ghostscript: fix CVE-2018-15908 & CVE-2018-15909 & CVE-2018-15910 & CVE-2018-15911

(From OE-Core rev: b6d32d43fd2b016e932b7dc81fb943eb936b73bb) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2018-09-10 03:21:01 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-09-11 09:05:35 +0100
commit: c0f6e29c2146c66dffee65d7d650fc906a57a26c (patch)
tree: b8ce60a74495eba74959899d46bc4e26c3dcf370 /meta/recipes-extended
parent: 17f1496f841e0409e345bf889f3396cded2d7d69 (diff)
download: poky-c0f6e29c2146c66dffee65d7d650fc906a57a26c.tar.gz
6 files changed, 294 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
new file mode 100644
index 0000000000..df654f721d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
@@ -0,0 +1,56 @@
+From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 23 Aug 2018 15:42:02 +0100
+Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode"
+The specimen file calls aesdecode without specifying the key to be
+used, though it does manage to do enough work with the PDF interpreter
+routines to get access to aesdecode (which isn't normally available).
+This causes us to read uninitialised memory, which can (and often does)
+lead to a segmentation fault.
+In this commit we set the key to NULL explicitly during intialisation
+and then check it before we read it. If its NULL we just return.
+It seems bizarre that we don't return error codes, we should probably
+look into that at some point, but this prevents the code trying to
+read uninitialised memory.
+CVE: CVE-2018-15911
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ base/aes.c  | 3 +++
+ base/saes.c | 1 +
+ 2 files changed, 4 insertions(+)
+diff --git a/base/aes.c b/base/aes.c
+index a6bce93..e86f000 100644
+--- a/base/aes.c
+++ b/base/aes.c
+@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
+     }
+ #endif
+ 
+    if (ctx == NULL || ctx->rk == NULL)
+        return;
+
+     RK = ctx->rk;
+ 
+     GET_ULONG_LE( X0, input,  0 ); X0 ^= *RK++;
+diff --git a/base/saes.c b/base/saes.c
+index 6db0e8b..307ed74 100644
+--- a/base/saes.c
+++ b/base/saes.c
+@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
+         gs_throw(gs_error_VMerror, "could not allocate aes context");
+         return ERRC;
+       }
+      memset(state->ctx, 0x00, sizeof(aes_context));
+       if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) {
+         gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
+                 state->keylength);
+-- 
+2.8.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
new file mode 100644
index 0000000000..a16f215bd3
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
@@ -0,0 +1,53 @@
+From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 21 Aug 2018 16:42:45 +0100
+Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a
+ boolean
+This caused a function call commented as "Can't fail" to fail, and resulted
+in memory correuption and a segfault.
+CVE: CVE-2018-15910
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ devices/vector/gdevpdfp.c | 2 +-
+ psi/iparam.c              | 7 ++++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
+index 522db7a..f2816b9 100644
+--- a/devices/vector/gdevpdfp.c
+++ b/devices/vector/gdevpdfp.c
+@@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
+      * LockDistillerParams is read again, and reset if necessary, in
+      * psdf_put_params.
+      */
+-    ecode = param_read_bool(plist, "LockDistillerParams", &locked);
+    ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked);
+     if (ecode < 0)
+         param_signal_error(plist, param_name, ecode);
+ 
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 68c20d4..0279455 100644
+--- a/psi/iparam.c
+++ b/psi/iparam.c
+@@ -822,10 +822,11 @@ static int
+ ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code)
+ {
+     iparam_list *const iplist = (iparam_list *) plist;
+-    iparam_loc loc;
+    iparam_loc loc = {0};
+ 
+-    ref_param_read(iplist, pkey, &loc, -1);    /* can't fail */
+-    *loc.presult = code;
+    ref_param_read(iplist, pkey, &loc, -1);
+    if (loc.presult)
+        *loc.presult = code;
+     switch (ref_param_read_get_policy(plist, pkey)) {
+         case gs_param_policy_ignore:
+             return 0;
+-- 
+2.8.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
new file mode 100644
index 0000000000..174f79e42a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
@@ -0,0 +1,91 @@
+From 759238fd904aab1706dc1007826a13a670cda320 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 23 Aug 2018 14:12:48 +0100
+Subject: [PATCH 3/5] Fix Bug 699660 "shading_param incomplete type checking"
+Its possible to pass a t_struct parameter to .shfill which is not a
+shading function built by .buildshading. This could then lead to memory
+corruption or a segmentation fault by treating the object passed in
+as if it were a shading.
