author | Ovidiu Panait <ovidiu.panait@windriver.com> | 2019-07-29 07:20:58 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-29 23:50:43 +0100 |
commit | e6058824bbd6c9786368d79fa5a69c230219d112 (patch) | |
tree | 9a5062fe31b796da05b7e10d133acfdd8b349f15 /meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch | |
parent | 885459d264e8fa1472142ff0ce02cbce91e630a0 (diff) | |
ghostscript: Fix 3 CVEs
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.
It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constraints imposed by -dSAFER.
It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constraints imposed by -dSAFER.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e
(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)
(From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fix for CVE-2019-6116 is already in thud, so that has been removed]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch | 71 |
1 files changed, 71 insertions, 0 deletions
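diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch
new file mode 100644
index 0000000000..590b92e186
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch
@@ -0,0 +1,71 @@
+From ba6dbd6e61dbb3cc6ee6db9dd3a4f70cc18f706e Mon Sep 17 00:00:00 2001
+From: Nancy Durgin <nancy.durgin@artifex.com>
+Date: Thu, 14 Feb 2019 10:09:00 -0800
+Subject: [PATCH] Undef /odef in gs_init.ps
+
+Made a new temporary utility function in gs_cet.ps (.odef) to use instead
+of /odef. This makes it fine to undef odef with all the other operators in
+gs_init.ps
+
+This punts the bigger question of what to do with .makeoperator, but it
+doesn't make the situation any worse than it already was.
+
+CVE: CVE-2019-3835
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+Resource/Init/gs_cet.ps | 10 ++++++++--
+Resource/Init/gs_init.ps | 1 +
+2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps
+index 75534bb..dbc5c4e 100644
+--- a/Resource/Init/gs_cet.ps
++++ b/Resource/Init/gs_cet.ps
+@@ -1,6 +1,10 @@
+%!PS
+% Set defaults for Ghostscript to match Adobe CPSI behaviour for CET
+
++/.odef { % <name> <proc> odef -
++ 1 index exch .makeoperator def
++} bind def
++
+systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq
+{
+(%END GS_CET) .skipeof
+@@ -93,8 +97,8 @@ userdict /.smoothness currentsmoothness put
+} {
+/setsmoothness .systemvar /typecheck signalerror
+} ifelse
+-} bind odef
+-/currentsmoothness { userdict /.smoothness get } bind odef % for 09-55.PS, 09-57.PS .
++} bind //.odef exec
++/currentsmoothness { userdict /.smoothness get } bind //.odef exec % for 09-55.PS, 09-57.PS .
+
+% slightly nasty hack to give consistent cluster results
+/ofnfa systemdict /filenameforall get def
+@@ -113,6 +117,8 @@ userdict /.smoothness currentsmoothness put
+} ifelse
+ofnfa
+} bind def
++
++currentdict /.odef undef
+% end of slightly nasty hack to give consistent cluster results
+
+//false 0 startjob pop % re-enter encapsulated mode
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index e6b9cd2..80d9585 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2257,6 +2257,7 @@ SAFER { .setsafeglobal } if
+/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
+/.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack /.applypolicies
++ /odef
+
+% Used by a free user in the Library of Congress. Apparently this is used to
+% draw a partial page, which is then filled in by the results of a barcode
+--
+2.18.1
+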