summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Ghinea <stefan.ghinea@windriver.com>2019-09-10 09:34:12 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-09-16 23:02:44 +0100
commit7f87451e6ea28cb028598e5358387d2c06e291a9 (patch)
tree143eb226c481418dcc1bbb4f4724a8e7249d3712
parent7920994ba885f6ffbf4f152ff6369a714775b9e0 (diff)
downloadpoky-7f87451e6ea28cb028598e5358387d2c06e291a9.tar.gz
ghostscript: CVE-2019-14811, CVE-2019-14817
A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in, ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. References: https://nvd.nist.gov/vuln/detail/CVE-2019-14811 https://nvd.nist.gov/vuln/detail/CVE-2019-14817 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19 (From OE-Core rev: 1533b92848ea73d6fe6ba22d87d7b6749b47842c) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch68
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch270
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch236
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.27.bb3
4 files changed, 577 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
new file mode 100644
index 0000000000..3f28555e8a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
@@ -0,0 +1,68 @@
1From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
2From: Ken Sharp <ken.sharp@artifex.com>
3Date: Tue, 20 Aug 2019 10:10:28 +0100
4Subject: [PATCH] make .forceput inaccessible
5
6Bug #701343, #701344, #701345
7
8More defensive programming. We don't want people to access .forecput
9even though it is no longer sufficient to bypass SAFER. The exploit
10in #701343 didn't work anyway because of earlier work to stop the error
11handler being used, but nevertheless, prevent access to .forceput from
12.setuserparams2.
13
14CVE: CVE-2019-14811
15Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
16
17Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
18---
19 Resource/Init/gs_lev2.ps | 6 +++---
20 Resource/Init/gs_pdfwr.ps | 4 ++--
21 2 files changed, 5 insertions(+), 5 deletions(-)
22
23diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
24index 98d55fe..f1b771f 100644
25--- a/Resource/Init/gs_lev2.ps
26+++ b/Resource/Init/gs_lev2.ps
27@@ -158,7 +158,7 @@ end
28 {
29 pop pop
30 } ifelse
31- } forall
32+ } executeonly forall
33 % A context switch might have occurred during the above loop,
34 % causing the interpreter-level parameters to be reset.
35 % Set them again to the new values. From here on, we are safe,
36@@ -229,9 +229,9 @@ end
37 { pop pop
38 }
39 ifelse
40- }
41+ } executeonly
42 forall pop
43-} .bind odef
44+} .bind executeonly odef
45
46 % Initialize the passwords.
47 % NOTE: the names StartJobPassword and SystemParamsPassword are known to
48diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
49index 00c19fa..dfe504d 100644
50--- a/Resource/Init/gs_pdfwr.ps
51+++ b/Resource/Init/gs_pdfwr.ps
52@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
53 systemdict /.pdf_hooked_DSC_Creator //true .forceput
54 } executeonly if
55 pop
56- } if
57+ } executeonly if
58 } {
59 pop
60 } ifelse
61- }
62+ } executeonly
63 {
64 pop
65 } ifelse
66--
672.20.1
68
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch
new file mode 100644
index 0000000000..c76e21caa6
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch
@@ -0,0 +1,270 @@
1From 0bafbd9c1273fab0dc79fd20db0ffc4443683f96 Mon Sep 17 00:00:00 2001
2From: Ken Sharp <ken.sharp@artifex.com>
3Date: Mon, 29 Apr 2019 11:14:06 +0100
4Subject: [PATCH 1/2] PDF interpreter - Decode ToUnicode entries of the form
5 /Identity-H/V
6
7Bug #701003 "Text searchability broken due to omission of /ToUnicode /Identity-H"
8
9The PDF references from 1.2 too 2.0 all state that the value associated
10with a ToUnicode key in a FontDescriptor must be a stream object. However
11this file (and one case seen previously, bug 687351) have FontDescriptor
12dictionaries where the value associated with a /ToUnicode key is a
13name object, in both cases /Identity-H.
14
15Although this is clearly not legal, Acrobat not only tolerates it, it
16actually uses it for search/copy/paste (see bug 701003 for details).
17Without the key Acrobat is unable to successfully search the output file.
18
19We can't simply preserve the name object as a ToUnicode value; when
20handling ToUnicode we actually decode the CMap and build a
21GlyphNames2Unicode map (an internal representation of the G2U data
22produced by the Microsoft PostScript printer driver). When writing the
23output file we use that information to get a Unicode value for each
24character we write, and build a new ToUnicode CMap using that.
