diff options
author | Ovidiu Panait <ovidiu.panait@windriver.com> | 2019-04-05 17:56:31 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-04-09 13:44:39 +0100 |
commit | 327513ee83499827b6f4a8fae2ba0336b65bb68a (patch) | |
tree | 4fcd2fded9d4cc1f302db18cfabe3fea7425215e /meta/recipes-extended/ghostscript | |
parent | a1fb2c59e82fd5ccc1d8ae649af7f1979cee3939 (diff) | |
download | poky-327513ee83499827b6f4a8fae2ba0336b65bb68a.tar.gz |
ghostscript: Fix 3 CVEs
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.
It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constrains imposed by -dSAFER.
It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constrains imposed by -dSAFER.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e
(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/ghostscript')
14 files changed, 2688 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch new file mode 100644 index 0000000000..30ce04a7b1 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | From ad3ad6b389653722507e588c5cb34d8731e49e89 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Mon, 26 Nov 2018 18:01:25 +0000 | ||
4 | Subject: [PATCH] Have gs_cet.ps run from gs_init.ps | ||
5 | |||
6 | Previously gs_cet.ps was run on the command line, to set up the interpreter | ||
7 | state so our output more closely matches the example output for the QL CET | ||
8 | tests. | ||
9 | |||
10 | Allow a -dCETMODE command line switch, which will cause gs_init.ps to run the | ||
11 | file directly. | ||
12 | |||
13 | This works better for gpdl as it means the changes are made in the intial | ||
14 | interpreter state, rather than after initialisation is complete. | ||
15 | |||
16 | This also means adding a definition of the default procedure for black | ||
17 | generation and under color removal (rather it being defined in-line in | ||
18 | .setdefaultbgucr | ||
19 | |||
20 | Also, add a check so gs_cet.ps only runs once - if we try to run it a second | ||
21 | time, we'll just skip over the file, flushing through to the end. | ||
22 | |||
23 | CVE: CVE-2019-3835 | ||
24 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
25 | |||
26 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
27 | --- | ||
28 | Resource/Init/gs_cet.ps | 11 ++++++++++- | ||
29 | Resource/Init/gs_init.ps | 13 ++++++++++++- | ||
30 | 2 files changed, 22 insertions(+), 2 deletions(-) | ||
31 | |||
32 | diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps | ||
33 | index d3e1686..75534bb 100644 | ||
34 | --- a/Resource/Init/gs_cet.ps | ||
35 | +++ b/Resource/Init/gs_cet.ps | ||
36 | @@ -1,6 +1,11 @@ | ||
37 | %!PS | ||
38 | % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET | ||
39 | |||
40 | +systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq | ||
41 | +{ | ||
42 | + (%END GS_CET) .skipeof | ||
43 | +} if | ||
44 | + | ||
45 | % do this in the server level so it is persistent across jobs | ||
46 | //true 0 startjob not { | ||
47 | (*** Warning: CET startup is not in server default) = flush | ||
48 | @@ -25,7 +30,9 @@ currentglobal //true setglobal | ||
49 | |||
50 | /UNROLLFORMS true def | ||
51 | |||
52 | -{ } bind dup | ||
53 | +(%.defaultbgrucrproc) cvn { } bind def | ||
54 | + | ||
55 | +(%.defaultbgrucrproc) cvn load dup | ||
56 | setblackgeneration | ||
57 | setundercolorremoval | ||
58 | 0 array cvx readonly dup dup dup setcolortransfer | ||
59 | @@ -109,3 +116,5 @@ userdict /.smoothness currentsmoothness put | ||
60 | % end of slightly nasty hack to give consistent cluster results | ||
61 | |||
62 | //false 0 startjob pop % re-enter encapsulated mode | ||
63 | + | ||
64 | +%END GS_CET | ||
65 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
66 | index 45bebf4..e6b9cd2 100644 | ||
67 | --- a/Resource/Init/gs_init.ps | ||
68 | +++ b/Resource/Init/gs_init.ps | ||
69 | @@ -1538,10 +1538,18 @@ setpacking | ||
70 | % any-part-of-pixel rule. | ||
71 | 0.5 .setfilladjust | ||
72 | } bind def | ||
73 | + | ||
74 | % Set the default screen and BG/UCR. | ||
75 | +% We define the proc here, rather than inline in .setdefaultbgucr | ||
76 | +% for the benefit of gs_cet.ps so jobs that do anything that causes | ||
77 | +% .setdefaultbgucr to be called will still get the redefined proc | ||
78 | +% in gs_cet.ps | ||
79 | +(%.defaultbgrucrproc) cvn { pop 0 } def | ||
80 | + | ||
81 | /.setdefaultbgucr { | ||
82 | systemdict /setblackgeneration known { | ||
83 | - { pop 0 } dup setblackgeneration setundercolorremoval | ||
84 | + (%.defaultbgrucrproc) cvn load dup | ||
85 | + setblackgeneration setundercolorremoval | ||
86 | } if | ||
87 | } bind def | ||
88 | /.useloresscreen { % - .useloresscreen <bool> | ||
89 | @@ -2491,4 +2499,7 @@ WRITESYSTEMDICT { | ||
90 | % be 'true' in some cases. | ||
91 | userdict /AGM_preserve_spots //false put | ||
92 | |||
93 | +systemdict /CETMODE .knownget | ||
94 | +{ { (gs_cet.ps) runlibfile } if } if | ||
95 | + | ||
96 | % The interpreter will run the initial procedure (start). | ||
97 | -- | ||
98 | 2.18.1 | ||
99 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch new file mode 100644 index 0000000000..590b92e186 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch | |||
@@ -0,0 +1,71 @@ | |||
1 | From ba6dbd6e61dbb3cc6ee6db9dd3a4f70cc18f706e Mon Sep 17 00:00:00 2001 | ||
2 | From: Nancy Durgin <nancy.durgin@artifex.com> | ||
3 | Date: Thu, 14 Feb 2019 10:09:00 -0800 | ||
4 | Subject: [PATCH] Undef /odef in gs_init.ps | ||
5 | |||
6 | Made a new temporary utility function in gs_cet.ps (.odef) to use instead | ||
7 | of /odef. This makes it fine to undef odef with all the other operators in | ||
8 | gs_init.ps | ||
9 | |||
10 | This punts the bigger question of what to do with .makeoperator, but it | ||
11 | doesn't make the situation any worse than it already was. | ||
12 | |||
13 | CVE: CVE-2019-3835 | ||
14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
15 | |||
16 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
17 | --- | ||
18 | Resource/Init/gs_cet.ps | 10 ++++++++-- | ||
19 | Resource/Init/gs_init.ps | 1 + | ||
20 | 2 files changed, 9 insertions(+), 2 deletions(-) | ||
21 | |||
22 | diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps | ||
23 | index 75534bb..dbc5c4e 100644 | ||
24 | --- a/Resource/Init/gs_cet.ps | ||
25 | +++ b/Resource/Init/gs_cet.ps | ||
26 | @@ -1,6 +1,10 @@ | ||
27 | %!PS | ||
28 | % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET | ||
29 | |||
30 | +/.odef { % <name> <proc> odef - | ||
31 | + 1 index exch .makeoperator def | ||
32 | +} bind def | ||
33 | + | ||
34 | systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq | ||
35 | { | ||
36 | (%END GS_CET) .skipeof | ||
37 | @@ -93,8 +97,8 @@ userdict /.smoothness currentsmoothness put | ||
38 | } { | ||
39 | /setsmoothness .systemvar /typecheck signalerror | ||
40 | } ifelse | ||
41 | -} bind odef | ||
42 | -/currentsmoothness { userdict /.smoothness get } bind odef % for 09-55.PS, 09-57.PS . | ||
43 | +} bind //.odef exec | ||
44 | +/currentsmoothness { userdict /.smoothness get } bind //.odef exec % for 09-55.PS, 09-57.PS . | ||
45 | |||
46 | % slightly nasty hack to give consistent cluster results | ||
47 | /ofnfa systemdict /filenameforall get def | ||
48 | @@ -113,6 +117,8 @@ userdict /.smoothness currentsmoothness put | ||
49 | } ifelse | ||
50 | ofnfa | ||
51 | } bind def | ||
52 | + | ||
53 | +currentdict /.odef undef | ||
54 | % end of slightly nasty hack to give consistent cluster results | ||
55 | |||
56 | //false 0 startjob pop % re-enter encapsulated mode | ||
57 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
58 | index e6b9cd2..80d9585 100644 | ||
59 | --- a/Resource/Init/gs_init.ps | ||
60 | +++ b/Resource/Init/gs_init.ps | ||
61 | @@ -2257,6 +2257,7 @@ SAFER { .setsafeglobal } if | ||
62 | /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams | ||
63 | /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice | ||
64 | /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack /.applypolicies | ||
65 | + /odef | ||
66 | |||
67 | % Used by a free user in the Library of Congress. Apparently this is used to | ||
68 | % draw a partial page, which is then filled in by the results of a barcode | ||
69 | -- | ||
70 | 2.18.1 | ||
71 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch new file mode 100644 index 0000000000..a339fa2f33 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch | |||
@@ -0,0 +1,295 @@ | |||
1 | From 4203e04ef9e6ca22ed68a1ab10a878aa9ceaeedc Mon Sep 17 00:00:00 2001 | ||
2 | From: Ray Johnston <ray.johnston@artifex.com> | ||
3 | Date: Thu, 14 Feb 2019 10:20:03 -0800 | ||
4 | Subject: [PATCH] Fix bug 700585: Restrict superexec and remove it from | ||
5 | internals and gs_cet.ps | ||
6 | |||
7 | Also while changing things, restructure the CETMODE so that it will | ||
8 | work with -dSAFER. The gs_cet.ps is now run when we are still at save | ||
9 | level 0 with systemdict writeable. Allows us to undefine .makeoperator | ||
10 | and .setCPSImode internal operators after CETMODE is handled. | ||
11 | |||
12 | Change previous uses of superexec to using .forceput (with the usual | ||
13 | .bind executeonly to hide it). | ||
14 | |||
15 | CVE: CVE-2019-3835 | ||
16 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
17 | |||
18 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
19 | --- | ||
20 | Resource/Init/gs_cet.ps | 38 ++++++++++++++------------------------ | ||
21 | Resource/Init/gs_dps1.ps | 2 +- | ||
22 | Resource/Init/gs_fonts.ps | 8 ++++---- | ||
23 | Resource/Init/gs_init.ps | 38 +++++++++++++++++++++++++++----------- | ||
24 | Resource/Init/gs_ttf.ps | 8 ++++---- | ||
25 | Resource/Init/gs_type1.ps | 6 +++--- | ||
26 | 6 files changed, 53 insertions(+), 47 deletions(-) | ||
27 | |||
28 | diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps | ||
29 | index dbc5c4e..3cc6883 100644 | ||
30 | --- a/Resource/Init/gs_cet.ps | ||
31 | +++ b/Resource/Init/gs_cet.ps | ||
32 | @@ -1,37 +1,29 @@ | ||
33 | %!PS | ||
34 | % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET | ||
35 | |||
36 | -/.odef { % <name> <proc> odef - | ||
37 | - 1 index exch .makeoperator def | ||
38 | -} bind def | ||
39 | - | ||
40 | +% skip if we've already run this -- based on fake "product" | ||
41 | systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq | ||
42 | { | ||
43 | (%END GS_CET) .skipeof | ||
44 | } if | ||
45 | |||
46 | -% do this in the server level so it is persistent across jobs | ||
47 | -//true 0 startjob not { | ||
48 | - (*** Warning: CET startup is not in server default) = flush | ||
49 | -} if | ||
50 | +% Note: this must be run at save level 0 and when systemdict is writeable | ||
51 | +currentglobal //true setglobal | ||
52 | +systemdict dup dup dup | ||
53 | +/version (3017.102) readonly .forceput % match CPSI 3017.102 | ||
54 | +/product (PhotoPRINT SE 5.0v2) readonly .forceput % match CPSI 3017.102 | ||
55 | +/revision 0 put % match CPSI 3017.103 Tek shows revision 5 | ||
56 | +/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI 3017.102 Tek shows serialnumber 1401788461 | ||
57 | + | ||
58 | +systemdict /.odef { % <name> <proc> odef - | ||
59 | + 1 index exch //.makeoperator def | ||
60 | +} .bind .forceput % this will be undefined at the end | ||
61 | |||
62 | 300 .sethiresscreen % needed for language switch build since it | ||
63 | % processes gs_init.ps BEFORE setting the resolution | ||
64 | |||
65 | 0 array 0 setdash % CET 09-08 wants local setdash | ||
66 | |||
67 | -currentglobal //true setglobal | ||
68 | - | ||
69 | -{ | ||
70 | - systemdict dup dup dup | ||
71 | - /version (3017.102) readonly put % match CPSI 3017.102 | ||
72 | - /product (PhotoPRINT SE 5.0v2) readonly put % match CPSI 3017.102 | ||
73 | - /revision 0 put % match CPSI 3017.103 Tek shows revision 5 | ||
74 | - /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461 | ||
75 | - systemdict /deviceinfo undef % for CET 20-23-1 | ||
76 | -% /UNROLLFORMS true put % CET files do unreasonable things inside forms | ||
77 | -} 1183615869 internaldict /superexec get exec | ||
78 | - | ||
79 | /UNROLLFORMS true def | ||
80 | |||
81 | (%.defaultbgrucrproc) cvn { } bind def | ||
82 | @@ -118,9 +110,7 @@ userdict /.smoothness currentsmoothness put | ||
83 | ofnfa | ||
84 | } bind def | ||
85 | |||
86 | -currentdict /.odef undef | ||
87 | -% end of slightly nasty hack to give consistent cluster results | ||
88 | - | ||
89 | -//false 0 startjob pop % re-enter encapsulated mode | ||
90 | +systemdict /.odef .undef | ||
91 | |||
92 | +% end of slightly nasty hack to give consistent cluster results | ||
93 | %END GS_CET | ||
94 | diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps | ||
95 | index 3d2cf7a..c4fd839 100644 | ||
96 | --- a/Resource/Init/gs_dps1.ps | ||
97 | +++ b/Resource/Init/gs_dps1.ps | ||
98 | @@ -89,7 +89,7 @@ level2dict begin | ||
99 | % definition, copy it into the local directory. | ||
100 | //systemdict /SharedFontDirectory .knownget | ||
101 | { 1 index .knownget | ||
102 | - { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly | ||
103 | + { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly | ||
104 | if | ||
105 | } | ||
106 | if | ||
107 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps | ||
108 | index 0562235..f2b4e19 100644 | ||
109 | --- a/Resource/Init/gs_fonts.ps | ||
110 | +++ b/Resource/Init/gs_fonts.ps | ||
111 | @@ -519,11 +519,11 @@ buildfontdict 3 /.buildfont3 cvx put | ||
112 | % the font in LocalFontDirectory. | ||
113 | .currentglobal | ||
114 | { //systemdict /LocalFontDirectory .knownget | ||
115 | - { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly | ||
116 | + { 2 index 2 index .forceput } % readonly | ||
117 | if | ||
118 | } | ||
119 | if | ||
120 | - dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly | ||
121 | + dup //.FontDirectory 4 -2 roll .forceput % readonly | ||
122 | % If the font originated as a resource, register it. | ||
123 | currentfile .currentresourcefile eq { dup .registerfont } if | ||
124 | readonly | ||
125 | @@ -1191,13 +1191,13 @@ $error /SubstituteFont { } put | ||
126 | //.FontDirectory 1 index known not { | ||
127 | 2 dict dup /FontName 3 index put | ||
128 | dup /FontType 1 put | ||
129 | - //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly | ||
130 | + //.FontDirectory 3 1 roll //.forceput exec % readonly | ||
131 | } { | ||
132 | pop | ||
133 | } ifelse | ||
134 | } forall | ||
