summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNaveen Saini <naveen.kumar.saini@intel.com>2019-07-31 15:18:51 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-09-30 16:44:41 +0100
commitbd1ccd4c28c99ae65a00b03ae98c4cde67f0043c (patch)
tree6149f50d9bc965f9afb81356d20cec63a76e8f22
parent787ec750a21df3d712de2a92d7bd9349244e51f5 (diff)
downloadpoky-bd1ccd4c28c99ae65a00b03ae98c4cde67f0043c.tar.gz
ghostscript: fix CVE-2019-3839
(From OE-Core rev: 4f608782e43accb23aa144339ed9169b1718c4f0) Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch440
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.26.bb1
2 files changed, 441 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
new file mode 100644
index 0000000000..4be1c84f92
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
@@ -0,0 +1,440 @@
1From c253752ef731f49922e0a97490d1ef09ca697c91 Mon Sep 17 00:00:00 2001
2From: Ray Johnston <ray.johnston@artifex.com>
3Date: Thu, 31 Jan 2019 11:31:30 -0800
4Subject: [PATCH] Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF
5 interp).
6
7We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict
8where needed so we can undef it after the last PDF interp file has
9run (pdf_sec.ps).
10
11CVE: CVE-2019-3839
12Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9]
13Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
14---
15 Resource/Init/pdf_base.ps | 11 ++++----
16 Resource/Init/pdf_draw.ps | 59 +++++++++++++++++++--------------------
17 Resource/Init/pdf_font.ps | 9 +++---
18 Resource/Init/pdf_main.ps | 25 +++++++++--------
19 Resource/Init/pdf_ops.ps | 11 ++++----
20 Resource/Init/pdf_sec.ps | 4 ++-
21 6 files changed, 60 insertions(+), 59 deletions(-)
22
23diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
24index e35e0e373..13dd51f46 100644
25--- a/Resource/Init/pdf_base.ps
26+++ b/Resource/Init/pdf_base.ps
27@@ -23,7 +23,6 @@
28
29 /.setlanguagelevel where { pop 2 .setlanguagelevel } if
30 .currentglobal //true .setglobal
31-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
32 pdfdict begin
33
34 % Define the name interpretation dictionary for reading values.
35@@ -133,11 +132,11 @@ currentdict /num-chars-dict .undef
36
37 /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
38 PDFDEBUG {
39- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
40+ //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if
41 PDFSTEP {
42- pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
43+ //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
44 PDFSTEPcount 1 gt {
45- pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
46+ //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
47 } executeonly
48 {
49 dup ==only
50@@ -145,10 +144,10 @@ currentdict /num-chars-dict .undef
51 ( ? ) print flush 1 //false .outputpage
52 (%stdin) (r) file 255 string readline {
53 token {
54- exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
55+ exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput
56 } executeonly
57 {
58- pdfdict /PDFSTEPcount 1 .forceput
59+ //pdfdict /PDFSTEPcount 1 .forceput
60 } executeonly ifelse % token
61 } {
62 pop /PDFSTEP //false def % EOF on stdin
63diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
64index 36c41a9a3..2e39c87d2 100644
65--- a/Resource/Init/pdf_draw.ps
66+++ b/Resource/Init/pdf_draw.ps
67@@ -18,8 +18,7 @@
68
69 /.setlanguagelevel where { pop 2 .setlanguagelevel } if
70 .currentglobal //true .setglobal
71-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
72-GS_PDF_ProcSet begin
73+/GS_PDF_ProcSet load begin
74 pdfdict begin
75
76 % For simplicity, we use a single interpretation dictionary for all
77@@ -113,7 +112,7 @@ pdfdict begin
78
79 /resolvefunction { % <fndict> resolvefunction <function>
80 .resolvefn
81- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
82+ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
83 } bind executeonly def
84
85 /resolvefnproc { % <fndict> resolvefnproc <proc>
86@@ -1086,7 +1085,7 @@ currentdict end readonly def
87 %% finished running the PaintProc.
