summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2018-09-10 03:21:01 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-09-11 09:05:35 +0100
commitc0f6e29c2146c66dffee65d7d650fc906a57a26c (patch)
treeb8ce60a74495eba74959899d46bc4e26c3dcf370
parent17f1496f841e0409e345bf889f3396cded2d7d69 (diff)
downloadpoky-c0f6e29c2146c66dffee65d7d650fc906a57a26c.tar.gz
ghostscript: fix CVE-2018-15908 & CVE-2018-15909 & CVE-2018-15910 & CVE-2018-15911
(From OE-Core rev: b6d32d43fd2b016e932b7dc81fb943eb936b73bb) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch56
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch53
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch91
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch35
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch54
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.23.bb5
6 files changed, 294 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
new file mode 100644
index 0000000000..df654f721d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
@@ -0,0 +1,56 @@
1From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001
2From: Ken Sharp <ken.sharp@artifex.com>
3Date: Thu, 23 Aug 2018 15:42:02 +0100
4Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode"
5
6The specimen file calls aesdecode without specifying the key to be
7used, though it does manage to do enough work with the PDF interpreter
8routines to get access to aesdecode (which isn't normally available).
9
10This causes us to read uninitialised memory, which can (and often does)
11lead to a segmentation fault.
12
13In this commit we set the key to NULL explicitly during intialisation
14and then check it before we read it. If its NULL we just return.
15
16It seems bizarre that we don't return error codes, we should probably
17look into that at some point, but this prevents the code trying to
18read uninitialised memory.
19
20CVE: CVE-2018-15911
21Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
22Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
23---
24 base/aes.c | 3 +++
25 base/saes.c | 1 +
26 2 files changed, 4 insertions(+)
27
28diff --git a/base/aes.c b/base/aes.c
29index a6bce93..e86f000 100644
30--- a/base/aes.c
31+++ b/base/aes.c
32@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
33 }
34 #endif
35
36+ if (ctx == NULL || ctx->rk == NULL)
37+ return;
38+
39 RK = ctx->rk;
40
41 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
42diff --git a/base/saes.c b/base/saes.c
43index 6db0e8b..307ed74 100644
44--- a/base/saes.c
45+++ b/base/saes.c
46@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
47 gs_throw(gs_error_VMerror, "could not allocate aes context");
48 return ERRC;
49 }
50+ memset(state->ctx, 0x00, sizeof(aes_context));
51 if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) {
52 gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
53 state->keylength);
54--
552.8.1
56
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
new file mode 100644
index 0000000000..a16f215bd3
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
@@ -0,0 +1,53 @@
1From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Tue, 21 Aug 2018 16:42:45 +0100
4Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a
5 boolean
6
7This caused a function call commented as "Can't fail" to fail, and resulted
8in memory correuption and a segfault.
9
10CVE: CVE-2018-15910
11Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
12
13Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
14---
15 devices/vector/gdevpdfp.c | 2 +-
16 psi/iparam.c | 7 ++++---
17 2 files changed, 5 insertions(+), 4 deletions(-)
18
19diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
20index 522db7a..f2816b9 100644
21--- a/devices/vector/gdevpdfp.c
22+++ b/devices/vector/gdevpdfp.c
23@@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
24 * LockDistillerParams is read again, and reset if necessary, in
25 * psdf_put_params.
