author | Hongxu Jia <hongxu.jia@windriver.com> | 2018-09-10 03:21:01 -0400 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-09-11 09:05:35 +0100 |
commit | c0f6e29c2146c66dffee65d7d650fc906a57a26c (patch) | |
tree | b8ce60a74495eba74959899d46bc4e26c3dcf370 | |
parent | 17f1496f841e0409e345bf889f3396cded2d7d69 (diff) | |
ghostscript: fix CVE-2018-15908 & CVE-2018-15909 & CVE-2018-15910 & CVE-2018-15911
(From OE-Core rev: b6d32d43fd2b016e932b7dc81fb943eb936b73bb)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
6 files changed, 294 insertions, 0 deletions
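--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
@@ -0,0 +1,56 @@
+From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 23 Aug 2018 15:42:02 +0100
+Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode"
+
+The specimen file calls aesdecode without specifying the key to be
+used, though it does manage to do enough work with the PDF interpreter
+routines to get access to aesdecode (which isn't normally available).
+
+This causes us to read uninitialised memory, which can (and often does)
+lead to a segmentation fault.
+
+In this commit we set the key to NULL explicitly during intialisation
+and then check it before we read it. If its NULL we just return.
+
+It seems bizarre that we don't return error codes, we should probably
+look into that at some point, but this prevents the code trying to
+read uninitialised memory.
+
+CVE: CVE-2018-15911
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+base/aes.c | 3 +++
+base/saes.c | 1 +
+2 files changed, 4 insertions(+)
+
+diff --git a/base/aes.c b/base/aes.c
+index a6bce93..e86f000 100644
+--- a/base/aes.c
++++ b/base/aes.c
+@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
+}
+#endif
+
++ if (ctx == NULL || ctx->rk == NULL)
++ return;
++
+RK = ctx->rk;
+
+GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
+diff --git a/base/saes.c b/base/saes.c
+index 6db0e8b..307ed74 100644
+--- a/base/saes.c
++++ b/base/saes.c
+@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
+gs_throw(gs_error_VMerror, "could not allocate aes context");
+return ERRC;
+}
++ memset(state->ctx, 0x00, sizeof(aes_context));
+if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) {
+gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
+state->keylength);
+--
+2.8.1
+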
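Review bot: The new guard in aes_crypt_ecb returns without writing `output`, so the ECB block the caller passed in keeps whatever it held before, and s_aes_process (whose body is outside this hunk) appears to carry on as if decryption had happened — the uninitialised read in aes.c becomes a stale or uninitialised read one layer up. Since the function has no error return (the commit message says as much), the minimal defensive fix is to zero the 16-byte block before bailing out: `if (ctx == NULL || ctx->rk == NULL) { memset(output, 0, 16); return; }`. The guard also sits after an `#endif`-terminated block; if that block dereferences ctx (hardware-acceleration paths in this file typically do), the check would have to move above it — this cannot be confirmed from the hunk. Both aes_crypt_ecb and s_aes_process begin and end outside the hunk.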
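--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
@@ -0,0 +1,53 @@
+From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 21 Aug 2018 16:42:45 +0100
+Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a
+boolean
+
+This caused a function call commented as "Can't fail" to fail, and resulted
+in memory correuption and a segfault.
+
+CVE: CVE-2018-15910
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+devices/vector/gdevpdfp.c | 2 +-
+psi/iparam.c | 7 ++++---
+2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
+index 522db7a..f2816b9 100644
+--- a/devices/vector/gdevpdfp.c
++++ b/devices/vector/gdevpdfp.c
+@@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
+* LockDistillerParams is read again, and reset if necessary, in
+* psdf_put_params.
+*/
+- ecode = param_read_bool(plist, "LockDistillerParams", &locked);
++ ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked);
+if (ecode < 0)
+param_signal_error(plist, param_name, ecode);
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 68c20d4..0279455 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -822,10 +822,11 @@ static int
+ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code)
+{
+iparam_list *const iplist = (iparam_list *) plist;
+- iparam_loc loc;
++ iparam_loc loc = {0};
+
+- ref_param_read(iplist, pkey, &loc, -1); /* can't fail */
+- *loc.presult = code;
++ ref_param_read(iplist, pkey, &loc, -1);
++ if (loc.presult)
++ *loc.presult = code;
+switch (ref_param_read_get_policy(plist, pkey)) {
+case gs_param_policy_ignore:
+return 0;
+--
+2.8.1
+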
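Review bot: ref_param_read_signal_error still discards the return value of `ref_param_read`; the fix only works because the `= {0}` initialiser leaves `loc.presult` NULL and the callee happens not to write a partial result on its failure path, which is an implicit contract a later change to ref_param_read could break. Testing the result explicitly states the intent and does not depend on that: `if (ref_param_read(iplist, pkey, &loc, -1) >= 0 && loc.presult) *loc.presult = code;` (this assumes Ghostscript's usual negative-on-error convention, which the hunk does not show). In gdevpdfp.c the `(param_name = "LockDistillerParams")` assignment is a side effect buried in an argument list that is easy to miss; a plain `param_name = "LockDistillerParams";` on the line before the call reads more clearly. Both enclosing functions start and end outside the hunk.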
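--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
@@ -0,0 +1,91 @@
+From 759238fd904aab1706dc1007826a13a670cda320 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 23 Aug 2018 14:12:48 +0100
+Subject: [PATCH 3/5] Fix Bug 699660 "shading_param incomplete type checking"
+
+Its possible to pass a t_struct parameter to .shfill which is not a
+shading function built by .buildshading. This could then lead to memory
+corruption or a segmentation fault by treating the object passed in
+as if it were a shading.
+
+Its non-trivial to check the t_struct, because this function can take
+7 different kinds of structures as a parameter. Checking these is
+possible, of course, but would add a performance penalty.
+
+However, we can note that we never call .shfill without first calling
+.buildshading, and we never call .buildshading without immediately
+calling .shfill. So we can treat these as an atomic operation. The
+.buildshading function takes all its parameters as PostScript objects
+and validates them, so that should be safe.
+
+This allows us to 'hide' the .shfill operator preventing the possibility
+of passing an invalid parameter.
+
+CVE: CVE-2018-15909
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+Resource/Init/gs_init.ps | 4 ++--
+Resource/Init/gs_ll3.ps | 7 ++++++-
+Resource/Init/pdf_draw.ps | 3 +--
+3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 6c8da53..1956ed5 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2181,8 +2181,8 @@ SAFER { .setsafeglobal } if
+/.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize
+/.oserrno /.setoserrno /.oserrorstring /.getCPSImode
+/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
+-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
+-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
++/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
++%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
+/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
+diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
+index 5aa56a3..1d37e53 100644
+--- a/Resource/Init/gs_ll3.ps
++++ b/Resource/Init/gs_ll3.ps
+@@ -440,6 +440,11 @@ systemdict /.reuseparamdict mark
+/shfill .systemvar /undefined signalerror
+} ifelse
+} bind def
++
++/.buildshading_and_shfill {
++ .buildshading .shfill
++} bind def
++
+systemdict /.reuseparamdict undef
+
+/.buildpattern2 { % <template> <matrix> .buildpattern2
+@@ -464,7 +469,7 @@ systemdict /.reuseparamdict undef
+% Currently, .shfill requires that the color space
+% in the pattern be the current color space.
+% Disable overprintmode for shfill
+- { dup gsave 0 .setoverprintmode .buildshading .shfill } stopped
++ { dup gsave 0 .setoverprintmode .buildshading_and_shfill } stopped
+grestore {
+/$error .systemvar /errorinfo 2 copy known {
+pop pop
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index e8ca213..a7144d3 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -1365,9 +1365,8 @@ drawopdict begin
+{ dup /.shading .knownget {
+exch pop
+} {
+- .buildshading
++ .buildshading_and_shfill
+} ifelse
+- .shfill
+} stopped {
+pop
+( **** Error: Ignoring invalid smooth shading object, output may be incorrect.\n)
+--
+2.8.1
+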
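Review bot: In the pdf_draw.ps hunk the cached-shading arm of the `ifelse` loses its paint call: before, both arms fell through to the shared `.shfill`, but now only the else-arm paints (inside `.buildshading_and_shfill`), so a dictionary that already carries a `/.shading` entry is fetched with `exch pop` and then discarded without being drawn. Unless `/.shading` is never populated on this path — not determinable from the hunk — the first arm needs its own call, e.g. `exch pop .shfill`, which keeps working after the operator is undefined only if the enclosing procedure is bound (`bind def` / `bdef`) before the undef runs, so that should be confirmed. The `.buildshading_and_shfill` helper in gs_ll3.ps would also benefit from a one-line comment stating why it exists, e.g. `% .shfill is hidden from user code; the only sanctioned way to paint is via this pair, so .shfill never sees an unvalidated t_struct`. The enclosing `sh` procedure in pdf_draw.ps starts and ends outside the hunk.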
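--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch
@@ -0,0 +1,35 @@
+From ee9e8065e7d7b3adbc25fd655727ca72861ee032 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Aug 2018 12:44:26 +0100
+Subject: [PATCH 4/5] Hide the .shfill operator
+
+Commit 0b6cd1918e1ec4ffd087400a754a845180a4522b was supposed to make
+the .shfill operator unobtainable, but I accidentally left a comment
+in the line doing so.
+
+Fix it here, without this the operator can still be exploited.
+
+CVE: CVE-2018-15909
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+Resource/Init/gs_init.ps | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 1956ed5..955b843 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2182,7 +2182,7 @@ SAFER { .setsafeglobal } if
+/.oserrno /.setoserrno /.oserrorstring /.getCPSImode
+/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
+/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
+-%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
++/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
+/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
+--
+2.8.1
+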
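Review bot: Listing `/.shfill` here hides the operator only if the construct that consumes this name list — which begins and ends outside the hunk — runs unconditionally; if any of that end-of-init cleanup is skipped for non-SAFER or delayed-bind invocations in the 9.23 tree being patched, the CVE-2018-15909 entry point stays reachable in those modes, so that is worth confirming before treating the CVE as closed. The name also deserves a short comment explaining why it is in this list rather than looking like an accidental leftover, e.g. `% .shfill must not be callable from user code; only .buildshading_and_shfill may reach it`.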
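--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
@@ -0,0 +1,54 @@
+From f4f50ceea8e8852b8c3ac73f5807d8b54b735c3e Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 21 Aug 2018 20:17:05 +0100
+Subject: [PATCH 5/5] Bug 699657: properly apply file permissions to .tempfile
+
+CVE: CVE-2018-15908
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+psi/zfile.c | 20 ++++++++++++++++++--
+1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index a0acd5a..19996b0 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t *i_ctx_p, const char *fname, int len,
+/* we're protecting arbitrary file system accesses, not Postscript device accesses.
+* Although, note that %pipe% is explicitly checked for and disallowed elsewhere
+*/
+- if (iodev != iodev_default(imemory)) {
++ if (iodev && iodev != iodev_default(imemory)) {
+return 0;
+}
+
+@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
+}
+
+if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
+- if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),
++ int plen = strlen(pstr);
++ const char *sep = gp_file_name_separator();
++#ifdef DEBUG
++ int seplen = strlen(sep);
++ if (seplen != 1)
++ return_error(gs_error_Fatal);
++#endif
++ /* strip off the file name prefix, leave just the directory name
++ * so we can check if we are allowed to write to it
++ */
++ for ( ; plen >=0; plen--) {
++ if (pstr[plen] == sep[0])
++ break;
++ }
++ memcpy(fname, pstr, plen);
++ fname[plen] = '\0';
++ if (check_file_permissions(i_ctx_p, fname, strlen(fname),
+NULL, "PermitFileWriting") < 0) {
+code = gs_note_error(gs_error_invalidfileaccess);
+goto done;
+--
+2.8.1
+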
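Review bot: The separator scan in ztempfile has no not-found handling: when `sep[0]` does not occur in `pstr` the loop exits with `plen == -1`, and `memcpy(fname, pstr, plen)` is then called with a `(size_t)-1` length followed by a write to `fname[-1]`. A leading `/` makes that unreachable for an absolute POSIX name, but `gp_file_name_is_absolute` is platform-specific and nothing here enforces the presence of a separator, so add `if (plen < 0) { code = gs_note_error(gs_error_invalidfileaccess); goto done; }` after the loop. The capacity of `fname` relative to `strlen(pstr)` is also not visible in this hunk — presumably both are `gp_file_name_sizeof`-sized buffers, but the copy is unbounded, so that should be confirmed. The `#ifdef DEBUG` path uses `return_error` rather than the `goto done` cleanup the rest of the function uses, so in debug builds it skips whatever `done:` releases. ztempfile's body begins and ends outside the hunk.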
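--- a/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
@@ -26,6 +26,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://avoid-host-contamination.patch \
 file://mkdir-p.patch \
 file://remove-direct-symlink.patch \
+file://0001-Bug-699665-memory-corruption-in-aesdecode.patch \
+file://0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch \
+file://0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch \
+file://0004-Hide-the-.shfill-operator.patch \
+file://0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \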