ghostscript: backport patch fix for CVE-2021-3781

Upstream advisory: https://ghostscript.com/blog/CVE-2021-3781.html Other than the CVE fix other two commits are backported to fit the patch. (From OE-Core rev: ce856e5e07589d49d5ff84b515c48735cc78cd01) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Davide Gardenal <davidegarde2000@gmail.com> 2022-03-25 17:46:30 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-03-31 21:09:33 +0100
commit: a27aa2316f383735d5c4cba7f7e502bff579979b (patch)
tree: 33c61bb6dd64663ce6fb868102faf00fa0c91416
parent: 4391ddecb2c5903a4c00d62646add0988a79c6d9 (diff)
download: poky-a27aa2316f383735d5c4cba7f7e502bff579979b.tar.gz
4 files changed, 399 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
new file mode 100644
index 0000000000..033ba77f9a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
@@ -0,0 +1,121 @@
+From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 20 Aug 2020 17:19:09 +0100
+Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions
+Firstly, in gx_device_delete_output_file the iodev pointer was being passed
+to the delete_method incorrectly (passing a pointer to that pointer). Thus
+when we attempted to use that to confirm permission to delete the file, it
+crashed. Credit to Ken for finding that.
+Secondly, due to the way pdfwrite works, when running with an output file per
+page, it creates the current output file immediately it has completed writing
+the previous one. Thus, it has to delete that partial file on exit.
+Previously, the output file was not added to the "control" permission list,
+so an attempt to delete it would result in an error. So add the output file
+to the "control" as well as "write" list.
+CVE: CVE-2021-3781
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gsdevice.c |  2 +-
+ base/gslibctx.c | 20 ++++++++++++++------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 913119495..ac78af93f 100644
+--- a/base/gsdevice.c
+++ b/base/gsdevice.c
+@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname)
+         parsed.len = strlen(parsed.fname);
+     }
+     if (parsed.iodev)
+-        code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname);
+        code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname);
+     else
+         code = gs_note_error(gs_error_invalidfileaccess);
+ 
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index d726c58b5..ff8fc895e 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+     char *fp, f[gp_file_name_sizeof];
+     const int pipe = 124; /* ASCII code for '|' */
+     const int len = strlen(fname);
+-    int i;
+    int i, code;
+ 
+     /* Be sure the string copy will fit */
+     if (len >= gp_file_name_sizeof)
+@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+     rewrite_percent_specifiers(f);
+     for (i = 0; i < len; i++) {
+         if (f[i] == pipe) {
+-           int code;
+-
+            fp = &f[i + 1];
+            /* Because we potentially have to check file permissions at two levels
+               for the output file (gx_device_open_output_file and the low level
+@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+            if (code < 0)
+                return code;
+            break;
+           code = gs_add_control_path(mem, gs_permit_file_control, f);
+           if (code < 0)
+               return code;
+         }
+         if (!IS_WHITESPACE(f[i]))
+             break;
+     }
+    code = gs_add_control_path(mem, gs_permit_file_control, fp);
+    if (code < 0)
+        return code;
+     return gs_add_control_path(mem, gs_permit_file_writing, fp);
+ }
+ 
+@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+     char *fp, f[gp_file_name_sizeof];
+     const int pipe = 124; /* ASCII code for '|' */
+     const int len = strlen(fname);
+-    int i;
+    int i, code;
+ 
+     /* Be sure the string copy will fit */
+     if (len >= gp_file_name_sizeof)
+@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+     /* Try to rewrite any %d (or similar) in the string */
+     for (i = 0; i < len; i++) {
+         if (f[i] == pipe) {
+-           int code;
+-
+            fp = &f[i + 1];
+            /* Because we potentially have to check file permissions at two levels
+               for the output file (gx_device_open_output_file and the low level
+@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+               the pipe_fopen(), the leading '|' has been stripped.
