ghostscript: fix CVE-2020-15900

(From OE-Core rev: d70012e8971a4762ea402c3c843938640b9ab9fc) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-08-06 17:46:17 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-08-08 09:17:48 +0100
commit: 6ec51d096ecd45a713cb4ca71ee70930a40749e7 (patch)
tree: 8bf1e74175cf235d09ada95388c94f4ff7a060d9 /meta/recipes-extended
parent: ddd3e25679b7bc62205f64ecce7f64ccaba8e955 (diff)
download: poky-6ec51d096ecd45a713cb4ca71ee70930a40749e7.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch
new file mode 100644
index 0000000000..d7c5f034e5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch
@@ -0,0 +1,54 @@
+From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Wed, 22 Jul 2020 09:57:54 -0700
+Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
+ 9.52
+Fix the 'rsearch' calculation for the 'post' size to give the correct
+size.  Previous calculation would result in a size that was too large,
+and could underflow to max uint32_t. Also fix 'rsearch' to return the
+correct 'pre' string with empty string match.
+A future change may 'undefine' this undocumented, non-standard operator
+during initialization as we do with the many other non-standard internal
+PostScript operators and procedures.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
+CVE: CVE-2020-15900
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ psi/zstring.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+diff --git a/psi/zstring.c b/psi/zstring.c
+index 33662dafa..58e1af2b3 100644
+--- a/psi/zstring.c
+++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+     return 0;
+ found:
+     op->tas.type_attrs = op1->tas.type_attrs;
+-    op->value.bytes = ptr;
+-    r_set_size(op, size);
+    op->value.bytes = ptr;                             /* match */
+    op->tas.rsize = size;                              /* match */
+     push(2);
+-    op[-1] = *op1;
+-    r_set_size(op - 1, ptr - op[-1].value.bytes);
+-    op1->value.bytes = ptr + size;
+-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
+    op[-1] = *op1;                                     /* pre */
+    op[-3].value.bytes = ptr + size;                   /* post */
+    if (forward) {
+        op[-1].tas.rsize = ptr - op[-1].value.bytes;   /* pre */
+        op[-3].tas.rsize = count;                      /* post */
+    } else {
+        op[-1].tas.rsize = count;                      /* pre */
+        op[-3].tas.rsize -= count + size;              /* post */
+    }
+     make_true(op);
+     return 0;
+ }
+-- 
+2.17.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 4cdb6e00d8..65135f5821 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 SRC_URI = "${SRC_URI_BASE} \
           file://ghostscript-9.21-prevent_recompiling.patch \
           file://cups-no-gcrypt.patch \
+           file://CVE-2020-15900.patch \
           "
 SRC_URI_class-native = "${SRC_URI_BASE} \
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-08-06 17:46:17 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-08-08 09:17:48 +0100
commit	6ec51d096ecd45a713cb4ca71ee70930a40749e7 (patch)
tree	8bf1e74175cf235d09ada95388c94f4ff7a060d9 /meta/recipes-extended
parent	ddd3e25679b7bc62205f64ecce7f64ccaba8e955 (diff)
download	poky-6ec51d096ecd45a713cb4ca71ee70930a40749e7.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch new file mode 100644 index 0000000000..d7c5f034e5 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch
@@ -0,0 +1,54 @@
		1	From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
		2	From: Ray Johnston <ray.johnston@artifex.com>
		3	Date: Wed, 22 Jul 2020 09:57:54 -0700
		4	Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
		5	9.52
		6
		7	Fix the 'rsearch' calculation for the 'post' size to give the correct
		8	size. Previous calculation would result in a size that was too large,
		9	and could underflow to max uint32_t. Also fix 'rsearch' to return the
		10	correct 'pre' string with empty string match.
		11
		12	A future change may 'undefine' this undocumented, non-standard operator
		13	during initialization as we do with the many other non-standard internal
		14	PostScript operators and procedures.
		15
		16	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
		17	CVE: CVE-2020-15900
		18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		19	---
		20	psi/zstring.c \| 17 +++++++++++------
		21	1 file changed, 11 insertions(+), 6 deletions(-)
		22
		23	diff --git a/psi/zstring.c b/psi/zstring.c
		24	index 33662dafa..58e1af2b3 100644
		25	--- a/psi/zstring.c
		26	+++ b/psi/zstring.c
		27	@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
		28	return 0;
		29	found:
		30	op->tas.type_attrs = op1->tas.type_attrs;
		31	- op->value.bytes = ptr;
		32	- r_set_size(op, size);
		33	+ op->value.bytes = ptr; /* match */
		34	+ op->tas.rsize = size; /* match */
		35	push(2);
		36	- op[-1] = *op1;
		37	- r_set_size(op - 1, ptr - op[-1].value.bytes);
		38	- op1->value.bytes = ptr + size;
		39	- r_set_size(op1, count + (!forward ? (size - 1) : 0));
		40	+ op[-1] = op1; / pre */
		41	+ op[-3].value.bytes = ptr + size; /* post */
		42	+ if (forward) {
		43	+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
		44	+ op[-3].tas.rsize = count; /* post */
		45	+ } else {
		46	+ op[-1].tas.rsize = count; /* pre */
		47	+ op[-3].tas.rsize -= count + size; /* post */
		48	+ }
		49	make_true(op);
		50	return 0;
		51	}
		52	--
		53	2.17.1
		54


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 4cdb6e00d8..65135f5821 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
34	SRC_URI = "${SRC_URI_BASE} \	34	SRC_URI = "${SRC_URI_BASE} \
35	file://ghostscript-9.21-prevent_recompiling.patch \	35	file://ghostscript-9.21-prevent_recompiling.patch \
36	file://cups-no-gcrypt.patch \	36	file://cups-no-gcrypt.patch \
		37	file://CVE-2020-15900.patch \
37	"	38	"
38		39
39	SRC_URI_class-native = "${SRC_URI_BASE} \	40	SRC_URI_class-native = "${SRC_URI_BASE} \