordict {2 index 3 1 roll put} forall
57-noaccess pop
58-% remove the non-standard errors from errordict
59+gserrordict /unknownerror errordict /unknownerror get put
60 errordict /unknownerror .undef
61+
62+/.SAFERERRORLIST ErrorNames def
63+/.setsafererrors
64+{
65+% Put all the requested handlers in gserrordict
66+ gserrordict
67+ //.SAFERERRORLIST
68+ {dup errordict exch get 2 index 3 1 roll put} forall
69+ noaccess pop
70+ systemdict /.setsafeerrors .forceundef
71+ systemdict /.SAFERERRORLIST .forceundef
72+} bind executeonly odef
73+
74+SAFERERRORS {.setsafererrors} if
75+
76 % Define a stable private copy of handleerror that we will always use under
77 % JOBSERVER mode.
78 /.GShandleerror errordict /handleerror get def
79@@ -1760,18 +1781,15 @@ currentdict /.runlibfile .undef
80
81 % Bind all the operators defined as procedures.
82 /.bindoperators % binds operators in currentdict
83- { % Temporarily disable the typecheck error.
84- errordict /typecheck 2 copy get
85- errordict /typecheck { pop } put % pop the command
86+ {
87 currentdict
88 { dup type /operatortype eq
89- { % This might be a real operator, so bind might cause a typecheck,
90- % but we've made the error a no-op temporarily.
91- .bind
92+ {
93+ % This might be a real operator, so bind might cause a typecheck
94+ {.bind} .internalstopped pop
95 }
96 if pop pop
97 } forall
98- put
99 } def
100 DELAYBIND not { .bindoperators } if
101
102diff --git a/psi/interp.c b/psi/interp.c
103index 3dd5f7a..cd894f9 100644
104--- a/psi/interp.c
105+++ b/psi/interp.c
106@@ -662,27 +662,18 @@ again:
107 if (gs_errorname(i_ctx_p, code, &error_name) < 0)
108 return code; /* out-of-range error code! */
109
110- /* If LockFilePermissions is true, we only refer to gserrordict, which
111- * is not accessible to Postcript jobs
112+ /* We refer to gserrordict first, which is not accessible to Postcript jobs
113+ * If we're running with SAFERERRORS all the handlers are copied to gserrordict
114+ * so we'll always find the default one. If not SAFERERRORS, only gs specific
115+ * errors are in gserrordict.
116 */
117- if (i_ctx_p->LockFilePermissions) {
118- if (((dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 ||
119- dict_find(perrordict, &error_name, &epref) <= 0))
120- )
121- return code; /* error name not in errordict??? */
122- }
123- else {
124- /*
125- * For greater Adobe compatibility, only the standard PostScript errors
126- * are defined in errordict; the rest are in gserrordict.
127- */
128- if (dict_find_string(systemdict, "errordict", &perrordict) <= 0 ||
129- (dict_find(perrordict, &error_name, &epref) <= 0 &&
130- (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 ||
131- dict_find(perrordict, &error_name, &epref) <= 0))
132- )
133- return code; /* error name not in errordict??? */
134- }
135+ if (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 ||
136+ (dict_find(perrordict, &error_name, &epref) <= 0 &&
137+ (dict_find_string(systemdict, "errordict", &perrordict) <= 0 ||
138+ dict_find(perrordict, &error_name, &epref) <= 0))
139+ )
140+ return code; /* error name not in errordict??? */
141+
142 doref = *epref;
143 epref = &doref;
144 /* Push the error object on the operand stack if appropriate. */
145@@ -695,6 +686,24 @@ again:
146 }
147 *osp = *perror_object;
148 errorexec_find(i_ctx_p, osp);
149+ /* If using SAFER, hand a name object to the error handler, rather than the executable
150+ * object/operator itself.
151+ */
152+ if (i_ctx_p->LockFilePermissions) {
153+ code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr);
154+ if (code < 0) {
155+ const char *unknownstr = "--unknown--";
156+ rlen = strlen(unknownstr);
157+ memcpy(buf, unknownstr, rlen);
158+ }
159+ else {
160+ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
161+ rlen += 4;
162+ }
163+ code = name_ref(imemory, buf, rlen, osp, 1);
164+ if (code < 0)
165+ make_null(osp);
166+ }
167 }
168 goto again;
169 }
170--
1712.7.4
172
diff --git a/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch b/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch
new file mode 100644
index 0000000000..6c715ad43b
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch
@@ -0,0 +1,105 @@
1From 34a8c5aa987d4db5234172a62218b168371606b1 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Tue, 2 Oct 2018 16:02:58 +0100
4Subject: [PATCH 4/5] For hidden operators, pass a name object to error
5 handler.
6
7In normal operation, Postscript error handlers are passed the object which
8triggered the error: this is invariably an operator object.
9
10The issue arises when an error is triggered by an operator which is for internal
11use only, and that operator is then passed to the error handler, meaning it
12becomes visible to the error handler code.
13
14By converting to a name object, the error message is still valid, but we no
15longer expose internal use only operators.
16
17The change in gs_dps1.ps is related to the above: previously an error in
18scheck would throw an error against .gcheck, but as .gcheck is now a hidden
19operator, it resulted in a name object being passed to the error handler. As
20scheck is a 'real' operator, it's better to use the real operator, rather than
21the name of an internal, hidden one.