135 | } forall | ||
136 | - } | ||
137 | + } executeonly % hide .forceput | ||
138 | FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined | ||
139 | |||
140 | % Install initial fonts from Fontmap. | ||
141 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
142 | index 80d9585..0d5c4f7 100644 | ||
143 | --- a/Resource/Init/gs_init.ps | ||
144 | +++ b/Resource/Init/gs_init.ps | ||
145 | @@ -2188,9 +2188,6 @@ SAFER { .setsafeglobal } if | ||
146 | /.endtransparencygroup % transparency-example.ps | ||
147 | /.setdotlength % Bug687720.ps | ||
148 | /.sort /.setdebug /.mementolistnewblocks /getenv | ||
149 | - | ||
150 | - /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER | ||
151 | - | ||
152 | /unread | ||
153 | ] | ||
154 | {systemdict exch .forceundef} forall | ||
155 | @@ -2270,7 +2267,6 @@ SAFER { .setsafeglobal } if | ||
156 | |||
157 | % Used by our own test suite files | ||
158 | %/.fileposition %image-qa.ps | ||
159 | - %/.makeoperator /.setCPSImode % gs_cet.ps | ||
160 | |||
161 | % Either our code uses these in ways which mean they can't be undefined, or they are used directly by | ||
162 | % test files/utilities, or engineers expressed a desire to keep them visible. | ||
163 | @@ -2457,6 +2453,16 @@ end | ||
164 | /vmreclaim where | ||
165 | { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if | ||
166 | } if | ||
167 | + | ||
168 | +% Do this before systemdict is locked (see below for additional CETMODE setup using gs_cet.ps) | ||
169 | +systemdict /CETMODE .knownget { | ||
170 | + { | ||
171 | + (gs_cet.ps) runlibfile | ||
172 | + } if | ||
173 | +} if | ||
174 | +systemdict /.makeoperator .undef % must be after gs_cet.ps | ||
175 | +systemdict /.setCPSImode .undef % must be after gs_cet.ps | ||
176 | + | ||
177 | DELAYBIND not { | ||
178 | systemdict /.bindnow .undef % We only need this for DELAYBIND | ||
179 | systemdict /.forcecopynew .undef % remove temptation | ||
180 | @@ -2464,16 +2470,29 @@ DELAYBIND not { | ||
181 | systemdict /.forceundef .undef % ditto | ||
182 | } if | ||
183 | |||
184 | -% Move superexec to internaldict if superexec is defined. | ||
185 | -systemdict /superexec .knownget { | ||
186 | - 1183615869 internaldict /superexec 3 -1 roll put | ||
187 | - systemdict /superexec .undef | ||
188 | +% Move superexec to internaldict if superexec is defined. (Level 2 or later) | ||
189 | +systemdict /superexec known { | ||
190 | + % restrict superexec to single known use by PScript5.dll | ||
191 | + % We could do this only for SAFER mode, but internaldict and superexec are | ||
192 | + % not very well documented, and we don't want them to be used. | ||
193 | + 1183615869 internaldict /superexec { | ||
194 | + 2 index /Private eq % first check for typical use in PScript5.dll | ||
195 | + 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec | ||
196 | + 1 index 0 get systemdict /put get eq and | ||
197 | + { | ||
198 | + //superexec exec % the only usage we allow | ||
199 | + } { | ||
200 | + /superexec load /invalidaccess signalerror | ||
201 | + } ifelse | ||
202 | + } bind cvx executeonly put | ||
203 | + systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator | ||
204 | } if | ||
205 | |||
206 | % Can't remove this one until the last minute :-) | ||
207 | DELAYBIND not { | ||
208 | systemdict /.undef .undef | ||
209 | } if | ||
210 | + | ||
211 | WRITESYSTEMDICT { | ||
212 | SAFER { | ||
213 | (\n *** WARNING - you have selected SAFER, indicating you want Ghostscript\n) print | ||
214 | @@ -2500,7 +2519,4 @@ WRITESYSTEMDICT { | ||
215 | % be 'true' in some cases. | ||
216 | userdict /AGM_preserve_spots //false put | ||
217 | |||
218 | -systemdict /CETMODE .knownget | ||
219 | -{ { (gs_cet.ps) runlibfile } if } if | ||
220 | - | ||
221 | % The interpreter will run the initial procedure (start). | ||
222 | diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps | ||
223 | index 05943c5..da97afa 100644 | ||
224 | --- a/Resource/Init/gs_ttf.ps | ||
225 | +++ b/Resource/Init/gs_ttf.ps | ||
226 | @@ -1421,7 +1421,7 @@ mark | ||
227 | TTFDEBUG { (\n1 setting alias: ) print dup ==only | ||
228 | ( to be the same as ) print 2 index //== exec } if | ||
229 | |||
230 | - 7 index 2 index 3 -1 roll exch //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
231 | + 7 index 2 index 3 -1 roll exch .forceput | ||
232 | } forall | ||
233 | pop pop pop | ||
234 | } | ||
235 | @@ -1439,7 +1439,7 @@ mark | ||
236 | exch pop | ||
237 | TTFDEBUG { (\n2 setting alias: ) print 1 index ==only | ||
238 | ( to use glyph index: ) print dup //== exec } if | ||
239 | - 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
240 | + 5 index 3 1 roll .forceput | ||
241 | //false | ||
242 | } | ||
243 | { | ||
244 | @@ -1456,7 +1456,7 @@ mark | ||
245 | { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer) | ||
246 | TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only | ||
247 | ( to be index: ) print dup //== exec } if | ||
248 | - exch pop 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
249 | + exch pop 5 index 3 1 roll .forceput | ||
250 | } | ||
251 | { | ||
252 | pop pop | ||
253 | @@ -1486,7 +1486,7 @@ mark | ||
254 | } ifelse | ||
255 | ] | ||
256 | TTFDEBUG { (Encoding: ) print dup === flush } if | ||
257 | -} bind def | ||
258 | +} .bind executeonly odef % hides .forceput | ||
259 | |||
260 | % to be removed 9.09...... | ||
261 | currentdict /postalias undef | ||
262 | diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps | ||
263 | index 96e1ced..61f5269 100644 | ||
264 | --- a/Resource/Init/gs_type1.ps | ||
265 | +++ b/Resource/Init/gs_type1.ps | ||
266 | @@ -116,7 +116,7 @@ | ||
267 | { % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname aglname | ||
268 | CFFDEBUG { (\nsetting alias: ) print dup ==only | ||
269 | ( to be the same as glyph: ) print 1 index //== exec } if | ||
270 | - 3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
271 | + 3 index exch 3 index .forceput | ||
272 | % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname | ||
273 | } | ||
274 | {pop} ifelse | ||
275 | @@ -135,7 +135,7 @@ | ||
276 | 3 1 roll pop pop | ||
277 | } if | ||
278 | pop | ||
279 | - dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
280 | + dup /.AGLprocessed~GS //true .forceput | ||
281 | } if | ||
282 | |||
283 | %% We need to excute the C .buildfont1 in a stopped context so that, if there | ||
284 | @@ -148,7 +148,7 @@ | ||
285 | {//.buildfont1} stopped | ||
286 | 4 3 roll .setglobal | ||
287 | {//.buildfont1 $error /errorname get signalerror} if | ||
288 | - } bind def | ||
289 | + } .bind executeonly def % hide .forceput | ||
290 | |||
291 | % If the diskfont feature isn't included, define a dummy .loadfontdict. | ||
292 | /.loadfontdict where | ||
293 | -- | ||
294 | 2.20.1 | ||
295 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch new file mode 100644 index 0000000000..5228cace24 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch | |||
@@ -0,0 +1,167 @@ | |||
1 | From 5845e667dda3c945ee793fbe6af021533cb4fbec Mon Sep 17 00:00:00 2001 | ||
2 | From: Ray Johnston <ray.johnston@artifex.com> | ||
3 | Date: Sun, 24 Feb 2019 22:01:04 -0800 | ||
4 | Subject: [PATCH] Bug 700585: Obliterate "superexec". We don't need it, nor | ||
5 | do any known apps. | ||
6 | |||
7 | We were under the impression that the Windows driver 'PScript5.dll' used | ||
8 | superexec, but after testing with our extensive suite of PostScript file, | ||
9 | and analysis of the PScript5 "Adobe CoolType ProcSet, it does not appear | ||
10 | that this operator is needed anymore. Get rid of superexec and all of the | ||
11 | references to it, since it is a potential security hole. | ||
12 | |||
13 | CVE: CVE-2019-3835 | ||
14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
15 | |||
16 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
17 | --- | ||
18 | Resource/Init/gs_init.ps | 18 ------------------ | ||
19 | psi/icontext.c | 1 - | ||
20 | psi/icstate.h | 1 - | ||
21 | psi/zcontrol.c | 30 ------------------------------ | ||
22 | psi/zdict.c | 6 ++---- | ||
23 | psi/zgeneric.c | 3 +-- | ||
24 | 6 files changed, 3 insertions(+), 56 deletions(-) | ||
25 | |||
26 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
27 | index 0d5c4f7..c5ac82a 100644 | ||
28 | --- a/Resource/Init/gs_init.ps | ||
29 | +++ b/Resource/Init/gs_init.ps | ||
30 | @@ -2470,24 +2470,6 @@ DELAYBIND not { | ||
31 | systemdict /.forceundef .undef % ditto | ||
32 | } if | ||
33 | |||
34 | -% Move superexec to internaldict if superexec is defined. (Level 2 or later) | ||
35 | -systemdict /superexec known { | ||
36 | - % restrict superexec to single known use by PScript5.dll | ||
37 | - % We could do this only for SAFER mode, but internaldict and superexec are | ||
38 | - % not very well documented, and we don't want them to be used. | ||
39 | - 1183615869 internaldict /superexec { | ||
40 | - 2 index /Private eq % first check for typical use in PScript5.dll | ||
41 | - 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec | ||
42 | - 1 index 0 get systemdict /put get eq and | ||
43 | - { | ||
44 | - //superexec exec % the only usage we allow | ||
45 | - } { | ||
46 | - /superexec load /invalidaccess signalerror | ||
47 | - } ifelse | ||
48 | - } bind cvx executeonly put | ||
49 | - systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator | ||
50 | -} if | ||
51 | - | ||
52 | % Can't remove this one until the last minute :-) | ||
53 | DELAYBIND not { | ||
54 | systemdict /.undef .undef | ||
55 | diff --git a/psi/icontext.c b/psi/icontext.c | ||
56 | index 1fbe486..7462ea3 100644 | ||
57 | --- a/psi/icontext.c | ||
58 | +++ b/psi/icontext.c | ||
59 | @@ -151,7 +151,6 @@ context_state_alloc(gs_context_state_t ** ppcst, | ||
60 | pcst->rand_state = rand_state_initial; | ||
61 | pcst->usertime_total = 0; | ||
62 | pcst->keep_usertime = false; | ||
63 | - pcst->in_superexec = 0; | ||
64 | pcst->plugin_list = 0; | ||
65 | make_t(&pcst->error_object, t__invalid); | ||
66 | { /* | ||
67 | diff --git a/psi/icstate.h b/psi/icstate.h | ||
68 | index 4c6a14d..1009d85 100644 | ||
69 | --- a/psi/icstate.h | ||
70 | +++ b/psi/icstate.h | ||
71 | @@ -54,7 +54,6 @@ struct gs_context_state_s { | ||
72 | long usertime_total; /* total accumulated usertime, */ | ||
73 | /* not counting current time if running */ | ||
74 | bool keep_usertime; /* true if context ever executed usertime */ | ||
75 | - int in_superexec; /* # of levels of superexec */ | ||
76 | /* View clipping is handled in the graphics state. */ | ||
77 | ref error_object; /* t__invalid or error object from operator */ | ||
78 | ref userparams; /* t_dictionary */ | ||
79 | diff --git a/psi/zcontrol.c b/psi/zcontrol.c | ||
80 | index 0362cf4..dc813e8 100644 | ||
81 | --- a/psi/zcontrol.c | ||
82 | +++ b/psi/zcontrol.c | ||
83 | @@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p) | ||
84 | return o_push_estack; | ||
85 | } | ||
86 | |||
87 | -/* <obj> superexec - */ | ||
88 | -static int end_superexec(i_ctx_t *); | ||
89 | -static int | ||
90 | -zsuperexec(i_ctx_t *i_ctx_p) | ||
91 | -{ | ||
92 | - os_ptr op = osp; | ||
93 | - es_ptr ep; | ||
94 | - | ||
95 | - check_op(1); | ||
96 | - if (!r_has_attr(op, a_executable)) | ||
97 | - return 0; /* literal object just gets pushed back */ | ||
98 | - check_estack(2); | ||
99 | - ep = esp += 3; | ||
100 | - make_mark_estack(ep - 2, es_other, end_superexec); /* error case */ | ||
101 | - make_op_estack(ep - 1, end_superexec); /* normal case */ | ||
102 | - ref_assign(ep, op); | ||
103 | - esfile_check_cache(); | ||
104 | - pop(1); | ||
105 | - i_ctx_p->in_superexec++; | ||
106 | - return o_push_estack; | ||
107 | -} | ||
108 | -static int | ||
109 | -end_superexec(i_ctx_t *i_ctx_p) | ||
110 | -{ | ||
111 | - i_ctx_p->in_superexec--; | ||
112 | - return 0; | ||
113 | -} | ||
114 | - | ||
115 | /* <array> <executable> .runandhide <obj> */ | ||
116 | /* before executing <executable>, <array> is been removed from */ | ||
117 | /* the operand stack and placed on the execstack with attributes */ | ||
118 | @@ -971,8 +943,6 @@ const op_def zcontrol3_op_defs[] = { | ||
119 | {"0%loop_continue", loop_continue}, | ||
120 | {"0%repeat_continue", repeat_continue}, | ||
121 | {"0%stopped_push", stopped_push}, | ||
122 | - {"1superexec", zsuperexec}, | ||
123 | - {"0%end_superexec", end_superexec}, | ||
124 | {"2.runandhide", zrunandhide}, | ||
125 | {"0%end_runandhide", end_runandhide}, | ||
126 | op_def_end(0) | ||
127 | diff --git a/psi/zdict.c b/psi/zdict.c | ||
128 | index b0deaaa..e2e525d 100644 | ||
129 | --- a/psi/zdict.c | ||
130 | +++ b/psi/zdict.c | ||
131 | @@ -212,8 +212,7 @@ zundef(i_ctx_t *i_ctx_p) | ||
132 | int code; | ||
133 | |||
134 | check_type(*op1, t_dictionary); | ||
135 | - if (i_ctx_p->in_superexec == 0) | ||
136 | - check_dict_write(*op1); | ||
137 | + check_dict_write(*op1); | ||
138 | code = idict_undef(op1, op); | ||
139 | if (code < 0 && code != gs_error_undefined) /* ignore undefined error */ | ||
140 | return code; | ||
141 | @@ -504,8 +503,7 @@ zsetmaxlength(i_ctx_t *i_ctx_p) | ||
142 | int code; | ||
143 | |||
144 | check_type(*op1, t_dictionary); | ||
145 | - if (i_ctx_p->in_superexec == 0) | ||
146 | - check_dict_write(*op1); | ||
147 | + check_dict_write(*op1); | ||
148 | check_type(*op, t_integer); | ||
149 | if (op->value.intval < 0) | ||
150 | return_error(gs_error_rangecheck); | ||
151 | diff --git a/psi/zgeneric.c b/psi/zgeneric.c | ||
152 | index 8048e28..d4edddb 100644 | ||
153 | --- a/psi/zgeneric.c | ||
154 | +++ b/psi/zgeneric.c | ||
155 | @@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p) | ||
156 | |||
157 | switch (r_type(op2)) { | ||
158 | case t_dictionary: | ||
159 | - if (i_ctx_p->in_superexec == 0) | ||
160 | - check_dict_write(*op2); | ||
161 | + check_dict_write(*op2); | ||
162 | { | ||
163 | int code = idict_put(op2, op1, op); | ||
164 | |||
165 | -- | ||
166 | 2.18.1 | ||
167 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch new file mode 100644 index 0000000000..593109fb9f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 53f0cb4c54ac951697704cb87d24154ae08aecce Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 20 Feb 2019 09:54:28 +0000 | ||
4 | Subject: [PATCH] Bug 700576: Make a transient proc executeonly (in | ||
5 | DefineResource). | ||
6 | |||
7 | This prevents access to .forceput | ||
8 | |||
9 | Solution originally suggested by cbuissar@redhat.com. | ||