+Its non-trivial to check the t_struct, because this function can take
+7 different kinds of structures as a parameter. Checking these is
+possible, of course, but would add a performance penalty.
+However, we can note that we never call .shfill without first calling
+.buildshading, and we never call .buildshading without immediately
+calling .shfill. So we can treat these as an atomic operation. The
+.buildshading function takes all its parameters as PostScript objects
+and validates them, so that should be safe.
+This allows us to 'hide' the .shfill operator preventing the possibility
+of passing an invalid parameter.
+CVE: CVE-2018-15909
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ Resource/Init/gs_init.ps  | 4 ++--
+ Resource/Init/gs_ll3.ps   | 7 ++++++-
+ Resource/Init/pdf_draw.ps | 3 +--
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 6c8da53..1956ed5 100644
+--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
+@@ -2181,8 +2181,8 @@ SAFER { .setsafeglobal } if
+ /.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize
+ /.oserrno /.setoserrno /.oserrorstring /.getCPSImode
+ /.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
+-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
+-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
+/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
+%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
+ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
+diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
+index 5aa56a3..1d37e53 100644
+--- a/Resource/Init/gs_ll3.ps
+++ b/Resource/Init/gs_ll3.ps
+@@ -440,6 +440,11 @@ systemdict /.reuseparamdict mark
+     /shfill .systemvar /undefined signalerror
+   } ifelse
+ } bind def
+
+/.buildshading_and_shfill {
+  .buildshading .shfill
+} bind def
+
+ systemdict /.reuseparamdict undef
+ 
+ /.buildpattern2 {      % <template> <matrix> .buildpattern2
+@@ -464,7 +469,7 @@ systemdict /.reuseparamdict undef
+         % Currently, .shfill requires that the color space
+         % in the pattern be the current color space.
+         % Disable overprintmode for shfill
+-  { dup gsave 0 .setoverprintmode .buildshading .shfill } stopped
+  { dup gsave 0 .setoverprintmode .buildshading_and_shfill } stopped
+   grestore {
+     /$error .systemvar /errorinfo 2 copy known {
+       pop pop
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index e8ca213..a7144d3 100644
+--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
+@@ -1365,9 +1365,8 @@ drawopdict begin
+     { dup /.shading .knownget {
+         exch pop
+       } {
+-       .buildshading
+       .buildshading_and_shfill
+       } ifelse
+-      .shfill
+     } stopped {
+       pop
+       (   **** Error: Ignoring invalid smooth shading object, output may be incorrect.\n)
+-- 
+2.8.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch b/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch
new file mode 100644
index 0000000000..7c6d002620
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch
@@ -0,0 +1,35 @@
+From ee9e8065e7d7b3adbc25fd655727ca72861ee032 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Aug 2018 12:44:26 +0100
+Subject: [PATCH 4/5] Hide the .shfill operator
+Commit 0b6cd1918e1ec4ffd087400a754a845180a4522b was supposed to make
+the .shfill operator unobtainable, but I accidentally left a comment
+in the line doing so.
+Fix it here, without this the operator can still be exploited.
+CVE: CVE-2018-15909
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ Resource/Init/gs_init.ps | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 1956ed5..955b843 100644
+--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
+@@ -2182,7 +2182,7 @@ SAFER { .setsafeglobal } if
+ /.oserrno /.setoserrno /.oserrorstring /.getCPSImode
+ /.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
+ /.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
+-%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
+/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
+ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
+-- 
+2.8.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
new file mode 100644
index 0000000000..ccd40216c0
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
@@ -0,0 +1,54 @@
+From f4f50ceea8e8852b8c3ac73f5807d8b54b735c3e Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 21 Aug 2018 20:17:05 +0100
+Subject: [PATCH 5/5] Bug 699657: properly apply file permissions to .tempfile
+CVE: CVE-2018-15908
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ psi/zfile.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+diff --git a/psi/zfile.c b/psi/zfile.c
+index a0acd5a..19996b0 100644
+--- a/psi/zfile.c
+++ b/psi/zfile.c
+@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t *i_ctx_p, const char *fname, int len,
+     /* we're protecting arbitrary file system accesses, not Postscript device accesses.