+             */
+            code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+           if (code < 0)
+               return code;
+           code = gs_remove_control_path(mem, gs_permit_file_control, f);
+            if (code < 0)
+                return code;
+            break;
+@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+         if (!IS_WHITESPACE(f[i]))
+             break;
+     }
+    code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+    if (code < 0)
+        return code;
+     return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+ }
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch
new file mode 100644
index 0000000000..beade79eef
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch
@@ -0,0 +1,37 @@
+From 9daf042fd7bb19e93388d89d9686a2fa4496f382 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 24 Aug 2020 09:24:31 +0100
+Subject: [PATCH] Coverity 361429: move "break" to correct place.
+We had to add the outputfile to the "control" file permission list (as well
+as write), but for the "pipe" case, I accidentally added the call after the
+break out of loop that checks for a pipe.
+CVE: CVE-2021-3781
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=9daf042fd7bb19e93388d89d9686a2fa4496f382
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gslibctx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index ff8fc895e..63dfbe2e0 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -668,10 +668,10 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+            code = gs_add_control_path(mem, gs_permit_file_writing, f);
+            if (code < 0)
+                return code;
+-           break;
+            code = gs_add_control_path(mem, gs_permit_file_control, f);
+            if (code < 0)
+                return code;
+           break;
+         }
+         if (!IS_WHITESPACE(f[i]))
+             break;
+-- 
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
new file mode 100644
index 0000000000..e3f9e81c45
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
@@ -0,0 +1,238 @@
+From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 7 Sep 2021 20:36:12 +0100
+Subject: [PATCH] Bug 704342: Include device specifier strings in access
+ validation
+for the "%pipe%", %handle%" and %printer% io devices.
+We previously validated only the part after the "%pipe%" Postscript device
+specifier, but this proved insufficient.
+This rebuilds the original file name string, and validates it complete. The
+slight complication for "%pipe%" is it can be reached implicitly using
+"|" so we have to check both prefixes.
+Addresses CVE-2021-3781
+CVE: CVE-2021-3781
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gdevpipe.c | 22 +++++++++++++++-
+ base/gp_mshdl.c | 11 +++++++-
+ base/gp_msprn.c | 10 ++++++-
+ base/gp_os2pr.c | 13 +++++++++-
+ base/gslibctx.c | 69 ++++++++++---------------------------------------
+ 5 files changed, 65 insertions(+), 60 deletions(-)
+diff --git a/base/gdevpipe.c b/base/gdevpipe.c
+index 96d71f5d8..5bdc485be 100644
+--- a/base/gdevpipe.c
+++ b/base/gdevpipe.c
+@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ #else
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    /* The pipe device can be reached in two ways, explicltly with %pipe%
+       or implicitly with "|", so we have to check for both
+     */
+    char f[gp_file_name_sizeof];
+    const char *pipestr = "|";
+    const size_t pipestrlen = strlen(pipestr);
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+    int code1;
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    code1 = gp_validate_path(mem, f, access);
+
+    memcpy(f, pipestr, pipestrlen);
+    memcpy(f + pipestrlen, fname, nlen + 1);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
+         return gs_error_invalidfileaccess;
+ 
+     /*
+diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
+index 2b964ed74..8d87ceadc 100644
+--- a/base/gp_mshdl.c
+++ b/base/gp_mshdl.c
+@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
+     long hfile;        /* Correct for Win32, may be wrong for Win64 */
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    char f[gp_file_name_sizeof];
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, f, access) != 0)
+         return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_handle method. */
+diff --git a/base/gp_msprn.c b/base/gp_msprn.c
+index ed4827968..746a974f7 100644
+--- a/base/gp_msprn.c
+++ b/base/gp_msprn.c
+@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+     unsigned long *ptid = &((tid_t *)(iodev->state))->tid;
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(pname, iodev->dname, preflen);
+    memcpy(pname + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, pname, access) != 0)
+         return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_printer method. */
+diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
+index f852c71fc..ba54cde66 100644
+--- a/base/gp_os2pr.c
+++ b/base/gp_os2pr.c
+@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+            FILE ** pfile, char *rfname, uint rnamelen)
+ {
+     os2_printer_t *pr = (os2_printer_t *)iodev->state;
+-    char driver_name[256];
+    char driver_name[gp_file_name_sizeof];
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const int size_t = strlen(fname);
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(driver_name, iodev->dname, preflen);
+    memcpy(driver_name + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, driver_name, access) != 0)
+        return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_printer method. */
+     /* Note that the loop condition here ensures we don't
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 6dfed6cd5..318039fad 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
+ int
+ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+-    char *fp, f[gp_file_name_sizeof];
+-    const int pipe = 124; /* ASCII code for '|' */
+-    const int len = strlen(fname);
+-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
+ 
+     /* Be sure the string copy will fit */
+-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
+         return gs_error_rangecheck;
+     strcpy(f, fname);
+-    fp = f;
+     /* Try to rewrite any %d (or similar) in the string */
+     rewrite_percent_specifiers(f);
+-    for (i = 0; i < len; i++) {
+-        if (f[i] == pipe) {
+-           fp = &f[i + 1];
+-           /* Because we potentially have to check file permissions at two levels
+-              for the output file (gx_device_open_output_file and the low level
+-              fopen API, if we're using a pipe, we have to add both the full string,
+-              (including the '|', and just the command to which we pipe - since at
+-              the pipe_fopen(), the leading '|' has been stripped.
