summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended
diff options
context:
space:
mode:
authorOvidiu Panait <ovidiu.panait@windriver.com>2019-02-21 11:30:57 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-02-25 22:27:38 +0000
commit7756de368de1654f059343c3cd766a43d10b5d9b (patch)
tree82de6a3333fbd6636ad97eff17166de13b61446d /meta/recipes-extended
parent391d8a0fcaf6e90f73511451771a61fdb4547344 (diff)
downloadpoky-7756de368de1654f059343c3cd766a43d10b5d9b.tar.gz
ghostscript: Fix CVE-2019-6116
It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document. Reference: https://www.openwall.com/lists/oss-security/2019/01/23/5 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36f8181db66a91bcc8cea139998b53a8996 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9c66135601efb103d8db7d020a672308db http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f13091a3f309bdc95d275ea9fec10bb9f42d9a http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4deef90c1598ff50616519d5576756b4495 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a6dddb83f5c061207a7ed2813999c1b5c9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092da88ef6bb0aa281fe294ae0925a44b5b9 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a3c4fc169e7c6c1e83874a6bf63a6fb42b (From OE-Core rev: af397d31e467d6af00ef835537221bc211d94ca6) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch177
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0002.patch442
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0003.patch32
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0004.patch136
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0005.patch250
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0006.patch596
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0007.patch346
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.26.bb7
8 files changed, 1986 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch
new file mode 100644
index 0000000000..b2c1ade4be
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0001.patch
@@ -0,0 +1,177 @@
1From c8c77690199b677f70093824382f0881e643e17b Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Wed, 5 Dec 2018 12:22:13 +0000
4Subject: [PATCH 1/7] Sanitize op stack for error conditions
5
6We save the stacks to an array and store the array for the error handler to
7access.
8
9For SAFER, we traverse the array, and deep copy any op arrays (procedures). As
10we make these copies, we check for operators that do *not* exist in systemdict,
11when we find one, we replace the operator with a name object (of the form
12"/--opname--").
13
14CVE: CVE-2019-6116
15Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
16
17Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
18---
19 psi/int.mak | 3 +-
20 psi/interp.c | 8 ++++++
21 psi/istack.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++
22 psi/istack.h | 3 ++
23 4 files changed, 91 insertions(+), 1 deletion(-)
24
25diff --git a/psi/int.mak b/psi/int.mak
26index 6ab5bf0..6b349cb 100644
27--- a/psi/int.mak
28+++ b/psi/int.mak
29@@ -204,7 +204,8 @@ $(PSOBJ)iparam.$(OBJ) : $(PSSRC)iparam.c $(GH)\
30 $(PSOBJ)istack.$(OBJ) : $(PSSRC)istack.c $(GH) $(memory__h)\
31 $(ierrors_h) $(gsstruct_h) $(gsutil_h)\
32 $(ialloc_h) $(istack_h) $(istkparm_h) $(istruct_h) $(iutil_h) $(ivmspace_h)\
33- $(store_h) $(INT_MAK) $(MAKEDIRS)
34+ $(store_h) $(icstate_h) $(iname_h) $(dstack_h) $(idict_h) \
35+ $(INT_MAK) $(MAKEDIRS)
36 $(PSCC) $(PSO_)istack.$(OBJ) $(C_) $(PSSRC)istack.c
37
38 $(PSOBJ)iutil.$(OBJ) : $(PSSRC)iutil.c $(GH) $(math__h) $(memory__h) $(string__h)\
39diff --git a/psi/interp.c b/psi/interp.c
40index 6dc0dda..aa5779c 100644
41--- a/psi/interp.c
42+++ b/psi/interp.c
43@@ -761,6 +761,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
44 uint size = ref_stack_count(pstack) - skip;
45 uint save_space = ialloc_space(idmemory);
46 int code, i;
47+ ref *safety, *safe;
48
49 if (size > 65535)
50 size = 65535;
51@@ -778,6 +779,13 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
52 make_null(&arr->value.refs[i]);
53 }
54 }
55+ if (pstack == &o_stack && dict_find_string(systemdict, "SAFETY", &safety) > 0 &&
56+ dict_find_string(safety, "safe", &safe) > 0 && r_has_type(safe, t_boolean) &&
57+ safe->value.boolval == true) {
58+ code = ref_stack_array_sanitize(i_ctx_p, arr, arr);
59+ if (code < 0)
60+ return code;
61+ }
62 ialloc_set_space(idmemory, save_space);
63 return code;
64 }
65diff --git a/psi/istack.c b/psi/istack.c
66index 8fe151f..f1a3e51 100644
67--- a/psi/istack.c
68+++ b/psi/istack.c
69@@ -27,6 +27,10 @@
70 #include "iutil.h"
71 #include "ivmspace.h" /* for local/global test */
72 #include "store.h"
73+#include "icstate.h"
74+#include "iname.h"
75+#include "dstack.h"
76+#include "idict.h"
77
78 /* Forward references */
79 static void init_block(ref_stack_t *pstack, const ref *pblock_array,
80@@ -294,6 +298,80 @@ ref_stack_store_check(const ref_stack_t *pstack, ref *parray, uint count,
81 return 0;
82 }
83
84+int
85+ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr)
86+{
87+ int i, code;
88+ ref obj, arr2;
89+ ref *pobj2;
90+ gs_memory_t *mem = (gs_memory_t *)idmemory->current;
91+
92+ if (!r_is_array(sarr) || !r_has_type(darr, t_array))
93+ return_error(gs_error_typecheck);
94+
95+ for (i = 0; i < r_size(sarr); i++) {
96+ code = array_get(mem, sarr, i, &obj);
97+ if (code < 0)
98+ make_null(&obj);
99+ switch(r_type(&obj)) {
100+ case t_operator:
101+ {
102+ int index = op_index(&obj);
103+
104+ if (index > 0 && index < op_def_count) {
105+ const byte *data = (const byte *)(op_index_def(index)->oname + 1);
106+ if (dict_find_string(systemdict, (const char *)data, &pobj2) <= 0) {
107+ byte *s = gs_alloc_bytes(mem, strlen((char *)data) + 5, "ref_stack_array_sanitize");
108+ if (s) {
109+ s[0] = '\0';
110+ strcpy((char *)s, "--");
111+ strcpy((char *)s + 2, (char *)data);
112+ strcpy((char *)s + strlen((char *)data) + 2, "--");
113+ }
114+ else {
115+ s = (byte *)data;
116+ }
117+ code = name_ref(imemory, s, strlen((char *)s), &obj, 1);
118+ if (code < 0) make_null(&obj);
119+ if (s != data)
120+ gs_free_object(mem, s, "ref_stack_array_sanitize");
121+ }
122+ }
123+ else {
124+ make_null(&obj);
125+ }
126+ ref_assign(darr->value.refs + i, &obj);
127+ break;
128+ }
129+ case t_array:
130+ case t_shortarray:
131+ case t_mixedarray:
132+ {
133+ int attrs = r_type_attrs(&obj) & (a_write | a_read | a_execute | a_executable);
134+ /* We only want to copy executable arrays */
135+ if (attrs & (a_execute | a_executable)) {
136+ code = ialloc_ref_array(&arr2, attrs, r_size(&obj), "ref_stack_array_sanitize");
137+ if (code < 0) {
138+ make_null(&arr2);
139+ }
140+ else {
141+ code = ref_stack_array_sanitize(i_ctx_p, &obj, &arr2);
142+ }
143+ ref_assign(darr->value.refs + i, &arr2);
144+ }
145+ else {
146+ ref_assign(darr->value.refs + i, &obj);
147+ }
148+ break;
149+ }
150+ default:
151+ ref_assign(darr->value.refs + i, &obj);
152+ }
153+ }
154+ return 0;
155+}
156+
157+
158 /*
159 * Store the top 'count' elements of a stack, starting 'skip' elements below
160 * the top, into an array, with or without store/undo checking. age=-1 for
161diff --git a/psi/istack.h b/psi/istack.h
162index 051dcbe..54be405 100644
163--- a/psi/istack.h
164+++ b/psi/istack.h
165@@ -129,6 +129,9 @@ int ref_stack_store(const ref_stack_t *pstack, ref *parray, uint count,
166 uint skip, int age, bool check,
167 gs_dual_memory_t *idmem, client_name_t cname);
168
169+int
170+ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr);
171+
172 /*
173 * Pop the top N elements off a stack.
174 * The number must not exceed the number of elements in use.
175--
1762.18.1
177
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0002.patch
new file mode 100644
index 0000000000..97c74e7e31
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0002.patch
@@ -0,0 +1,442 @@
1From 20001d2bdf3cc60e76241a6ae72b1df01c5424c5 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Thu, 13 Dec 2018 15:28:34 +0000
4Subject: [PATCH 2/7] Any transient procedures that call .force* operators
5
6(i.e. for conditionals or loops) make them executeonly.
7
8CVE: CVE-2019-6116
9Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
10
11Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
12---
13 Resource/Init/gs_diskn.ps | 2 +-
14 Resource/Init/gs_dps1.ps | 4 ++--
15 Resource/Init/gs_fntem.ps | 4 ++--
16 Resource/Init/gs_fonts.ps | 12 ++++++------
17 Resource/Init/gs_init.ps | 4 ++--
18 Resource/Init/gs_lev2.ps | 11 ++++++-----
19 Resource/Init/gs_pdfwr.ps | 2 +-
20 Resource/Init/gs_res.ps | 4 ++--
21 Resource/Init/gs_setpd.ps | 2 +-
22 Resource/Init/pdf_base.ps | 13 ++++++++-----
23 Resource/Init/pdf_draw.ps | 16 +++++++++-------
24 Resource/Init/pdf_font.ps | 6 +++---
25 Resource/Init/pdf_main.ps | 4 ++--
26 Resource/Init/pdf_ops.ps | 7 ++++---
27 14 files changed, 49 insertions(+), 42 deletions(-)
28
29diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps
30index fd694bc..8bf2054 100644
31--- a/Resource/Init/gs_diskn.ps
32+++ b/Resource/Init/gs_diskn.ps
33@@ -51,7 +51,7 @@ systemdict begin
34 mark 5 1 roll ] mark exch { { } forall } forall ]
35 //systemdict /.searchabledevs 2 index .forceput
36 exch .setglobal
37- }
38+ } executeonly
39 if
40 } .bind executeonly odef % must be bound and hidden for .forceput
41
42diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
43index ec5db61..4fae283 100644
44--- a/Resource/Init/gs_dps1.ps
45+++ b/Resource/Init/gs_dps1.ps
46@@ -78,7 +78,7 @@ level2dict begin
47 .currentglobal
48 { % Current mode is global; delete from local directory too.