10 | |||
11 | CVE: CVE-2019-3838 | ||
12 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
13 | |||
14 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
15 | --- | ||
16 | Resource/Init/gs_res.ps | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
20 | index 89c0ed6..a163541 100644 | ||
21 | --- a/Resource/Init/gs_res.ps | ||
22 | +++ b/Resource/Init/gs_res.ps | ||
23 | @@ -426,7 +426,7 @@ status { | ||
24 | % so we have to use .forceput here. | ||
25 | currentdict /.Instances 2 index .forceput % Category dict is read-only | ||
26 | } executeonly if | ||
27 | - } | ||
28 | + } executeonly | ||
29 | { .LocalInstances dup //.emptydict eq | ||
30 | { pop 3 dict localinstancedict Category 2 index put | ||
31 | } | ||
32 | -- | ||
33 | 2.18.1 | ||
34 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch new file mode 100644 index 0000000000..921e5b6876 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 0cb5e967c0200559f946291b5b54f8da30c32cd6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Fri, 22 Feb 2019 12:28:23 +0000 | ||
4 | Subject: [PATCH] Bug 700576(redux): an extra transient proc needs | ||
5 | executeonly'ed. | ||
6 | |||
7 | CVE: CVE-2019-3838 | ||
8 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
9 | |||
10 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
11 | --- | ||
12 | Resource/Init/gs_res.ps | 2 +- | ||
13 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
16 | index a163541..8ce4ae3 100644 | ||
17 | --- a/Resource/Init/gs_res.ps | ||
18 | +++ b/Resource/Init/gs_res.ps | ||
19 | @@ -438,7 +438,7 @@ status { | ||
20 | % Now make the resource value read-only. | ||
21 | 0 2 copy get { readonly } .internalstopped pop | ||
22 | dup 4 1 roll put exch pop exch pop | ||
23 | - } | ||
24 | + } executeonly | ||
25 | { /defineresource cvx /typecheck signaloperror | ||
26 | } | ||
27 | ifelse | ||
28 | -- | ||
29 | 2.18.1 | ||
30 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch new file mode 100644 index 0000000000..b2c1ade4be --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch | |||
@@ -0,0 +1,177 @@ | |||
1 | From c8c77690199b677f70093824382f0881e643e17b Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 5 Dec 2018 12:22:13 +0000 | ||
4 | Subject: [PATCH 1/7] Sanitize op stack for error conditions | ||
5 | |||
6 | We save the stacks to an array and store the array for the error handler to | ||
7 | access. | ||
8 | |||
9 | For SAFER, we traverse the array, and deep copy any op arrays (procedures). As | ||
10 | we make these copies, we check for operators that do *not* exist in systemdict, | ||
11 | when we find one, we replace the operator with a name object (of the form | ||
12 | "/--opname--"). | ||
13 | |||
14 | CVE: CVE-2019-6116 | ||
15 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
16 | |||
17 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
18 | --- | ||
19 | psi/int.mak | 3 +- | ||
20 | psi/interp.c | 8 ++++++ | ||
21 | psi/istack.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
22 | psi/istack.h | 3 ++ | ||
23 | 4 files changed, 91 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/psi/int.mak b/psi/int.mak | ||
26 | index 6ab5bf0..6b349cb 100644 | ||
27 | --- a/psi/int.mak | ||
28 | +++ b/psi/int.mak | ||
29 | @@ -204,7 +204,8 @@ $(PSOBJ)iparam.$(OBJ) : $(PSSRC)iparam.c $(GH)\ | ||
30 | $(PSOBJ)istack.$(OBJ) : $(PSSRC)istack.c $(GH) $(memory__h)\ | ||
31 | $(ierrors_h) $(gsstruct_h) $(gsutil_h)\ | ||
32 | $(ialloc_h) $(istack_h) $(istkparm_h) $(istruct_h) $(iutil_h) $(ivmspace_h)\ | ||
33 | - $(store_h) $(INT_MAK) $(MAKEDIRS) | ||
34 | + $(store_h) $(icstate_h) $(iname_h) $(dstack_h) $(idict_h) \ | ||
35 | + $(INT_MAK) $(MAKEDIRS) | ||
36 | $(PSCC) $(PSO_)istack.$(OBJ) $(C_) $(PSSRC)istack.c | ||
37 | |||
38 | $(PSOBJ)iutil.$(OBJ) : $(PSSRC)iutil.c $(GH) $(math__h) $(memory__h) $(string__h)\ | ||
39 | diff --git a/psi/interp.c b/psi/interp.c | ||
40 | index 6dc0dda..aa5779c 100644 | ||
41 | --- a/psi/interp.c | ||
42 | +++ b/psi/interp.c | ||
43 | @@ -761,6 +761,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr) | ||
44 | uint size = ref_stack_count(pstack) - skip; | ||
45 | uint save_space = ialloc_space(idmemory); | ||
46 | int code, i; | ||
47 | + ref *safety, *safe; | ||
48 | |||
49 | if (size > 65535) | ||
50 | size = 65535; | ||
51 | @@ -778,6 +779,13 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr) | ||
52 | make_null(&arr->value.refs[i]); | ||
53 | } | ||
54 | } | ||
55 | + if (pstack == &o_stack && dict_find_string(systemdict, "SAFETY", &safety) > 0 && | ||
56 | + dict_find_string(safety, "safe", &safe) > 0 && r_has_type(safe, t_boolean) && | ||
57 | + safe->value.boolval == true) { | ||
58 | + code = ref_stack_array_sanitize(i_ctx_p, arr, arr); | ||
59 | + if (code < 0) | ||
60 | + return code; | ||
61 | + } | ||
62 | ialloc_set_space(idmemory, save_space); | ||
63 | return code; | ||
64 | } | ||
65 | diff --git a/psi/istack.c b/psi/istack.c | ||
66 | index 8fe151f..f1a3e51 100644 | ||
67 | --- a/psi/istack.c | ||
68 | +++ b/psi/istack.c | ||
69 | @@ -27,6 +27,10 @@ | ||
70 | #include "iutil.h" | ||
71 | #include "ivmspace.h" /* for local/global test */ | ||
72 | #include "store.h" | ||
73 | +#include "icstate.h" | ||
74 | +#include "iname.h" | ||
75 | +#include "dstack.h" | ||
76 | +#include "idict.h" | ||
77 | |||
78 | /* Forward references */ | ||
79 | static void init_block(ref_stack_t *pstack, const ref *pblock_array, | ||
80 | @@ -294,6 +298,80 @@ ref_stack_store_check(const ref_stack_t *pstack, ref *parray, uint count, | ||
81 | return 0; | ||
82 | } | ||
83 | |||
84 | +int | ||
85 | +ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr) | ||
86 | +{ | ||
87 | + int i, code; | ||
88 | + ref obj, arr2; | ||
89 | + ref *pobj2; | ||
90 | + gs_memory_t *mem = (gs_memory_t *)idmemory->current; | ||
91 | + | ||
92 | + if (!r_is_array(sarr) || !r_has_type(darr, t_array)) | ||
93 | + return_error(gs_error_typecheck); | ||
94 | + | ||
95 | + for (i = 0; i < r_size(sarr); i++) { | ||
96 | + code = array_get(mem, sarr, i, &obj); | ||
97 | + if (code < 0) | ||
98 | + make_null(&obj); | ||
99 | + switch(r_type(&obj)) { | ||
100 | + case t_operator: | ||
101 | + { | ||
102 | + int index = op_index(&obj); | ||
103 | + | ||
104 | + if (index > 0 && index < op_def_count) { | ||
105 | + const byte *data = (const byte *)(op_index_def(index)->oname + 1); | ||
106 | + if (dict_find_string(systemdict, (const char *)data, &pobj2) <= 0) { | ||
107 | + byte *s = gs_alloc_bytes(mem, strlen((char *)data) + 5, "ref_stack_array_sanitize"); | ||
108 | + if (s) { | ||
109 | + s[0] = '\0'; | ||
110 | + strcpy((char *)s, "--"); | ||
111 | + strcpy((char *)s + 2, (char *)data); | ||
112 | + strcpy((char *)s + strlen((char *)data) + 2, "--"); | ||
113 | + } | ||
114 | + else { | ||
115 | + s = (byte *)data; | ||
116 | + } | ||
117 | + code = name_ref(imemory, s, strlen((char *)s), &obj, 1); | ||
118 | + if (code < 0) make_null(&obj); | ||
119 | + if (s != data) | ||
120 | + gs_free_object(mem, s, "ref_stack_array_sanitize"); | ||
121 | + } | ||
122 | + } | ||
123 | + else { | ||
124 | + make_null(&obj); | ||
125 | + } | ||
126 | + ref_assign(darr->value.refs + i, &obj); | ||
127 | + break; | ||
128 | + } | ||
129 | + case t_array: | ||
130 | + case t_shortarray: | ||
131 | + case t_mixedarray: | ||
132 | + { | ||
133 | + int attrs = r_type_attrs(&obj) & (a_write | a_read | a_execute | a_executable); | ||
134 | + /* We only want to copy executable arrays */ | ||
135 | + if (attrs & (a_execute | a_executable)) { | ||
136 | + code = ialloc_ref_array(&arr2, attrs, r_size(&obj), "ref_stack_array_sanitize"); | ||
137 | + if (code < 0) { | ||
138 | + make_null(&arr2); | ||
139 | + } | ||
140 | + else { | ||
141 | + code = ref_stack_array_sanitize(i_ctx_p, &obj, &arr2); | ||
142 | + } | ||
143 | + ref_assign(darr->value.refs + i, &arr2); | ||
144 | + } | ||
145 | + else { | ||
146 | + ref_assign(darr->value.refs + i, &obj); | ||
147 | + } | ||
148 | + break; | ||
149 | + } | ||
150 | + default: | ||
151 | + ref_assign(darr->value.refs + i, &obj); | ||
152 | + } | ||
153 | + } | ||
154 | + return 0; | ||
155 | +} | ||
156 | + | ||
157 | + | ||
158 | /* | ||
159 | * Store the top 'count' elements of a stack, starting 'skip' elements below | ||
160 | * the top, into an array, with or without store/undo checking. age=-1 for | ||
161 | diff --git a/psi/istack.h b/psi/istack.h | ||
162 | index 051dcbe..54be405 100644 | ||
163 | --- a/psi/istack.h | ||
164 | +++ b/psi/istack.h | ||
165 | @@ -129,6 +129,9 @@ int ref_stack_store(const ref_stack_t *pstack, ref *parray, uint count, | ||
166 | uint skip, int age, bool check, | ||
167 | gs_dual_memory_t *idmem, client_name_t cname); | ||
168 | |||
169 | +int | ||
170 | +ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr); | ||
171 | + | ||
172 | /* | ||
173 | * Pop the top N elements off a stack. | ||
174 | * The number must not exceed the number of elements in use. | ||
175 | -- | ||
176 | 2.18.1 | ||
177 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0002.patch new file mode 100644 index 0000000000..97c74e7e31 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0002.patch | |||
@@ -0,0 +1,442 @@ | |||
1 | From 20001d2bdf3cc60e76241a6ae72b1df01c5424c5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 13 Dec 2018 15:28:34 +0000 | ||
4 | Subject: [PATCH 2/7] Any transient procedures that call .force* operators | ||
5 | |||
6 | (i.e. for conditionals or loops) make them executeonly. | ||
7 | |||
8 | CVE: CVE-2019-6116 | ||
9 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
10 | |||
11 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
12 | --- | ||
13 | Resource/Init/gs_diskn.ps | 2 +- | ||
14 | Resource/Init/gs_dps1.ps | 4 ++-- | ||
15 | Resource/Init/gs_fntem.ps | 4 ++-- | ||
16 | Resource/Init/gs_fonts.ps | 12 ++++++------ | ||
17 | Resource/Init/gs_init.ps | 4 ++-- | ||
18 | Resource/Init/gs_lev2.ps | 11 ++++++----- | ||
19 | Resource/Init/gs_pdfwr.ps | 2 +- | ||
20 | Resource/Init/gs_res.ps | 4 ++-- | ||
21 | Resource/Init/gs_setpd.ps | 2 +- | ||
22 | Resource/Init/pdf_base.ps | 13 ++++++++----- | ||
23 | Resource/Init/pdf_draw.ps | 16 +++++++++------- | ||
24 | Resource/Init/pdf_font.ps | 6 +++--- | ||
25 | Resource/Init/pdf_main.ps | 4 ++-- | ||
26 | Resource/Init/pdf_ops.ps | 7 ++++--- | ||
27 | 14 files changed, 49 insertions(+), 42 deletions(-) | ||
28 | |||
29 | diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps | ||
30 | index fd694bc..8bf2054 100644 | ||
31 | --- a/Resource/Init/gs_diskn.ps | ||
32 | +++ b/Resource/Init/gs_diskn.ps | ||
33 | @@ -51,7 +51,7 @@ systemdict begin | ||
34 | mark 5 1 roll ] mark exch { { } forall } forall ] | ||
35 | //systemdict /.searchabledevs 2 index .forceput | ||
36 | exch .setglobal | ||
37 | - } | ||
38 | + } executeonly | ||
39 | if | ||
40 | } .bind executeonly odef % must be bound and hidden for .forceput | ||
41 | |||
42 | diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps | ||
43 | index ec5db61..4fae283 100644 | ||
44 | --- a/Resource/Init/gs_dps1.ps | ||
45 | +++ b/Resource/Init/gs_dps1.ps | ||
46 | @@ -78,7 +78,7 @@ level2dict begin | ||
47 | .currentglobal | ||
48 | { % Current mode is global; delete from local directory too. | ||
49 | //systemdict /LocalFontDirectory .knownget | ||
50 | - { 1 index .forceundef } % LocalFontDirectory is readonly | ||
51 | + { 1 index .forceundef } executeonly % LocalFontDirectory is readonly | ||
52 | if | ||
53 | } | ||
54 | { % Current mode is local; if there was a shadowed global | ||
55 | @@ -126,7 +126,7 @@ level2dict begin | ||
56 | } | ||
57 | ifelse | ||
58 | } forall | ||
59 | - pop counttomark 2 idiv { .forceundef } repeat pop % readonly | ||
60 | + pop counttomark 2 idiv { .forceundef } executeonly repeat pop % readonly | ||
61 | } | ||
62 | if | ||
63 | //SharedFontDirectory exch .forcecopynew pop | ||
64 | diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps | ||
65 | index c1f7651..6eb672a 100644 | ||
66 | --- a/Resource/Init/gs_fntem.ps | ||
67 | +++ b/Resource/Init/gs_fntem.ps | ||
68 | @@ -401,12 +401,12 @@ currentdict end def | ||
69 | .forceput % FontInfo can be read-only. | ||
70 | pop % bool <font> | ||
71 | exit | ||
72 | - } if | ||
73 | + } executeonly if | ||
74 | dup /FontInfo get % bool <font> <FI> | ||
75 | /GlyphNames2Unicode /Unicode /Decoding findresource | ||
76 | .forceput % FontInfo can be read-only. | ||
77 | exit | ||
78 | - } loop | ||
79 | + } executeonly loop | ||
80 | exch setglobal | ||
81 | } .bind executeonly odef % must be bound and hidden for .forceput | ||
82 | |||
83 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps | ||
84 | index 803faca..290da0c 100644 | ||
85 | --- a/Resource/Init/gs_fonts.ps | ||
86 | +++ b/Resource/Init/gs_fonts.ps | ||
87 | @@ -374,7 +374,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
88 | /.setnativefontmapbuilt { % set whether we've been run | ||
89 | dup type /booleantype eq { | ||
90 | systemdict exch /.nativefontmapbuilt exch .forceput | ||
91 | - } | ||
92 | + } executeonly | ||
93 | {pop} | ||
94 | ifelse | ||
95 | } .bind executeonly odef | ||
96 | @@ -1007,11 +1007,11 @@ $error /SubstituteFont { } put | ||
97 | { 2 index gcheck currentglobal | ||
98 | 2 copy eq { | ||
99 | pop pop .forceput | ||
100 | - } { | ||
101 | + } executeonly { | ||
102 | 5 1 roll setglobal | ||
103 | dup length string copy | ||
104 | .forceput setglobal | ||
105 | - } ifelse | ||
106 | + } executeonly ifelse | ||
107 | } .bind executeonly odef % must be bound and hidden for .forceput | ||
108 | |||
109 | % Attempt to load a font from a file. | ||
110 | @@ -1084,7 +1084,7 @@ $error /SubstituteFont { } put | ||
111 | .FontDirectory 3 index .forceundef % readonly | ||
112 | 1 index (r) file .loadfont .FontDirectory exch | ||
113 | /.setglobal .systemvar exec | ||
114 | - } | ||
115 | + } executeonly | ||
116 | { .loadfont .FontDirectory | ||
117 | } | ||
118 | ifelse | ||
119 | @@ -1105,7 +1105,7 @@ $error /SubstituteFont { } put | ||
120 | dup 3 index .fontknownget | ||
121 | { dup /PathLoad 4 index .putgstringcopy | ||
122 | 4 1 roll pop pop pop //true exit | ||
123 | - } if | ||
124 | + } executeonly if | ||
125 | |||
126 | % Maybe the file had a different FontName. | ||
127 | % See if we can get a FontName from the file, and if so, | ||
128 | @@ -1134,7 +1134,7 @@ $error /SubstituteFont { } put | ||
129 | ifelse % Stack: origfontname fontdict | ||