+-            */
+-           code = gs_add_control_path(mem, gs_permit_file_writing, f);
+-           if (code < 0)
+-               return code;
+-           code = gs_add_control_path(mem, gs_permit_file_control, f);
+-           if (code < 0)
+-               return code;
+-           break;
+-        }
+-        if (!IS_WHITESPACE(f[i]))
+-            break;
+-    }
+-    code = gs_add_control_path(mem, gs_permit_file_control, fp);
+
+    code = gs_add_control_path(mem, gs_permit_file_control, f);
+     if (code < 0)
+         return code;
+-    return gs_add_control_path(mem, gs_permit_file_writing, fp);
+    return gs_add_control_path(mem, gs_permit_file_writing, f);
+ }
+ 
+ int
+ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+-    char *fp, f[gp_file_name_sizeof];
+-    const int pipe = 124; /* ASCII code for '|' */
+-    const int len = strlen(fname);
+-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
+ 
+     /* Be sure the string copy will fit */
+-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
+         return gs_error_rangecheck;
+     strcpy(f, fname);
+-    fp = f;
+     /* Try to rewrite any %d (or similar) in the string */
+-    for (i = 0; i < len; i++) {
+-        if (f[i] == pipe) {
+-           fp = &f[i + 1];
+-           /* Because we potentially have to check file permissions at two levels
+-              for the output file (gx_device_open_output_file and the low level
+-              fopen API, if we're using a pipe, we have to add both the full string,
+-              (including the '|', and just the command to which we pipe - since at
+-              the pipe_fopen(), the leading '|' has been stripped.
+-            */
+-           code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+-           if (code < 0)
+-               return code;
+-           code = gs_remove_control_path(mem, gs_permit_file_control, f);
+-           if (code < 0)
+-               return code;
+-           break;
+-        }
+-        if (!IS_WHITESPACE(f[i]))
+-            break;
+-    }
+-    code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+    rewrite_percent_specifiers(f);
+
+    code = gs_remove_control_path(mem, gs_permit_file_control, f);
+     if (code < 0)
+         return code;
+-    return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+    return gs_remove_control_path(mem, gs_permit_file_writing, f);
+ }
+ 
+ int
+-- 
+2.25.1 
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 310c4f6d24..a829d4b4ae 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -36,6 +36,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2020-15900.patch \
                file://check-stack-limits-after-function-evalution.patch \
                file://CVE-2021-45949.patch \
+                file://CVE-2021-3781_1.patch \
+                file://CVE-2021-3781_2.patch \
+                file://CVE-2021-3781_3.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Davide Gardenal <davidegarde2000@gmail.com>	2022-03-25 17:46:30 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-03-31 21:09:33 +0100
commit	a27aa2316f383735d5c4cba7f7e502bff579979b (patch)
tree	33c61bb6dd64663ce6fb868102faf00fa0c91416
parent	4391ddecb2c5903a4c00d62646add0988a79c6d9 (diff)
download	poky-a27aa2316f383735d5c4cba7f7e502bff579979b.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch new file mode 100644 index 0000000000..033ba77f9a --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
@@ -0,0 +1,121 @@
		1	From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Thu, 20 Aug 2020 17:19:09 +0100
		4	Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions
		5
		6	Firstly, in gx_device_delete_output_file the iodev pointer was being passed
		7	to the delete_method incorrectly (passing a pointer to that pointer). Thus
		8	when we attempted to use that to confirm permission to delete the file, it
		9	crashed. Credit to Ken for finding that.
