ghostscript: fix CVE-2023-36664

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36664 Upstream commits: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5 https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099 (From OE-Core rev: 13534218ec37706d9decca5b5bd0453e312d72b0) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-09-26 10:01:05 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-10-04 05:17:51 -1000
commit: 16c91216f1d061db34eceaa7042e2c27f7a53c62 (patch)
tree: f066de3b5c0ce03a5a84a8474c5ef19b0f3f5fd9 /meta/recipes-extended
parent: e62c723b0c065ef5f35f24bd516681b0491b1c49 (diff)
download: poky-16c91216f1d061db34eceaa7042e2c27f7a53c62.tar.gz
4 files changed, 270 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
new file mode 100644
index 0000000000..a3bbe958eb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
+From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation
+For regular file names, we try to simplfy relative paths before we use them.
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c   | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4fffae..09ac6b3 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+           prefix_len = 0;
+     }
+-    rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+-    if (bufferfull == NULL)
+-        return gs_error_VMerror;
+-
+-    buffer = bufferfull + prefix_len;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+ 
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+       bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+       memcpy(buffer, path, len);
+       buffer[len] = 0;
+       rlen = len;
+    }
+    else {
+       rlen = len+1;
+       bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+       if (bufferfull == NULL)
+           return gs_error_VMerror;
+
+       buffer = bufferfull + prefix_len;
+       if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+           return gs_error_invalidfileaccess;
+       buffer[rlen] = 0;
+    }
+     while (1) {
+         switch (mode[0])
+         {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 20c5eee..355c0e3 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+       buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+       memcpy(buffer, path, len);
+       buffer[len] = 0;
+       rlen = len;
+    }
+    else {
+       rlen = len + 1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+       buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+
+       if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+           return gs_error_invalidfileaccess;
+       buffer[rlen] = 0;
+    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++)
+@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+       buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+       memcpy(buffer, path, len);
+       buffer[len] = 0;
+       rlen = len;
+    }
+    else {
+       rlen = len+1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+       buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+
+       if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+           return gs_error_invalidfileaccess;
+       buffer[rlen] = 0;
+    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++) {
+-- 
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
new file mode 100644
index 0000000000..e8c42f1deb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
+From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+This addresses both those.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c   | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 09ac6b3..01d449f 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 355c0e3..d8f74a3 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+-- 
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
new file mode 100644
index 0000000000..662736bb3d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
@@ -0,0 +1,62 @@
+From 4ceaf92815302863a8c86fcfcf2347e0118dd3a5 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Tue, 22 Sep 2020 13:10:04 -0700
+Subject: [PATCH] Fix gp_file allocations to use thread_safe_memory.
+The gpmisc.c does allocations for gp_file objects and buffers used by
+gp_fprintf, as well as gp_validate_path_len. The helgrind run with
+-dBGPrint -dNumRenderingThreads=4 and PCL input showed up the gp_fprintf
+problem since the clist rendering would call gp_fprintf using the same
+allocator (PCL's chunk allocator which is non_gc_memory). The chunk
+allocator is intentionally not thread safe (for performance).
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5]
+CVE: CVE-2023-36664 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 34cd71f..c4fffae 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -435,7 +435,7 @@ generic_pwrite(gp_file *f, size_t count, gs_offset_t offset, const void *buf)
+ 
+ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t size, const char *cname)
+ {
+-    gp_file *file = (gp_file *)gs_alloc_bytes(mem->non_gc_memory, size, cname ? cname : "gp_file");
+    gp_file *file = (gp_file *)gs_alloc_bytes(mem->thread_safe_memory, size, cname ? cname : "gp_file");
+     if (file == NULL)
+         return NULL;
+ 
+@@ -449,7 +449,7 @@ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t
+         memset(((char *)file)+sizeof(*prototype),
+                0,
+                size - sizeof(*prototype));
+-    file->memory = mem->non_gc_memory;
+    file->memory = mem->thread_safe_memory;
+ 
+     return file;
+ }
+@@ -1047,7 +1047,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+           prefix_len = 0;
+     }
+     rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path");
+    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+     if (bufferfull == NULL)
+         return gs_error_VMerror;
+ 
+@@ -1093,7 +1093,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+         break;
+     }
+ 
+-    gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path");
+    gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+     if (code == gs_error_invalidfileaccess)
+         errno = EACCES;
+-- 
+2.25.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 37e9ed8e84..0a2f9f5046 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -41,6 +41,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2021-3781_3.patch \
                file://CVE-2023-28879.patch \
                file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \
+                file://CVE-2023-36664-pre1.patch \
+                file://CVE-2023-36664-1.patch \
+                file://CVE-2023-36664-2.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Vijay Anusuri <vanusuri@mvista.com>	2023-09-26 10:01:05 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-10-04 05:17:51 -1000
commit	16c91216f1d061db34eceaa7042e2c27f7a53c62 (patch)
tree	f066de3b5c0ce03a5a84a8474c5ef19b0f3f5fd9 /meta/recipes-extended
parent	e62c723b0c065ef5f35f24bd516681b0491b1c49 (diff)
download	poky-16c91216f1d061db34eceaa7042e2c27f7a53c62.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch new file mode 100644 index 0000000000..a3bbe958eb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
		1	From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Wed, 7 Jun 2023 10:23:06 +0100
		4	Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation
		5
		6	For regular file names, we try to simplfy relative paths before we use them.
		7
		8	Because the %pipe% device can, effectively, accept command line calls, we
		9	shouldn't be simplifying that string, because the command line syntax can end
		10	up confusing the path simplifying code. That can result in permitting a pipe
		11	command which does not match what was originally permitted.