130 | exch pop //true exit | ||
131 | % Stack: fontdict | ||
132 | - } | ||
133 | + } executeonly | ||
134 | if pop % Stack: origfontname fontdirectory path | ||
135 | } | ||
136 | if pop pop % Stack: origfontname | ||
137 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
138 | index d733124..56c0bd2 100644 | ||
139 | --- a/Resource/Init/gs_init.ps | ||
140 | +++ b/Resource/Init/gs_init.ps | ||
141 | @@ -2357,7 +2357,7 @@ SAFER { .setsafeglobal } if | ||
142 | % Update the copy of the user parameters. | ||
143 | mark .currentuserparams counttomark 2 idiv { | ||
144 | userparams 3 1 roll .forceput % userparams is read-only | ||
145 | - } repeat pop | ||
146 | + } executeonly repeat pop | ||
147 | % Turn on idiom recognition, if available. | ||
148 | currentuserparams /IdiomRecognition known { | ||
149 | /IdiomRecognition //true .definepsuserparam | ||
150 | @@ -2376,7 +2376,7 @@ SAFER { .setsafeglobal } if | ||
151 | % Remove real system params from pssystemparams. | ||
152 | mark .currentsystemparams counttomark 2 idiv { | ||
153 | pop pssystemparams exch .forceundef | ||
154 | - } repeat pop | ||
155 | + } executeonly repeat pop | ||
156 | } if | ||
157 | |||
158 | % Set up AlignToPixels : | ||
159 | diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps | ||
160 | index 44fe619..0f0d573 100644 | ||
161 | --- a/Resource/Init/gs_lev2.ps | ||
162 | +++ b/Resource/Init/gs_lev2.ps | ||
163 | @@ -154,7 +154,8 @@ end | ||
164 | % protect top level of parameters that we copied | ||
165 | dup type dup /arraytype eq exch /stringtype eq or { readonly } if | ||
166 | /userparams .systemvar 3 1 roll .forceput % userparams is read-only | ||
167 | - } { | ||
168 | + } executeonly | ||
169 | + { | ||
170 | pop pop | ||
171 | } ifelse | ||
172 | } forall | ||
173 | @@ -224,7 +225,7 @@ end | ||
174 | % protect top level parameters that we copied | ||
175 | dup type dup /arraytype eq exch /stringtype eq or { readonly } if | ||
176 | //pssystemparams 3 1 roll .forceput % pssystemparams is read-only | ||
177 | - } | ||
178 | + } executeonly | ||
179 | { pop pop | ||
180 | } | ||
181 | ifelse | ||
182 | @@ -934,7 +935,7 @@ mark | ||
183 | dup /PaintProc get | ||
184 | 1 index /Implementation known not { | ||
185 | 1 index dup /Implementation //null .forceput readonly pop | ||
186 | - } if | ||
187 | + } executeonly if | ||
188 | exec | ||
189 | }.bind odef | ||
190 | |||
191 | @@ -958,7 +959,7 @@ mark | ||
192 | dup /PaintProc get | ||
193 | 1 index /Implementation known not { | ||
194 | 1 index dup /Implementation //null .forceput readonly pop | ||
195 | - } if | ||
196 | + } executeonly if | ||
197 | /UNROLLFORMS where {/UNROLLFORMS get}{false}ifelse not | ||
198 | %% [CTM] <<Form>> PaintProc .beginform - | ||
199 | { | ||
200 | @@ -1005,7 +1006,7 @@ mark | ||
201 | %% Form dictioanry using the /Implementation key). | ||
202 | 1 dict dup /FormID 4 -1 roll put | ||
203 | 1 index exch /Implementation exch .forceput readonly pop | ||
204 | - } | ||
205 | + } executeonly | ||
206 | ifelse | ||
207 | } | ||
208 | { | ||
209 | diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps | ||
210 | index 58e75d3..b425103 100644 | ||
211 | --- a/Resource/Init/gs_pdfwr.ps | ||
212 | +++ b/Resource/Init/gs_pdfwr.ps | ||
213 | @@ -650,7 +650,7 @@ currentdict /.pdfmarkparams .undef | ||
214 | } ifelse | ||
215 | } bind .makeoperator .forceput | ||
216 | systemdict /.pdf_hooked_DSC_Creator //true .forceput | ||
217 | - } if | ||
218 | + } executeonly if | ||
219 | pop | ||
220 | } if | ||
221 | } { | ||
222 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
223 | index 8eb8bb0..d9b3459 100644 | ||
224 | --- a/Resource/Init/gs_res.ps | ||
225 | +++ b/Resource/Init/gs_res.ps | ||
226 | @@ -152,7 +152,7 @@ setglobal | ||
227 | % use .forceput / .forcedef later to replace the dummy, | ||
228 | % empty .Instances dictionary with the real one later. | ||
229 | readonly | ||
230 | - } { | ||
231 | + }{ | ||
232 | /defineresource cvx /typecheck signaloperror | ||
233 | } ifelse | ||
234 | } bind executeonly odef | ||
235 | @@ -424,7 +424,7 @@ status { | ||
236 | % As noted above, Category dictionaries are read-only, | ||
237 | % so we have to use .forcedef here. | ||
238 | /.Instances 1 index .forcedef % Category dict is read-only | ||
239 | - } if | ||
240 | + } executeonly if | ||
241 | } | ||
242 | { .LocalInstances dup //.emptydict eq | ||
243 | { pop 3 dict localinstancedict Category 2 index put | ||
244 | diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps | ||
245 | index e22597e..7875d1f 100644 | ||
246 | --- a/Resource/Init/gs_setpd.ps | ||
247 | +++ b/Resource/Init/gs_setpd.ps | ||
248 | @@ -634,7 +634,7 @@ NOMEDIAATTRS { | ||
249 | SETPDDEBUG { (Rolling back.) = pstack flush } if | ||
250 | 3 index 2 index 3 -1 roll .forceput | ||
251 | 4 index 1 index .knownget | ||
252 | - { 4 index 3 1 roll .forceput } | ||
253 | + { 4 index 3 1 roll .forceput } executeonly | ||
254 | { 3 index exch .undef } | ||
255 | ifelse | ||
256 | } bind executeonly odef | ||
257 | diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps | ||
258 | index b45e980..7312729 100644 | ||
259 | --- a/Resource/Init/pdf_base.ps | ||
260 | +++ b/Resource/Init/pdf_base.ps | ||
261 | @@ -130,26 +130,29 @@ currentdict /num-chars-dict .undef | ||
262 | |||
263 | /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ? | ||
264 | PDFDEBUG { | ||
265 | - pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } if | ||
266 | + pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if | ||
267 | PDFSTEP { | ||
268 | pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput | ||
269 | PDFSTEPcount 1 gt { | ||
270 | pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput | ||
271 | - } { | ||
272 | + } executeonly | ||
273 | + { | ||
274 | dup ==only | ||
275 | ( step # ) print PDFtokencount =only | ||
276 | ( ? ) print flush 1 //false .outputpage | ||
277 | (%stdin) (r) file 255 string readline { | ||
278 | token { | ||
279 | exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput | ||
280 | - } { | ||
281 | + } executeonly | ||
282 | + { | ||
283 | pdfdict /PDFSTEPcount 1 .forceput | ||
284 | - } ifelse % token | ||
285 | + } executeonly ifelse % token | ||
286 | } { | ||
287 | pop /PDFSTEP //false def % EOF on stdin | ||
288 | } ifelse % readline | ||
289 | } ifelse % PDFSTEPcount > 1 | ||
290 | - } { | ||
291 | + } executeonly | ||
292 | + { | ||
293 | dup ==only () = flush | ||
294 | } ifelse % PDFSTEP | ||
295 | } if % PDFDEBUG | ||
296 | diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps | ||
297 | index 6b0ba93..40c6ac8 100644 | ||
298 | --- a/Resource/Init/pdf_draw.ps | ||
299 | +++ b/Resource/Init/pdf_draw.ps | ||
300 | @@ -1118,14 +1118,14 @@ currentdict end readonly def | ||
301 | pdfdict /.Qqwarning_issued //true .forceput | ||
302 | .setglobal | ||
303 | pdfformaterror | ||
304 | - } ifelse | ||
305 | + } executeonly ifelse | ||
306 | } | ||
307 | { | ||
308 | currentglobal pdfdict gcheck .setglobal | ||
309 | pdfdict /.Qqwarning_issued //true .forceput | ||
310 | .setglobal | ||
311 | pdfformaterror | ||
312 | - } ifelse | ||
313 | + } executeonly ifelse | ||
314 | end | ||
315 | } ifelse | ||
316 | } loop | ||
317 | @@ -1141,14 +1141,14 @@ currentdict end readonly def | ||
318 | pdfdict /.Qqwarning_issued //true .forceput | ||
319 | .setglobal | ||
320 | pdfformaterror | ||
321 | - } ifelse | ||
322 | + } executeonly ifelse | ||
323 | } | ||
324 | { | ||
325 | currentglobal pdfdict gcheck .setglobal | ||
326 | pdfdict /.Qqwarning_issued //true .forceput | ||
327 | .setglobal | ||
328 | pdfformaterror | ||
329 | - } ifelse | ||
330 | + } executeonly ifelse | ||
331 | } if | ||
332 | pop | ||
333 | |||
334 | @@ -2350,9 +2350,10 @@ currentdict /last-ditch-bpc-csp undef | ||
335 | /IncrementAppearanceNumber { | ||
336 | pdfdict /AppearanceNumber .knownget { | ||
337 | 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput | ||
338 | - }{ | ||
339 | + } executeonly | ||
340 | + { | ||
341 | pdfdict /AppearanceNumber 0 .forceput | ||
342 | - } ifelse | ||
343 | + } executeonly ifelse | ||
344 | }bind executeonly odef | ||
345 | |||
346 | /MakeAppearanceName { | ||
347 | @@ -2510,7 +2511,8 @@ currentdict /last-ditch-bpc-csp undef | ||
348 | %% want to preserve it. | ||
349 | pdfdict /.PreservePDFForm false .forceput | ||
350 | /q cvx /execform cvx 5 -2 roll | ||
351 | - }{ | ||
352 | + } executeonly | ||
353 | + { | ||
354 | /q cvx /PDFexecform cvx 5 -2 roll | ||
355 | } ifelse | ||
356 | |||
357 | diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps | ||
358 | index bea9ea9..4cd62b9 100644 | ||
359 | --- a/Resource/Init/pdf_font.ps | ||
360 | +++ b/Resource/Init/pdf_font.ps | ||
361 | @@ -714,7 +714,7 @@ currentdict end readonly def | ||
362 | pop pop pop | ||
363 | currentdict /.stackdepth .forceundef | ||
364 | currentdict /.dstackdepth .forceundef | ||
365 | - } | ||
366 | + } executeonly | ||
367 | {pop pop pop} | ||
368 | ifelse | ||
369 | |||
370 | @@ -1232,7 +1232,7 @@ currentdict /eexec_pdf_param_dict .undef | ||
371 | (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) | ||
372 | pdfformatwarning | ||
373 | pdfdict /.Qqwarning_issued //true .forceput | ||
374 | - } if | ||
375 | + } executeonly if | ||
376 | Q | ||
377 | } repeat | ||
378 | Q | ||
379 | @@ -2016,7 +2016,7 @@ currentdict /CMap_read_dict undef | ||
380 | /CIDFallBack /CIDFont findresource | ||
381 | } if | ||
382 | exit | ||
383 | - } if | ||
384 | + } executeonly if | ||
385 | } if | ||
386 | } if | ||
387 | |||
388 | diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps | ||
389 | index 00da47a..37e69b3 100644 | ||
390 | --- a/Resource/Init/pdf_main.ps | ||
391 | +++ b/Resource/Init/pdf_main.ps | ||
392 | @@ -2701,14 +2701,14 @@ currentdict /PDF2PS_matrix_key undef | ||
393 | pdfdict /.Qqwarning_issued //true .forceput | ||
394 | .setglobal | ||
395 | pdfformaterror | ||
396 | - } ifelse | ||
397 | + } executeonly ifelse | ||
398 | } | ||
399 | { | ||
400 | currentglobal pdfdict gcheck .setglobal | ||
401 | pdfdict /.Qqwarning_issued //true .forceput | ||
402 | .setglobal | ||
403 | pdfformaterror | ||
404 | - } ifelse | ||
405 | + } executeonly ifelse | ||
406 | } if | ||
407 | } if | ||
408 | pop | ||
409 | diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps | ||
410 | index 8672d61..aa09641 100644 | ||
411 | --- a/Resource/Init/pdf_ops.ps | ||
412 | +++ b/Resource/Init/pdf_ops.ps | ||
413 | @@ -184,14 +184,14 @@ currentdict /gput_always_allow .undef | ||
414 | pdfdict /.Qqwarning_issued //true .forceput | ||
415 | .setglobal | ||
416 | pdfformaterror | ||
417 | - } ifelse | ||
418 | + } executeonly ifelse | ||
419 | } | ||
420 | { | ||
421 | currentglobal pdfdict gcheck .setglobal | ||
422 | pdfdict /.Qqwarning_issued //true .forceput | ||
423 | .setglobal | ||
424 | pdfformaterror | ||
425 | - } ifelse | ||
426 | + } executeonly ifelse | ||
427 | } if | ||
428 | } bind executeonly odef | ||
429 | |||
430 | @@ -439,7 +439,8 @@ currentdict /gput_always_allow .undef | ||
431 | dup type /booleantype eq { | ||
432 | .currentSMask type /dicttype eq { | ||
433 | .currentSMask /Processed 2 index .forceput | ||
434 | - } { | ||
435 | + } executeonly | ||
436 | + { | ||
437 | .setSMask | ||
438 | }ifelse | ||
439 | }{ | ||
440 | -- | ||
441 | 2.18.1 | ||
442 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0003.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0003.patch new file mode 100644 index 0000000000..02b1dc962f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0003.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | From 60b77b8bf8b6e4d30519c47724631012b530cf0e Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Sat, 15 Dec 2018 09:08:32 +0000 | ||
4 | Subject: [PATCH 3/7] Bug700317: Fix logic for an older change | ||
5 | |||
6 | Unlike almost every other function in gs, dict_find_string() returns 1 on | ||
7 | success 0 or <0 on failure. The logic for this case was wrong. | ||
8 | |||
9 | CVE: CVE-2019-6116 | ||
10 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
11 | |||
12 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
13 | --- | ||
14 | psi/interp.c | 2 +- | ||
15 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
16 | |||
17 | diff --git a/psi/interp.c b/psi/interp.c | ||
18 | index aa5779c..f6c45bb 100644 | ||
19 | --- a/psi/interp.c | ||
20 | +++ b/psi/interp.c | ||
21 | @@ -703,7 +703,7 @@ again: | ||
22 | * i.e. it's an internal operator we have hidden | ||
23 | */ | ||
24 | code = dict_find_string(systemdict, (const char *)bufptr, &tobj); | ||
25 | - if (code < 0) { | ||
26 | + if (code <= 0) { | ||
27 | buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; | ||
28 | rlen += 4; | ||
29 | bufptr = buf; | ||
30 | -- | ||
31 | 2.18.1 | ||
32 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0004.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0004.patch new file mode 100644 index 0000000000..cc15453f00 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0004.patch | |||
@@ -0,0 +1,136 @@ | |||
1 | From d739565534e955c4336731e4ea4eebc895c09c5c Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Tue, 18 Dec 2018 10:42:10 +0000 | ||
4 | Subject: [PATCH 4/7] Harden some uses of .force* operators | ||
5 | |||
6 | by adding a few immediate evalutions | ||
7 | |||
8 | CVE: CVE-2019-6116 | ||
9 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
10 | |||
11 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
12 | --- | ||
13 | Resource/Init/gs_dps1.ps | 4 ++-- | ||
14 | Resource/Init/gs_fonts.ps | 20 ++++++++++---------- | ||
15 | Resource/Init/gs_init.ps | 6 +++--- | ||
16 | 3 files changed, 15 insertions(+), 15 deletions(-) | ||
17 | |||
18 | diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps | ||
19 | index 4fae283..b75ea14 100644 | ||
20 | --- a/Resource/Init/gs_dps1.ps | ||
21 | +++ b/Resource/Init/gs_dps1.ps | ||
22 | @@ -74,7 +74,7 @@ level2dict begin | ||
23 | } odef | ||
24 | % undefinefont has to take local/global VM into account. | ||
25 | /undefinefont % <fontname> undefinefont - | ||
26 | - { .FontDirectory 1 .argindex .forceundef % FontDirectory is readonly | ||
27 | + { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly | ||
28 | .currentglobal | ||
29 | { % Current mode is global; delete from local directory too. | ||
30 | //systemdict /LocalFontDirectory .knownget | ||
31 | @@ -85,7 +85,7 @@ level2dict begin | ||