49 //systemdict /LocalFontDirectory .knownget
50- { 1 index .forceundef } % LocalFontDirectory is readonly
51+ { 1 index .forceundef } executeonly % LocalFontDirectory is readonly
52 if
53 }
54 { % Current mode is local; if there was a shadowed global
55@@ -126,7 +126,7 @@ level2dict begin
56 }
57 ifelse
58 } forall
59- pop counttomark 2 idiv { .forceundef } repeat pop % readonly
60+ pop counttomark 2 idiv { .forceundef } executeonly repeat pop % readonly
61 }
62 if
63 //SharedFontDirectory exch .forcecopynew pop
64diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps
65index c1f7651..6eb672a 100644
66--- a/Resource/Init/gs_fntem.ps
67+++ b/Resource/Init/gs_fntem.ps
68@@ -401,12 +401,12 @@ currentdict end def
69 .forceput % FontInfo can be read-only.
70 pop % bool <font>
71 exit
72- } if
73+ } executeonly if
74 dup /FontInfo get % bool <font> <FI>
75 /GlyphNames2Unicode /Unicode /Decoding findresource
76 .forceput % FontInfo can be read-only.
77 exit
78- } loop
79+ } executeonly loop
80 exch setglobal
81 } .bind executeonly odef % must be bound and hidden for .forceput
82
83diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
84index 803faca..290da0c 100644
85--- a/Resource/Init/gs_fonts.ps
86+++ b/Resource/Init/gs_fonts.ps
87@@ -374,7 +374,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
88 /.setnativefontmapbuilt { % set whether we've been run
89 dup type /booleantype eq {
90 systemdict exch /.nativefontmapbuilt exch .forceput
91- }
92+ } executeonly
93 {pop}
94 ifelse
95 } .bind executeonly odef
96@@ -1007,11 +1007,11 @@ $error /SubstituteFont { } put
97 { 2 index gcheck currentglobal
98 2 copy eq {
99 pop pop .forceput
100- } {
101+ } executeonly {
102 5 1 roll setglobal
103 dup length string copy
104 .forceput setglobal
105- } ifelse
106+ } executeonly ifelse
107 } .bind executeonly odef % must be bound and hidden for .forceput
108
109 % Attempt to load a font from a file.
110@@ -1084,7 +1084,7 @@ $error /SubstituteFont { } put
111 .FontDirectory 3 index .forceundef % readonly
112 1 index (r) file .loadfont .FontDirectory exch
113 /.setglobal .systemvar exec
114- }
115+ } executeonly
116 { .loadfont .FontDirectory
117 }
118 ifelse
119@@ -1105,7 +1105,7 @@ $error /SubstituteFont { } put
120 dup 3 index .fontknownget
121 { dup /PathLoad 4 index .putgstringcopy
122 4 1 roll pop pop pop //true exit
123- } if
124+ } executeonly if
125
126 % Maybe the file had a different FontName.
127 % See if we can get a FontName from the file, and if so,
128@@ -1134,7 +1134,7 @@ $error /SubstituteFont { } put
129 ifelse % Stack: origfontname fontdict
130 exch pop //true exit
131 % Stack: fontdict
132- }
133+ } executeonly
134 if pop % Stack: origfontname fontdirectory path
135 }
136 if pop pop % Stack: origfontname
137diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
138index d733124..56c0bd2 100644
139--- a/Resource/Init/gs_init.ps
140+++ b/Resource/Init/gs_init.ps
141@@ -2357,7 +2357,7 @@ SAFER { .setsafeglobal } if
142 % Update the copy of the user parameters.
143 mark .currentuserparams counttomark 2 idiv {
144 userparams 3 1 roll .forceput % userparams is read-only
145- } repeat pop
146+ } executeonly repeat pop
147 % Turn on idiom recognition, if available.
148 currentuserparams /IdiomRecognition known {
149 /IdiomRecognition //true .definepsuserparam
150@@ -2376,7 +2376,7 @@ SAFER { .setsafeglobal } if
151 % Remove real system params from pssystemparams.
152 mark .currentsystemparams counttomark 2 idiv {
153 pop pssystemparams exch .forceundef
154- } repeat pop
155+ } executeonly repeat pop
156 } if
157
158 % Set up AlignToPixels :
159diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
160index 44fe619..0f0d573 100644
161--- a/Resource/Init/gs_lev2.ps
162+++ b/Resource/Init/gs_lev2.ps
163@@ -154,7 +154,8 @@ end
164 % protect top level of parameters that we copied
165 dup type dup /arraytype eq exch /stringtype eq or { readonly } if
166 /userparams .systemvar 3 1 roll .forceput % userparams is read-only
167- } {
168+ } executeonly
169+ {
170 pop pop
171 } ifelse
172 } forall
173@@ -224,7 +225,7 @@ end
174 % protect top level parameters that we copied
175 dup type dup /arraytype eq exch /stringtype eq or { readonly } if
176 //pssystemparams 3 1 roll .forceput % pssystemparams is read-only
177- }
178+ } executeonly
179 { pop pop
180 }
181 ifelse
182@@ -934,7 +935,7 @@ mark
183 dup /PaintProc get
184 1 index /Implementation known not {
185 1 index dup /Implementation //null .forceput readonly pop
186- } if
187+ } executeonly if
188 exec
189 }.bind odef
190
191@@ -958,7 +959,7 @@ mark
192 dup /PaintProc get
193 1 index /Implementation known not {
194 1 index dup /Implementation //null .forceput readonly pop
195- } if
196+ } executeonly if
197 /UNROLLFORMS where {/UNROLLFORMS get}{false}ifelse not
198 %% [CTM] <<Form>> PaintProc .beginform -
199 {
200@@ -1005,7 +1006,7 @@ mark
201 %% Form dictioanry using the /Implementation key).
202 1 dict dup /FormID 4 -1 roll put
203 1 index exch /Implementation exch .forceput readonly pop
204- }
205+ } executeonly
206 ifelse
207 }
208 {
209diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
210index 58e75d3..b425103 100644
211--- a/Resource/Init/gs_pdfwr.ps
212+++ b/Resource/Init/gs_pdfwr.ps
213@@ -650,7 +650,7 @@ currentdict /.pdfmarkparams .undef
214 } ifelse
215 } bind .makeoperator .forceput
216 systemdict /.pdf_hooked_DSC_Creator //true .forceput
217- } if
218+ } executeonly if
219 pop
220 } if
221 } {
222diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
223index 8eb8bb0..d9b3459 100644
224--- a/Resource/Init/gs_res.ps
225+++ b/Resource/Init/gs_res.ps
226@@ -152,7 +152,7 @@ setglobal
227 % use .forceput / .forcedef later to replace the dummy,
228 % empty .Instances dictionary with the real one later.
229 readonly
230- } {
231+ }{
232 /defineresource cvx /typecheck signaloperror
233 } ifelse
234 } bind executeonly odef
235@@ -424,7 +424,7 @@ status {
236 % As noted above, Category dictionaries are read-only,
237 % so we have to use .forcedef here.
238 /.Instances 1 index .forcedef % Category dict is read-only
239- } if
240+ } executeonly if
241 }
242 { .LocalInstances dup //.emptydict eq
243 { pop 3 dict localinstancedict Category 2 index put
244diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps
245index e22597e..7875d1f 100644
246--- a/Resource/Init/gs_setpd.ps
247+++ b/Resource/Init/gs_setpd.ps
248@@ -634,7 +634,7 @@ NOMEDIAATTRS {
249 SETPDDEBUG { (Rolling back.) = pstack flush } if
250 3 index 2 index 3 -1 roll .forceput
251 4 index 1 index .knownget
252- { 4 index 3 1 roll .forceput }
253+ { 4 index 3 1 roll .forceput } executeonly
254 { 3 index exch .undef }
255 ifelse
256 } bind executeonly odef
257diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
258index b45e980..7312729 100644
259--- a/Resource/Init/pdf_base.ps
260+++ b/Resource/Init/pdf_base.ps
261@@ -130,26 +130,29 @@ currentdict /num-chars-dict .undef
262
263 /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
264 PDFDEBUG {
265- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } if
266+ pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
267 PDFSTEP {
268 pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
269 PDFSTEPcount 1 gt {
270 pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
271- } {
272+ } executeonly
273+ {
274 dup ==only
275 ( step # ) print PDFtokencount =only
276 ( ? ) print flush 1 //false .outputpage
277 (%stdin) (r) file 255 string readline {
278 token {
279 exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
280- } {
281+ } executeonly
282+ {
283 pdfdict /PDFSTEPcount 1 .forceput
284- } ifelse % token
285+ } executeonly ifelse % token
286 } {
287 pop /PDFSTEP //false def % EOF on stdin
288 } ifelse % readline
289 } ifelse % PDFSTEPcount > 1
290- } {
291+ } executeonly
292+ {
293 dup ==only () = flush
294 } ifelse % PDFSTEP
295 } if % PDFDEBUG
296diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
297index 6b0ba93..40c6ac8 100644
298--- a/Resource/Init/pdf_draw.ps
299+++ b/Resource/Init/pdf_draw.ps
300@@ -1118,14 +1118,14 @@ currentdict end readonly def
301 pdfdict /.Qqwarning_issued //true .forceput
302 .setglobal
303 pdfformaterror
304- } ifelse
305+ } executeonly ifelse
306 }
307 {
308 currentglobal pdfdict gcheck .setglobal
309 pdfdict /.Qqwarning_issued //true .forceput
310 .setglobal
311 pdfformaterror
312- } ifelse
313+ } executeonly ifelse
314 end
315 } ifelse
316 } loop
317@@ -1141,14 +1141,14 @@ currentdict end readonly def
318 pdfdict /.Qqwarning_issued //true .forceput
319 .setglobal
320 pdfformaterror
321- } ifelse
322+ } executeonly ifelse
323 }
324 {
325 currentglobal pdfdict gcheck .setglobal
326 pdfdict /.Qqwarning_issued //true .forceput
327 .setglobal
328 pdfformaterror
329- } ifelse
330+ } executeonly ifelse
331 } if
332 pop
333
334@@ -2350,9 +2350,10 @@ currentdict /last-ditch-bpc-csp undef
335 /IncrementAppearanceNumber {
336 pdfdict /AppearanceNumber .knownget {
337 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
338- }{
339+ } executeonly
340+ {
341 pdfdict /AppearanceNumber 0 .forceput
342- } ifelse
343+ } executeonly ifelse
344 }bind executeonly odef
345
346 /MakeAppearanceName {
347@@ -2510,7 +2511,8 @@ currentdict /last-ditch-bpc-csp undef
348 %% want to preserve it.