26 */
27- ecode = param_read_bool(plist, "LockDistillerParams", &locked);
28+ ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked);
29 if (ecode < 0)
30 param_signal_error(plist, param_name, ecode);
31
32diff --git a/psi/iparam.c b/psi/iparam.c
33index 68c20d4..0279455 100644
34--- a/psi/iparam.c
35+++ b/psi/iparam.c
36@@ -822,10 +822,11 @@ static int
37 ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code)
38 {
39 iparam_list *const iplist = (iparam_list *) plist;
40- iparam_loc loc;
41+ iparam_loc loc = {0};
42
43- ref_param_read(iplist, pkey, &loc, -1); /* can't fail */
44- *loc.presult = code;
45+ ref_param_read(iplist, pkey, &loc, -1);
46+ if (loc.presult)
47+ *loc.presult = code;
48 switch (ref_param_read_get_policy(plist, pkey)) {
49 case gs_param_policy_ignore:
50 return 0;
51--
522.8.1
53
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
new file mode 100644
index 0000000000..174f79e42a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
@@ -0,0 +1,91 @@
1From 759238fd904aab1706dc1007826a13a670cda320 Mon Sep 17 00:00:00 2001
2From: Ken Sharp <ken.sharp@artifex.com>
3Date: Thu, 23 Aug 2018 14:12:48 +0100
4Subject: [PATCH 3/5] Fix Bug 699660 "shading_param incomplete type checking"
5
6Its possible to pass a t_struct parameter to .shfill which is not a
7shading function built by .buildshading. This could then lead to memory
8corruption or a segmentation fault by treating the object passed in
9as if it were a shading.
10
11Its non-trivial to check the t_struct, because this function can take
127 different kinds of structures as a parameter. Checking these is
13possible, of course, but would add a performance penalty.
14
15However, we can note that we never call .shfill without first calling
16.buildshading, and we never call .buildshading without immediately
17calling .shfill. So we can treat these as an atomic operation. The
18.buildshading function takes all its parameters as PostScript objects
19and validates them, so that should be safe.
20
21This allows us to 'hide' the .shfill operator preventing the possibility
22of passing an invalid parameter.
23
24CVE: CVE-2018-15909
25Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
26
27Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
28---
29 Resource/Init/gs_init.ps | 4 ++--
30 Resource/Init/gs_ll3.ps | 7 ++++++-
31 Resource/Init/pdf_draw.ps | 3 +--
32 3 files changed, 9 insertions(+), 5 deletions(-)
33
34diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
35index 6c8da53..1956ed5 100644
36--- a/Resource/Init/gs_init.ps
37+++ b/Resource/Init/gs_init.ps
38@@ -2181,8 +2181,8 @@ SAFER { .setsafeglobal } if
39 /.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize
40 /.oserrno /.setoserrno /.oserrorstring /.getCPSImode
41 /.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
42-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
43-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
44+/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
45+%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
46 /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
47 /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
48 /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
49diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
50index 5aa56a3..1d37e53 100644
51--- a/Resource/Init/gs_ll3.ps
52+++ b/Resource/Init/gs_ll3.ps
53@@ -440,6 +440,11 @@ systemdict /.reuseparamdict mark
54 /shfill .systemvar /undefined signalerror
55 } ifelse
56 } bind def
57+
58+/.buildshading_and_shfill {
59+ .buildshading .shfill
60+} bind def
61+
62 systemdict /.reuseparamdict undef
63
64 /.buildpattern2 { % <template> <matrix> .buildpattern2
65@@ -464,7 +469,7 @@ systemdict /.reuseparamdict undef
66 % Currently, .shfill requires that the color space
67 % in the pattern be the current color space.
68 % Disable overprintmode for shfill
69- { dup gsave 0 .setoverprintmode .buildshading .shfill } stopped
70+ { dup gsave 0 .setoverprintmode .buildshading_and_shfill } stopped
71 grestore {
72 /$error .systemvar /errorinfo 2 copy known {
73 pop pop
74diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
75index e8ca213..a7144d3 100644
76--- a/Resource/Init/pdf_draw.ps
77+++ b/Resource/Init/pdf_draw.ps
78@@ -1365,9 +1365,8 @@ drawopdict begin
79 { dup /.shading .knownget {
80 exch pop
81 } {
82- .buildshading
83+ .buildshading_and_shfill
84 } ifelse
85- .shfill
86 } stopped {
87 pop
88 ( **** Error: Ignoring invalid smooth shading object, output may be incorrect.\n)
89--
902.8.1
91
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch b/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch
new file mode 100644
index 0000000000..7c6d002620
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch
@@ -0,0 +1,35 @@
1From ee9e8065e7d7b3adbc25fd655727ca72861ee032 Mon Sep 17 00:00:00 2001
2From: Ken Sharp <ken.sharp@artifex.com>
3Date: Fri, 24 Aug 2018 12:44:26 +0100
4Subject: [PATCH 4/5] Hide the .shfill operator
5
6Commit 0b6cd1918e1ec4ffd087400a754a845180a4522b was supposed to make
7the .shfill operator unobtainable, but I accidentally left a comment
8in the line doing so.
