ghostscript: fix CVE-2018-15908 & CVE-2018-15909 & CVE-2018-15910 & CVE-2018-15911

(From OE-Core rev: b6d32d43fd2b016e932b7dc81fb943eb936b73bb) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2018-09-10 03:21:01 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-09-11 09:05:35 +0100
commit: c0f6e29c2146c66dffee65d7d650fc906a57a26c (patch)
tree: b8ce60a74495eba74959899d46bc4e26c3dcf370 /meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
parent: 17f1496f841e0409e345bf889f3396cded2d7d69 (diff)
download: poky-c0f6e29c2146c66dffee65d7d650fc906a57a26c.tar.gz
1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
new file mode 100644
index 0000000000..ccd40216c0
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
@@ -0,0 +1,54 @@
+From f4f50ceea8e8852b8c3ac73f5807d8b54b735c3e Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 21 Aug 2018 20:17:05 +0100
+Subject: [PATCH 5/5] Bug 699657: properly apply file permissions to .tempfile
+CVE: CVE-2018-15908
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ psi/zfile.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+diff --git a/psi/zfile.c b/psi/zfile.c
+index a0acd5a..19996b0 100644
+--- a/psi/zfile.c
+++ b/psi/zfile.c
+@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t *i_ctx_p, const char *fname, int len,
+     /* we're protecting arbitrary file system accesses, not Postscript device accesses.
+      * Although, note that %pipe% is explicitly checked for and disallowed elsewhere
+      */
+-    if (iodev != iodev_default(imemory)) {
+    if (iodev && iodev != iodev_default(imemory)) {
+         return 0;
+     }
+ 
+@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
+     }
+ 
+     if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
+-        if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),
+        int plen = strlen(pstr);
+        const char *sep = gp_file_name_separator();
+#ifdef DEBUG
+        int seplen = strlen(sep);
+        if (seplen != 1)
+            return_error(gs_error_Fatal);
+#endif
+        /* strip off the file name prefix, leave just the directory name
+         * so we can check if we are allowed to write to it
+         */
+        for ( ; plen >=0; plen--) {
+            if (pstr[plen] == sep[0])
+                break;
+        }
+        memcpy(fname, pstr, plen);
+        fname[plen] = '\0';
+        if (check_file_permissions(i_ctx_p, fname, strlen(fname),
+                                    NULL, "PermitFileWriting") < 0) {
+             code = gs_note_error(gs_error_invalidfileaccess);
+             goto done;
+-- 
+2.8.1
author	Hongxu Jia <hongxu.jia@windriver.com>	2018-09-10 03:21:01 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-09-11 09:05:35 +0100
commit	c0f6e29c2146c66dffee65d7d650fc906a57a26c (patch)
tree	b8ce60a74495eba74959899d46bc4e26c3dcf370 /meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
parent	17f1496f841e0409e345bf889f3396cded2d7d69 (diff)
download	poky-c0f6e29c2146c66dffee65d7d650fc906a57a26c.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch new file mode 100644 index 0000000000..ccd40216c0 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
@@ -0,0 +1,54 @@
	1	From f4f50ceea8e8852b8c3ac73f5807d8b54b735c3e Mon Sep 17 00:00:00 2001
	2	From: Chris Liddell <chris.liddell@artifex.com>
	3	Date: Tue, 21 Aug 2018 20:17:05 +0100
	4	Subject: [PATCH 5/5] Bug 699657: properly apply file permissions to .tempfile
	5
	6	CVE: CVE-2018-15908
	7	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
	8
	9	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
	10	---
	11	psi/zfile.c \| 20 ++++++++++++++++++--
	12	1 file changed, 18 insertions(+), 2 deletions(-)
	13
	14	diff --git a/psi/zfile.c b/psi/zfile.c
	15	index a0acd5a..19996b0 100644
	16	--- a/psi/zfile.c
	17	+++ b/psi/zfile.c
	18	@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t i_ctx_p, const char fname, int len,
	19	/* we're protecting arbitrary file system accesses, not Postscript device accesses.
	20	* Although, note that %pipe% is explicitly checked for and disallowed elsewhere
	21	*/
	22	- if (iodev != iodev_default(imemory)) {
	23	+ if (iodev && iodev != iodev_default(imemory)) {
	24	return 0;
	25	}
	26
	27	@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
	28	}
	29
	30	if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
	31	- if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),
	32	+ int plen = strlen(pstr);
	33	+ const char *sep = gp_file_name_separator();
	34	+#ifdef DEBUG
	35	+ int seplen = strlen(sep);
	36	+ if (seplen != 1)
	37	+ return_error(gs_error_Fatal);
	38	+#endif
	39	+ /* strip off the file name prefix, leave just the directory name
	40	+ * so we can check if we are allowed to write to it
	41	+ */
	42	+ for ( ; plen >=0; plen--) {
	43	+ if (pstr[plen] == sep[0])
	44	+ break;
	45	+ }
	46	+ memcpy(fname, pstr, plen);
	47	+ fname[plen] = '\0';
	48	+ if (check_file_permissions(i_ctx_p, fname, strlen(fname),
	49	NULL, "PermitFileWriting") < 0) {
	50	code = gs_note_error(gs_error_invalidfileaccess);
	51	goto done;
	52	--
	53	2.8.1
	54