349 pdfdict /.PreservePDFForm false .forceput
350 /q cvx /execform cvx 5 -2 roll
351- }{
352+ } executeonly
353+ {
354 /q cvx /PDFexecform cvx 5 -2 roll
355 } ifelse
356
357diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
358index bea9ea9..4cd62b9 100644
359--- a/Resource/Init/pdf_font.ps
360+++ b/Resource/Init/pdf_font.ps
361@@ -714,7 +714,7 @@ currentdict end readonly def
362 pop pop pop
363 currentdict /.stackdepth .forceundef
364 currentdict /.dstackdepth .forceundef
365- }
366+ } executeonly
367 {pop pop pop}
368 ifelse
369
370@@ -1232,7 +1232,7 @@ currentdict /eexec_pdf_param_dict .undef
371 (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
372 pdfformatwarning
373 pdfdict /.Qqwarning_issued //true .forceput
374- } if
375+ } executeonly if
376 Q
377 } repeat
378 Q
379@@ -2016,7 +2016,7 @@ currentdict /CMap_read_dict undef
380 /CIDFallBack /CIDFont findresource
381 } if
382 exit
383- } if
384+ } executeonly if
385 } if
386 } if
387
388diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
389index 00da47a..37e69b3 100644
390--- a/Resource/Init/pdf_main.ps
391+++ b/Resource/Init/pdf_main.ps
392@@ -2701,14 +2701,14 @@ currentdict /PDF2PS_matrix_key undef
393 pdfdict /.Qqwarning_issued //true .forceput
394 .setglobal
395 pdfformaterror
396- } ifelse
397+ } executeonly ifelse
398 }
399 {
400 currentglobal pdfdict gcheck .setglobal
401 pdfdict /.Qqwarning_issued //true .forceput
402 .setglobal
403 pdfformaterror
404- } ifelse
405+ } executeonly ifelse
406 } if
407 } if
408 pop
409diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
410index 8672d61..aa09641 100644
411--- a/Resource/Init/pdf_ops.ps
412+++ b/Resource/Init/pdf_ops.ps
413@@ -184,14 +184,14 @@ currentdict /gput_always_allow .undef
414 pdfdict /.Qqwarning_issued //true .forceput
415 .setglobal
416 pdfformaterror
417- } ifelse
418+ } executeonly ifelse
419 }
420 {
421 currentglobal pdfdict gcheck .setglobal
422 pdfdict /.Qqwarning_issued //true .forceput
423 .setglobal
424 pdfformaterror
425- } ifelse
426+ } executeonly ifelse
427 } if
428 } bind executeonly odef
429
430@@ -439,7 +439,8 @@ currentdict /gput_always_allow .undef
431 dup type /booleantype eq {
432 .currentSMask type /dicttype eq {
433 .currentSMask /Processed 2 index .forceput
434- } {
435+ } executeonly
436+ {
437 .setSMask
438 }ifelse
439 }{
440--
4412.18.1
442
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0003.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0003.patch
new file mode 100644
index 0000000000..02b1dc962f
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0003.patch
@@ -0,0 +1,32 @@
1From 60b77b8bf8b6e4d30519c47724631012b530cf0e Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Sat, 15 Dec 2018 09:08:32 +0000
4Subject: [PATCH 3/7] Bug700317: Fix logic for an older change
5
6Unlike almost every other function in gs, dict_find_string() returns 1 on
7success 0 or <0 on failure. The logic for this case was wrong.
8
9CVE: CVE-2019-6116
10Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
11
12Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
13---
14 psi/interp.c | 2 +-
15 1 file changed, 1 insertion(+), 1 deletion(-)
16
17diff --git a/psi/interp.c b/psi/interp.c
18index aa5779c..f6c45bb 100644
19--- a/psi/interp.c
20+++ b/psi/interp.c
21@@ -703,7 +703,7 @@ again:
22 * i.e. it's an internal operator we have hidden
23 */
24 code = dict_find_string(systemdict, (const char *)bufptr, &tobj);
25- if (code < 0) {
26+ if (code <= 0) {
27 buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
28 rlen += 4;
29 bufptr = buf;
30--
312.18.1
32
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0004.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0004.patch
new file mode 100644
index 0000000000..cc15453f00
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0004.patch
@@ -0,0 +1,136 @@
1From d739565534e955c4336731e4ea4eebc895c09c5c Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Tue, 18 Dec 2018 10:42:10 +0000
4Subject: [PATCH 4/7] Harden some uses of .force* operators
5
6by adding a few immediate evalutions
7
8CVE: CVE-2019-6116
9Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
10
11Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
12---
13 Resource/Init/gs_dps1.ps | 4 ++--
14 Resource/Init/gs_fonts.ps | 20 ++++++++++----------
15 Resource/Init/gs_init.ps | 6 +++---
16 3 files changed, 15 insertions(+), 15 deletions(-)
17
18diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
19index 4fae283..b75ea14 100644
20--- a/Resource/Init/gs_dps1.ps
21+++ b/Resource/Init/gs_dps1.ps
22@@ -74,7 +74,7 @@ level2dict begin
23 } odef
24 % undefinefont has to take local/global VM into account.
25 /undefinefont % <fontname> undefinefont -
26- { .FontDirectory 1 .argindex .forceundef % FontDirectory is readonly
27+ { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly
28 .currentglobal
29 { % Current mode is global; delete from local directory too.
30 //systemdict /LocalFontDirectory .knownget
31@@ -85,7 +85,7 @@ level2dict begin
32 % definition, copy it into the local directory.
33 //systemdict /SharedFontDirectory .knownget
34 { 1 index .knownget
35- { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
36+ { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
37 if
38 }
39 if
40diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
41index 290da0c..c13a2fc 100644
42--- a/Resource/Init/gs_fonts.ps
43+++ b/Resource/Init/gs_fonts.ps
44@@ -516,7 +516,7 @@ buildfontdict 3 /.buildfont3 cvx put
45 if
46 }
47 if
48- dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
49+ dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
50 % If the font originated as a resource, register it.
51 currentfile .currentresourcefile eq { dup .registerfont } if
52 readonly
53@@ -943,7 +943,7 @@ $error /SubstituteFont { } put
54 % Try to find a font using only the present contents of Fontmap.
55 /.tryfindfont { % <fontname> .tryfindfont <font> true
56 % <fontname> .tryfindfont false
57- .FontDirectory 1 index .fontknownget
58+ //.FontDirectory 1 index .fontknownget
59 { % Already loaded
60 exch pop //true
61 }
62@@ -975,7 +975,7 @@ $error /SubstituteFont { } put
63 { % Font with a procedural definition
64 exec % The procedure will load the font.
65 % Check to make sure this really happened.
66- .FontDirectory 1 index .knownget
67+ //.FontDirectory 1 index .knownget
68 { exch pop //true exit }
69 if
70 }
71@@ -1081,11 +1081,11 @@ $error /SubstituteFont { } put
72 % because it's different depending on language level.
73 .currentglobal exch /.setglobal .systemvar exec
74 % Remove the fake definition, if any.
