ghostscript : fix CVE-2019-10216

(From OE-Core rev: 4620180a073b721dbc91d14ab64285187bec4cb7) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-05-18 16:20:24 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-06-02 13:32:49 +0100
commit: 1cd36a832e2927027635478e9f3aa6e5a0642773 (patch)
tree: 38c933ec0a93d2d33bded329683225da20894b7c /meta/recipes-extended
parent: 7ed7e1e332048fc5ff2dcb94338004b0cd647fcd (diff)
download: poky-1cd36a832e2927027635478e9f3aa6e5a0642773.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch
new file mode 100644
index 0000000000..9bec7343f5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch
@@ -0,0 +1,53 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
+Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19] 
+CVE: CVE-2019-10216
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ Resource/Init/gs_type1.ps | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735bc0..a039ccee3 100644
+--- a/Resource/Init/gs_type1.ps
+++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+                          ( to be the same as glyph: ) print 1 index //== exec } if
+                    3 index exch 3 index .forceput
+                                                                  % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+-                 }
+                 }executeonly
+                  {pop} ifelse
+-               } forall
+               } executeonly forall
+                pop pop
+-             }
+             } executeonly
+              {
+                pop pop pop
+              } ifelse
+-           }
+           } executeonly
+            {
+                                                                % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+              pop pop
+            } ifelse
+-         } forall
+         } executeonly forall
+          3 1 roll pop pop
+-     } if
+     } executeonly if
+      pop
+      dup /.AGLprocessed~GS //true .forceput
+-   } if
+   } executeonly if
+ 
+    %% We need to excute the C .buildfont1 in a stopped context so that, if there
+    %% are errors we can put the stack back sanely and exit. Otherwise callers won't
+-- 
+2.17.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
index 32f938f254..bbd17104e1 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
@@ -29,6 +29,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2019-14817-0001.patch \
                file://CVE-2019-14817-0002.patch \
                file://CVE-2019-14869-0001.patch \
+                file://CVE-2019-10216.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-05-18 16:20:24 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-06-02 13:32:49 +0100
commit	1cd36a832e2927027635478e9f3aa6e5a0642773 (patch)
tree	38c933ec0a93d2d33bded329683225da20894b7c /meta/recipes-extended
parent	7ed7e1e332048fc5ff2dcb94338004b0cd647fcd (diff)
download	poky-1cd36a832e2927027635478e9f3aa6e5a0642773.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch new file mode 100644 index 0000000000..9bec7343f5 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch
@@ -0,0 +1,53 @@
		1	From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Fri, 2 Aug 2019 15:18:26 +0100
		4	Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
		5
		6	Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19]
		7	CVE: CVE-2019-10216
		8	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		9
		10	---
		11	Resource/Init/gs_type1.ps \| 14 +++++++-------
		12	1 file changed, 7 insertions(+), 7 deletions(-)
		13
		14	diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
		15	index 6c7735bc0..a039ccee3 100644
		16	--- a/Resource/Init/gs_type1.ps
		17	+++ b/Resource/Init/gs_type1.ps
		18	@@ -118,25 +118,25 @@
		19	( to be the same as glyph: ) print 1 index //== exec } if
		20	3 index exch 3 index .forceput
		21	% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
		22	- }
		23	+ }executeonly
		24	{pop} ifelse
		25	- } forall
		26	+ } executeonly forall
		27	pop pop
		28	- }
		29	+ } executeonly
		30	{
		31	pop pop pop
		32	} ifelse
		33	- }
		34	+ } executeonly
		35	{
		36	% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
		37	pop pop
		38	} ifelse
		39	- } forall
		40	+ } executeonly forall
		41	3 1 roll pop pop
		42	- } if
		43	+ } executeonly if
		44	pop
		45	dup /.AGLprocessed~GS //true .forceput
		46	- } if
		47	+ } executeonly if
		48
		49	%% We need to excute the C .buildfont1 in a stopped context so that, if there
		50	%% are errors we can put the stack back sanely and exit. Otherwise callers won't
		51	--
		52	2.17.1
		53


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb index 32f938f254..bbd17104e1 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
@@ -29,6 +29,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
29	file://CVE-2019-14817-0001.patch \	29	file://CVE-2019-14817-0001.patch \
30	file://CVE-2019-14817-0002.patch \	30	file://CVE-2019-14817-0002.patch \
31	file://CVE-2019-14869-0001.patch \	31	file://CVE-2019-14869-0001.patch \
		32	file://CVE-2019-10216.patch \
32	"	33	"
33		34
34	SRC_URI = "${SRC_URI_BASE} \	35	SRC_URI = "${SRC_URI_BASE} \