88
89 /.actual_pdfpaintproc { % <patdict> <resdict> .pdfpaintproc -
90- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
91+ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
92 PDFfile fileposition 3 1 roll
93 q
94 1 index /PaintType oget 1 eq {
95@@ -1121,21 +1120,21 @@ currentdict end readonly def
96 Q
97 }{
98 (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
99- pdfdict /.Qqwarning_issued .knownget
100+ //pdfdict /.Qqwarning_issued .knownget
101 {
102 {
103 pop
104 }
105 {
106- currentglobal pdfdict gcheck .setglobal
107- pdfdict /.Qqwarning_issued //true .forceput
108+ currentglobal //pdfdict gcheck .setglobal
109+ //pdfdict /.Qqwarning_issued //true .forceput
110 .setglobal
111 pdfformaterror
112 } executeonly ifelse
113 }
114 {
115- currentglobal pdfdict gcheck .setglobal
116- pdfdict /.Qqwarning_issued //true .forceput
117+ currentglobal //pdfdict gcheck .setglobal
118+ //pdfdict /.Qqwarning_issued //true .forceput
119 .setglobal
120 pdfformaterror
121 } executeonly ifelse
122@@ -1144,21 +1143,21 @@ currentdict end readonly def
123 } loop
124 {
125 (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
126- pdfdict /.Qqwarning_issued .knownget
127+ //pdfdict /.Qqwarning_issued .knownget
128 {
129 {
130 pop
131 }
132 {
133- currentglobal pdfdict gcheck .setglobal
134- pdfdict /.Qqwarning_issued //true .forceput
135+ currentglobal //pdfdict gcheck .setglobal
136+ //pdfdict /.Qqwarning_issued //true .forceput
137 .setglobal
138 pdfformaterror
139 } executeonly ifelse
140 }
141 {
142- currentglobal pdfdict gcheck .setglobal
143- pdfdict /.Qqwarning_issued //true .forceput
144+ currentglobal //pdfdict gcheck .setglobal
145+ //pdfdict /.Qqwarning_issued //true .forceput
146 .setglobal
147 pdfformaterror
148 } executeonly ifelse
149@@ -1169,7 +1168,7 @@ currentdict end readonly def
150 /pdfemptycount exch def
151
152 Q
153- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
154+ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
155 PDFfile exch setfileposition
156 } bind executeonly odef
157
158@@ -1240,7 +1239,7 @@ currentdict end readonly def
159 ] cvx put
160 dup /BBox 2 copy knownoget { normrect FixPatternBBox put } { pop pop } ifelse
161 dup /.pattern_uses_transparency 1 index patternusestransparency put
162- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
163+ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
164 } bind executeonly def
165
166 /ignore_color_op ( **** Error: Ignoring a color operation in a cached context.\n Output may be incorrect.\n) readonly def
167@@ -2361,16 +2360,16 @@ currentdict /last-ditch-bpc-csp undef
168 } bind executeonly def
169
170 /IncrementAppearanceNumber {
171- pdfdict /AppearanceNumber .knownget {
172- 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
173+ //pdfdict /AppearanceNumber .knownget {
174+ 1 add //pdfdict /AppearanceNumber 3 -1 roll .forceput
175 } executeonly
176 {
177- pdfdict /AppearanceNumber 0 .forceput
178+ //pdfdict /AppearanceNumber 0 .forceput
179 } executeonly ifelse
180 }bind executeonly odef
181
182 /MakeAppearanceName {
183- pdfdict /AppearanceNumber get
184+ //pdfdict /AppearanceNumber get
185 10 string cvs
186 dup length 10 add string dup 0 (\{FormName) putinterval
187 dup 3 -1 roll
188@@ -2391,17 +2390,17 @@ currentdict /last-ditch-bpc-csp undef
189 gsave initclip
190 MakeNewAppearanceName
191 .pdfFormName
192- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
193- pdfdict /.PreservePDFForm true .forceput
194+ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
195+ //pdfdict /.PreservePDFForm true .forceput
196 DoForm
197- pdfdict /.PreservePDFForm 3 -1 roll .forceput
198+ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
199 grestore
200 } bind executeonly odef
201
202 /DoForm {
203 %% save the current value, if its true we will set it to false later, in order
204 %% to prevent us preserving Forms which are used *from* an annotation /Appearance.
205- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
206+ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
207
208 %% We may alter the Default* colour spaces, if the Resources
209 %% ColorSpace entry contains one of them. But we don't want that
210@@ -2516,13 +2515,13 @@ currentdict /last-ditch-bpc-csp undef
211 pdfemptycount countdictstack 3 -1 roll
212 /pdfemptycount count 4 sub store
213
214- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get}{//false} ifelse
215+ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get}{//false} ifelse
216 {
217 %% We must *not* preserve any subsidiary forms (curently at least) as PDF
218 %% form preservation doesn't really work. This is used just for Annotation
219 %% Appearances currently, and if they should happen to use a form, we do not
220 %% want to preserve it.