75- .FontDirectory 3 index .forceundef % readonly
76- 1 index (r) file .loadfont .FontDirectory exch
77+ //.FontDirectory 3 index .forceundef % readonly
78+ 1 index (r) file .loadfont //.FontDirectory exch
79 /.setglobal .systemvar exec
80 } executeonly
81- { .loadfont .FontDirectory
82+ { .loadfont //.FontDirectory
83 }
84 ifelse
85 % Stack: fontname fontfilename fontdirectory
86@@ -1119,8 +1119,8 @@ $error /SubstituteFont { } put
87 % Stack: origfontname fontdirectory filefontname fontdict
88 3 -1 roll pop
89 % Stack: origfontname filefontname fontdict
90- dup /FontName get dup FontDirectory exch .forceundef
91- GlobalFontDirectory exch .forceundef
92+ dup /FontName get dup //.FontDirectory exch .forceundef
93+ /GlobalFontDirectory .systemvar exch .forceundef
94 dup length dict .copydict dup 3 index /FontName exch put
95 2 index exch definefont
96 exch
97@@ -1176,10 +1176,10 @@ currentdict /.putgstringcopy .undef
98 {
99 {
100 pop dup type /stringtype eq { cvn } if
101- .FontDirectory 1 index known not {
102+ //.FontDirectory 1 index known not {
103 2 dict dup /FontName 3 index put
104 dup /FontType 1 put
105- .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
106+ //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
107 } {
108 pop
109 } ifelse
110diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
111index 56c0bd2..d9a0829 100644
112--- a/Resource/Init/gs_init.ps
113+++ b/Resource/Init/gs_init.ps
114@@ -1168,8 +1168,8 @@ errordict /unknownerror .undef
115 }ifelse
116 }forall
117 noaccess pop
118- systemdict /.setsafeerrors .forceundef
119- systemdict /.SAFERERRORLIST .forceundef
120+ //systemdict /.setsafeerrors .forceundef
121+ //systemdict /.SAFERERRORLIST .forceundef
122 } bind executeonly odef
123
124 SAFERERRORS {.setsafererrors} if
125@@ -2114,7 +2114,7 @@ currentdict /tempfilepaths undef
126
127 /.locksafe {
128 .locksafe_userparams
129- systemdict /getenv {pop //false} .forceput
130+ //systemdict /getenv {pop //false} .forceput
131 % setpagedevice has the side effect of clearing the page, but
132 % we will just document that. Using setpagedevice keeps the device
133 % properties and pagedevice .LockSafetyParams in agreement even
134--
1352.18.1
136
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0005.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0005.patch
new file mode 100644
index 0000000000..db70bba215
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0005.patch
@@ -0,0 +1,250 @@
1From 1e830cafa56c6e3e1b08d246eaf5496fe81a0032 Mon Sep 17 00:00:00 2001
2From: Nancy Durgin <nancy.durgin@artifex.com>
3Date: Tue, 27 Nov 2018 12:36:14 -0800
4Subject: [PATCH 5/7] Undef a bunch of internal things in gs_res.ps
5
6CVE: CVE-2019-6116
7Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
8
9Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
10---
11 Resource/Init/gs_res.ps | 72 +++++++++++++++++++++++++--------------
12 Resource/Init/gs_resmp.ps | 4 +--
13 2 files changed, 49 insertions(+), 27 deletions(-)
14
15diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
16index d9b3459..18d5452 100644
17--- a/Resource/Init/gs_res.ps
18+++ b/Resource/Init/gs_res.ps
19@@ -197,7 +197,7 @@ setglobal
20 /.findresource { % <key> <category> findresource <instance>
21 2 copy dup /Category eq
22 { pop //Category 0 get begin } { .findcategory } ifelse
23- /FindResource .resourceexec exch pop exch pop
24+ /FindResource //.resourceexec exec exch pop exch pop
25 } bind
26 end % .Instances of Category
27 def
28@@ -223,7 +223,7 @@ def
29 not { /defineresource cvx /typecheck signaloperror } if
30 } if
31 } if
32- /DefineResource .resourceexec
33+ /DefineResource //.resourceexec exec
34 4 1 roll pop pop pop
35 } .errorexec
36 } bind executeonly odef
37@@ -252,7 +252,7 @@ def
38 % without the check.
39 /resourcestatus cvx /typecheck signalerror
40 } if
41- 2 copy .findcategory /ResourceStatus .resourceexec
42+ 2 copy .findcategory /ResourceStatus //.resourceexec exec
43 { 4 2 roll pop pop //true } { pop pop //false } ifelse
44 } stopped {
45 % Although resourcestatus is an operator, Adobe uses executable name
46@@ -266,7 +266,7 @@ def
47 } if
48 1 .argindex 1 index % catch stackunderflow
49
50- { .findcategory /UndefineResource .resourceexec pop pop
51+ { .findcategory /UndefineResource //.resourceexec exec pop pop
52 } stopped {
53 % Although undefineresource is an operator, Adobe uses executable name
54 % here but uses operator for the errors above. CET 23-33
55@@ -315,10 +315,10 @@ currentdict /pssystemparams known not {
56 /pssystemparams 10 dict readonly def
57 } if
58 pssystemparams begin
59- .default_resource_dir
60- /FontResourceDir (Font) .resource_dir_name
61+ //.default_resource_dir exec
62+ /FontResourceDir (Font) //.resource_dir_name exec
63 readonly .forcedef % pssys'params is r-o
64- /GenericResourceDir () .resource_dir_name
65+ /GenericResourceDir () //.resource_dir_name exec
66 readonly .forcedef % pssys'params is r-o
67 pop % .default_resource_dir
68 /GenericResourcePathSep
69@@ -387,13 +387,13 @@ status {
70 } bind def
71 /.localresourceforall { % <key> <value> <args> .localr'forall -
72 exch pop
73- 2 copy 0 get .stringmatch { .enumerateresource } { pop pop } ifelse
74+ 2 copy 0 get .stringmatch { //.enumerateresource exec } { pop pop } ifelse
75 } bind def
76 /.globalresourceforall { % <key> <value> <args> .globalr'forall -
77 exch pop
78 2 copy 0 get .stringmatch {
79 dup 3 get begin .LocalInstances end 2 index known not {
80- .enumerateresource
81+ //.enumerateresource exec
82 } {
83 pop pop
84 } ifelse
85@@ -408,7 +408,7 @@ status {
86 3 index known {
87 pop pop pop
88 } {
89- 2 index known { pop pop } { .enumerateresource } ifelse
90+ 2 index known { pop pop } { //.enumerateresource exec } ifelse
91 } ifelse
92 } bind def
93
94@@ -468,19 +468,19 @@ status {
95 % .knownget doesn't fail on null
96 /findresource cvx /typecheck signaloperror
97 } if
98- dup .getvminstance {
99+ dup //.getvminstance exec {
100 exch pop 0 get
101 } {
102 dup ResourceStatus {
103 pop 1 gt {
104- .DoLoadResource .getvminstance not {
105- /findresource cvx .undefinedresource
106+ .DoLoadResource //.getvminstance exec not {
107+ /findresource cvx //.undefinedresource exec
108 } if 0 get
109 } {
110 .GetInstance pop 0 get
111 } ifelse
112 } {
113- /findresource cvx .undefinedresource
114+ /findresource cvx //.undefinedresource exec
115 } ifelse
116 } ifelse
117 } bind executeonly
118@@ -621,7 +621,7 @@ status {
119 .currentglobal not .setglobal
120 vmstatus pop exch pop add
121 } repeat
122-} bind def
123+} bind executeonly odef
124 /.DoLoadResource {
125 % .LoadResource may push entries on the operand stack.
126 % It is an undocumented feature of Adobe implementations,
127@@ -633,8 +633,8 @@ status {
128 {.LoadResource} 4 1 roll 4 .execn
129 % Stack: ... count key memused
130 .vmused exch sub
131- 1 index .getvminstance not {
132- pop dup .undefinedresource % didn't load
133+ 1 index //.getvminstance exec not {
134+ pop dup //.undefinedresource exec % didn't load
135 } if
136 dup 1 1 put
137 2 3 -1 roll put
138@@ -648,7 +648,7 @@ status {
139 { //true setglobal { .runresource } stopped //false setglobal { stop } if }
140 ifelse
141 }
142- { dup .undefinedresource
143+ { dup //.undefinedresource exec
144 }
145 ifelse
146 } bind
147@@ -758,7 +758,7 @@ counttomark 2 idiv
148 /FindResource
149 { .Instances 1 index .knownget
150 { exch pop }
151- { /findresource cvx .undefinedresource }
152+ { /findresource cvx //.undefinedresource exec }
153 ifelse
154 } bind executeonly
155 /ResourceStatus
156@@ -862,7 +862,7 @@ userdict /.localcsdefaults //false put
157 2 copy /Generic /Category findresource /DefineResource get exec
158 exch pop
159 exch //.defaultcsnames exch .knownget {
160- 1 index .definedefaultcs
161+ 1 index //.definedefaultcs exec
162 currentglobal not { .userdict /.localcsdefaults //true put } if
163 } if
164 } bind executeonly
165@@ -872,13 +872,13 @@ userdict /.localcsdefaults //false put
166 //.defaultcsnames 1 index .knownget {
167 % Stack: resname index
168 currentglobal {
169- .undefinedefaultcs pop
170+ //.undefinedefaultcs exec pop
171 } {
172 % We removed the local definition, but there might be a global one.
173 exch .GetInstance {
174- 0 get .definedefaultcs
175+ 0 get //.definedefaultcs exec
176 } {
177- .undefinedefaultcs
178+ //.undefinedefaultcs exec
179 } ifelse
180 % Recompute .localcsdefaults by scanning. This is rarely needed.
181 .userdict /.localcsdefaults //false //.defaultcsnames {
182@@ -997,7 +997,7 @@ currentdict /.fontstatusaux .undef
183 /Generic /Category findresource /UndefineResource get exec
184 } bind executeonly
185 /FindResource {
186- dup .getvminstance {
187+ dup //.getvminstance exec {
188 exch pop 0 get
189 } {
190 dup ResourceStatus {
191@@ -1024,7 +1024,7 @@ currentdict /.fontstatusaux .undef
192 % stack: name font vmused
193 % findfont has the prerogative of not calling definefont
194 % in certain obscure cases of font substitution.
195- 2 index .getvminstance {
196+ 2 index //.getvminstance exec {
197 dup 1 1 put
198 2 3 -1 roll put
199 } {
200@@ -1159,3 +1159,25 @@ end % level2dict
201
202 %% Replace 1 (gs_resmp.ps)
203 (gs_resmp.ps) dup runlibfile VMDEBUG
204+
205+[
206+ /.default_resource_dir
207+ /.resource_dir_name
208+]
209+{systemdict exch .forceundef} forall
210+
211+[
212+ /.definedefaultcs
213+ /.undefinedefaultcs
214+ /.defaultcsnames
215+ /.enumerateresource
216+ /.externalresourceforall
217+ /.getvminstance
218+ /.globalresourceforall
219+ /.localresourceforall
220+ /resourceforall1
221+ /.resourceexec
222+ /.undefinedresource
223+ /.vmused
224+]
225+{level2dict exch .forceundef} forall
226diff --git a/Resource/Init/gs_resmp.ps b/Resource/Init/gs_resmp.ps
227index 9bb4263..cb948d1 100644
228--- a/Resource/Init/gs_resmp.ps
229+++ b/Resource/Init/gs_resmp.ps
230@@ -230,7 +230,7 @@ currentpacking //false setpacking
231 } {
232 dup dup .map exch .knownget { % /Name /Name <<record>>
233 dup dup /RecordVirtualMethods get /IsActive get exec {
234- 1 index .getvminstance { % /Name /Name <<record>> holder
235+ 1 index //.getvminstance exec { % /Name /Name <<record>> holder
236 1 get 1 eq
237 } {
238 //true
239@@ -242,7 +242,7 @@ currentpacking //false setpacking
240 DefineResource exec % size bStatusIs1 /Name Instance
241 % Make ResourceStatus to return correct values for this instance :
242 % Hack: we replace status values in the instance holder :
243- exch .getvminstance pop % size bStatusIs1 Instance holder
244+ exch //.getvminstance exec pop % size bStatusIs1 Instance holder
245 dup 5 -1 roll 2 exch put % bStatusIs1 Instance holder
246 3 2 roll { % Instance holder
247 1 1 put % Instance
248--
2492.18.1
250
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0006.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0006.patch
new file mode 100644
index 0000000000..79e640b18f
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0006.patch
@@ -0,0 +1,596 @@
1From 97f9052ce49e6844b06a49ff9e4b8fc1eaf6bd10 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Wed, 9 Jan 2019 14:24:07 +0000
4Subject: [PATCH 6/7] Undefine a bunch of gs_fonts.ps specific procs
5
6Also reorder and add some immediate evaluation, so it still works with the
7undefining.