32 | % definition, copy it into the local directory. | ||
33 | //systemdict /SharedFontDirectory .knownget | ||
34 | { 1 index .knownget | ||
35 | - { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly | ||
36 | + { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly | ||
37 | if | ||
38 | } | ||
39 | if | ||
40 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps | ||
41 | index 290da0c..c13a2fc 100644 | ||
42 | --- a/Resource/Init/gs_fonts.ps | ||
43 | +++ b/Resource/Init/gs_fonts.ps | ||
44 | @@ -516,7 +516,7 @@ buildfontdict 3 /.buildfont3 cvx put | ||
45 | if | ||
46 | } | ||
47 | if | ||
48 | - dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly | ||
49 | + dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly | ||
50 | % If the font originated as a resource, register it. | ||
51 | currentfile .currentresourcefile eq { dup .registerfont } if | ||
52 | readonly | ||
53 | @@ -943,7 +943,7 @@ $error /SubstituteFont { } put | ||
54 | % Try to find a font using only the present contents of Fontmap. | ||
55 | /.tryfindfont { % <fontname> .tryfindfont <font> true | ||
56 | % <fontname> .tryfindfont false | ||
57 | - .FontDirectory 1 index .fontknownget | ||
58 | + //.FontDirectory 1 index .fontknownget | ||
59 | { % Already loaded | ||
60 | exch pop //true | ||
61 | } | ||
62 | @@ -975,7 +975,7 @@ $error /SubstituteFont { } put | ||
63 | { % Font with a procedural definition | ||
64 | exec % The procedure will load the font. | ||
65 | % Check to make sure this really happened. | ||
66 | - .FontDirectory 1 index .knownget | ||
67 | + //.FontDirectory 1 index .knownget | ||
68 | { exch pop //true exit } | ||
69 | if | ||
70 | } | ||
71 | @@ -1081,11 +1081,11 @@ $error /SubstituteFont { } put | ||
72 | % because it's different depending on language level. | ||
73 | .currentglobal exch /.setglobal .systemvar exec | ||
74 | % Remove the fake definition, if any. | ||
75 | - .FontDirectory 3 index .forceundef % readonly | ||
76 | - 1 index (r) file .loadfont .FontDirectory exch | ||
77 | + //.FontDirectory 3 index .forceundef % readonly | ||
78 | + 1 index (r) file .loadfont //.FontDirectory exch | ||
79 | /.setglobal .systemvar exec | ||
80 | } executeonly | ||
81 | - { .loadfont .FontDirectory | ||
82 | + { .loadfont //.FontDirectory | ||
83 | } | ||
84 | ifelse | ||
85 | % Stack: fontname fontfilename fontdirectory | ||
86 | @@ -1119,8 +1119,8 @@ $error /SubstituteFont { } put | ||
87 | % Stack: origfontname fontdirectory filefontname fontdict | ||
88 | 3 -1 roll pop | ||
89 | % Stack: origfontname filefontname fontdict | ||
90 | - dup /FontName get dup FontDirectory exch .forceundef | ||
91 | - GlobalFontDirectory exch .forceundef | ||
92 | + dup /FontName get dup //.FontDirectory exch .forceundef | ||
93 | + /GlobalFontDirectory .systemvar exch .forceundef | ||
94 | dup length dict .copydict dup 3 index /FontName exch put | ||
95 | 2 index exch definefont | ||
96 | exch | ||
97 | @@ -1176,10 +1176,10 @@ currentdict /.putgstringcopy .undef | ||
98 | { | ||
99 | { | ||
100 | pop dup type /stringtype eq { cvn } if | ||
101 | - .FontDirectory 1 index known not { | ||
102 | + //.FontDirectory 1 index known not { | ||
103 | 2 dict dup /FontName 3 index put | ||
104 | dup /FontType 1 put | ||
105 | - .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly | ||
106 | + //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly | ||
107 | } { | ||
108 | pop | ||
109 | } ifelse | ||
110 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
111 | index 56c0bd2..d9a0829 100644 | ||
112 | --- a/Resource/Init/gs_init.ps | ||
113 | +++ b/Resource/Init/gs_init.ps | ||
114 | @@ -1168,8 +1168,8 @@ errordict /unknownerror .undef | ||
115 | }ifelse | ||
116 | }forall | ||
117 | noaccess pop | ||
118 | - systemdict /.setsafeerrors .forceundef | ||
119 | - systemdict /.SAFERERRORLIST .forceundef | ||
120 | + //systemdict /.setsafeerrors .forceundef | ||
121 | + //systemdict /.SAFERERRORLIST .forceundef | ||
122 | } bind executeonly odef | ||
123 | |||
124 | SAFERERRORS {.setsafererrors} if | ||
125 | @@ -2114,7 +2114,7 @@ currentdict /tempfilepaths undef | ||
126 | |||
127 | /.locksafe { | ||
128 | .locksafe_userparams | ||
129 | - systemdict /getenv {pop //false} .forceput | ||
130 | + //systemdict /getenv {pop //false} .forceput | ||
131 | % setpagedevice has the side effect of clearing the page, but | ||
132 | % we will just document that. Using setpagedevice keeps the device | ||
133 | % properties and pagedevice .LockSafetyParams in agreement even | ||
134 | -- | ||
135 | 2.18.1 | ||
136 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0005.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0005.patch new file mode 100644 index 0000000000..db70bba215 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0005.patch | |||
@@ -0,0 +1,250 @@ | |||
1 | From 1e830cafa56c6e3e1b08d246eaf5496fe81a0032 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nancy Durgin <nancy.durgin@artifex.com> | ||
3 | Date: Tue, 27 Nov 2018 12:36:14 -0800 | ||
4 | Subject: [PATCH 5/7] Undef a bunch of internal things in gs_res.ps | ||
5 | |||
6 | CVE: CVE-2019-6116 | ||
7 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
8 | |||
9 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
10 | --- | ||
11 | Resource/Init/gs_res.ps | 72 +++++++++++++++++++++++++-------------- | ||
12 | Resource/Init/gs_resmp.ps | 4 +-- | ||
13 | 2 files changed, 49 insertions(+), 27 deletions(-) | ||
14 | |||
15 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
16 | index d9b3459..18d5452 100644 | ||
17 | --- a/Resource/Init/gs_res.ps | ||
18 | +++ b/Resource/Init/gs_res.ps | ||
19 | @@ -197,7 +197,7 @@ setglobal | ||
20 | /.findresource { % <key> <category> findresource <instance> | ||
21 | 2 copy dup /Category eq | ||
22 | { pop //Category 0 get begin } { .findcategory } ifelse | ||
23 | - /FindResource .resourceexec exch pop exch pop | ||
24 | + /FindResource //.resourceexec exec exch pop exch pop | ||
25 | } bind | ||
26 | end % .Instances of Category | ||
27 | def | ||
28 | @@ -223,7 +223,7 @@ def | ||
29 | not { /defineresource cvx /typecheck signaloperror } if | ||
30 | } if | ||
31 | } if | ||
32 | - /DefineResource .resourceexec | ||
33 | + /DefineResource //.resourceexec exec | ||
34 | 4 1 roll pop pop pop | ||
35 | } .errorexec | ||
36 | } bind executeonly odef | ||
37 | @@ -252,7 +252,7 @@ def | ||
38 | % without the check. | ||
39 | /resourcestatus cvx /typecheck signalerror | ||
40 | } if | ||
41 | - 2 copy .findcategory /ResourceStatus .resourceexec | ||
42 | + 2 copy .findcategory /ResourceStatus //.resourceexec exec | ||
43 | { 4 2 roll pop pop //true } { pop pop //false } ifelse | ||
44 | } stopped { | ||
45 | % Although resourcestatus is an operator, Adobe uses executable name | ||
46 | @@ -266,7 +266,7 @@ def | ||
47 | } if | ||
48 | 1 .argindex 1 index % catch stackunderflow | ||
49 | |||
50 | - { .findcategory /UndefineResource .resourceexec pop pop | ||
51 | + { .findcategory /UndefineResource //.resourceexec exec pop pop | ||
52 | } stopped { | ||
53 | % Although undefineresource is an operator, Adobe uses executable name | ||
54 | % here but uses operator for the errors above. CET 23-33 | ||
55 | @@ -315,10 +315,10 @@ currentdict /pssystemparams known not { | ||
56 | /pssystemparams 10 dict readonly def | ||
57 | } if | ||
58 | pssystemparams begin | ||
59 | - .default_resource_dir | ||
60 | - /FontResourceDir (Font) .resource_dir_name | ||
61 | + //.default_resource_dir exec | ||
62 | + /FontResourceDir (Font) //.resource_dir_name exec | ||
63 | readonly .forcedef % pssys'params is r-o | ||
64 | - /GenericResourceDir () .resource_dir_name | ||
65 | + /GenericResourceDir () //.resource_dir_name exec | ||
66 | readonly .forcedef % pssys'params is r-o | ||
67 | pop % .default_resource_dir | ||
68 | /GenericResourcePathSep | ||
69 | @@ -387,13 +387,13 @@ status { | ||
70 | } bind def | ||
71 | /.localresourceforall { % <key> <value> <args> .localr'forall - | ||
72 | exch pop | ||
73 | - 2 copy 0 get .stringmatch { .enumerateresource } { pop pop } ifelse | ||
74 | + 2 copy 0 get .stringmatch { //.enumerateresource exec } { pop pop } ifelse | ||
75 | } bind def | ||
76 | /.globalresourceforall { % <key> <value> <args> .globalr'forall - | ||
77 | exch pop | ||
78 | 2 copy 0 get .stringmatch { | ||
79 | dup 3 get begin .LocalInstances end 2 index known not { | ||
80 | - .enumerateresource | ||
81 | + //.enumerateresource exec | ||
82 | } { | ||
83 | pop pop | ||
84 | } ifelse | ||
85 | @@ -408,7 +408,7 @@ status { | ||
86 | 3 index known { | ||
87 | pop pop pop | ||
88 | } { | ||
89 | - 2 index known { pop pop } { .enumerateresource } ifelse | ||
90 | + 2 index known { pop pop } { //.enumerateresource exec } ifelse | ||
91 | } ifelse | ||
92 | } bind def | ||
93 | |||
94 | @@ -468,19 +468,19 @@ status { | ||
95 | % .knownget doesn't fail on null | ||
96 | /findresource cvx /typecheck signaloperror | ||
97 | } if | ||
98 | - dup .getvminstance { | ||
99 | + dup //.getvminstance exec { | ||
100 | exch pop 0 get | ||
101 | } { | ||
102 | dup ResourceStatus { | ||
103 | pop 1 gt { | ||
104 | - .DoLoadResource .getvminstance not { | ||
105 | - /findresource cvx .undefinedresource | ||
106 | + .DoLoadResource //.getvminstance exec not { | ||
107 | + /findresource cvx //.undefinedresource exec | ||
108 | } if 0 get | ||
109 | } { | ||
110 | .GetInstance pop 0 get | ||
111 | } ifelse | ||
112 | } { | ||
113 | - /findresource cvx .undefinedresource | ||
114 | + /findresource cvx //.undefinedresource exec | ||
115 | } ifelse | ||
116 | } ifelse | ||
117 | } bind executeonly | ||
118 | @@ -621,7 +621,7 @@ status { | ||
119 | .currentglobal not .setglobal | ||
120 | vmstatus pop exch pop add | ||
121 | } repeat | ||
122 | -} bind def | ||
123 | +} bind executeonly odef | ||
124 | /.DoLoadResource { | ||
125 | % .LoadResource may push entries on the operand stack. | ||
126 | % It is an undocumented feature of Adobe implementations, | ||
127 | @@ -633,8 +633,8 @@ status { | ||
128 | {.LoadResource} 4 1 roll 4 .execn | ||
129 | % Stack: ... count key memused | ||
130 | .vmused exch sub | ||
131 | - 1 index .getvminstance not { | ||
132 | - pop dup .undefinedresource % didn't load | ||
133 | + 1 index //.getvminstance exec not { | ||
134 | + pop dup //.undefinedresource exec % didn't load | ||
135 | } if | ||
136 | dup 1 1 put | ||
137 | 2 3 -1 roll put | ||
138 | @@ -648,7 +648,7 @@ status { | ||
139 | { //true setglobal { .runresource } stopped //false setglobal { stop } if } | ||
140 | ifelse | ||
141 | } | ||
142 | - { dup .undefinedresource | ||
143 | + { dup //.undefinedresource exec | ||
144 | } | ||
145 | ifelse | ||
146 | } bind | ||
147 | @@ -758,7 +758,7 @@ counttomark 2 idiv | ||
148 | /FindResource | ||
149 | { .Instances 1 index .knownget | ||
150 | { exch pop } | ||
151 | - { /findresource cvx .undefinedresource } | ||
152 | + { /findresource cvx //.undefinedresource exec } | ||
153 | ifelse | ||
154 | } bind executeonly | ||
155 | /ResourceStatus | ||
156 | @@ -862,7 +862,7 @@ userdict /.localcsdefaults //false put | ||
157 | 2 copy /Generic /Category findresource /DefineResource get exec | ||
158 | exch pop | ||
159 | exch //.defaultcsnames exch .knownget { | ||
160 | - 1 index .definedefaultcs | ||
161 | + 1 index //.definedefaultcs exec | ||
162 | currentglobal not { .userdict /.localcsdefaults //true put } if | ||
163 | } if | ||
164 | } bind executeonly | ||
165 | @@ -872,13 +872,13 @@ userdict /.localcsdefaults //false put | ||
166 | //.defaultcsnames 1 index .knownget { | ||
167 | % Stack: resname index | ||
168 | currentglobal { | ||
169 | - .undefinedefaultcs pop | ||
170 | + //.undefinedefaultcs exec pop | ||
171 | } { | ||
172 | % We removed the local definition, but there might be a global one. | ||
173 | exch .GetInstance { | ||
174 | - 0 get .definedefaultcs | ||
175 | + 0 get //.definedefaultcs exec | ||
176 | } { | ||
177 | - .undefinedefaultcs | ||
178 | + //.undefinedefaultcs exec | ||
179 | } ifelse | ||
180 | % Recompute .localcsdefaults by scanning. This is rarely needed. | ||
181 | .userdict /.localcsdefaults //false //.defaultcsnames { | ||
182 | @@ -997,7 +997,7 @@ currentdict /.fontstatusaux .undef | ||
183 | /Generic /Category findresource /UndefineResource get exec | ||
184 | } bind executeonly | ||
185 | /FindResource { | ||
186 | - dup .getvminstance { | ||
187 | + dup //.getvminstance exec { | ||
188 | exch pop 0 get | ||
189 | } { | ||
190 | dup ResourceStatus { | ||
191 | @@ -1024,7 +1024,7 @@ currentdict /.fontstatusaux .undef | ||
192 | % stack: name font vmused | ||
193 | % findfont has the prerogative of not calling definefont | ||
194 | % in certain obscure cases of font substitution. | ||
195 | - 2 index .getvminstance { | ||
196 | + 2 index //.getvminstance exec { | ||
197 | dup 1 1 put | ||
198 | 2 3 -1 roll put | ||
199 | } { | ||
200 | @@ -1159,3 +1159,25 @@ end % level2dict | ||
201 | |||
202 | %% Replace 1 (gs_resmp.ps) | ||
203 | (gs_resmp.ps) dup runlibfile VMDEBUG | ||
204 | + | ||
205 | +[ | ||
206 | + /.default_resource_dir | ||
207 | + /.resource_dir_name | ||
208 | +] | ||
209 | +{systemdict exch .forceundef} forall | ||
210 | + | ||
211 | +[ | ||
212 | + /.definedefaultcs | ||
213 | + /.undefinedefaultcs | ||
214 | + /.defaultcsnames | ||
215 | + /.enumerateresource | ||
216 | + /.externalresourceforall | ||
217 | + /.getvminstance | ||
218 | + /.globalresourceforall | ||
219 | + /.localresourceforall | ||
220 | + /resourceforall1 | ||
221 | + /.resourceexec | ||
222 | + /.undefinedresource | ||
223 | + /.vmused | ||
224 | +] | ||
225 | +{level2dict exch .forceundef} forall | ||
226 | diff --git a/Resource/Init/gs_resmp.ps b/Resource/Init/gs_resmp.ps | ||
227 | index 9bb4263..cb948d1 100644 | ||
228 | --- a/Resource/Init/gs_resmp.ps | ||
229 | +++ b/Resource/Init/gs_resmp.ps | ||
230 | @@ -230,7 +230,7 @@ currentpacking //false setpacking | ||
231 | } { | ||
232 | dup dup .map exch .knownget { % /Name /Name <<record>> | ||
233 | dup dup /RecordVirtualMethods get /IsActive get exec { | ||
234 | - 1 index .getvminstance { % /Name /Name <<record>> holder | ||
235 | + 1 index //.getvminstance exec { % /Name /Name <<record>> holder | ||
236 | 1 get 1 eq | ||
237 | } { | ||
238 | //true | ||
239 | @@ -242,7 +242,7 @@ currentpacking //false setpacking | ||
240 | DefineResource exec % size bStatusIs1 /Name Instance | ||