		10
		11	Secondly, due to the way pdfwrite works, when running with an output file per
		12	page, it creates the current output file immediately it has completed writing
		13	the previous one. Thus, it has to delete that partial file on exit.
		14
		15	Previously, the output file was not added to the "control" permission list,
		16	so an attempt to delete it would result in an error. So add the output file
		17	to the "control" as well as "write" list.
		18
		19	CVE: CVE-2021-3781
		20
		21	Upstream-Status: Backport:
		22	https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f
		23
		24	Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
		25	---
		26	base/gsdevice.c \| 2 +-
		27	base/gslibctx.c \| 20 ++++++++++++++------
		28	2 files changed, 15 insertions(+), 7 deletions(-)
		29
		30	diff --git a/base/gsdevice.c b/base/gsdevice.c
		31	index 913119495..ac78af93f 100644
		32	--- a/base/gsdevice.c
		33	+++ b/base/gsdevice.c
		34	@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname)
		35	parsed.len = strlen(parsed.fname);
		36	}
		37	if (parsed.iodev)
		38	- code = parsed.iodev->procs.delete_file((gx_io_device )(&parsed.iodev), (const char )parsed.fname);
		39	+ code = parsed.iodev->procs.delete_file((gx_io_device )(parsed.iodev), (const char )parsed.fname);
		40	else
		41	code = gs_note_error(gs_error_invalidfileaccess);
		42
		43	diff --git a/base/gslibctx.c b/base/gslibctx.c
		44	index d726c58b5..ff8fc895e 100644
		45	--- a/base/gslibctx.c
		46	+++ b/base/gslibctx.c
		47	@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
		48	char *fp, f[gp_file_name_sizeof];
		49	const int pipe = 124; /* ASCII code for '\|' */
		50	const int len = strlen(fname);
		51	- int i;
		52	+ int i, code;
		53
		54	/* Be sure the string copy will fit */
		55	if (len >= gp_file_name_sizeof)
		56	@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
		57	rewrite_percent_specifiers(f);
		58	for (i = 0; i < len; i++) {
		59	if (f[i] == pipe) {
		60	- int code;
		61	-
		62	fp = &f[i + 1];
		63	/* Because we potentially have to check file permissions at two levels
		64	for the output file (gx_device_open_output_file and the low level
		65	@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
		66	if (code < 0)
		67	return code;
		68	break;
		69	+ code = gs_add_control_path(mem, gs_permit_file_control, f);
		70	+ if (code < 0)
		71	+ return code;
		72	}
		73	if (!IS_WHITESPACE(f[i]))
		74	break;
		75	}
		76	+ code = gs_add_control_path(mem, gs_permit_file_control, fp);
		77	+ if (code < 0)
		78	+ return code;
		79	return gs_add_control_path(mem, gs_permit_file_writing, fp);
		80	}
		81
		82	@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
		83	char *fp, f[gp_file_name_sizeof];
		84	const int pipe = 124; /* ASCII code for '\|' */
		85	const int len = strlen(fname);
		86	- int i;
		87	+ int i, code;
		88
		89	/* Be sure the string copy will fit */
		90	if (len >= gp_file_name_sizeof)
		91	@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
		92	/* Try to rewrite any %d (or similar) in the string */
		93	for (i = 0; i < len; i++) {
		94	if (f[i] == pipe) {
		95	- int code;
		96	-
		97	fp = &f[i + 1];
		98	/* Because we potentially have to check file permissions at two levels
		99	for the output file (gx_device_open_output_file and the low level
		100	@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
		101	the pipe_fopen(), the leading '\|' has been stripped.