		12
		13	Special case "%pipe" in the validation code so we always deal with the entire
		14	string.
		15
		16	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
		17	CVE: CVE-2023-36664
		18	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		19	---
		20	base/gpmisc.c \| 31 +++++++++++++++++++--------
		21	base/gslibctx.c \| 56 ++++++++++++++++++++++++++++++++++++-------------
		22	2 files changed, 64 insertions(+), 23 deletions(-)
		23
		24	diff --git a/base/gpmisc.c b/base/gpmisc.c
		25	index c4fffae..09ac6b3 100644
		26	--- a/base/gpmisc.c
		27	+++ b/base/gpmisc.c
		28	@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
		29	&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
		30	prefix_len = 0;
		31	}
		32	- rlen = len+1;
		33	- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
		34	- if (bufferfull == NULL)
		35	- return gs_error_VMerror;
		36	-
		37	- buffer = bufferfull + prefix_len;
		38	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		39	- return gs_error_invalidfileaccess;
		40	- buffer[rlen] = 0;
		41
		42	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		43	+ don't "reduce" them to avoid unexpected results
		44	+ */
		45	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		46	+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
		47	+ if (buffer == NULL)
		48	+ return gs_error_VMerror;
		49	+ memcpy(buffer, path, len);
		50	+ buffer[len] = 0;
		51	+ rlen = len;
		52	+ }
		53	+ else {
		54	+ rlen = len+1;
		55	+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
		56	+ if (bufferfull == NULL)
		57	+ return gs_error_VMerror;
		58	+
		59	+ buffer = bufferfull + prefix_len;
		60	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		61	+ return gs_error_invalidfileaccess;
		62	+ buffer[rlen] = 0;
		63	+ }
		64	while (1) {
		65	switch (mode[0])
		66	{
		67	diff --git a/base/gslibctx.c b/base/gslibctx.c
		68	index 20c5eee..355c0e3 100644
		69	--- a/base/gslibctx.c
		70	+++ b/base/gslibctx.c
		71	@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
		72	return gs_error_rangecheck;
		73	}
		74
		75	- rlen = len+1;
		76	- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
		77	- if (buffer == NULL)
		78	- return gs_error_VMerror;
		79	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		80	+ don't "reduce" them to avoid unexpected results
		81	+ */
		82	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		83	+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
		84	+ if (buffer == NULL)
		85	+ return gs_error_VMerror;
		86	+ memcpy(buffer, path, len);
		87	+ buffer[len] = 0;
		88	+ rlen = len;
		89	+ }
		90	+ else {
		91	+ rlen = len + 1;
		92
		93	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		94	- return gs_error_invalidfileaccess;
		95	- buffer[rlen] = 0;
		96	+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
		97	+ if (buffer == NULL)
		98	+ return gs_error_VMerror;
		99	+
		100	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		101	+ return gs_error_invalidfileaccess;
		102	+ buffer[rlen] = 0;
		103	+ }
		104
		105	n = control->num;
		106	for (i = 0; i < n; i++)
		107	@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
		108	return gs_error_rangecheck;
		109	}
		110
		111	- rlen = len+1;
		112	- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
		113	- if (buffer == NULL)
		114	- return gs_error_VMerror;
		115	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		116	+ don't "reduce" them to avoid unexpected results
		117	+ */
		118	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		119	+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
		120	+ if (buffer == NULL)
		121	+ return gs_error_VMerror;
		122	+ memcpy(buffer, path, len);
		123	+ buffer[len] = 0;
		124	+ rlen = len;
		125	+ }
		126	+ else {
		127	+ rlen = len+1;
		128
		129	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		130	- return gs_error_invalidfileaccess;
		131	- buffer[rlen] = 0;
		132	+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
		133	+ if (buffer == NULL)
		134	+ return gs_error_VMerror;
		135	+
		136	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		137	+ return gs_error_invalidfileaccess;
		138	+ buffer[rlen] = 0;
		139	+ }
		140
		141	n = control->num;
		142	for (i = 0; i < n; i++) {
		143	--
		144	2.25.1
		145


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch new file mode 100644 index 0000000000..e8c42f1deb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
		1	From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Wed, 14 Jun 2023 09:08:12 +0100
		4	Subject: [PATCH] Bug 706778: 706761 revisit
		5
		6	Two problems with the original commit. The first a silly typo inverting the
		7	logic of a test.
		8
		9	The second was forgetting that we actually actually validate two candidate
		10	strings for pipe devices. One with the expected "%pipe%" prefix, the other
		11	using the pipe character prefix: "\|".