241 | % Make ResourceStatus to return correct values for this instance : | ||
242 | % Hack: we replace status values in the instance holder : | ||
243 | - exch .getvminstance pop % size bStatusIs1 Instance holder | ||
244 | + exch //.getvminstance exec pop % size bStatusIs1 Instance holder | ||
245 | dup 5 -1 roll 2 exch put % bStatusIs1 Instance holder | ||
246 | 3 2 roll { % Instance holder | ||
247 | 1 1 put % Instance | ||
248 | -- | ||
249 | 2.18.1 | ||
250 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0006.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0006.patch new file mode 100644 index 0000000000..79e640b18f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0006.patch | |||
@@ -0,0 +1,596 @@ | |||
1 | From 97f9052ce49e6844b06a49ff9e4b8fc1eaf6bd10 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 9 Jan 2019 14:24:07 +0000 | ||
4 | Subject: [PATCH 6/7] Undefine a bunch of gs_fonts.ps specific procs | ||
5 | |||
6 | Also reorder and add some immediate evaluation, so it still works with the | ||
7 | undefining. | ||
8 | |||
9 | CVE: CVE-2019-6116 | ||
10 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
11 | |||
12 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
13 | --- | ||
14 | Resource/Init/gs_dps1.ps | 3 +- | ||
15 | Resource/Init/gs_fonts.ps | 275 +++++++++++++++++++++----------------- | ||
16 | Resource/Init/gs_res.ps | 7 +- | ||
17 | 3 files changed, 157 insertions(+), 128 deletions(-) | ||
18 | |||
19 | diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps | ||
20 | index b75ea14..8700c8c 100644 | ||
21 | --- a/Resource/Init/gs_dps1.ps | ||
22 | +++ b/Resource/Init/gs_dps1.ps | ||
23 | @@ -67,7 +67,8 @@ level2dict begin | ||
24 | |||
25 | /selectfont % <fontname> <size> selectfont - | ||
26 | { | ||
27 | - { 1 .argindex findfont | ||
28 | + { | ||
29 | + 1 .argindex findfont | ||
30 | 1 index dup type /arraytype eq { makefont } { scalefont } ifelse | ||
31 | setfont pop pop | ||
32 | } stopped { /selectfont .systemvar $error /errorname get signalerror } if | ||
33 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps | ||
34 | index c13a2fc..0562235 100644 | ||
35 | --- a/Resource/Init/gs_fonts.ps | ||
36 | +++ b/Resource/Init/gs_fonts.ps | ||
37 | @@ -100,7 +100,7 @@ userdict /.nativeFontmap .FontDirectory maxlength dict put | ||
38 | { 2 index token not | ||
39 | { (Fontmap entry for ) print 1 index =only | ||
40 | ( ends prematurely! Giving up.) = flush | ||
41 | - {.loadFontmap} 0 get 1 .quit | ||
42 | + {//.loadFontmap exec} 0 get 1 .quit | ||
43 | } if | ||
44 | dup /; eq { pop 3 index 3 1 roll .growput exit } if | ||
45 | pop | ||
46 | @@ -202,6 +202,14 @@ NOFONTPATH { /FONTPATH () def } if | ||
47 | { pop } | ||
48 | { /FONTPATH (GS_FONTPATH) getenv not { () } if def } | ||
49 | ifelse | ||
50 | + | ||
51 | +% The following are dummy definitions that, if we have a FONTPATH, will | ||
52 | +% be replaced in the following section. | ||
53 | +% They are here so immediately evaulation will work, and allow them to | ||
54 | +% undefined at the bottom of the file. | ||
55 | +/.scanfontbegin{} bind def | ||
56 | +/.scanfontdir {} bind def | ||
57 | + | ||
58 | FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
59 | /FONTPATH [ FONTPATH .pathlist ] def | ||
60 | |||
61 | @@ -242,12 +250,12 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
62 | /.scanfontbegin | ||
63 | { % Construct the table of all file names already in Fontmap. | ||
64 | currentglobal //true setglobal | ||
65 | - .scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength | ||
66 | + //.scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength | ||
67 | Fontmap | ||
68 | { exch pop | ||
69 | { dup type /stringtype eq | ||
70 | - { .splitfilename pop .fonttempstring copy .lowerstring cvn | ||
71 | - .scanfontdict exch //true put | ||
72 | + { //.splitfilename exec pop //.fonttempstring copy //.lowerstring exec cvn | ||
73 | + //.scanfontdict exch //true put | ||
74 | } | ||
75 | { pop | ||
76 | } | ||
77 | @@ -280,9 +288,9 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
78 | /txt //true | ||
79 | .dicttomark def | ||
80 | /.scan1fontstring 8192 string def | ||
81 | -% %%BeginFont: is not per Adobe documentation, but a few fonts have it. | ||
82 | +% BeginFont: is not per Adobe documentation, but a few fonts have it. | ||
83 | /.scanfontheaders [(%!PS-Adobe*) (%!FontType*) (%%BeginFont:*)] def | ||
84 | -0 .scanfontheaders { length .max } forall 6 add % extra for PFB header | ||
85 | +0 //.scanfontheaders { length .max } forall 6 add % extra for PFB header | ||
86 | /.scan1fontfirst exch string def | ||
87 | /.scanfontdir % <dirname> .scanfontdir - | ||
88 | { currentglobal exch //true setglobal | ||
89 | @@ -291,10 +299,10 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
90 | 0 0 0 4 -1 roll % found scanned files | ||
91 | { % stack: <fontcount> <scancount> <filecount> <filename> | ||
92 | exch 1 add exch % increment filecount | ||
93 | - dup .splitfilename .fonttempstring copy .lowerstring | ||
94 | + dup //.splitfilename exec //.fonttempstring copy //.lowerstring exec | ||
95 | % stack: <fontcount> <scancount> <filecount+1> <filename> | ||
96 | % <BASE> <ext> | ||
97 | - .scanfontskip exch known exch .scanfontdict exch known or | ||
98 | + //.scanfontskip exch known exch //.scanfontdict exch known or | ||
99 | { pop | ||
100 | % stack: <fontcount> <scancount> <filecount+1> | ||
101 | } | ||
102 | @@ -309,7 +317,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
103 | % On some platforms, the file operator will open directories, | ||
104 | % but an error will occur if we try to read from one. | ||
105 | % Handle this possibility here. | ||
106 | - dup .scan1fontfirst { readstring } .internalstopped | ||
107 | + dup //.scan1fontfirst { readstring } .internalstopped | ||
108 | { pop pop () } | ||
109 | { pop } | ||
110 | ifelse | ||
111 | @@ -322,7 +330,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
112 | { dup length 6 sub 6 exch getinterval } | ||
113 | if | ||
114 | % Check for font file headers. | ||
115 | - //false .scanfontheaders | ||
116 | + //false //.scanfontheaders | ||
117 | { 2 index exch .stringmatch or | ||
118 | } | ||
119 | forall exch pop | ||
120 | @@ -335,7 +343,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
121 | { exch copystring exch | ||
122 | DEBUG { ( ) print dup =only flush } if | ||
123 | 1 index .definenativefontmap | ||
124 | - .splitfilename pop //true .scanfontdict 3 1 roll .growput | ||
125 | + //.splitfilename exec pop //true //.scanfontdict 3 1 roll .growput | ||
126 | % Increment fontcount. | ||
127 | 3 -1 roll 1 add 3 1 roll | ||
128 | } | ||
129 | @@ -352,7 +360,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if | ||
130 | } | ||
131 | ifelse | ||
132 | } | ||
133 | - .scan1fontstring filenameforall | ||
134 | + //.scan1fontstring filenameforall | ||
135 | QUIET | ||
136 | { pop pop pop } | ||
137 | { ( ) print =only ( files, ) print =only ( scanned, ) print | ||
138 | @@ -422,7 +430,6 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt | ||
139 | //true .setnativefontmapbuilt | ||
140 | } ifelse | ||
141 | } bind def | ||
142 | -currentdict /.setnativefontmapbuilt .forceundef | ||
143 | |||
144 | % Create the dictionary that registers the .buildfont procedure | ||
145 | % (called by definefont) for each FontType. | ||
146 | @@ -526,7 +533,8 @@ buildfontdict 3 /.buildfont3 cvx put | ||
147 | % We use this only for explicitly aliased fonts, not substituted fonts: | ||
148 | % we think this matches the observed behavior of Adobe interpreters. | ||
149 | /.aliasfont % <name> <font> .aliasfont <newFont> | ||
150 | - { .currentglobal 3 1 roll dup .gcheck .setglobal | ||
151 | + { | ||
152 | + currentglobal 3 1 roll dup gcheck setglobal | ||
153 | % <bool> <name> <font> | ||
154 | dup length 2 add dict % <bool> <name> <font> <dict> | ||
155 | dup 3 -1 roll % <bool> <name> <dict> <dict> <font> | ||
156 | @@ -541,7 +549,7 @@ buildfontdict 3 /.buildfont3 cvx put | ||
157 | % whose FontName is a local non-string, if someone passed a | ||
158 | % garbage value to findfont. In this case, just don't | ||
159 | % call definefont at all. | ||
160 | - 2 index dup type /stringtype eq exch .gcheck or 1 index .gcheck not or | ||
161 | + 2 index dup type /stringtype eq exch gcheck or 1 index gcheck not or | ||
162 | { pop % <bool> <name> <dict> | ||
163 | 1 index dup type /stringtype eq { cvn } if | ||
164 | % <bool> <name> <dict> <name1> | ||
165 | @@ -566,10 +574,11 @@ buildfontdict 3 /.buildfont3 cvx put | ||
166 | % Don't bind in definefont, since Level 2 redefines it. | ||
167 | /definefont .systemvar exec | ||
168 | } | ||
169 | - { /findfont cvx {.completefont} .errorexec pop exch pop | ||
170 | + { | ||
171 | + /findfont cvx {.completefont} //.errorexec exec pop exch pop | ||
172 | } | ||
173 | ifelse | ||
174 | - exch .setglobal | ||
175 | + exch setglobal | ||
176 | } odef % so findfont will bind it | ||
177 | |||
178 | % Define .loadfontfile for loading a font. If we recognize Type 1 and/or | ||
179 | @@ -669,10 +678,19 @@ buildfontdict 3 /.buildfont3 cvx put | ||
180 | [(Cn) 4] [(Cond) 4] [(Narrow) 4] [(Pkg) 4] [(Compr) 4] | ||
181 | [(Serif) 8] [(Sans) -8] | ||
182 | ] readonly def | ||
183 | + | ||
184 | +/.fontnamestring { % <fontname> .fontnamestring <string|name> | ||
185 | + dup type dup /nametype eq { | ||
186 | + pop .namestring | ||
187 | + } { | ||
188 | + /stringtype ne { pop () } if | ||
189 | + } ifelse | ||
190 | +} bind def | ||
191 | + | ||
192 | /.fontnameproperties { % <int> <string|name> .fontnameproperties | ||
193 | % <int'> | ||
194 | - .fontnamestring | ||
195 | - .substituteproperties { | ||
196 | + //.fontnamestring exec | ||
197 | + //.substituteproperties { | ||
198 | 2 copy 0 get search { | ||
199 | pop pop pop dup length 1 sub 1 exch getinterval 3 -1 roll exch { | ||
200 | dup 0 ge { or } { neg not and } ifelse | ||
201 | @@ -710,13 +728,7 @@ buildfontdict 3 /.buildfont3 cvx put | ||
202 | % <other> .nametostring <other> | ||
203 | dup type /nametype eq { .namestring } if | ||
204 | } bind def | ||
205 | -/.fontnamestring { % <fontname> .fontnamestring <string|name> | ||
206 | - dup type dup /nametype eq { | ||
207 | - pop .namestring | ||
208 | - } { | ||
209 | - /stringtype ne { pop () } if | ||
210 | - } ifelse | ||
211 | -} bind def | ||
212 | + | ||
213 | /.substitutefontname { % <fontname> <properties> .substitutefontname | ||
214 | % <altname|null> | ||
215 | % Look for properties and/or a face name in the font name. | ||
216 | @@ -724,7 +736,7 @@ buildfontdict 3 /.buildfont3 cvx put | ||
217 | % base font; otherwise, use the default font. | ||
218 | % Note that the "substituted" font name may be the same as | ||
219 | % the requested one; the caller must check this. | ||
220 | - exch .fontnamestring { | ||
221 | + exch //.fontnamestring exec { | ||
222 | defaultfontname /Helvetica-Oblique /Helvetica-Bold /Helvetica-BoldOblique | ||
223 | /Helvetica-Narrow /Helvetica-Narrow-Oblique | ||
224 | /Helvetica-Narrow-Bold /Helvetica-Narrow-BoldOblique | ||
225 | @@ -734,12 +746,12 @@ buildfontdict 3 /.buildfont3 cvx put | ||
226 | } 3 1 roll | ||
227 | % Stack: facelist properties fontname | ||
228 | % Look for a face name. | ||
229 | - .substitutefaces { | ||
230 | + //.substitutefaces { | ||
231 | 2 copy 0 get search { | ||
232 | pop pop pop | ||
233 | % Stack: facelist properties fontname [(pattern) family properties] | ||
234 | dup 2 get 4 -1 roll or 3 1 roll | ||
235 | - 1 get .substitutefamilies exch get | ||
236 | + 1 get //.substitutefamilies exch get | ||
237 | 4 -1 roll pop 3 1 roll | ||
238 | } { | ||
239 | pop pop | ||
240 | @@ -748,7 +760,7 @@ buildfontdict 3 /.buildfont3 cvx put | ||
241 | 1 index length mod get exec | ||
242 | } bind def | ||
243 | /.substitutefont { % <fontname> .substitutefont <altname> | ||
244 | - dup 0 exch .fontnameproperties .substitutefontname | ||
245 | + dup 0 exch //.fontnameproperties exec .substitutefontname | ||
246 | % Only accept fonts known in the Fontmap. | ||
247 | Fontmap 1 index known not | ||
248 | { | ||
249 | @@ -814,7 +826,7 @@ FAKEFONTS not { (%END FAKEFONTS) .skipeof } if | ||
250 | counttomark 1 sub { .aliasfont } repeat end | ||
251 | % <fontname> mark <font> | ||
252 | exch pop exch pop | ||
253 | -} odef | ||
254 | +} bind odef | ||
255 | /findfont { | ||
256 | .findfont | ||
257 | } bind def | ||
258 | @@ -860,7 +872,7 @@ FAKEFONTS not { (%END FAKEFONTS) .skipeof } if | ||
259 | } { | ||
260 | dup .substitutefont | ||
261 | 2 copy eq { pop defaultfontname } if | ||
262 | - .checkalias | ||
263 | + //.checkalias exec | ||
264 | QUIET not { | ||
265 | SHORTERRORS { | ||
266 | (%%[) print 1 index =only | ||
267 | @@ -886,8 +898,8 @@ $error /SubstituteFont { } put | ||
268 | //null 0 1 FONTPATH length 1 sub { | ||
269 | FONTPATH 1 index get //null ne { exch pop exit } if pop | ||
270 | } for dup //null ne { | ||
271 | - dup 0 eq { .scanfontbegin } if | ||
272 | - FONTPATH 1 index get .scanfontdir | ||
273 | + dup 0 eq { //.scanfontbegin exec} if | ||
274 | + FONTPATH 1 index get //.scanfontdir exec | ||
275 | FONTPATH exch //null put //true | ||
276 | } { | ||
277 | pop //false | ||
278 | @@ -897,11 +909,10 @@ $error /SubstituteFont { } put | ||
279 | % scanning of FONTPATH. | ||
280 | /.dofindfont { % mark <fontname> .dofindfont % mark <alias> ... <font> | ||
281 | .tryfindfont not { | ||
282 | - | ||
283 | % We didn't find the font. If we haven't scanned | ||
284 | % all the directories in FONTPATH, scan the next one | ||
285 | % now and look for the font again. | ||
286 | - .scannextfontdir { | ||
287 | + //.scannextfontdir exec { | ||
288 | % Start over with an empty alias list. | ||
289 | counttomark 1 sub { pop } repeat % mark <fontname> | ||
290 | .dofindfont | ||
291 | @@ -927,6 +938,7 @@ $error /SubstituteFont { } put | ||
292 | } if | ||
293 | % Substitute for the font. Don't alias. | ||
294 | % Same stack as at the beginning of .dofindfont. | ||
295 | + | ||
296 | $error /SubstituteFont get exec | ||
297 | % | ||
298 | % igorm: I guess the surrounding code assumes that .stdsubstfont | ||
299 | @@ -935,72 +947,11 @@ $error /SubstituteFont { } put | ||
300 | % used in .dofindfont and through .stdsubstfont | ||
301 | % just to represent a simple iteration, | ||
302 | % which accumulates the aliases after the mark. | ||