		102	*/
		103	code = gs_remove_control_path(mem, gs_permit_file_writing, f);
		104	+ if (code < 0)
		105	+ return code;
		106	+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
		107	if (code < 0)
		108	return code;
		109	break;
		110	@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
		111	if (!IS_WHITESPACE(f[i]))
		112	break;
		113	}
		114	+ code = gs_remove_control_path(mem, gs_permit_file_control, fp);
		115	+ if (code < 0)
		116	+ return code;
		117	return gs_remove_control_path(mem, gs_permit_file_writing, fp);
		118	}
		119
		120	--
		121	2.25.1


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch new file mode 100644 index 0000000000..beade79eef --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch
@@ -0,0 +1,37 @@
		1	From 9daf042fd7bb19e93388d89d9686a2fa4496f382 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Mon, 24 Aug 2020 09:24:31 +0100
		4	Subject: [PATCH] Coverity 361429: move "break" to correct place.
		5
		6	We had to add the outputfile to the "control" file permission list (as well
		7	as write), but for the "pipe" case, I accidentally added the call after the
		8	break out of loop that checks for a pipe.
		9
		10	CVE: CVE-2021-3781
		11
		12	Upstream-Status: Backport:
		13	https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=9daf042fd7bb19e93388d89d9686a2fa4496f382
		14
		15	Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
		16	---
		17	base/gslibctx.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/base/gslibctx.c b/base/gslibctx.c
		21	index ff8fc895e..63dfbe2e0 100644
		22	--- a/base/gslibctx.c
		23	+++ b/base/gslibctx.c
		24	@@ -668,10 +668,10 @@ gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
		25	code = gs_add_control_path(mem, gs_permit_file_writing, f);
		26	if (code < 0)
		27	return code;
		28	- break;
		29	code = gs_add_control_path(mem, gs_permit_file_control, f);
		30	if (code < 0)
		31	return code;
		32	+ break;
		33	}
		34	if (!IS_WHITESPACE(f[i]))
		35	break;
		36	--
		37	2.25.1


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch new file mode 100644 index 0000000000..e3f9e81c45 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
@@ -0,0 +1,238 @@
		1	From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Tue, 7 Sep 2021 20:36:12 +0100
		4	Subject: [PATCH] Bug 704342: Include device specifier strings in access
		5	validation
		6
		7	for the "%pipe%", %handle%" and %printer% io devices.
		8
		9	We previously validated only the part after the "%pipe%" Postscript device
		10	specifier, but this proved insufficient.
		11
		12	This rebuilds the original file name string, and validates it complete. The
		13	slight complication for "%pipe%" is it can be reached implicitly using
		14	"\|" so we have to check both prefixes.
		15
		16	Addresses CVE-2021-3781
		17
		18	CVE: CVE-2021-3781
		19
		20	Upstream-Status: Backport:
		21	https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde
		22
		23	Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
		24	---
		25	base/gdevpipe.c \| 22 +++++++++++++++-
		26	base/gp_mshdl.c \| 11 +++++++-
		27	base/gp_msprn.c \| 10 ++++++-
		28	base/gp_os2pr.c \| 13 +++++++++-
		29	base/gslibctx.c \| 69 ++++++++++---------------------------------------
		30	5 files changed, 65 insertions(+), 60 deletions(-)
		31
		32	diff --git a/base/gdevpipe.c b/base/gdevpipe.c
		33	index 96d71f5d8..5bdc485be 100644
		34	--- a/base/gdevpipe.c
		35	+++ b/base/gdevpipe.c
		36	@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char fname, const char access,
		37	#else
		38	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		39	gs_fs_list_t *fs = ctx->core->fs;
		40	+ /* The pipe device can be reached in two ways, explicltly with %pipe%
		41	+ or implicitly with "\|", so we have to check for both
		42	+ */
		43	+ char f[gp_file_name_sizeof];
		44	+ const char *pipestr = "\|";
		45	+ const size_t pipestrlen = strlen(pipestr);
		46	+ const size_t preflen = strlen(iodev->dname);
		47	+ const size_t nlen = strlen(fname);
		48	+ int code1;
		49	+
		50	+ if (preflen + nlen >= gp_file_name_sizeof)
		51	+ return_error(gs_error_invalidaccess);
		52	+
		53	+ memcpy(f, iodev->dname, preflen);
		54	+ memcpy(f + preflen, fname, nlen + 1);
		55	+
		56	+ code1 = gp_validate_path(mem, f, access);
		57	+
		58	+ memcpy(f, pipestr, pipestrlen);
		59	+ memcpy(f + pipestrlen, fname, nlen + 1);
		60