25
26This commit tackles the problem by pre-scanning for a name object and
27then checking to see if its Identity-H or Identity-V (although we have
28not seen an Identity-V, there seems no reason why it wouldn't be
29equally valid). If we find either of these then we construct a
30GlyphNames2Unicode table for all possible values (0 - 65535) and store
31that with the font as normal. When we write the output file we only
32write the required entries for the subset font, so we write a now
33completely legal ToUnicode CMap, and Acrobat is equally happy with that
34as the original name.
35
36If the ToUnicode value isn't a name object, or isn't one of the
37identities then we proceed as before. This means we will print a
38warning for non conforming ToUnicode entries and ignore them.
39
40CVE: CVE-2019-14817
41Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
42
43Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
44---
45 Resource/Init/pdf_font.ps | 200 ++++++++++++++++++++++++--------------
46 1 file changed, 129 insertions(+), 71 deletions(-)
47
48diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
49index 9fb85f6..2df3303 100644
50--- a/Resource/Init/pdf_font.ps
51+++ b/Resource/Init/pdf_font.ps
52@@ -621,86 +621,144 @@ currentdict end readonly def
53 PDFDEBUG {
54 (.processToUnicode beg) =
55 } if
56- 2 index /ToUnicode knownoget {
57- dup type /dicttype eq { dup /File known not } { //true } ifelse {
58- % We undefine wrong /Length and define /File in stream dictionaries.
59- % Bug687351.pdf defines /ToUnicode /Identity-H, what is incorrect.
60- ( **** Warning: Ignoring bad ToUnicode CMap.\n) pdfformatwarning
61- pop
62+
63+ 2 index /ToUnicode knownoget
64+ {
65+ dup type /nametype eq {
66+ % This is contrary to the specification but it seems that Acrobat at least will accept
67+ % a ToUnicode with a value of Identity-H *and* will use that for search, copy/paste.
68+ % We can't pass through a name, so the best we can do is build a GlyphNames2Unicode
69+ % map matching that which would have been generated by a full 16-bit Identity CMap
70+ %
71+ % See bug numbers 701003 and 687351
72+ %
73+ dup /Identity-H eq 1 index /Identity-V eq or{
74+ pop
75+ 1 index /FontInfo .knownget not {
76+ currentglobal 2 index dup gcheck setglobal
77+ /FontInfo 5 dict dup 5 1 roll .forceput
78+ setglobal
79+ } if
80+ dup /GlyphNames2Unicode .knownget not {
81+ //true % No existing G2U, make one
82+ } {
83+ dup wcheck {
84+ //false % Existing, writeable G2U, don't make new one
85+ } {
86+ pop //true % Existing read only G2U, make new one
87+ } ifelse
88+ } ifelse
89+ {
90+ currentglobal exch dup gcheck setglobal
91+ dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput
92+ 3 2 roll setglobal
93+ } if % font-res font-dict encoding|null font-info g2u
94+
95+ 0 1 65535{
96+ % g2u index
97+ dup dup 256 mod exch 256 idiv % g2u index lo-byte hi-byte
98+ 2 string dup 0 4 -1 roll % g2u index lo-byte () () 0 hi-byte
99+ put % g2u index lo-byte (x)
100+ dup 1 % g2u index lo-byte (x) (x) 1
101+ 4 -1 roll put % g2u index (x) (x) 1 lo-byte -> dict index (xx)
102+ 2 index % g2u index (xx) dict
103+ 3 1 roll % g2u g2u index (xx)
104+ put % g2u
105+ } for
106+ pop % font-res font-dict encoding|null font-info
107+ pop % font-res font-dict encoding|null
108+ //false % We built a GlyphNames2Unicode table, don't need to process further
109+ }{
110+ //true % name is not Identity-V or H, fail by falling through
111+ }ifelse
112 } {
113- /PDFScanRules .getuserparam dup //null eq {
114- pop //PDFScanRules_null
115- } {
116- 1 dict dup /PDFScanRules 4 -1 roll put
117- } ifelse
118- //PDFScanRules_true setuserparams
119- PDFfile fileposition
120- 3 -1 roll
121- count 1 sub
122- countdictstack
123- { //false resolvestream
124- % Following Acrobat we ignore everything outside
125- % begincodespacerange .. endcmap.