8
9CVE: CVE-2019-6116
10Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
11
12Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
13---
14 Resource/Init/gs_dps1.ps | 3 +-
15 Resource/Init/gs_fonts.ps | 275 +++++++++++++++++++++-----------------
16 Resource/Init/gs_res.ps | 7 +-
17 3 files changed, 157 insertions(+), 128 deletions(-)
18
19diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
20index b75ea14..8700c8c 100644
21--- a/Resource/Init/gs_dps1.ps
22+++ b/Resource/Init/gs_dps1.ps
23@@ -67,7 +67,8 @@ level2dict begin
24
25 /selectfont % <fontname> <size> selectfont -
26 {
27- { 1 .argindex findfont
28+ {
29+ 1 .argindex findfont
30 1 index dup type /arraytype eq { makefont } { scalefont } ifelse
31 setfont pop pop
32 } stopped { /selectfont .systemvar $error /errorname get signalerror } if
33diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
34index c13a2fc..0562235 100644
35--- a/Resource/Init/gs_fonts.ps
36+++ b/Resource/Init/gs_fonts.ps
37@@ -100,7 +100,7 @@ userdict /.nativeFontmap .FontDirectory maxlength dict put
38 { 2 index token not
39 { (Fontmap entry for ) print 1 index =only
40 ( ends prematurely! Giving up.) = flush
41- {.loadFontmap} 0 get 1 .quit
42+ {//.loadFontmap exec} 0 get 1 .quit
43 } if
44 dup /; eq { pop 3 index 3 1 roll .growput exit } if
45 pop
46@@ -202,6 +202,14 @@ NOFONTPATH { /FONTPATH () def } if
47 { pop }
48 { /FONTPATH (GS_FONTPATH) getenv not { () } if def }
49 ifelse
50+
51+% The following are dummy definitions that, if we have a FONTPATH, will
52+% be replaced in the following section.
53+% They are here so immediately evaulation will work, and allow them to
54+% undefined at the bottom of the file.
55+/.scanfontbegin{} bind def
56+/.scanfontdir {} bind def
57+
58 FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
59 /FONTPATH [ FONTPATH .pathlist ] def
60
61@@ -242,12 +250,12 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
62 /.scanfontbegin
63 { % Construct the table of all file names already in Fontmap.
64 currentglobal //true setglobal
65- .scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength
66+ //.scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength
67 Fontmap
68 { exch pop
69 { dup type /stringtype eq
70- { .splitfilename pop .fonttempstring copy .lowerstring cvn
71- .scanfontdict exch //true put
72+ { //.splitfilename exec pop //.fonttempstring copy //.lowerstring exec cvn
73+ //.scanfontdict exch //true put
74 }
75 { pop
76 }
77@@ -280,9 +288,9 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
78 /txt //true
79 .dicttomark def
80 /.scan1fontstring 8192 string def
81-% %%BeginFont: is not per Adobe documentation, but a few fonts have it.
82+% BeginFont: is not per Adobe documentation, but a few fonts have it.
83 /.scanfontheaders [(%!PS-Adobe*) (%!FontType*) (%%BeginFont:*)] def
84-0 .scanfontheaders { length .max } forall 6 add % extra for PFB header
85+0 //.scanfontheaders { length .max } forall 6 add % extra for PFB header
86 /.scan1fontfirst exch string def
87 /.scanfontdir % <dirname> .scanfontdir -
88 { currentglobal exch //true setglobal
89@@ -291,10 +299,10 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
90 0 0 0 4 -1 roll % found scanned files
91 { % stack: <fontcount> <scancount> <filecount> <filename>
92 exch 1 add exch % increment filecount
93- dup .splitfilename .fonttempstring copy .lowerstring
94+ dup //.splitfilename exec //.fonttempstring copy //.lowerstring exec
95 % stack: <fontcount> <scancount> <filecount+1> <filename>
96 % <BASE> <ext>
97- .scanfontskip exch known exch .scanfontdict exch known or
98+ //.scanfontskip exch known exch //.scanfontdict exch known or
99 { pop
100 % stack: <fontcount> <scancount> <filecount+1>
101 }
102@@ -309,7 +317,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
103 % On some platforms, the file operator will open directories,
104 % but an error will occur if we try to read from one.
105 % Handle this possibility here.
106- dup .scan1fontfirst { readstring } .internalstopped
107+ dup //.scan1fontfirst { readstring } .internalstopped
108 { pop pop () }
109 { pop }
110 ifelse
111@@ -322,7 +330,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
112 { dup length 6 sub 6 exch getinterval }
113 if
114 % Check for font file headers.
115- //false .scanfontheaders
116+ //false //.scanfontheaders
117 { 2 index exch .stringmatch or
118 }
119 forall exch pop
120@@ -335,7 +343,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
121 { exch copystring exch
122 DEBUG { ( ) print dup =only flush } if
123 1 index .definenativefontmap
124- .splitfilename pop //true .scanfontdict 3 1 roll .growput
125+ //.splitfilename exec pop //true //.scanfontdict 3 1 roll .growput
126 % Increment fontcount.
127 3 -1 roll 1 add 3 1 roll
128 }
129@@ -352,7 +360,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
130 }
131 ifelse
132 }
133- .scan1fontstring filenameforall
134+ //.scan1fontstring filenameforall
135 QUIET
136 { pop pop pop }
137 { ( ) print =only ( files, ) print =only ( scanned, ) print
138@@ -422,7 +430,6 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
139 //true .setnativefontmapbuilt
140 } ifelse
141 } bind def
142-currentdict /.setnativefontmapbuilt .forceundef
143
144 % Create the dictionary that registers the .buildfont procedure
145 % (called by definefont) for each FontType.
146@@ -526,7 +533,8 @@ buildfontdict 3 /.buildfont3 cvx put
147 % We use this only for explicitly aliased fonts, not substituted fonts:
148 % we think this matches the observed behavior of Adobe interpreters.
149 /.aliasfont % <name> <font> .aliasfont <newFont>
150- { .currentglobal 3 1 roll dup .gcheck .setglobal
151+ {
152+ currentglobal 3 1 roll dup gcheck setglobal
153 % <bool> <name> <font>
154 dup length 2 add dict % <bool> <name> <font> <dict>
155 dup 3 -1 roll % <bool> <name> <dict> <dict> <font>
156@@ -541,7 +549,7 @@ buildfontdict 3 /.buildfont3 cvx put
157 % whose FontName is a local non-string, if someone passed a
158 % garbage value to findfont. In this case, just don't
159 % call definefont at all.
160- 2 index dup type /stringtype eq exch .gcheck or 1 index .gcheck not or
161+ 2 index dup type /stringtype eq exch gcheck or 1 index gcheck not or
162 { pop % <bool> <name> <dict>
163 1 index dup type /stringtype eq { cvn } if
164 % <bool> <name> <dict> <name1>
165@@ -566,10 +574,11 @@ buildfontdict 3 /.buildfont3 cvx put
166 % Don't bind in definefont, since Level 2 redefines it.
167 /definefont .systemvar exec
168 }
169- { /findfont cvx {.completefont} .errorexec pop exch pop
170+ {
171+ /findfont cvx {.completefont} //.errorexec exec pop exch pop
172 }
173 ifelse
174- exch .setglobal
175+ exch setglobal
176 } odef % so findfont will bind it
177
178 % Define .loadfontfile for loading a font. If we recognize Type 1 and/or
179@@ -669,10 +678,19 @@ buildfontdict 3 /.buildfont3 cvx put
180 [(Cn) 4] [(Cond) 4] [(Narrow) 4] [(Pkg) 4] [(Compr) 4]
181 [(Serif) 8] [(Sans) -8]
182 ] readonly def
183+
184+/.fontnamestring { % <fontname> .fontnamestring <string|name>
185+ dup type dup /nametype eq {
186+ pop .namestring
187+ } {
188+ /stringtype ne { pop () } if
189+ } ifelse
190+} bind def
191+
192 /.fontnameproperties { % <int> <string|name> .fontnameproperties
193 % <int'>
194- .fontnamestring
195- .substituteproperties {
196+ //.fontnamestring exec
197+ //.substituteproperties {
198 2 copy 0 get search {
199 pop pop pop dup length 1 sub 1 exch getinterval 3 -1 roll exch {
200 dup 0 ge { or } { neg not and } ifelse
201@@ -710,13 +728,7 @@ buildfontdict 3 /.buildfont3 cvx put
202 % <other> .nametostring <other>
203 dup type /nametype eq { .namestring } if
204 } bind def
205-/.fontnamestring { % <fontname> .fontnamestring <string|name>
206- dup type dup /nametype eq {
207- pop .namestring
208- } {
209- /stringtype ne { pop () } if
210- } ifelse
211-} bind def
212+
213 /.substitutefontname { % <fontname> <properties> .substitutefontname
214 % <altname|null>
215 % Look for properties and/or a face name in the font name.
216@@ -724,7 +736,7 @@ buildfontdict 3 /.buildfont3 cvx put
217 % base font; otherwise, use the default font.