		61	- if (gp_validate_path(mem, fname, access) != 0)
		62	+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
		63	return gs_error_invalidfileaccess;
		64
		65	/*
		66	diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
		67	index 2b964ed74..8d87ceadc 100644
		68	--- a/base/gp_mshdl.c
		69	+++ b/base/gp_mshdl.c
		70	@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char fname, const char access,
		71	long hfile; /* Correct for Win32, may be wrong for Win64 */
		72	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		73	gs_fs_list_t *fs = ctx->core->fs;
		74	+ char f[gp_file_name_sizeof];
		75	+ const size_t preflen = strlen(iodev->dname);
		76	+ const size_t nlen = strlen(fname);
		77
		78	- if (gp_validate_path(mem, fname, access) != 0)
		79	+ if (preflen + nlen >= gp_file_name_sizeof)
		80	+ return_error(gs_error_invalidaccess);
		81	+
		82	+ memcpy(f, iodev->dname, preflen);
		83	+ memcpy(f + preflen, fname, nlen + 1);
		84	+
		85	+ if (gp_validate_path(mem, f, access) != 0)
		86	return gs_error_invalidfileaccess;
		87
		88	/* First we try the open_handle method. */
		89	diff --git a/base/gp_msprn.c b/base/gp_msprn.c
		90	index ed4827968..746a974f7 100644
		91	--- a/base/gp_msprn.c
		92	+++ b/base/gp_msprn.c
		93	@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char fname, const char access,
		94	unsigned long ptid = &((tid_t )(iodev->state))->tid;
		95	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		96	gs_fs_list_t *fs = ctx->core->fs;
		97	+ const size_t preflen = strlen(iodev->dname);
		98	+ const size_t nlen = strlen(fname);
		99
		100	- if (gp_validate_path(mem, fname, access) != 0)
		101	+ if (preflen + nlen >= gp_file_name_sizeof)
		102	+ return_error(gs_error_invalidaccess);
		103	+
		104	+ memcpy(pname, iodev->dname, preflen);
		105	+ memcpy(pname + preflen, fname, nlen + 1);
		106	+
		107	+ if (gp_validate_path(mem, pname, access) != 0)
		108	return gs_error_invalidfileaccess;
		109
		110	/* First we try the open_printer method. */
		111	diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
		112	index f852c71fc..ba54cde66 100644
		113	--- a/base/gp_os2pr.c
		114	+++ b/base/gp_os2pr.c
		115	@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char fname, const char access,
		116	FILE ** pfile, char *rfname, uint rnamelen)
		117	{
		118	os2_printer_t pr = (os2_printer_t )iodev->state;
		119	- char driver_name[256];
		120	+ char driver_name[gp_file_name_sizeof];
		121	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		122	gs_fs_list_t *fs = ctx->core->fs;
		123	+ const size_t preflen = strlen(iodev->dname);
		124	+ const int size_t = strlen(fname);
		125	+
		126	+ if (preflen + nlen >= gp_file_name_sizeof)
		127	+ return_error(gs_error_invalidaccess);
		128	+
		129	+ memcpy(driver_name, iodev->dname, preflen);
		130	+ memcpy(driver_name + preflen, fname, nlen + 1);
		131	+
		132	+ if (gp_validate_path(mem, driver_name, access) != 0)
		133	+ return gs_error_invalidfileaccess;
		134
		135	/* First we try the open_printer method. */
		136	/* Note that the loop condition here ensures we don't
		137	diff --git a/base/gslibctx.c b/base/gslibctx.c
		138	index 6dfed6cd5..318039fad 100644
		139	--- a/base/gslibctx.c
		140	+++ b/base/gslibctx.c
		141	@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
		142	int
		143	gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
		144	{
		145	- char *fp, f[gp_file_name_sizeof];
		146	- const int pipe = 124; /* ASCII code for '\|' */
		147	- const int len = strlen(fname);
		148	- int i, code;
		149	+ char f[gp_file_name_sizeof];
		150	+ int code;
		151
		152	/* Be sure the string copy will fit */
		153	- if (len >= gp_file_name_sizeof)
		154	+ if (strlen(fname) >= gp_file_name_sizeof)
		155	return gs_error_rangecheck;
		156	strcpy(f, fname);
		157	- fp = f;
		158	/* Try to rewrite any %d (or similar) in the string */
		159	rewrite_percent_specifiers(f);
		160	- for (i = 0; i < len; i++) {
		161	- if (f[i] == pipe) {
		162	- fp = &f[i + 1];
		163	- /* Because we potentially have to check file permissions at two levels
		164	- for the output file (gx_device_open_output_file and the low level
		165	- fopen API, if we're using a pipe, we have to add both the full string,
		166	- (including the '\|', and just the command to which we pipe - since at
		167	- the pipe_fopen(), the leading '\|' has been stripped.