126- dup 0 (begincodespacerange) /SubFileDecode filter flushfile
127- /CIDInit /ProcSet findresource begin
128- //ToUnicodeCMapReader begin
129- 12 dict begin
130- /CMapType 2 def
131- mark exch % emulate 'begincodespacerange'
132- 0 (endcmap) /SubFileDecode filter cvx /begincmap cvx exch 2 .execn
133- endcmap
134- userdict /.lastToUnicode currentdict put
135- end end end
136- }
137+ //true
138+ } ifelse % not a name, try as a dictionary (as specified)
139
140- PDFSTOPONERROR {
141- { exec } 0 get
142- //false
143- 5 -2 roll
144- 5
145+ % If the ToUnicode isn't a name, or the name isn't Identity-V or -H then follow the specification
146+ % If its not a dictionary type throw an error, otherwise decode it and build a GlyphNames2Unicode
147+ %
148+ {
149+ dup type /dicttype eq { dup /File known not } { //true } ifelse {
150+ % We undefine wrong /Length and define /File in stream dictionaries.
151+ % Bug687351.pdf defines /ToUnicode /Identity-H, what is incorrect.
152+ ( **** Warning: Ignoring bad ToUnicode CMap.\n) pdfformatwarning
153+ pop
154 } {
155- { stopped } 0 get
156- 4 2 roll
157- 4
158- } ifelse
159- array astore cvx exec
160+ /PDFScanRules .getuserparam dup //null eq {
161+ pop //PDFScanRules_null
162+ } {
163+ 1 dict dup /PDFScanRules 4 -1 roll put
164+ } ifelse
165+ //PDFScanRules_true setuserparams
166+ PDFfile fileposition
167+ 3 -1 roll
168+ count 1 sub
169+ countdictstack
170+ { //false resolvestream
171+ % Following Acrobat we ignore everything outside
172+ % begincodespacerange .. endcmap.
173+ dup 0 (begincodespacerange) /SubFileDecode filter flushfile
174+ /CIDInit /ProcSet findresource begin
175+ //ToUnicodeCMapReader begin
176+ 12 dict begin
177+ /CMapType 2 def
178+ mark exch % emulate 'begincodespacerange'
179+ 0 (endcmap) /SubFileDecode filter cvx /begincmap cvx exch 2 .execn
180+ endcmap
181+ userdict /.lastToUnicode currentdict put
182+ end end end
183+ }
184
185- countdictstack exch sub 0 .max { end } repeat
186- count exch sub 2 sub 0 .max { exch pop } repeat
187- 3 1 roll % Stach the stop flag.
188- PDFfile exch setfileposition
189- setuserparams
190- {
191- ( **** Warning: Failed to read ToUnicode CMap.\n) pdfformatwarning
192- } {
193- 1 index /FontInfo .knownget not {
194- currentglobal 2 index dup gcheck setglobal
195- /FontInfo 5 dict dup 5 1 roll .forceput
196- setglobal
197- } if
198- dup /GlyphNames2Unicode .knownget not {
199- //true % No existing G2U, make one
200+ PDFSTOPONERROR {
201+ { exec } 0 get
202+ //false
203+ 5 -2 roll
204+ 5
205+ } {
206+ { stopped } 0 get
207+ 4 2 roll
208+ 4
209+ } ifelse
210+ array astore cvx exec
211+
212+ countdictstack exch sub 0 .max { end } repeat
213+ count exch sub 2 sub 0 .max { exch pop } repeat
214+ 3 1 roll % Stach the stop flag.