218 % Note that the "substituted" font name may be the same as
219 % the requested one; the caller must check this.
220- exch .fontnamestring {
221+ exch //.fontnamestring exec {
222 defaultfontname /Helvetica-Oblique /Helvetica-Bold /Helvetica-BoldOblique
223 /Helvetica-Narrow /Helvetica-Narrow-Oblique
224 /Helvetica-Narrow-Bold /Helvetica-Narrow-BoldOblique
225@@ -734,12 +746,12 @@ buildfontdict 3 /.buildfont3 cvx put
226 } 3 1 roll
227 % Stack: facelist properties fontname
228 % Look for a face name.
229- .substitutefaces {
230+ //.substitutefaces {
231 2 copy 0 get search {
232 pop pop pop
233 % Stack: facelist properties fontname [(pattern) family properties]
234 dup 2 get 4 -1 roll or 3 1 roll
235- 1 get .substitutefamilies exch get
236+ 1 get //.substitutefamilies exch get
237 4 -1 roll pop 3 1 roll
238 } {
239 pop pop
240@@ -748,7 +760,7 @@ buildfontdict 3 /.buildfont3 cvx put
241 1 index length mod get exec
242 } bind def
243 /.substitutefont { % <fontname> .substitutefont <altname>
244- dup 0 exch .fontnameproperties .substitutefontname
245+ dup 0 exch //.fontnameproperties exec .substitutefontname
246 % Only accept fonts known in the Fontmap.
247 Fontmap 1 index known not
248 {
249@@ -814,7 +826,7 @@ FAKEFONTS not { (%END FAKEFONTS) .skipeof } if
250 counttomark 1 sub { .aliasfont } repeat end
251 % <fontname> mark <font>
252 exch pop exch pop
253-} odef
254+} bind odef
255 /findfont {
256 .findfont
257 } bind def
258@@ -860,7 +872,7 @@ FAKEFONTS not { (%END FAKEFONTS) .skipeof } if
259 } {
260 dup .substitutefont
261 2 copy eq { pop defaultfontname } if
262- .checkalias
263+ //.checkalias exec
264 QUIET not {
265 SHORTERRORS {
266 (%%[) print 1 index =only
267@@ -886,8 +898,8 @@ $error /SubstituteFont { } put
268 //null 0 1 FONTPATH length 1 sub {
269 FONTPATH 1 index get //null ne { exch pop exit } if pop
270 } for dup //null ne {
271- dup 0 eq { .scanfontbegin } if
272- FONTPATH 1 index get .scanfontdir
273+ dup 0 eq { //.scanfontbegin exec} if
274+ FONTPATH 1 index get //.scanfontdir exec
275 FONTPATH exch //null put //true
276 } {
277 pop //false
278@@ -897,11 +909,10 @@ $error /SubstituteFont { } put
279 % scanning of FONTPATH.
280 /.dofindfont { % mark <fontname> .dofindfont % mark <alias> ... <font>
281 .tryfindfont not {
282-
283 % We didn't find the font. If we haven't scanned
284 % all the directories in FONTPATH, scan the next one
285 % now and look for the font again.
286- .scannextfontdir {
287+ //.scannextfontdir exec {
288 % Start over with an empty alias list.
289 counttomark 1 sub { pop } repeat % mark <fontname>
290 .dofindfont
291@@ -927,6 +938,7 @@ $error /SubstituteFont { } put
292 } if
293 % Substitute for the font. Don't alias.
294 % Same stack as at the beginning of .dofindfont.
295+
296 $error /SubstituteFont get exec
297 %
298 % igorm: I guess the surrounding code assumes that .stdsubstfont
299@@ -935,72 +947,11 @@ $error /SubstituteFont { } put
300 % used in .dofindfont and through .stdsubstfont
301 % just to represent a simple iteration,
302 % which accumulates the aliases after the mark.
303- .stdsubstfont
304+ //.stdsubstfont exec
305 } ifelse
306 } ifelse
307 } if
308 } bind def
309-% Try to find a font using only the present contents of Fontmap.
310-/.tryfindfont { % <fontname> .tryfindfont <font> true
311- % <fontname> .tryfindfont false
312- //.FontDirectory 1 index .fontknownget
313- { % Already loaded
314- exch pop //true
315- }
316- {
317- dup Fontmap exch .knownget
318- { //true //true }
319- { % Unknown font name. Look for a file with the
320- % same name as the requested font.
321- dup .tryloadfont
322- { exch pop //true //false }
323- {
324- % if we can't load by name check the native font map
325- dup .nativeFontmap exch .knownget
326- { //true //true }
327- { //false //false } ifelse
328- } ifelse
329- } ifelse
330-
331- { % Try each element of the Fontmap in turn.
332- pop
333- //false exch % (in case we exhaust the list)
334- % Stack: fontname false fontmaplist
335- { exch pop
336- dup type /nametype eq
337- { % Font alias
338- .checkalias .tryfindfont exit
339- }
340- { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and
341- { % Font with a procedural definition
342- exec % The procedure will load the font.
343- % Check to make sure this really happened.
344- //.FontDirectory 1 index .knownget
345- { exch pop //true exit }
346- if
347- }
348- { % Font file name
349- //true .loadfontloop { //true exit } if
350- }
351- ifelse
352- }
353- ifelse //false
354- }
355- forall
356- % Stack: font true -or- fontname false
357- { //true
358- }
359- { % None of the Fontmap entries worked.
360- % Try loading a file with the same name
361- % as the requested font.
362- .tryloadfont
363- }
364- ifelse
365- }
366- if
367- }
368- ifelse
369- } bind def
370
371 % any user of .putgstringcopy must use bind and executeonly
372 /.putgstringcopy % <dict> <name> <string> .putgstringcopy -
373@@ -1014,25 +965,6 @@ $error /SubstituteFont { } put
374 } executeonly ifelse
375 } .bind executeonly odef % must be bound and hidden for .forceput
376
377-% Attempt to load a font from a file.
378-/.tryloadfont { % <fontname> .tryloadfont <font> true
379- % <fontname> .tryloadfont false
380- dup .nametostring
381- % Hack: check for the presence of the resource machinery.
382- /.genericrfn where {
383- pop
384- pop dup .fonttempstring /FontResourceDir getsystemparam .genericrfn
385- {//false .loadfontloop} .internalstopped {//false} if {
386- //true
387- } {
388- dup .nametostring
389- {//true .loadfontloop} .internalstopped {//false} if
390- } ifelse
391- } {
392- {//true .loadfontloop} .internalstopped {//false} if
393- } ifelse
394-} bind def
395-
396 /.loadfontloop { % <fontname> <filename> <libflag> .loadfontloop
397 % <font> true
398 % -or-
399@@ -1102,7 +1034,7 @@ $error /SubstituteFont { } put
400 } if
401
402 % Check to make sure the font was actually loaded.
403- dup 3 index .fontknownget
404+ dup 3 index //.fontknownget exec
405 { dup /PathLoad 4 index .putgstringcopy
406 4 1 roll pop pop pop //true exit
407 } executeonly if
408@@ -1113,7 +1045,7 @@ $error /SubstituteFont { } put
409 exch dup % Stack: origfontname fontdirectory path path
410 (r) file .findfontname
411 { % Stack: origfontname fontdirectory path filefontname
412- 2 index 1 index .fontknownget
413+ 2 index 1 index //.fontknownget exec
414 { % Yes. Stack: origfontname fontdirectory path filefontname fontdict
415 dup 4 -1 roll /PathLoad exch .putgstringcopy
416 % Stack: origfontname fontdirectory filefontname fontdict
417@@ -1136,7 +1068,7 @@ $error /SubstituteFont { } put
418 % Stack: fontdict
419 } executeonly
420 if pop % Stack: origfontname fontdirectory path
421- }
422+ } executeonly
423 if pop pop % Stack: origfontname
424
425 % The font definitely did not load correctly.
426@@ -1150,7 +1082,87 @@ $error /SubstituteFont { } put
427
428 } bind executeonly odef % must be bound and hidden for .putgstringcopy
429
430-currentdict /.putgstringcopy .undef
431+% Attempt to load a font from a file.
432+/.tryloadfont { % <fontname> .tryloadfont <font> true
433+ % <fontname> .tryloadfont false
434+ dup //.nametostring exec
435+ % Hack: check for the presence of the resource machinery.
436+ /.genericrfn where {
437+ pop
438+ pop dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn
439+ {//false .loadfontloop} .internalstopped {//false} if {
440+ //true
441+ } {
442+ dup //.nametostring exec
443+ {//true .loadfontloop} .internalstopped {//false} if
444+ } ifelse
445+ } {
446+ {//true .loadfontloop} .internalstopped {//false} if
447+ } ifelse
448+} bind def
449+
450+% Try to find a font using only the present contents of Fontmap.
451+/.tryfindfont { % <fontname> .tryfindfont <font> true
452+ % <fontname> .tryfindfont false
453+ //.FontDirectory 1 index //.fontknownget exec
454+ { % Already loaded
455+ exch pop //true
456+ }
457+ {
458+ dup Fontmap exch .knownget
459+ { //true //true }
460+ { % Unknown font name. Look for a file with the
461+ % same name as the requested font.
462+ dup //.tryloadfont exec
463+ { exch pop //true //false }
464+ {
465+ % if we can't load by name check the native font map
466+ dup .nativeFontmap exch .knownget
467+ { //true //true }
468+ { //false //false } ifelse
469+ } ifelse
470+ } ifelse
471+
472+ { % Try each element of the Fontmap in turn.
473+ pop
474+ //false exch % (in case we exhaust the list)
475+ % Stack: fontname false fontmaplist
476+ { exch pop
477+ dup type /nametype eq
478+ { % Font alias
479+ //.checkalias exec
480+ .tryfindfont exit
481+ }
482+ { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and
483+ { % Font with a procedural definition
484+ exec % The procedure will load the font.
485+ % Check to make sure this really happened.