		168	- */
		169	- code = gs_add_control_path(mem, gs_permit_file_writing, f);
		170	- if (code < 0)
		171	- return code;
		172	- code = gs_add_control_path(mem, gs_permit_file_control, f);
		173	- if (code < 0)
		174	- return code;
		175	- break;
		176	- }
		177	- if (!IS_WHITESPACE(f[i]))
		178	- break;
		179	- }
		180	- code = gs_add_control_path(mem, gs_permit_file_control, fp);
		181	+
		182	+ code = gs_add_control_path(mem, gs_permit_file_control, f);
		183	if (code < 0)
		184	return code;
		185	- return gs_add_control_path(mem, gs_permit_file_writing, fp);
		186	+ return gs_add_control_path(mem, gs_permit_file_writing, f);
		187	}
		188
		189	int
		190	gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
		191	{
		192	- char *fp, f[gp_file_name_sizeof];
		193	- const int pipe = 124; /* ASCII code for '\|' */
		194	- const int len = strlen(fname);
		195	- int i, code;
		196	+ char f[gp_file_name_sizeof];
		197	+ int code;
		198
		199	/* Be sure the string copy will fit */
		200	- if (len >= gp_file_name_sizeof)
		201	+ if (strlen(fname) >= gp_file_name_sizeof)
		202	return gs_error_rangecheck;
		203	strcpy(f, fname);
		204	- fp = f;
		205	/* Try to rewrite any %d (or similar) in the string */
		206	- for (i = 0; i < len; i++) {
		207	- if (f[i] == pipe) {
		208	- fp = &f[i + 1];
		209	- /* Because we potentially have to check file permissions at two levels
		210	- for the output file (gx_device_open_output_file and the low level
		211	- fopen API, if we're using a pipe, we have to add both the full string,
		212	- (including the '\|', and just the command to which we pipe - since at
		213	- the pipe_fopen(), the leading '\|' has been stripped.
		214	- */
		215	- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
		216	- if (code < 0)
		217	- return code;
		218	- code = gs_remove_control_path(mem, gs_permit_file_control, f);
		219	- if (code < 0)
		220	- return code;
		221	- break;
		222	- }
		223	- if (!IS_WHITESPACE(f[i]))
		224	- break;
		225	- }
		226	- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
		227	+ rewrite_percent_specifiers(f);
		228	+
		229	+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
		230	if (code < 0)
		231	return code;
		232	- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
		233	+ return gs_remove_control_path(mem, gs_permit_file_writing, f);
		234	}
		235
		236	int
		237	--
		238	2.25.1


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 310c4f6d24..a829d4b4ae 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -36,6 +36,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
36	file://CVE-2020-15900.patch \	36	file://CVE-2020-15900.patch \
37	file://check-stack-limits-after-function-evalution.patch \	37	file://check-stack-limits-after-function-evalution.patch \
38	file://CVE-2021-45949.patch \	38	file://CVE-2021-45949.patch \
		39	file://CVE-2021-3781_1.patch \
		40	file://CVE-2021-3781_2.patch \
		41	file://CVE-2021-3781_3.patch \
39	"	42	"
40		43
41	SRC_URI = "${SRC_URI_BASE} \	44	SRC_URI = "${SRC_URI_BASE} \