215+ PDFfile exch setfileposition
216+ setuserparams
217+ {
218+ ( **** Warning: Failed to read ToUnicode CMap.\n) pdfformatwarning
219 } {
220- dup wcheck {
221- //false % Existing, writeable G2U, don't make new one
222+ 1 index /FontInfo .knownget not {
223+ currentglobal 2 index dup gcheck setglobal
224+ /FontInfo 5 dict dup 5 1 roll .forceput
225+ setglobal
226+ } if
227+ dup /GlyphNames2Unicode .knownget not {
228+ //true % No existing G2U, make one
229 } {
230- pop //true % Existing read only G2U, make new one
231+ dup wcheck {
232+ //false % Existing, writeable G2U, don't make new one
233+ } {
234+ pop //true % Existing read only G2U, make new one
235+ } ifelse
236 } ifelse
237+ {
238+ currentglobal exch dup gcheck setglobal
239+ dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput
240+ 3 2 roll setglobal
241+ } if % font-res font-dict encoding|null font-info g2u
242+ exch pop exch % font-res font-dict g2u encoding|null
243+ userdict /.lastToUnicode get % font-res font-dict g2u Encoding|null CMap
244+ .convert_ToUnicode-into-g2u % font-res font-dict
245+ //null % font-res font-dict //null
246 } ifelse
247- {
248- currentglobal exch dup gcheck setglobal
249- dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput
250- 3 2 roll setglobal
251- } if % font-res font-dict encoding|null font-info g2u
252- exch pop exch % font-res font-dict g2u encoding|null
253- userdict /.lastToUnicode get % font-res font-dict g2u Encoding|null CMap
254- .convert_ToUnicode-into-g2u % font-res font-dict
255- //null % font-res font-dict //null
256 } ifelse
257- } ifelse
258- } if
259- PDFDEBUG {
260- (.processToUnicode end) =
261+ } if
262+ PDFDEBUG {
263+ (.processToUnicode end) =
264+ } if
265 } if
266 } if
267 } stopped
268--
2692.20.1
270
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch
new file mode 100644
index 0000000000..6348fff2d1
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch
@@ -0,0 +1,236 @@
1From cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001
2From: Ken Sharp <ken.sharp@artifex.com>
3Date: Wed, 21 Aug 2019 10:10:51 +0100
4Subject: [PATCH 2/2] PDF interpreter - review .forceput security
5
6Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
7
8By abusing the error handler it was possible to get the PDFDEBUG portion
9of .pdfexectoken, which uses .forceput left readable.
10
11Add an executeonly appropriately to make sure that clause isn't readable
12no mstter what.
13
14Review all the uses of .forceput searching for similar cases, add
15executeonly as required to secure those. All cases in the PostScript
16support files seem to be covered already.
17
18CVE: CVE-2019-14817
19Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
20
21Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
22---
23 Resource/Init/pdf_base.ps | 2 +-
24 Resource/Init/pdf_draw.ps | 14 +++++++-------
25 Resource/Init/pdf_font.ps | 29 ++++++++++++++++-------------
26 Resource/Init/pdf_main.ps | 6 +++---
27 Resource/Init/pdf_ops.ps | 11 ++++++-----
28 5 files changed, 33 insertions(+), 29 deletions(-)
29
30diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
31index 1a218f4..cffde5c 100644
32--- a/Resource/Init/pdf_base.ps
33+++ b/Resource/Init/pdf_base.ps
34@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
35 {
36 dup ==only () = flush
37 } ifelse % PDFSTEP
38- } if % PDFDEBUG
39+ } executeonly if % PDFDEBUG
40 2 copy .knownget {
41 exch pop exch pop exch pop exec
42 } {
43diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
44index e18a7c2..0a3924c 100644
45--- a/Resource/Init/pdf_draw.ps
46+++ b/Resource/Init/pdf_draw.ps
47@@ -501,8 +501,8 @@ end
48 ( Output may be incorrect.\n) pdfformaterror
49 //pdfdict /.gs_warning_issued //true .forceput
50 PDFSTOPONERROR { /gs /undefined signalerror } if
51- } if
52- }
53+ } executeonly if
54+ } executeonly
55 ifelse
56 } bind executeonly def
57
58@@ -1142,7 +1142,7 @@ currentdict end readonly def
59 .setglobal
60 pdfformaterror
61 } executeonly ifelse
62- }
63+ } executeonly
64 {
65 currentglobal //pdfdict gcheck .setglobal
66 //pdfdict /.Qqwarning_issued //true .forceput
67@@ -1150,8 +1150,8 @@ currentdict end readonly def
68 pdfformaterror
69 } executeonly ifelse
70 end
71- } ifelse
72- } loop
73+ } executeonly ifelse
74+ } executeonly loop
75 {
76 (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
77 //pdfdict /.Qqwarning_issued .knownget
78@@ -1165,14 +1165,14 @@ currentdict end readonly def
79 .setglobal
80 pdfformaterror
81 } executeonly ifelse
82- }
83+ } executeonly
84 {
85 currentglobal //pdfdict gcheck .setglobal