221- pdfdict /.PreservePDFForm false .forceput
222+ //pdfdict /.PreservePDFForm false .forceput
223 /q cvx /execform cvx 5 -2 roll
224 } executeonly
225 {
226@@ -2555,7 +2554,7 @@ currentdict /last-ditch-bpc-csp undef
227 saved_DCMYK /DefaultCMYK exch /ColorSpace defineresource pop
228 end
229 } if
230- pdfdict /.PreservePDFForm 3 -1 roll .forceput
231+ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
232 } bind executeonly odef
233
234 /_dops_save 1 array def
235@@ -2714,13 +2713,13 @@ drawopdict begin
236 % Start by getting the object number for a Form XObject
237 dup Page /XObject obj_get dup 0 eq not {
238 % Now get the recording dictionary and see if that object number has been seen
239- pdfdict /Recursive_XObject_D get 1 index known {
240+ //pdfdict /Recursive_XObject_D get 1 index known {
241 ( **** Error: Recursive XObject detected, ignoring ") print 1 index 256 string cvs print (", object number ) print 256 string cvs print (\n) print
242 ( Output may be incorrect.\n) pdfformaterror
243 //false
244 }{
245 % We haven't seen it yet, so record it.
246- pdfdict /Recursive_XObject_D get 1 index null put
247+ //pdfdict /Recursive_XObject_D get 1 index null put
248 3 1 roll
249 //true
250 }ifelse
251@@ -2758,7 +2757,7 @@ drawopdict begin
252 ( Output may be incorrect.\n) pdfformaterror
253 } ifelse
254 PDFfile exch setfileposition
255- pdfdict /Recursive_XObject_D get exch undef
256+ //pdfdict /Recursive_XObject_D get exch undef
257 }{
258 % Otherwise ignore it and tidy up the stacks
259 pop pop
260diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
261index 7e35c02ac..6b09be61f 100644
262--- a/Resource/Init/pdf_font.ps
263+++ b/Resource/Init/pdf_font.ps
264@@ -37,8 +37,7 @@
265
266 /.setlanguagelevel where { pop 2 .setlanguagelevel } if
267 .currentglobal //true .setglobal
268-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
269-GS_PDF_ProcSet begin
270+/GS_PDF_ProcSet load begin % from userdict at this point
271 pdfdict begin
272
273 % We cache the PostScript font in an additional element of the
274@@ -1227,11 +1226,11 @@ currentdict /eexec_pdf_param_dict .undef
275 .pdfruncontext
276 countdictstack BuildCharDictDepth sub
277 {
278- pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
279+ //pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
280 {
281 (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
282 pdfformatwarning
283- pdfdict /.Qqwarning_issued //true .forceput
284+ //pdfdict /.Qqwarning_issued //true .forceput
285 } executeonly if
286 Q
287 } repeat
288@@ -2361,7 +2360,7 @@ currentdict /bndef undef
289 dup //null eq
290 {pop}
291 {
292- pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
293+ //pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
294 exch dup /.OrigUniqueIDXUID .knownget not
295 {
296 dup /XUID .knownget not
297diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
298index 0a8929a2a..c1de1b0ef 100644
299--- a/Resource/Init/pdf_main.ps
300+++ b/Resource/Init/pdf_main.ps
301@@ -18,8 +18,9 @@
302
303 /.setlanguagelevel where { pop 2 .setlanguagelevel } if
304 .currentglobal //true .setglobal
305-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
306 pdfdict begin
307+/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it
308+userdict /GS_PDF_ProcSet undef
309
310 % Patch in an obsolete variable used by some third-party software.
311 /#? //false def
312@@ -304,8 +305,8 @@ currentdict /runpdfstring .undef
313 /Page //null def
314 /DSCPageCount 0 def
315 /PDFSave //null def
316- GS_PDF_ProcSet begin
317- pdfdict begin
318+ //pdfdict /GS_PDF_ProcSet get begin
319+ //pdfdict begin
320 pdfopen begin
321 /CumulativePageCount currentpagedevice /PageCount get def
322 } bind executeonly def
323@@ -624,7 +625,7 @@ currentdict /runpdfstring .undef
324 %% copied to a temporary file) and store it in pdfdict. We will use this for
325 %% hashing fonts to detect if fonts with the same name are from different files.