+      * Although, note that %pipe% is explicitly checked for and disallowed elsewhere
+      */
+-    if (iodev != iodev_default(imemory)) {
+    if (iodev && iodev != iodev_default(imemory)) {
+         return 0;
+     }
+ 
+@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
+     }
+ 
+     if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
+-        if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),
+        int plen = strlen(pstr);
+        const char *sep = gp_file_name_separator();
+#ifdef DEBUG
+        int seplen = strlen(sep);
+        if (seplen != 1)
+            return_error(gs_error_Fatal);
+#endif
+        /* strip off the file name prefix, leave just the directory name
+         * so we can check if we are allowed to write to it
+         */
+        for ( ; plen >=0; plen--) {
+            if (pstr[plen] == sep[0])
+                break;
+        }
+        memcpy(fname, pstr, plen);
+        fname[plen] = '\0';
+        if (check_file_permissions(i_ctx_p, fname, strlen(fname),
+                                    NULL, "PermitFileWriting") < 0) {
+             code = gs_note_error(gs_error_invalidfileaccess);
+             goto done;
+-- 
+2.8.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.23.bb b/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
index 019d99b021..898b6cd985 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
@@ -26,6 +26,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://avoid-host-contamination.patch \
                file://mkdir-p.patch \
                file://remove-direct-symlink.patch \
+                file://0001-Bug-699665-memory-corruption-in-aesdecode.patch \
+                file://0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch \
+                file://0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch \
+                file://0004-Hide-the-.shfill-operator.patch \
+                file://0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \
author	Hongxu Jia <hongxu.jia@windriver.com>	2018-09-10 03:21:01 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-09-11 09:05:35 +0100
commit	c0f6e29c2146c66dffee65d7d650fc906a57a26c (patch)
tree	b8ce60a74495eba74959899d46bc4e26c3dcf370 /meta/recipes-extended
parent	17f1496f841e0409e345bf889f3396cded2d7d69 (diff)
download	poky-c0f6e29c2146c66dffee65d7d650fc906a57a26c.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch new file mode 100644 index 0000000000..df654f721d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
@@ -0,0 +1,56 @@
		1	From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <ken.sharp@artifex.com>
		3	Date: Thu, 23 Aug 2018 15:42:02 +0100
		4	Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode"
		5
		6	The specimen file calls aesdecode without specifying the key to be
		7	used, though it does manage to do enough work with the PDF interpreter
		8	routines to get access to aesdecode (which isn't normally available).
		9
		10	This causes us to read uninitialised memory, which can (and often does)
		11	lead to a segmentation fault.
		12
		13	In this commit we set the key to NULL explicitly during intialisation
		14	and then check it before we read it. If its NULL we just return.
		15
		16	It seems bizarre that we don't return error codes, we should probably
		17	look into that at some point, but this prevents the code trying to
		18	read uninitialised memory.
		19
		20	CVE: CVE-2018-15911
		21	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
		22	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		23	---
		24	base/aes.c \| 3 +++
		25	base/saes.c \| 1 +
		26	2 files changed, 4 insertions(+)
		27
		28	diff --git a/base/aes.c b/base/aes.c
		29	index a6bce93..e86f000 100644
		30	--- a/base/aes.c
		31	+++ b/base/aes.c
		32	@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
		33	}
		34	#endif
		35
		36	+ if (ctx == NULL \|\| ctx->rk == NULL)
		37	+ return;
		38	+
		39	RK = ctx->rk;
		40
		41	GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
		42	diff --git a/base/saes.c b/base/saes.c
		43	index 6db0e8b..307ed74 100644
		44	--- a/base/saes.c
		45	+++ b/base/saes.c
		46	@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
		47	gs_throw(gs_error_VMerror, "could not allocate aes context");
		48	return ERRC;
		49	}
		50	+ memset(state->ctx, 0x00, sizeof(aes_context));
		51	if (state->keylength < 1 \|\| state->keylength > SAES_MAX_KEYLENGTH) {
		52	gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
		53	state->keylength);
		54	--
		55	2.8.1
		56


diff --git a/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch new file mode 100644 index 0000000000..a16f215bd3 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
@@ -0,0 +1,53 @@
		1	From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Tue, 21 Aug 2018 16:42:45 +0100
		4	Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a
		5	boolean
		6
		7	This caused a function call commented as "Can't fail" to fail, and resulted
		8	in memory correuption and a segfault.