86 //pdfdict /.Qqwarning_issued //true .forceput
87 .setglobal
88 pdfformaterror
89 } executeonly ifelse
90- } if
91+ } executeonly if
92 pop
93
94 % restore pdfemptycount
95diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
96index 2df3303..6a6a5fe 100644
97--- a/Resource/Init/pdf_font.ps
98+++ b/Resource/Init/pdf_font.ps
99@@ -638,7 +638,7 @@ currentdict end readonly def
100 currentglobal 2 index dup gcheck setglobal
101 /FontInfo 5 dict dup 5 1 roll .forceput
102 setglobal
103- } if
104+ } executeonly if
105 dup /GlyphNames2Unicode .knownget not {
106 //true % No existing G2U, make one
107 } {
108@@ -668,10 +668,12 @@ currentdict end readonly def
109 pop % font-res font-dict encoding|null font-info
110 pop % font-res font-dict encoding|null
111 //false % We built a GlyphNames2Unicode table, don't need to process further
112- }{
113+ } executeonly
114+ {
115 //true % name is not Identity-V or H, fail by falling through
116 }ifelse
117- } {
118+ } executeonly
119+ {
120 //true
121 } ifelse % not a name, try as a dictionary (as specified)
122
123@@ -759,9 +761,9 @@ currentdict end readonly def
124 PDFDEBUG {
125 (.processToUnicode end) =
126 } if
127- } if
128- } if
129- } stopped
130+ } executeonly if
131+ } executeonly if
132+ } executeonly stopped
133 {
134 .dstackdepth 1 countdictstack 1 sub
135 {pop end} for
136@@ -1291,19 +1293,20 @@ currentdict /eexec_pdf_param_dict .undef
137 //pdfdict /.Qqwarning_issued //true .forceput
138 } executeonly if
139 Q
140- } repeat
141+ } executeonly repeat
142 Q
143- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
144+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
145 PDFfile exch setfileposition
146- } ifelse
147- } {
148+ } executeonly ifelse
149+ } executeonly
150+ {
151 % PDF Type 3 fonts don't use .notdef
152 % d1 implementation adjusts the width as needed
153 0 0 0 0 0 0
154 pdfopdict /d1 get exec
155 } ifelse
156 end end
157- } bdef
158+ } executeonly bdef
159 dup currentdict Encoding .processToUnicode
160 currentdict end .completefont exch pop
161 } bind executeonly odef
162@@ -2103,9 +2106,9 @@ currentdict /CMap_read_dict undef
163 (Will continue, but content may be missing.) = flush
164 } ifelse
165 } if
166- } if
167+ } executeonly if
168 /findresource cvx /undefined signalerror
169- } loop
170+ } executeonly loop
171 } bind executeonly odef
172
173 /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
174diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
175index 5305ea6..a59e63c 100644
176--- a/Resource/Init/pdf_main.ps
177+++ b/Resource/Init/pdf_main.ps
178@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
179 .setglobal
180 pdfformaterror
181 } executeonly ifelse
182- }
183+ } executeonly
184 {
185 currentglobal //pdfdict gcheck .setglobal
186 //pdfdict /.Qqwarning_issued //true .forceput
187 .setglobal
188 pdfformaterror
189 } executeonly ifelse
190- } if
191- } if
192+ } executeonly if
193+ } executeonly if
194 pop
195 count PDFexecstackcount sub { pop } repeat
196 (after exec) VMDEBUG
197diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
198index 285e582..6c1f100 100644
199--- a/Resource/Init/pdf_ops.ps
200+++ b/Resource/Init/pdf_ops.ps
201@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
202 .setglobal
203 pdfformaterror
204 } executeonly ifelse
205- }
206+ } executeonly
207 {
208 currentglobal //pdfdict gcheck .setglobal
209 //pdfdict /.Qqwarning_issued //true .forceput
210 .setglobal
211 pdfformaterror
212 } executeonly ifelse
213- } if
214+ } executeonly if
215 } bind executeonly odef
216
217 % Save PDF gstate
218@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
219 dup type /booleantype eq {
220 .currentSMask type /dicttype eq {
221 .currentSMask /Processed 2 index .forceput
222+ } executeonly
223+ {
224+ .setSMask
225+ }ifelse
226 } executeonly
227 {
228- .setSMask
229- }ifelse
230- }{
231 .setSMask
232 }ifelse
233
234--
2352.20.1
236
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
index fcc9e0099e..349c0c2e8b 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
@@ -25,6 +25,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
25 file://do-not-check-local-libpng-source.patch \ 25 file://do-not-check-local-libpng-source.patch \
26 file://avoid-host-contamination.patch \ 26 file://avoid-host-contamination.patch \
27 file://mkdir-p.patch \ 27 file://mkdir-p.patch \
28 file://CVE-2019-14811-0001.patch \
29 file://CVE-2019-14817-0001.patch \
30 file://CVE-2019-14817-0002.patch \
28" 31"
29 32
30SRC_URI = "${SRC_URI_BASE} \ 33SRC_URI = "${SRC_URI_BASE} \