diff options
author | Ovidiu Panait <ovidiu.panait@windriver.com> | 2019-07-29 07:20:58 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-29 23:50:43 +0100 |
commit | e6058824bbd6c9786368d79fa5a69c230219d112 (patch) | |
tree | 9a5062fe31b796da05b7e10d133acfdd8b349f15 /meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch | |
parent | 885459d264e8fa1472142ff0ce02cbce91e630a0 (diff) | |
download | poky-e6058824bbd6c9786368d79fa5a69c230219d112.tar.gz |
ghostscript: Fix 3 CVEs
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.
It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constrains imposed by -dSAFER.
It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constrains imposed by -dSAFER.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e
(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)
(From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fix for CVE-2019-6116 is already in thud, so that has been removed]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch new file mode 100644 index 0000000000..593109fb9f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 53f0cb4c54ac951697704cb87d24154ae08aecce Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 20 Feb 2019 09:54:28 +0000 | ||
4 | Subject: [PATCH] Bug 700576: Make a transient proc executeonly (in | ||
5 | DefineResource). | ||
6 | |||
7 | This prevents access to .forceput | ||
8 | |||
9 | Solution originally suggested by cbuissar@redhat.com. | ||
10 | |||
11 | CVE: CVE-2019-3838 | ||
12 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
13 | |||
14 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
15 | --- | ||
16 | Resource/Init/gs_res.ps | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
20 | index 89c0ed6..a163541 100644 | ||
21 | --- a/Resource/Init/gs_res.ps | ||
22 | +++ b/Resource/Init/gs_res.ps | ||
23 | @@ -426,7 +426,7 @@ status { | ||
24 | % so we have to use .forceput here. | ||
25 | currentdict /.Instances 2 index .forceput % Category dict is read-only | ||
26 | } executeonly if | ||
27 | - } | ||
28 | + } executeonly | ||
29 | { .LocalInstances dup //.emptydict eq | ||
30 | { pop 3 dict localinstancedict Category 2 index put | ||
31 | } | ||
32 | -- | ||
33 | 2.18.1 | ||
34 | |||