22
23CVE: CVE-2018-17961
24Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
25Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
26---
27 Resource/Init/gs_dps1.ps | 2 +-
28 psi/interp.c | 33 ++++++++++++++++++++++++---------
29 2 files changed, 25 insertions(+), 10 deletions(-)
30
31diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
32index 1182f53..ec5db61 100644
33--- a/Resource/Init/gs_dps1.ps
34+++ b/Resource/Init/gs_dps1.ps
35@@ -21,7 +21,7 @@ level2dict begin
36 % ------ Virtual memory ------ %
37
38 /currentshared /.currentglobal load def
39-/scheck /.gcheck load def
40+/scheck {.gcheck} bind odef
41 %****** FOLLOWING IS WRONG ******
42 /shareddict currentdict /globaldict .knownget not { 20 dict } if def
43
44diff --git a/psi/interp.c b/psi/interp.c
45index cd894f9..b70769d 100644
46--- a/psi/interp.c
47+++ b/psi/interp.c
48@@ -678,6 +678,8 @@ again:
49 epref = &doref;
50 /* Push the error object on the operand stack if appropriate. */
51 if (!GS_ERROR_IS_INTERRUPT(code)) {
52+ byte buf[260], *bufptr;
53+ uint rlen;
54 /* Replace the error object if within an oparray or .errorexec. */
55 osp++;
56 if (osp >= ostop) {
57@@ -686,23 +688,36 @@ again:
58 }
59 *osp = *perror_object;
60 errorexec_find(i_ctx_p, osp);
61- /* If using SAFER, hand a name object to the error handler, rather than the executable
62- * object/operator itself.
63- */
64- if (i_ctx_p->LockFilePermissions) {
65+
66+ if (!r_has_type(osp, t_string) && !r_has_type(osp, t_name)) {
67 code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr);
68 if (code < 0) {
69 const char *unknownstr = "--unknown--";
70 rlen = strlen(unknownstr);
71 memcpy(buf, unknownstr, rlen);
72+ bufptr = buf;
73 }
74 else {
75- buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
76- rlen += 4;
77+ ref *tobj;
78+ bufptr[rlen] = '\0';
79+ /* Only pass a name object if the operator doesn't exist in systemdict
80+ * i.e. it's an internal operator we have hidden
81+ */
82+ code = dict_find_string(systemdict, (const char *)bufptr, &tobj);
83+ if (code < 0) {
84+ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
85+ rlen += 4;
86+ bufptr = buf;
87+ }
88+ else {
89+ bufptr = NULL;
90+ }
91+ }
92+ if (bufptr) {
93+ code = name_ref(imemory, buf, rlen, osp, 1);
94+ if (code < 0)
95+ make_null(osp);
96 }
97- code = name_ref(imemory, buf, rlen, osp, 1);
98- if (code < 0)
99- make_null(osp);
100 }
101 }
102 goto again;
103--
1042.7.4
105
diff --git a/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch b/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch
new file mode 100644
index 0000000000..4924b3cac6
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch
@@ -0,0 +1,31 @@
1From f0a61679d28bc1561640403d92492e199bc1c0f3 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Wed, 10 Oct 2018 23:25:51 +0100
4Subject: [PATCH 5/5] Bug 699938: .loadfontloop must be an operator
5
6In the fix for Bug 699816, I omitted to make .loadfontloop into an operator, to
7better hide .forceundef and .putgstringcopy.
8
9CVE: CVE-2018-17961
10Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
11Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
12---
13 Resource/Init/gs_fonts.ps | 2 +-
14 1 file changed, 1 insertion(+), 1 deletion(-)
15
16diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
17index 89c3ab7..72feff2 100644
18--- a/Resource/Init/gs_fonts.ps
19+++ b/Resource/Init/gs_fonts.ps
20@@ -1148,7 +1148,7 @@ $error /SubstituteFont { } put
21
22 } loop % end of loop
23
24- } bind executeonly def % must be bound and hidden for .putgstringcopy
25+ } bind executeonly odef % must be bound and hidden for .putgstringcopy
26
27 currentdict /.putgstringcopy .undef
28
29--
302.7.4
31
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.25.bb b/meta/recipes-extended/ghostscript/ghostscript_9.25.bb
index 35eaaeb2fa..55251a55d4 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.25.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.25.bb
@@ -25,6 +25,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
25 file://do-not-check-local-libpng-source.patch \ 25 file://do-not-check-local-libpng-source.patch \
26 file://avoid-host-contamination.patch \ 26 file://avoid-host-contamination.patch \
27 file://mkdir-p.patch \ 27 file://mkdir-p.patch \
28 file://0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch \
29 file://0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch \
30 file://0003-Bug-699832-add-control-over-hiding-error-handlers.patch \
31 file://0004-For-hidden-operators-pass-a-name-object-to-error-han.patch \
32 file://0005-Bug-699938-.loadfontloop-must-be-an-operator.patch \
28" 33"
29 34
30SRC_URI = "${SRC_URI_BASE} \ 35SRC_URI = "${SRC_URI_BASE} \