9
10Fix it here, without this the operator can still be exploited.
11
12CVE: CVE-2018-15909
13Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
14
15Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
16---
17 Resource/Init/gs_init.ps | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-)
19
20diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
21index 1956ed5..955b843 100644
22--- a/Resource/Init/gs_init.ps
23+++ b/Resource/Init/gs_init.ps
24@@ -2182,7 +2182,7 @@ SAFER { .setsafeglobal } if
25 /.oserrno /.setoserrno /.oserrorstring /.getCPSImode
26 /.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
27 /.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
28-%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
29+/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
30 /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
31 /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
32 /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
33--
342.8.1
35
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
new file mode 100644
index 0000000000..ccd40216c0
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
@@ -0,0 +1,54 @@
1From f4f50ceea8e8852b8c3ac73f5807d8b54b735c3e Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Tue, 21 Aug 2018 20:17:05 +0100
4Subject: [PATCH 5/5] Bug 699657: properly apply file permissions to .tempfile
5
6CVE: CVE-2018-15908
7Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
8
9Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
10---
11 psi/zfile.c | 20 ++++++++++++++++++--
12 1 file changed, 18 insertions(+), 2 deletions(-)
13
14diff --git a/psi/zfile.c b/psi/zfile.c
15index a0acd5a..19996b0 100644
16--- a/psi/zfile.c
17+++ b/psi/zfile.c
18@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t *i_ctx_p, const char *fname, int len,
19 /* we're protecting arbitrary file system accesses, not Postscript device accesses.
20 * Although, note that %pipe% is explicitly checked for and disallowed elsewhere
21 */
22- if (iodev != iodev_default(imemory)) {
23+ if (iodev && iodev != iodev_default(imemory)) {
24 return 0;
25 }
26
27@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
28 }
29
30 if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
31- if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),
32+ int plen = strlen(pstr);
33+ const char *sep = gp_file_name_separator();
34+#ifdef DEBUG
35+ int seplen = strlen(sep);
36+ if (seplen != 1)
37+ return_error(gs_error_Fatal);
38+#endif
39+ /* strip off the file name prefix, leave just the directory name
40+ * so we can check if we are allowed to write to it
41+ */
42+ for ( ; plen >=0; plen--) {
43+ if (pstr[plen] == sep[0])
44+ break;
45+ }
46+ memcpy(fname, pstr, plen);
47+ fname[plen] = '\0';
48+ if (check_file_permissions(i_ctx_p, fname, strlen(fname),
49 NULL, "PermitFileWriting") < 0) {
50 code = gs_note_error(gs_error_invalidfileaccess);
51 goto done;
52--
532.8.1
54
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.23.bb b/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
index 019d99b021..898b6cd985 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
@@ -26,6 +26,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
26 file://avoid-host-contamination.patch \ 26 file://avoid-host-contamination.patch \
27 file://mkdir-p.patch \ 27 file://mkdir-p.patch \
28 file://remove-direct-symlink.patch \ 28 file://remove-direct-symlink.patch \
29 file://0001-Bug-699665-memory-corruption-in-aesdecode.patch \
30 file://0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch \
31 file://0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch \
32 file://0004-Hide-the-.shfill-operator.patch \
33 file://0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch \
29" 34"
30 35
31SRC_URI = "${SRC_URI_BASE} \ 36SRC_URI = "${SRC_URI_BASE} \