303 | - .stdsubstfont | ||
304 | + //.stdsubstfont exec | ||
305 | } ifelse | ||
306 | } ifelse | ||
307 | } if | ||
308 | } bind def | ||
309 | -% Try to find a font using only the present contents of Fontmap. | ||
310 | -/.tryfindfont { % <fontname> .tryfindfont <font> true | ||
311 | - % <fontname> .tryfindfont false | ||
312 | - //.FontDirectory 1 index .fontknownget | ||
313 | - { % Already loaded | ||
314 | - exch pop //true | ||
315 | - } | ||
316 | - { | ||
317 | - dup Fontmap exch .knownget | ||
318 | - { //true //true } | ||
319 | - { % Unknown font name. Look for a file with the | ||
320 | - % same name as the requested font. | ||
321 | - dup .tryloadfont | ||
322 | - { exch pop //true //false } | ||
323 | - { | ||
324 | - % if we can't load by name check the native font map | ||
325 | - dup .nativeFontmap exch .knownget | ||
326 | - { //true //true } | ||
327 | - { //false //false } ifelse | ||
328 | - } ifelse | ||
329 | - } ifelse | ||
330 | - | ||
331 | - { % Try each element of the Fontmap in turn. | ||
332 | - pop | ||
333 | - //false exch % (in case we exhaust the list) | ||
334 | - % Stack: fontname false fontmaplist | ||
335 | - { exch pop | ||
336 | - dup type /nametype eq | ||
337 | - { % Font alias | ||
338 | - .checkalias .tryfindfont exit | ||
339 | - } | ||
340 | - { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and | ||
341 | - { % Font with a procedural definition | ||
342 | - exec % The procedure will load the font. | ||
343 | - % Check to make sure this really happened. | ||
344 | - //.FontDirectory 1 index .knownget | ||
345 | - { exch pop //true exit } | ||
346 | - if | ||
347 | - } | ||
348 | - { % Font file name | ||
349 | - //true .loadfontloop { //true exit } if | ||
350 | - } | ||
351 | - ifelse | ||
352 | - } | ||
353 | - ifelse //false | ||
354 | - } | ||
355 | - forall | ||
356 | - % Stack: font true -or- fontname false | ||
357 | - { //true | ||
358 | - } | ||
359 | - { % None of the Fontmap entries worked. | ||
360 | - % Try loading a file with the same name | ||
361 | - % as the requested font. | ||
362 | - .tryloadfont | ||
363 | - } | ||
364 | - ifelse | ||
365 | - } | ||
366 | - if | ||
367 | - } | ||
368 | - ifelse | ||
369 | - } bind def | ||
370 | |||
371 | % any user of .putgstringcopy must use bind and executeonly | ||
372 | /.putgstringcopy % <dict> <name> <string> .putgstringcopy - | ||
373 | @@ -1014,25 +965,6 @@ $error /SubstituteFont { } put | ||
374 | } executeonly ifelse | ||
375 | } .bind executeonly odef % must be bound and hidden for .forceput | ||
376 | |||
377 | -% Attempt to load a font from a file. | ||
378 | -/.tryloadfont { % <fontname> .tryloadfont <font> true | ||
379 | - % <fontname> .tryloadfont false | ||
380 | - dup .nametostring | ||
381 | - % Hack: check for the presence of the resource machinery. | ||
382 | - /.genericrfn where { | ||
383 | - pop | ||
384 | - pop dup .fonttempstring /FontResourceDir getsystemparam .genericrfn | ||
385 | - {//false .loadfontloop} .internalstopped {//false} if { | ||
386 | - //true | ||
387 | - } { | ||
388 | - dup .nametostring | ||
389 | - {//true .loadfontloop} .internalstopped {//false} if | ||
390 | - } ifelse | ||
391 | - } { | ||
392 | - {//true .loadfontloop} .internalstopped {//false} if | ||
393 | - } ifelse | ||
394 | -} bind def | ||
395 | - | ||
396 | /.loadfontloop { % <fontname> <filename> <libflag> .loadfontloop | ||
397 | % <font> true | ||
398 | % -or- | ||
399 | @@ -1102,7 +1034,7 @@ $error /SubstituteFont { } put | ||
400 | } if | ||
401 | |||
402 | % Check to make sure the font was actually loaded. | ||
403 | - dup 3 index .fontknownget | ||
404 | + dup 3 index //.fontknownget exec | ||
405 | { dup /PathLoad 4 index .putgstringcopy | ||
406 | 4 1 roll pop pop pop //true exit | ||
407 | } executeonly if | ||
408 | @@ -1113,7 +1045,7 @@ $error /SubstituteFont { } put | ||
409 | exch dup % Stack: origfontname fontdirectory path path | ||
410 | (r) file .findfontname | ||
411 | { % Stack: origfontname fontdirectory path filefontname | ||
412 | - 2 index 1 index .fontknownget | ||
413 | + 2 index 1 index //.fontknownget exec | ||
414 | { % Yes. Stack: origfontname fontdirectory path filefontname fontdict | ||
415 | dup 4 -1 roll /PathLoad exch .putgstringcopy | ||
416 | % Stack: origfontname fontdirectory filefontname fontdict | ||
417 | @@ -1136,7 +1068,7 @@ $error /SubstituteFont { } put | ||
418 | % Stack: fontdict | ||
419 | } executeonly | ||
420 | if pop % Stack: origfontname fontdirectory path | ||
421 | - } | ||
422 | + } executeonly | ||
423 | if pop pop % Stack: origfontname | ||
424 | |||
425 | % The font definitely did not load correctly. | ||
426 | @@ -1150,7 +1082,87 @@ $error /SubstituteFont { } put | ||
427 | |||
428 | } bind executeonly odef % must be bound and hidden for .putgstringcopy | ||
429 | |||
430 | -currentdict /.putgstringcopy .undef | ||
431 | +% Attempt to load a font from a file. | ||
432 | +/.tryloadfont { % <fontname> .tryloadfont <font> true | ||
433 | + % <fontname> .tryloadfont false | ||
434 | + dup //.nametostring exec | ||
435 | + % Hack: check for the presence of the resource machinery. | ||
436 | + /.genericrfn where { | ||
437 | + pop | ||
438 | + pop dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn | ||
439 | + {//false .loadfontloop} .internalstopped {//false} if { | ||
440 | + //true | ||
441 | + } { | ||
442 | + dup //.nametostring exec | ||
443 | + {//true .loadfontloop} .internalstopped {//false} if | ||
444 | + } ifelse | ||
445 | + } { | ||
446 | + {//true .loadfontloop} .internalstopped {//false} if | ||
447 | + } ifelse | ||
448 | +} bind def | ||
449 | + | ||
450 | +% Try to find a font using only the present contents of Fontmap. | ||
451 | +/.tryfindfont { % <fontname> .tryfindfont <font> true | ||
452 | + % <fontname> .tryfindfont false | ||
453 | + //.FontDirectory 1 index //.fontknownget exec | ||
454 | + { % Already loaded | ||
455 | + exch pop //true | ||
456 | + } | ||
457 | + { | ||
458 | + dup Fontmap exch .knownget | ||
459 | + { //true //true } | ||
460 | + { % Unknown font name. Look for a file with the | ||
461 | + % same name as the requested font. | ||
462 | + dup //.tryloadfont exec | ||
463 | + { exch pop //true //false } | ||
464 | + { | ||
465 | + % if we can't load by name check the native font map | ||
466 | + dup .nativeFontmap exch .knownget | ||
467 | + { //true //true } | ||
468 | + { //false //false } ifelse | ||
469 | + } ifelse | ||
470 | + } ifelse | ||
471 | + | ||
472 | + { % Try each element of the Fontmap in turn. | ||
473 | + pop | ||
474 | + //false exch % (in case we exhaust the list) | ||
475 | + % Stack: fontname false fontmaplist | ||
476 | + { exch pop | ||
477 | + dup type /nametype eq | ||
478 | + { % Font alias | ||
479 | + //.checkalias exec | ||
480 | + .tryfindfont exit | ||
481 | + } | ||
482 | + { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and | ||
483 | + { % Font with a procedural definition | ||
484 | + exec % The procedure will load the font. | ||
485 | + % Check to make sure this really happened. | ||
486 | + //.FontDirectory 1 index .knownget | ||
487 | + { exch pop //true exit } | ||
488 | + if | ||
489 | + } | ||
490 | + { % Font file name | ||
491 | + //true .loadfontloop { //true exit } if | ||
492 | + } | ||
493 | + ifelse | ||
494 | + } | ||
495 | + ifelse //false | ||
496 | + } | ||
497 | + forall | ||
498 | + % Stack: font true -or- fontname false | ||
499 | + { //true | ||
500 | + } | ||
501 | + { % None of the Fontmap entries worked. | ||
502 | + % Try loading a file with the same name | ||
503 | + % as the requested font. | ||
504 | + //.tryloadfont exec | ||
505 | + } | ||
506 | + ifelse | ||
507 | + } | ||
508 | + if | ||
509 | + } | ||
510 | + ifelse | ||
511 | + } bind def | ||
512 | |||
513 | % Define a procedure to load all known fonts. | ||
514 | % This isn't likely to be very useful. | ||
515 | @@ -1192,9 +1204,9 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined | ||
516 | /.loadinitialfonts | ||
517 | { NOFONTMAP not | ||
518 | { /FONTMAP where | ||
519 | - { pop [ FONTMAP .pathlist ] | ||
520 | + { pop [ FONTMAP //.pathlist exec] | ||
521 | { dup VMDEBUG findlibfile | ||
522 | - { exch pop .loadFontmap } | ||
523 | + { exch pop //.loadFontmap exec } | ||
524 | { /undefinedfilename signalerror } | ||
525 | ifelse | ||
526 | } | ||
527 | @@ -1208,7 +1220,7 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined | ||
528 | pop pop | ||
529 | defaultfontmap_content { .definefontmap } forall | ||
530 | } { | ||
531 | - .loadFontmap | ||
532 | + //.loadFontmap exec | ||
533 | } ifelse | ||
534 | } { | ||
535 | pop pop | ||
536 | @@ -1272,3 +1284,18 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined | ||
537 | { .makemodifiedfont | ||
538 | dup /FontName get exch definefont pop | ||
539 | } bind def | ||
540 | + | ||
541 | +% Undef these, not needed outside this file | ||
542 | +[ | ||
543 | + % /.fonttempstring /.scannextfontdir - are also used in gs_res.ps, so are undefined there | ||
544 | + % /.fontnameproperties - is used in pdf_font.ps | ||
545 | + % /.scanfontheaders - used in gs_cff.ps, gs_ttf.ps | ||
546 | + /.loadfontloop /.tryloadfont /.findfont /.pathlist /.loadFontmap /.lowerstring | ||
547 | + /.splitfilename /.scanfontdict /.scanfontbegin | ||
548 | + /.scanfontskip /.scan1fontstring | ||
549 | + /.scan1fontfirst /.scanfontdir | ||
550 | + /.setnativefontmapbuilt /.aliasfont | ||
551 | + /.setloadingfont /.substitutefaces /.substituteproperties /.substitutefamilies | ||
552 | + /.nametostring /.fontnamestring /.checkalias /.fontknownget /.stdsubstfont | ||
553 | + /.putgstringcopy | ||
554 | +] {systemdict exch .forceundef} forall | ||
555 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
556 | index 18d5452..b016113 100644 | ||
557 | --- a/Resource/Init/gs_res.ps | ||
558 | +++ b/Resource/Init/gs_res.ps | ||
559 | @@ -961,7 +961,7 @@ userdict /.localcsdefaults //false put | ||
560 | dup type /nametype eq { .namestring } if | ||
561 | dup type /stringtype ne { //false exit } if | ||
562 | % Check the resource directory. | ||
563 | - dup .fonttempstring /FontResourceDir getsystemparam .genericrfn | ||
564 | + dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn | ||
565 | status { | ||
566 | pop pop pop pop //true exit | ||
567 | } if | ||
568 | @@ -969,7 +969,7 @@ userdict /.localcsdefaults //false put | ||
569 | % as the font. | ||
570 | findlibfile { closefile //true exit } if | ||
571 | % Scan a FONTPATH directory and try again. | ||
572 | - .scannextfontdir not { //false exit } if | ||
573 | + //.scannextfontdir exec not { //false exit } if | ||
574 | } loop | ||
575 | } bind def | ||
576 | |||
577 | @@ -1008,7 +1008,7 @@ currentdict /.fontstatusaux .undef | ||
578 | } ifelse | ||
579 | } bind executeonly | ||
580 | /ResourceForAll { | ||
581 | - { .scannextfontdir not { exit } if } loop | ||
582 | + { //.scannextfontdir exec not { exit } if } loop | ||
583 | /Generic /Category findresource /ResourceForAll get exec | ||
584 | } bind executeonly | ||
585 | /.ResourceFileStatus { | ||
586 | @@ -1163,6 +1163,7 @@ end % level2dict | ||
587 | [ | ||
588 | /.default_resource_dir | ||
589 | /.resource_dir_name | ||
590 | + /.fonttempstring /.scannextfontdir % from gs_fonts.ps | ||
591 | ] | ||
592 | {systemdict exch .forceundef} forall | ||
593 | |||
594 | -- | ||
595 | 2.18.1 | ||
596 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0007.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0007.patch new file mode 100644 index 0000000000..5c1f839597 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0007.patch | |||
@@ -0,0 +1,346 @@ | |||
1 | From 5c49efe24dda0f2dbd2a09b9159e683cce99b6d8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Fri, 11 Jan 2019 13:36:36 +0000 | ||
4 | Subject: [PATCH 7/7] Remove .forcedef, and harden .force* ops more | ||
5 | |||
6 | Remove .forcedef and replace all uses with a direct call to .forceput instead. | ||
7 | |||
8 | Ensure every procedure (named and trasient) that calls .forceput is | ||
9 | executeonly. | ||
10 | |||
11 | CVE: CVE-2019-6116 | ||
12 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
13 | |||
14 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
15 | --- | ||
16 | Resource/Init/gs_dps1.ps | 15 +++++++----- | ||
17 | Resource/Init/gs_init.ps | 28 ++++++++------------- | ||
18 | Resource/Init/gs_lev2.ps | 51 +++++++++++++++++++-------------------- | ||
19 | Resource/Init/gs_ll3.ps | 5 ++-- | ||
20 | Resource/Init/gs_res.ps | 29 +++++++++++----------- | ||
21 | Resource/Init/gs_statd.ps | 4 +-- | ||
22 | 6 files changed, 63 insertions(+), 69 deletions(-) | ||
23 | |||
24 | diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps | ||
25 | index 8700c8c..3d2cf7a 100644 | ||
26 | --- a/Resource/Init/gs_dps1.ps | ||
27 | +++ b/Resource/Init/gs_dps1.ps | ||
28 | @@ -33,14 +33,17 @@ systemdict begin | ||
29 | |||
30 | /SharedFontDirectory .FontDirectory .gcheck | ||
31 | { .currentglobal //false .setglobal | ||
32 | + currentdict | ||
33 | /LocalFontDirectory .FontDirectory dup maxlength dict copy | ||
34 | - .forcedef % LocalFontDirectory is local, systemdict is global | ||
35 | + .forceput % LocalFontDirectory is local, systemdict is global | ||
36 | .setglobal .FontDirectory | ||
37 | - } | ||
38 | - { /LocalFontDirectory .FontDirectory | ||
39 | - .forcedef % LocalFontDirectory is local, systemdict is global | ||
40 | + } executeonly | ||
41 | + { | ||
42 | + currentdict | ||
43 | + /LocalFontDirectory .FontDirectory | ||
44 | + .forceput % LocalFontDirectory is local, systemdict is global | ||
45 | 50 dict | ||
46 | - } | ||
47 | + }executeonly | ||
48 | ifelse def | ||
49 | |||
50 | end % systemdict | ||
51 | @@ -55,7 +58,7 @@ level2dict begin | ||
52 | { //SharedFontDirectory } | ||
53 | { /LocalFontDirectory .systemvar } % can't embed ref to local VM | ||
54 | ifelse .forceput pop % LocalFontDirectory is local, systemdict is global | ||
55 | - } .bind odef | ||
56 | + } .bind executeonly odef | ||
57 | % Don't just copy (load) the definition of .setglobal: | ||
58 | % it gets redefined for LL3. | ||
59 | /setshared { /.setglobal .systemvar exec } odef | ||
60 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
61 | index d9a0829..45bebf4 100644 | ||
62 | --- a/Resource/Init/gs_init.ps | ||
63 | +++ b/Resource/Init/gs_init.ps | ||
64 | @@ -54,7 +54,7 @@ systemdict exch | ||