486+ //.FontDirectory 1 index .knownget
487+ { exch pop //true exit }
488+ if
489+ }
490+ { % Font file name
491+ //true .loadfontloop { //true exit } if
492+ }
493+ ifelse
494+ }
495+ ifelse //false
496+ }
497+ forall
498+ % Stack: font true -or- fontname false
499+ { //true
500+ }
501+ { % None of the Fontmap entries worked.
502+ % Try loading a file with the same name
503+ % as the requested font.
504+ //.tryloadfont exec
505+ }
506+ ifelse
507+ }
508+ if
509+ }
510+ ifelse
511+ } bind def
512
513 % Define a procedure to load all known fonts.
514 % This isn't likely to be very useful.
515@@ -1192,9 +1204,9 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
516 /.loadinitialfonts
517 { NOFONTMAP not
518 { /FONTMAP where
519- { pop [ FONTMAP .pathlist ]
520+ { pop [ FONTMAP //.pathlist exec]
521 { dup VMDEBUG findlibfile
522- { exch pop .loadFontmap }
523+ { exch pop //.loadFontmap exec }
524 { /undefinedfilename signalerror }
525 ifelse
526 }
527@@ -1208,7 +1220,7 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
528 pop pop
529 defaultfontmap_content { .definefontmap } forall
530 } {
531- .loadFontmap
532+ //.loadFontmap exec
533 } ifelse
534 } {
535 pop pop
536@@ -1272,3 +1284,18 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
537 { .makemodifiedfont
538 dup /FontName get exch definefont pop
539 } bind def
540+
541+% Undef these, not needed outside this file
542+[
543+ % /.fonttempstring /.scannextfontdir - are also used in gs_res.ps, so are undefined there
544+ % /.fontnameproperties - is used in pdf_font.ps
545+ % /.scanfontheaders - used in gs_cff.ps, gs_ttf.ps
546+ /.loadfontloop /.tryloadfont /.findfont /.pathlist /.loadFontmap /.lowerstring
547+ /.splitfilename /.scanfontdict /.scanfontbegin
548+ /.scanfontskip /.scan1fontstring
549+ /.scan1fontfirst /.scanfontdir
550+ /.setnativefontmapbuilt /.aliasfont
551+ /.setloadingfont /.substitutefaces /.substituteproperties /.substitutefamilies
552+ /.nametostring /.fontnamestring /.checkalias /.fontknownget /.stdsubstfont
553+ /.putgstringcopy
554+] {systemdict exch .forceundef} forall
555diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
556index 18d5452..b016113 100644
557--- a/Resource/Init/gs_res.ps
558+++ b/Resource/Init/gs_res.ps
559@@ -961,7 +961,7 @@ userdict /.localcsdefaults //false put
560 dup type /nametype eq { .namestring } if
561 dup type /stringtype ne { //false exit } if
562 % Check the resource directory.
563- dup .fonttempstring /FontResourceDir getsystemparam .genericrfn
564+ dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn
565 status {
566 pop pop pop pop //true exit
567 } if
568@@ -969,7 +969,7 @@ userdict /.localcsdefaults //false put
569 % as the font.
570 findlibfile { closefile //true exit } if
571 % Scan a FONTPATH directory and try again.
572- .scannextfontdir not { //false exit } if
573+ //.scannextfontdir exec not { //false exit } if
574 } loop
575 } bind def
576
577@@ -1008,7 +1008,7 @@ currentdict /.fontstatusaux .undef
578 } ifelse
579 } bind executeonly
580 /ResourceForAll {
581- { .scannextfontdir not { exit } if } loop
582+ { //.scannextfontdir exec not { exit } if } loop
583 /Generic /Category findresource /ResourceForAll get exec
584 } bind executeonly
585 /.ResourceFileStatus {
586@@ -1163,6 +1163,7 @@ end % level2dict
587 [
588 /.default_resource_dir
589 /.resource_dir_name
590+ /.fonttempstring /.scannextfontdir % from gs_fonts.ps
591 ]
592 {systemdict exch .forceundef} forall
593
594--
5952.18.1
596
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0007.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0007.patch
new file mode 100644
index 0000000000..5c1f839597
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-6116-0007.patch
@@ -0,0 +1,346 @@
1From 5c49efe24dda0f2dbd2a09b9159e683cce99b6d8 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Fri, 11 Jan 2019 13:36:36 +0000
4Subject: [PATCH 7/7] Remove .forcedef, and harden .force* ops more
5
6Remove .forcedef and replace all uses with a direct call to .forceput instead.
7
8Ensure every procedure (named and trasient) that calls .forceput is
9executeonly.
10
11CVE: CVE-2019-6116
12Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
13
14Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
15---
16 Resource/Init/gs_dps1.ps | 15 +++++++-----
17 Resource/Init/gs_init.ps | 28 ++++++++-------------
18 Resource/Init/gs_lev2.ps | 51 +++++++++++++++++++--------------------
19 Resource/Init/gs_ll3.ps | 5 ++--
20 Resource/Init/gs_res.ps | 29 +++++++++++-----------
21 Resource/Init/gs_statd.ps | 4 +--
22 6 files changed, 63 insertions(+), 69 deletions(-)
23
24diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
25index 8700c8c..3d2cf7a 100644
26--- a/Resource/Init/gs_dps1.ps
27+++ b/Resource/Init/gs_dps1.ps
28@@ -33,14 +33,17 @@ systemdict begin
29
30 /SharedFontDirectory .FontDirectory .gcheck
31 { .currentglobal //false .setglobal
32+ currentdict
33 /LocalFontDirectory .FontDirectory dup maxlength dict copy
34- .forcedef % LocalFontDirectory is local, systemdict is global
35+ .forceput % LocalFontDirectory is local, systemdict is global
36 .setglobal .FontDirectory
37- }
38- { /LocalFontDirectory .FontDirectory
39- .forcedef % LocalFontDirectory is local, systemdict is global
40+ } executeonly
41+ {
42+ currentdict
43+ /LocalFontDirectory .FontDirectory
44+ .forceput % LocalFontDirectory is local, systemdict is global
45 50 dict
46- }
47+ }executeonly
48 ifelse def
49
50 end % systemdict
51@@ -55,7 +58,7 @@ level2dict begin
52 { //SharedFontDirectory }
53 { /LocalFontDirectory .systemvar } % can't embed ref to local VM
54 ifelse .forceput pop % LocalFontDirectory is local, systemdict is global
55- } .bind odef
56+ } .bind executeonly odef
57 % Don't just copy (load) the definition of .setglobal:
58 % it gets redefined for LL3.
59 /setshared { /.setglobal .systemvar exec } odef
60diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
61index d9a0829..45bebf4 100644
62--- a/Resource/Init/gs_init.ps
63+++ b/Resource/Init/gs_init.ps
64@@ -54,7 +54,7 @@ systemdict exch
65 dup /userdict
66 currentdict dup 200 .setmaxlength % userdict
67 .forceput % userdict is local, systemdict is global
68- }
69+ } executeonly
70 if begin
71
72 % Define dummy local/global operators if needed.
73@@ -299,13 +299,6 @@ QUIET not { printgreeting flush } if
74 1 index exch .makeoperator def
75 } .bind def
76
77-% Define a special version of def for storing local objects into global
78-% dictionaries. Like .forceput, this exists only during initialization.
79-/.forcedef { % <key> <value> .forcedef -
80- 1 .argindex pop % check # of args
81- currentdict 3 1 roll .forceput
82-} .bind odef
83-
84 % Define procedures for accessing variables in systemdict and userdict
85 % regardless of the contents of the dictionary stack.
86 /.systemvar { % <name> .systemvar <value>
87@@ -347,7 +340,7 @@ DELAYBIND
88 }
89 ifelse
90 } .bind def
91-} if
92+} executeonly if
93
94 %**************** BACKWARD COMPATIBILITY ****************
95 /hwsizedict mark /HWSize //null .dicttomark readonly def
96@@ -655,7 +648,7 @@ currentdict /.typenames .undef
97 /ifelse .systemvar
98 ] cvx executeonly
99 exch .setglobal
100-} odef
101+} executeonly odef
102 systemdict /internaldict dup .makeinternaldict .makeoperator
103 .forceput % proc is local, systemdict is global
104
105@@ -1093,7 +1086,7 @@ def
106
107 % Define $error. This must be in local VM.
108 .currentglobal //false .setglobal
109-/$error 40 dict .forcedef % $error is local, systemdict is global
110+currentdict /$error 40 dict .forceput % $error is local, systemdict is global
111 % newerror, errorname, command, errorinfo,
112 % ostack, estack, dstack, recordstacks,
113 % binary, globalmode,
114@@ -1112,8 +1105,8 @@ end
115 % Define errordict similarly. It has one entry per error name,
116 % plus handleerror. However, some astonishingly badly written PostScript
117 % files require it to have at least one empty slot.
118-/errordict ErrorNames length 3 add dict
119-.forcedef % errordict is local, systemdict is global
120+currentdict /errordict ErrorNames length 3 add dict
121+.forceput % errordict is local, systemdict is global
122 .setglobal % back to global VM
123 % gserrordict contains all the default error handling methods, but unlike
124 % errordict it is noaccess after creation (also it is in global VM).
125@@ -1273,8 +1266,9 @@ end
126 (END PROCS) VMDEBUG
127
128 % Define the font directory.
129+currentdict
130 /FontDirectory //false .setglobal 100 dict //true .setglobal
131-.forcedef % FontDirectory is local, systemdict is global
132+.forceput % FontDirectory is local, systemdict is global
133
134 % Define the encoding dictionary.
135 /EncodingDirectory 16 dict def % enough for Level 2 + PDF standard encodings
136@@ -2333,7 +2327,6 @@ SAFER { .setsafeglobal } if
137 //systemdict /UndefinePostScriptOperators get exec
138 //systemdict /UndefinePDFOperators get exec
139 //systemdict /.forcecopynew .forceundef % remove temptation
140- //systemdict /.forcedef .forceundef % ditto
141 //systemdict /.forceput .forceundef % ditto
142 //systemdict /.undef .forceundef % ditto
143 //systemdict /.forceundef .forceundef % ditto
144@@ -2368,9 +2361,9 @@ SAFER { .setsafeglobal } if
145 % (and, if implemented, context switching).