326 %%
327- dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch pdfdict 3 1 roll .forceput
328+ dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch //pdfdict 3 1 roll .forceput
329
330 //runpdfbegin exec
331 //pdf_collection_files exec
332@@ -1390,7 +1391,7 @@ currentdict /xref-char-dict undef
333 } bind executeonly def
334
335 /pdfopenfile { % <file> pdfopenfile <dict>
336- pdfdict readonly pop % can't do it any earlier than this
337+ //pdfdict readonly pop % can't do it any earlier than this
338 32 dict begin
339 /LocalResources 0 dict def
340 /DefaultQstate //null def % establish binding
341@@ -2717,21 +2718,21 @@ currentdict /PDF2PS_matrix_key undef
342 StreamRunAborted not {
343 (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
344
345- pdfdict /.Qqwarning_issued .knownget
346+ //pdfdict /.Qqwarning_issued .knownget
347 {
348 {
349 pop
350 }
351 {
352- currentglobal pdfdict gcheck .setglobal
353- pdfdict /.Qqwarning_issued //true .forceput
354+ currentglobal //pdfdict gcheck .setglobal
355+ //pdfdict /.Qqwarning_issued //true .forceput
356 .setglobal
357 pdfformaterror
358 } executeonly ifelse
359 }
360 {
361- currentglobal pdfdict gcheck .setglobal
362- pdfdict /.Qqwarning_issued //true .forceput
363+ currentglobal //pdfdict gcheck .setglobal
364+ //pdfdict /.Qqwarning_issued //true .forceput
365 .setglobal
366 pdfformaterror
367 } executeonly ifelse
368@@ -2743,8 +2744,8 @@ currentdict /PDF2PS_matrix_key undef
369 Repaired % pass Repaired state around the restore
370 RepairedAnError
371 PDFSave restore
372- currentglobal pdfdict gcheck .setglobal
373- pdfdict /.Qqwarning_issued //false .forceput
374+ currentglobal //pdfdict gcheck .setglobal
375+ //pdfdict /.Qqwarning_issued //false .forceput
376 .setglobal
377 /RepairedAnError exch def
378 /Repaired exch def
379diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
380index 34e2fbd58..46de547f7 100644
381--- a/Resource/Init/pdf_ops.ps
382+++ b/Resource/Init/pdf_ops.ps
383@@ -24,6 +24,7 @@
384 systemdict /pdfmark known not
385 { userdict /pdfmark { cleartomark } bind executeonly put } if
386
387+systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse
388 userdict /GS_PDF_ProcSet 256 dict dup begin
389
390 % ---------------- Abbreviations ---------------- %
391@@ -174,21 +175,21 @@ currentdict /gput_always_allow .undef
392 {
393 (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
394
395- pdfdict /.Qqwarning_issued .knownget
396+ //pdfdict /.Qqwarning_issued .knownget
397 {
398 {
399 pop
400 }
401 {
402- currentglobal pdfdict gcheck .setglobal
403- pdfdict /.Qqwarning_issued //true .forceput
404+ currentglobal //pdfdict gcheck .setglobal
405+ //pdfdict /.Qqwarning_issued //true .forceput
406 .setglobal
407 pdfformaterror
408 } executeonly ifelse
409 }
410 {
411- currentglobal pdfdict gcheck .setglobal
412- pdfdict /.Qqwarning_issued //true .forceput
413+ currentglobal //pdfdict gcheck .setglobal
414+ //pdfdict /.Qqwarning_issued //true .forceput
415 .setglobal
416 pdfformaterror
417 } executeonly ifelse
418diff --git a/Resource/Init/pdf_sec.ps b/Resource/Init/pdf_sec.ps
419index d8cc94c86..163dd6877 100644
420--- a/Resource/Init/pdf_sec.ps
421+++ b/Resource/Init/pdf_sec.ps
422@@ -39,7 +39,6 @@
423
424 /.setlanguagelevel where { pop 2 .setlanguagelevel } if
425 .currentglobal //true .setglobal
426-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
427 pdfdict begin
428
429 % Older ghostscript versions do not have .pdftoken, so we use 'token' instead.
430@@ -748,4 +747,7 @@ currentdict /PDFScanRules_null undef
431 } bind executeonly def
432
433 end % pdfdict
434+
435+systemdict /pdfdict .forceundef % hide pdfdict
436+
437 .setglobal
438--
4392.17.1
440
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
index 2630084a07..03e4569dbc 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${SRC_URI_BASE} \
45 file://CVE-2019-3835-0004.patch \ 45 file://CVE-2019-3835-0004.patch \
46 file://CVE-2019-3838-0001.patch \ 46 file://CVE-2019-3838-0001.patch \
47 file://CVE-2019-3838-0002.patch \ 47 file://CVE-2019-3838-0002.patch \
48 file://CVE-2019-3839-0008.patch \
48 " 49 "
49 50
50SRC_URI_class-native = "${SRC_URI_BASE} \ 51SRC_URI_class-native = "${SRC_URI_BASE} \