65 | dup /userdict | ||
66 | currentdict dup 200 .setmaxlength % userdict | ||
67 | .forceput % userdict is local, systemdict is global | ||
68 | - } | ||
69 | + } executeonly | ||
70 | if begin | ||
71 | |||
72 | % Define dummy local/global operators if needed. | ||
73 | @@ -299,13 +299,6 @@ QUIET not { printgreeting flush } if | ||
74 | 1 index exch .makeoperator def | ||
75 | } .bind def | ||
76 | |||
77 | -% Define a special version of def for storing local objects into global | ||
78 | -% dictionaries. Like .forceput, this exists only during initialization. | ||
79 | -/.forcedef { % <key> <value> .forcedef - | ||
80 | - 1 .argindex pop % check # of args | ||
81 | - currentdict 3 1 roll .forceput | ||
82 | -} .bind odef | ||
83 | - | ||
84 | % Define procedures for accessing variables in systemdict and userdict | ||
85 | % regardless of the contents of the dictionary stack. | ||
86 | /.systemvar { % <name> .systemvar <value> | ||
87 | @@ -347,7 +340,7 @@ DELAYBIND | ||
88 | } | ||
89 | ifelse | ||
90 | } .bind def | ||
91 | -} if | ||
92 | +} executeonly if | ||
93 | |||
94 | %**************** BACKWARD COMPATIBILITY **************** | ||
95 | /hwsizedict mark /HWSize //null .dicttomark readonly def | ||
96 | @@ -655,7 +648,7 @@ currentdict /.typenames .undef | ||
97 | /ifelse .systemvar | ||
98 | ] cvx executeonly | ||
99 | exch .setglobal | ||
100 | -} odef | ||
101 | +} executeonly odef | ||
102 | systemdict /internaldict dup .makeinternaldict .makeoperator | ||
103 | .forceput % proc is local, systemdict is global | ||
104 | |||
105 | @@ -1093,7 +1086,7 @@ def | ||
106 | |||
107 | % Define $error. This must be in local VM. | ||
108 | .currentglobal //false .setglobal | ||
109 | -/$error 40 dict .forcedef % $error is local, systemdict is global | ||
110 | +currentdict /$error 40 dict .forceput % $error is local, systemdict is global | ||
111 | % newerror, errorname, command, errorinfo, | ||
112 | % ostack, estack, dstack, recordstacks, | ||
113 | % binary, globalmode, | ||
114 | @@ -1112,8 +1105,8 @@ end | ||
115 | % Define errordict similarly. It has one entry per error name, | ||
116 | % plus handleerror. However, some astonishingly badly written PostScript | ||
117 | % files require it to have at least one empty slot. | ||
118 | -/errordict ErrorNames length 3 add dict | ||
119 | -.forcedef % errordict is local, systemdict is global | ||
120 | +currentdict /errordict ErrorNames length 3 add dict | ||
121 | +.forceput % errordict is local, systemdict is global | ||
122 | .setglobal % back to global VM | ||
123 | % gserrordict contains all the default error handling methods, but unlike | ||
124 | % errordict it is noaccess after creation (also it is in global VM). | ||
125 | @@ -1273,8 +1266,9 @@ end | ||
126 | (END PROCS) VMDEBUG | ||
127 | |||
128 | % Define the font directory. | ||
129 | +currentdict | ||
130 | /FontDirectory //false .setglobal 100 dict //true .setglobal | ||
131 | -.forcedef % FontDirectory is local, systemdict is global | ||
132 | +.forceput % FontDirectory is local, systemdict is global | ||
133 | |||
134 | % Define the encoding dictionary. | ||
135 | /EncodingDirectory 16 dict def % enough for Level 2 + PDF standard encodings | ||
136 | @@ -2333,7 +2327,6 @@ SAFER { .setsafeglobal } if | ||
137 | //systemdict /UndefinePostScriptOperators get exec | ||
138 | //systemdict /UndefinePDFOperators get exec | ||
139 | //systemdict /.forcecopynew .forceundef % remove temptation | ||
140 | - //systemdict /.forcedef .forceundef % ditto | ||
141 | //systemdict /.forceput .forceundef % ditto | ||
142 | //systemdict /.undef .forceundef % ditto | ||
143 | //systemdict /.forceundef .forceundef % ditto | ||
144 | @@ -2368,9 +2361,9 @@ SAFER { .setsafeglobal } if | ||
145 | % (and, if implemented, context switching). | ||
146 | .currentglobal //false .setglobal | ||
147 | mark userparams { } forall .dicttomark readonly | ||
148 | - /userparams exch .forcedef % systemdict is read-only | ||
149 | + currentdict exch /userparams exch .forceput % systemdict is read-only | ||
150 | .setglobal | ||
151 | -} if | ||
152 | +} executeonly if | ||
153 | /.currentsystemparams where { | ||
154 | pop | ||
155 | % Remove real system params from pssystemparams. | ||
156 | @@ -2458,7 +2451,6 @@ end | ||
157 | DELAYBIND not { | ||
158 | systemdict /.bindnow .undef % We only need this for DELAYBIND | ||
159 | systemdict /.forcecopynew .undef % remove temptation | ||
160 | - systemdict /.forcedef .undef % ditto | ||
161 | systemdict /.forceput .undef % ditto | ||
162 | systemdict /.forceundef .undef % ditto | ||
163 | } if | ||
164 | diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps | ||
165 | index 0f0d573..9c0c3a6 100644 | ||
166 | --- a/Resource/Init/gs_lev2.ps | ||
167 | +++ b/Resource/Init/gs_lev2.ps | ||
168 | @@ -304,31 +304,30 @@ end | ||
169 | psuserparams exch /.checkFilePermitparams load put | ||
170 | .setglobal | ||
171 | |||
172 | -pssystemparams begin | ||
173 | - /CurDisplayList 0 .forcedef | ||
174 | - /CurFormCache 0 .forcedef | ||
175 | - /CurInputDevice () .forcedef | ||
176 | - /CurOutlineCache 0 .forcedef | ||
177 | - /CurOutputDevice () .forcedef | ||
178 | - /CurPatternCache 0 .forcedef | ||
179 | - /CurUPathCache 0 .forcedef | ||
180 | - /CurScreenStorage 0 .forcedef | ||
181 | - /CurSourceList 0 .forcedef | ||
182 | - /DoPrintErrors //false .forcedef | ||
183 | - /JobTimeout 0 .forcedef | ||
184 | - /LicenseID (LN-001) .forcedef % bogus | ||
185 | - /MaxDisplayList 140000 .forcedef | ||
186 | - /MaxFormCache 100000 .forcedef | ||
187 | - /MaxImageBuffer 524288 .forcedef | ||
188 | - /MaxOutlineCache 65000 .forcedef | ||
189 | - /MaxPatternCache 100000 .forcedef | ||
190 | - /MaxUPathCache 300000 .forcedef | ||
191 | - /MaxScreenStorage 84000 .forcedef | ||
192 | - /MaxSourceList 25000 .forcedef | ||
193 | - /PrinterName product .forcedef | ||
194 | - /RamSize 4194304 .forcedef | ||
195 | - /WaitTimeout 40 .forcedef | ||
196 | -end | ||
197 | +pssystemparams | ||
198 | +dup /CurDisplayList 0 .forceput | ||
199 | +dup /CurFormCache 0 .forceput | ||
200 | +dup /CurInputDevice () .forceput | ||
201 | +dup /CurOutlineCache 0 .forceput | ||
202 | +dup /CurOutputDevice () .forceput | ||
203 | +dup /CurPatternCache 0 .forceput | ||
204 | +dup /CurUPathCache 0 .forceput | ||
205 | +dup /CurScreenStorage 0 .forceput | ||
206 | +dup /CurSourceList 0 .forceput | ||
207 | +dup /DoPrintErrors //false .forceput | ||
208 | +dup /JobTimeout 0 .forceput | ||
209 | +dup /LicenseID (LN-001) .forceput % bogus | ||
210 | +dup /MaxDisplayList 140000 .forceput | ||
211 | +dup /MaxFormCache 100000 .forceput | ||
212 | +dup /MaxImageBuffer 524288 .forceput | ||
213 | +dup /MaxOutlineCache 65000 .forceput | ||
214 | +dup /MaxPatternCache 100000 .forceput | ||
215 | +dup /MaxUPathCache 300000 .forceput | ||
216 | +dup /MaxScreenStorage 84000 .forceput | ||
217 | +dup /MaxSourceList 25000 .forceput | ||
218 | +dup /PrinterName product .forceput | ||
219 | +dup /RamSize 4194304 .forceput | ||
220 | + /WaitTimeout 40 .forceput | ||
221 | |||
222 | % Define the procedures for handling comment scanning. The names | ||
223 | % %ProcessComment and %ProcessDSCComment are known to the interpreter. | ||
224 | @@ -710,7 +709,7 @@ pop % currentsystemparams | ||
225 | /statusdict currentdict def | ||
226 | |||
227 | currentdict end | ||
228 | -/statusdict exch .forcedef % statusdict is local, systemdict is global | ||
229 | +currentdict exch /statusdict exch .forceput % statusdict is local, systemdict is global | ||
230 | |||
231 | % The following compatibility operators are in systemdict. They are | ||
232 | % defined here, rather than in gs_init.ps, because they require the | ||
233 | diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps | ||
234 | index c86721f..881af44 100644 | ||
235 | --- a/Resource/Init/gs_ll3.ps | ||
236 | +++ b/Resource/Init/gs_ll3.ps | ||
237 | @@ -521,9 +521,8 @@ end | ||
238 | % Define additional user and system parameters. | ||
239 | /HalftoneMode 0 .definepsuserparam | ||
240 | /MaxSuperScreen 1016 .definepsuserparam | ||
241 | -pssystemparams begin % read-only, so use .forcedef | ||
242 | - /MaxDisplayAndSourceList 160000 .forcedef | ||
243 | -end | ||
244 | +% read-only, so use .forceput | ||
245 | +pssystemparams /MaxDisplayAndSourceList 160000 .forceput | ||
246 | |||
247 | % Define the IdiomSet resource category. | ||
248 | { /IdiomSet } { | ||
249 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
250 | index b016113..89c0ed6 100644 | ||
251 | --- a/Resource/Init/gs_res.ps | ||
252 | +++ b/Resource/Init/gs_res.ps | ||
253 | @@ -41,10 +41,10 @@ level2dict begin | ||
254 | % However, Ed Taft of Adobe says their interpreters don't implement this | ||
255 | % either, so we aren't going to worry about it for a while. | ||
256 | |||
257 | -currentglobal //false setglobal systemdict begin | ||
258 | - /localinstancedict 5 dict | ||
259 | - .forcedef % localinstancedict is local, systemdict is global | ||
260 | -end //true setglobal | ||
261 | +currentglobal //false setglobal | ||
262 | + systemdict /localinstancedict 5 dict | ||
263 | + .forceput % localinstancedict is local, systemdict is global | ||
264 | +//true setglobal | ||
265 | /.emptydict 0 dict readonly def | ||
266 | setglobal | ||
267 | |||
268 | @@ -149,7 +149,7 @@ setglobal | ||
269 | dup [ exch 0 -1 ] exch | ||
270 | .Instances 4 2 roll put | ||
271 | % Make the Category dictionary read-only. We will have to | ||
272 | - % use .forceput / .forcedef later to replace the dummy, | ||
273 | + % use .forceput / .forceput later to replace the dummy, | ||
274 | % empty .Instances dictionary with the real one later. | ||
275 | readonly | ||
276 | }{ | ||
277 | @@ -304,7 +304,8 @@ systemdict begin | ||
278 | dup () ne { | ||
279 | .file_name_directory_separator concatstrings | ||
280 | } if | ||
281 | - 2 index exch //false .file_name_combine not { | ||
282 | + 2 index exch //false | ||
283 | + .file_name_combine not { | ||
284 | (Error: .default_resource_dir returned ) print exch print ( that can't combine with ) print = | ||
285 | /.default_resource_dir cvx /configurationerror signalerror | ||
286 | } if | ||
287 | @@ -317,14 +318,14 @@ currentdict /pssystemparams known not { | ||
288 | pssystemparams begin | ||
289 | //.default_resource_dir exec | ||
290 | /FontResourceDir (Font) //.resource_dir_name exec | ||
291 | - readonly .forcedef % pssys'params is r-o | ||
292 | + readonly currentdict 3 1 roll .forceput % pssys'params is r-o | ||
293 | /GenericResourceDir () //.resource_dir_name exec | ||
294 | - readonly .forcedef % pssys'params is r-o | ||
295 | + readonly currentdict 3 1 roll .forceput % pssys'params is r-o | ||
296 | pop % .default_resource_dir | ||
297 | /GenericResourcePathSep | ||
298 | - .file_name_separator readonly .forcedef % pssys'params is r-o | ||
299 | - (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forcedef % pssys'params is r-o | ||
300 | - (%diskGenericResourceDir) cvn (/Resource/) readonly .forcedef % pssys'params is r-o | ||
301 | + .file_name_separator readonly currentdict 3 1 roll .forceput % pssys'params is r-o | ||
302 | + currentdict (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forceput % pssys'params is r-o | ||
303 | + currentdict (%diskGenericResourceDir) cvn (/Resource/) readonly .forceput % pssys'params is r-o | ||
304 | end | ||
305 | end | ||
306 | |||
307 | @@ -422,8 +423,8 @@ status { | ||
308 | .Instances dup //.emptydict eq { | ||
309 | pop 3 dict | ||
310 | % As noted above, Category dictionaries are read-only, | ||
311 | - % so we have to use .forcedef here. | ||
312 | - /.Instances 1 index .forcedef % Category dict is read-only | ||
313 | + % so we have to use .forceput here. | ||
314 | + currentdict /.Instances 2 index .forceput % Category dict is read-only | ||
315 | } executeonly if | ||
316 | } | ||
317 | { .LocalInstances dup //.emptydict eq | ||
318 | @@ -441,7 +442,7 @@ status { | ||
319 | { /defineresource cvx /typecheck signaloperror | ||
320 | } | ||
321 | ifelse | ||
322 | -} .bind executeonly .makeoperator % executeonly to prevent access to .forcedef | ||
323 | +} .bind executeonly .makeoperator % executeonly to prevent access to .forceput | ||
324 | /UndefineResource | ||
325 | { { dup 2 index .knownget | ||
326 | { dup 1 get 1 ge | ||
327 | diff --git a/Resource/Init/gs_statd.ps b/Resource/Init/gs_statd.ps | ||
328 | index 20d4c96..b6a7659 100644 | ||
329 | --- a/Resource/Init/gs_statd.ps | ||
330 | +++ b/Resource/Init/gs_statd.ps | ||
331 | @@ -21,10 +21,10 @@ systemdict begin | ||
332 | % We make statusdict a little larger for Level 2 stuff. | ||
333 | % Note that it must be allocated in local VM. | ||
334 | .currentglobal //false .setglobal | ||
335 | - /statusdict 91 dict .forcedef % statusdict is local, sys'dict global | ||
336 | + currentdict /statusdict 91 dict .forceput % statusdict is local, sys'dict global | ||
337 | % To support the Level 2 job control features, | ||
338 | % serverdict must also be in local VM. | ||
339 | - /serverdict 10 dict .forcedef % serverdict is local, sys'dict global | ||
340 | + currentdict /serverdict 10 dict .forceput % serverdict is local, sys'dict global | ||
341 | .setglobal | ||
342 | end | ||
343 | |||
344 | -- | ||
345 | 2.18.1 | ||
346 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb index 5ca978f86c..bb32347880 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb | |||
@@ -32,6 +32,19 @@ SRC_URI = "${SRC_URI_BASE} \ | |||
32 | file://ghostscript-9.02-genarch.patch \ | 32 | file://ghostscript-9.02-genarch.patch \ |
33 | file://objarch.h \ | 33 | file://objarch.h \ |
34 | file://cups-no-gcrypt.patch \ | 34 | file://cups-no-gcrypt.patch \ |
35 | file://CVE-2019-6116-0001.patch \ | ||
36 | file://CVE-2019-6116-0002.patch \ | ||
37 | file://CVE-2019-6116-0003.patch \ | ||
38 | file://CVE-2019-6116-0004.patch \ | ||
39 | file://CVE-2019-6116-0005.patch \ | ||
40 | file://CVE-2019-6116-0006.patch \ | ||
41 | file://CVE-2019-6116-0007.patch \ | ||
42 | file://CVE-2019-3835-0001.patch \ | ||
43 | file://CVE-2019-3835-0002.patch \ | ||
44 | file://CVE-2019-3835-0003.patch \ | ||
45 | file://CVE-2019-3835-0004.patch \ | ||
46 | file://CVE-2019-3838-0001.patch \ | ||
47 | file://CVE-2019-3838-0002.patch \ | ||
35 | " | 48 | " |
36 | 49 | ||
37 | SRC_URI_class-native = "${SRC_URI_BASE} \ | 50 | SRC_URI_class-native = "${SRC_URI_BASE} \ |