146 .currentglobal //false .setglobal
147 mark userparams { } forall .dicttomark readonly
148- /userparams exch .forcedef % systemdict is read-only
149+ currentdict exch /userparams exch .forceput % systemdict is read-only
150 .setglobal
151-} if
152+} executeonly if
153 /.currentsystemparams where {
154 pop
155 % Remove real system params from pssystemparams.
156@@ -2458,7 +2451,6 @@ end
157 DELAYBIND not {
158 systemdict /.bindnow .undef % We only need this for DELAYBIND
159 systemdict /.forcecopynew .undef % remove temptation
160- systemdict /.forcedef .undef % ditto
161 systemdict /.forceput .undef % ditto
162 systemdict /.forceundef .undef % ditto
163 } if
164diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
165index 0f0d573..9c0c3a6 100644
166--- a/Resource/Init/gs_lev2.ps
167+++ b/Resource/Init/gs_lev2.ps
168@@ -304,31 +304,30 @@ end
169 psuserparams exch /.checkFilePermitparams load put
170 .setglobal
171
172-pssystemparams begin
173- /CurDisplayList 0 .forcedef
174- /CurFormCache 0 .forcedef
175- /CurInputDevice () .forcedef
176- /CurOutlineCache 0 .forcedef
177- /CurOutputDevice () .forcedef
178- /CurPatternCache 0 .forcedef
179- /CurUPathCache 0 .forcedef
180- /CurScreenStorage 0 .forcedef
181- /CurSourceList 0 .forcedef
182- /DoPrintErrors //false .forcedef
183- /JobTimeout 0 .forcedef
184- /LicenseID (LN-001) .forcedef % bogus
185- /MaxDisplayList 140000 .forcedef
186- /MaxFormCache 100000 .forcedef
187- /MaxImageBuffer 524288 .forcedef
188- /MaxOutlineCache 65000 .forcedef
189- /MaxPatternCache 100000 .forcedef
190- /MaxUPathCache 300000 .forcedef
191- /MaxScreenStorage 84000 .forcedef
192- /MaxSourceList 25000 .forcedef
193- /PrinterName product .forcedef
194- /RamSize 4194304 .forcedef
195- /WaitTimeout 40 .forcedef
196-end
197+pssystemparams
198+dup /CurDisplayList 0 .forceput
199+dup /CurFormCache 0 .forceput
200+dup /CurInputDevice () .forceput
201+dup /CurOutlineCache 0 .forceput
202+dup /CurOutputDevice () .forceput
203+dup /CurPatternCache 0 .forceput
204+dup /CurUPathCache 0 .forceput
205+dup /CurScreenStorage 0 .forceput
206+dup /CurSourceList 0 .forceput
207+dup /DoPrintErrors //false .forceput
208+dup /JobTimeout 0 .forceput
209+dup /LicenseID (LN-001) .forceput % bogus
210+dup /MaxDisplayList 140000 .forceput
211+dup /MaxFormCache 100000 .forceput
212+dup /MaxImageBuffer 524288 .forceput
213+dup /MaxOutlineCache 65000 .forceput
214+dup /MaxPatternCache 100000 .forceput
215+dup /MaxUPathCache 300000 .forceput
216+dup /MaxScreenStorage 84000 .forceput
217+dup /MaxSourceList 25000 .forceput
218+dup /PrinterName product .forceput
219+dup /RamSize 4194304 .forceput
220+ /WaitTimeout 40 .forceput
221
222 % Define the procedures for handling comment scanning. The names
223 % %ProcessComment and %ProcessDSCComment are known to the interpreter.
224@@ -710,7 +709,7 @@ pop % currentsystemparams
225 /statusdict currentdict def
226
227 currentdict end
228-/statusdict exch .forcedef % statusdict is local, systemdict is global
229+currentdict exch /statusdict exch .forceput % statusdict is local, systemdict is global
230
231 % The following compatibility operators are in systemdict. They are
232 % defined here, rather than in gs_init.ps, because they require the
233diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
234index c86721f..881af44 100644
235--- a/Resource/Init/gs_ll3.ps
236+++ b/Resource/Init/gs_ll3.ps
237@@ -521,9 +521,8 @@ end
238 % Define additional user and system parameters.
239 /HalftoneMode 0 .definepsuserparam
240 /MaxSuperScreen 1016 .definepsuserparam
241-pssystemparams begin % read-only, so use .forcedef
242- /MaxDisplayAndSourceList 160000 .forcedef
243-end
244+% read-only, so use .forceput
245+pssystemparams /MaxDisplayAndSourceList 160000 .forceput
246
247 % Define the IdiomSet resource category.
248 { /IdiomSet } {
249diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
250index b016113..89c0ed6 100644
251--- a/Resource/Init/gs_res.ps
252+++ b/Resource/Init/gs_res.ps
253@@ -41,10 +41,10 @@ level2dict begin
254 % However, Ed Taft of Adobe says their interpreters don't implement this
255 % either, so we aren't going to worry about it for a while.
256
257-currentglobal //false setglobal systemdict begin
258- /localinstancedict 5 dict
259- .forcedef % localinstancedict is local, systemdict is global
260-end //true setglobal
261+currentglobal //false setglobal
262+ systemdict /localinstancedict 5 dict
263+ .forceput % localinstancedict is local, systemdict is global
264+//true setglobal
265 /.emptydict 0 dict readonly def
266 setglobal
267
268@@ -149,7 +149,7 @@ setglobal
269 dup [ exch 0 -1 ] exch
270 .Instances 4 2 roll put
271 % Make the Category dictionary read-only. We will have to
272- % use .forceput / .forcedef later to replace the dummy,
273+ % use .forceput / .forceput later to replace the dummy,
274 % empty .Instances dictionary with the real one later.
275 readonly
276 }{
277@@ -304,7 +304,8 @@ systemdict begin
278 dup () ne {
279 .file_name_directory_separator concatstrings
280 } if
281- 2 index exch //false .file_name_combine not {
282+ 2 index exch //false
283+ .file_name_combine not {
284 (Error: .default_resource_dir returned ) print exch print ( that can't combine with ) print =
285 /.default_resource_dir cvx /configurationerror signalerror
286 } if
287@@ -317,14 +318,14 @@ currentdict /pssystemparams known not {
288 pssystemparams begin
289 //.default_resource_dir exec
290 /FontResourceDir (Font) //.resource_dir_name exec
291- readonly .forcedef % pssys'params is r-o
292+ readonly currentdict 3 1 roll .forceput % pssys'params is r-o
293 /GenericResourceDir () //.resource_dir_name exec
294- readonly .forcedef % pssys'params is r-o
295+ readonly currentdict 3 1 roll .forceput % pssys'params is r-o
296 pop % .default_resource_dir
297 /GenericResourcePathSep
298- .file_name_separator readonly .forcedef % pssys'params is r-o
299- (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forcedef % pssys'params is r-o
300- (%diskGenericResourceDir) cvn (/Resource/) readonly .forcedef % pssys'params is r-o
301+ .file_name_separator readonly currentdict 3 1 roll .forceput % pssys'params is r-o
302+ currentdict (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forceput % pssys'params is r-o
303+ currentdict (%diskGenericResourceDir) cvn (/Resource/) readonly .forceput % pssys'params is r-o
304 end
305 end
306
307@@ -422,8 +423,8 @@ status {
308 .Instances dup //.emptydict eq {
309 pop 3 dict
310 % As noted above, Category dictionaries are read-only,
311- % so we have to use .forcedef here.
312- /.Instances 1 index .forcedef % Category dict is read-only
313+ % so we have to use .forceput here.
314+ currentdict /.Instances 2 index .forceput % Category dict is read-only
315 } executeonly if
316 }
317 { .LocalInstances dup //.emptydict eq
318@@ -441,7 +442,7 @@ status {
319 { /defineresource cvx /typecheck signaloperror
320 }
321 ifelse
322-} .bind executeonly .makeoperator % executeonly to prevent access to .forcedef
323+} .bind executeonly .makeoperator % executeonly to prevent access to .forceput
324 /UndefineResource
325 { { dup 2 index .knownget
326 { dup 1 get 1 ge
327diff --git a/Resource/Init/gs_statd.ps b/Resource/Init/gs_statd.ps
328index 20d4c96..b6a7659 100644
329--- a/Resource/Init/gs_statd.ps
330+++ b/Resource/Init/gs_statd.ps
331@@ -21,10 +21,10 @@ systemdict begin
332 % We make statusdict a little larger for Level 2 stuff.
333 % Note that it must be allocated in local VM.
334 .currentglobal //false .setglobal
335- /statusdict 91 dict .forcedef % statusdict is local, sys'dict global
336+ currentdict /statusdict 91 dict .forceput % statusdict is local, sys'dict global
337 % To support the Level 2 job control features,
338 % serverdict must also be in local VM.
339- /serverdict 10 dict .forcedef % serverdict is local, sys'dict global
340+ currentdict /serverdict 10 dict .forceput % serverdict is local, sys'dict global
341 .setglobal
342 end
343
344--
3452.18.1
346
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
index 5ca978f86c..ad4c5e17d2 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
@@ -32,6 +32,13 @@ SRC_URI = "${SRC_URI_BASE} \
32 file://ghostscript-9.02-genarch.patch \ 32 file://ghostscript-9.02-genarch.patch \
33 file://objarch.h \ 33 file://objarch.h \
34 file://cups-no-gcrypt.patch \ 34 file://cups-no-gcrypt.patch \
35 file://CVE-2019-6116-0001.patch \
36 file://CVE-2019-6116-0002.patch \
37 file://CVE-2019-6116-0003.patch \
38 file://CVE-2019-6116-0004.patch \
39 file://CVE-2019-6116-0005.patch \
40 file://CVE-2019-6116-0006.patch \
41 file://CVE-2019-6116-0007.patch \
35 " 42 "
36 43
37SRC_URI_class-native = "${SRC_URI_BASE} \ 44SRC_URI_class-native = "${SRC_URI_BASE} \
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-10 20:24:02 +0000