		12
		13	This addresses both those.
		14
		15	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
		16	CVE: CVE-2023-36664
		17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		18	---
		19	base/gpmisc.c \| 2 +-
		20	base/gslibctx.c \| 4 ++--
		21	2 files changed, 3 insertions(+), 3 deletions(-)
		22
		23	diff --git a/base/gpmisc.c b/base/gpmisc.c
		24	index 09ac6b3..01d449f 100644
		25	--- a/base/gpmisc.c
		26	+++ b/base/gpmisc.c
		27	@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
		28	/* "%pipe%" do not follow the normal rules for path definitions, so we
		29	don't "reduce" them to avoid unexpected results
		30	*/
		31	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		32	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		33	bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
		34	if (buffer == NULL)
		35	return gs_error_VMerror;
		36	diff --git a/base/gslibctx.c b/base/gslibctx.c
		37	index 355c0e3..d8f74a3 100644
		38	--- a/base/gslibctx.c
		39	+++ b/base/gslibctx.c
		40	@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
		41	/* "%pipe%" do not follow the normal rules for path definitions, so we
		42	don't "reduce" them to avoid unexpected results
		43	*/
		44	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		45	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		46	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
		47	if (buffer == NULL)
		48	return gs_error_VMerror;
		49	@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
		50	/* "%pipe%" do not follow the normal rules for path definitions, so we
		51	don't "reduce" them to avoid unexpected results
		52	*/
		53	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		54	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		55	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
		56	if (buffer == NULL)
		57	return gs_error_VMerror;
		58	--
		59	2.25.1
		60


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch new file mode 100644 index 0000000000..662736bb3d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
@@ -0,0 +1,62 @@
		1	From 4ceaf92815302863a8c86fcfcf2347e0118dd3a5 Mon Sep 17 00:00:00 2001
		2	From: Ray Johnston <ray.johnston@artifex.com>
		3	Date: Tue, 22 Sep 2020 13:10:04 -0700
		4	Subject: [PATCH] Fix gp_file allocations to use thread_safe_memory.
		5
		6	The gpmisc.c does allocations for gp_file objects and buffers used by
		7	gp_fprintf, as well as gp_validate_path_len. The helgrind run with
		8	-dBGPrint -dNumRenderingThreads=4 and PCL input showed up the gp_fprintf
		9	problem since the clist rendering would call gp_fprintf using the same
		10	allocator (PCL's chunk allocator which is non_gc_memory). The chunk
		11	allocator is intentionally not thread safe (for performance).
		12
		13	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5]
		14	CVE: CVE-2023-36664 #Dependency Patch1
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	base/gpmisc.c \| 8 ++++----
		18	1 file changed, 4 insertions(+), 4 deletions(-)
		19
		20	diff --git a/base/gpmisc.c b/base/gpmisc.c
		21	index 34cd71f..c4fffae 100644
		22	--- a/base/gpmisc.c
		23	+++ b/base/gpmisc.c
		24	@@ -435,7 +435,7 @@ generic_pwrite(gp_file f, size_t count, gs_offset_t offset, const void buf)
		25
		26	gp_file gp_file_alloc(gs_memory_t mem, const gp_file_ops_t prototype, size_t size, const char cname)
		27	{
		28	- gp_file file = (gp_file )gs_alloc_bytes(mem->non_gc_memory, size, cname ? cname : "gp_file");
		29	+ gp_file file = (gp_file )gs_alloc_bytes(mem->thread_safe_memory, size, cname ? cname : "gp_file");
		30	if (file == NULL)
		31	return NULL;
		32
		33	@@ -449,7 +449,7 @@ gp_file gp_file_alloc(gs_memory_t mem, const gp_file_ops_t *prototype, size_t
		34	memset(((char )file)+sizeof(prototype),
		35	0,
		36	size - sizeof(*prototype));
		37	- file->memory = mem->non_gc_memory;
		38	+ file->memory = mem->thread_safe_memory;
		39
		40	return file;
		41	}
		42	@@ -1047,7 +1047,7 @@ gp_validate_path_len(const gs_memory_t *mem,
		43	prefix_len = 0;
		44	}
		45	rlen = len+1;
		46	- bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path");
		47	+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
		48	if (bufferfull == NULL)
		49	return gs_error_VMerror;
		50
		51	@@ -1093,7 +1093,7 @@ gp_validate_path_len(const gs_memory_t *mem,
		52	break;
		53	}
		54
		55	- gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path");
		56	+ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
		57	#ifdef EACCES
		58	if (code == gs_error_invalidfileaccess)
		59	errno = EACCES;
		60	--
		61	2.25.1
		62


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 37e9ed8e84..0a2f9f5046 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -41,6 +41,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
41	file://CVE-2021-3781_3.patch \	41	file://CVE-2021-3781_3.patch \
42	file://CVE-2023-28879.patch \	42	file://CVE-2023-28879.patch \
43	file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \	43	file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \
		44	file://CVE-2023-36664-pre1.patch \
		45	file://CVE-2023-36664-1.patch \
		46	file://CVE-2023-36664-2.patch \
44	"	47	"
45		48
46	SRC_URI = "${SRC_URI_BASE} \	49	SRC_URI = "${SRC_URI_BASE} \