		9
		10	CVE: CVE-2018-15910
		11	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
		12
		13	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		14	---
		15	devices/vector/gdevpdfp.c \| 2 +-
		16	psi/iparam.c \| 7 ++++---
		17	2 files changed, 5 insertions(+), 4 deletions(-)
		18
		19	diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
		20	index 522db7a..f2816b9 100644
		21	--- a/devices/vector/gdevpdfp.c
		22	+++ b/devices/vector/gdevpdfp.c
		23	@@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
		24	* LockDistillerParams is read again, and reset if necessary, in
		25	* psdf_put_params.
		26	*/
		27	- ecode = param_read_bool(plist, "LockDistillerParams", &locked);
		28	+ ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked);
		29	if (ecode < 0)
		30	param_signal_error(plist, param_name, ecode);
		31
		32	diff --git a/psi/iparam.c b/psi/iparam.c
		33	index 68c20d4..0279455 100644
		34	--- a/psi/iparam.c
		35	+++ b/psi/iparam.c
		36	@@ -822,10 +822,11 @@ static int
		37	ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code)
		38	{
		39	iparam_list const iplist = (iparam_list ) plist;
		40	- iparam_loc loc;
		41	+ iparam_loc loc = {0};
		42
		43	- ref_param_read(iplist, pkey, &loc, -1); /* can't fail */
		44	- *loc.presult = code;
		45	+ ref_param_read(iplist, pkey, &loc, -1);
		46	+ if (loc.presult)
		47	+ *loc.presult = code;
		48	switch (ref_param_read_get_policy(plist, pkey)) {
		49	case gs_param_policy_ignore:
		50	return 0;
		51	--
		52	2.8.1
		53


diff --git a/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch new file mode 100644 index 0000000000..174f79e42a --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
@@ -0,0 +1,91 @@
		1	From 759238fd904aab1706dc1007826a13a670cda320 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <ken.sharp@artifex.com>
		3	Date: Thu, 23 Aug 2018 14:12:48 +0100
		4	Subject: [PATCH 3/5] Fix Bug 699660 "shading_param incomplete type checking"
		5
		6	Its possible to pass a t_struct parameter to .shfill which is not a
		7	shading function built by .buildshading. This could then lead to memory
		8	corruption or a segmentation fault by treating the object passed in
		9	as if it were a shading.
		10
		11	Its non-trivial to check the t_struct, because this function can take
		12	7 different kinds of structures as a parameter. Checking these is
		13	possible, of course, but would add a performance penalty.
		14
		15	However, we can note that we never call .shfill without first calling
		16	.buildshading, and we never call .buildshading without immediately
		17	calling .shfill. So we can treat these as an atomic operation. The
		18	.buildshading function takes all its parameters as PostScript objects
		19	and validates them, so that should be safe.
		20
		21	This allows us to 'hide' the .shfill operator preventing the possibility
		22	of passing an invalid parameter.
		23
		24	CVE: CVE-2018-15909
		25	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
		26
		27	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		28	---
		29	Resource/Init/gs_init.ps \| 4 ++--
		30	Resource/Init/gs_ll3.ps \| 7 ++++++-
		31	Resource/Init/pdf_draw.ps \| 3 +--
		32	3 files changed, 9 insertions(+), 5 deletions(-)
		33
		34	diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
		35	index 6c8da53..1956ed5 100644
		36	--- a/Resource/Init/gs_init.ps
		37	+++ b/Resource/Init/gs_init.ps
		38	@@ -2181,8 +2181,8 @@ SAFER { .setsafeglobal } if
		39	/.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize
		40	/.oserrno /.setoserrno /.oserrorstring /.getCPSImode
		41	/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
		42	-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
		43	-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
		44	+/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
		45	+%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
		46	/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
		47	/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
		48	/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
		49	diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
		50	index 5aa56a3..1d37e53 100644
		51	--- a/Resource/Init/gs_ll3.ps
		52	+++ b/Resource/Init/gs_ll3.ps
		53	@@ -440,6 +440,11 @@ systemdict /.reuseparamdict mark
		54	/shfill .systemvar /undefined signalerror
		55	} ifelse
		56	} bind def
		57	+
		58	+/.buildshading_and_shfill {
		59	+ .buildshading .shfill
		60	+} bind def
		61	+
		62	systemdict /.reuseparamdict undef
		63
		64	/.buildpattern2 { % <template> <matrix> .buildpattern2
		65	@@ -464,7 +469,7 @@ systemdict /.reuseparamdict undef
		66	% Currently, .shfill requires that the color space
		67	% in the pattern be the current color space.
		68	% Disable overprintmode for shfill
		69	- { dup gsave 0 .setoverprintmode .buildshading .shfill } stopped
		70	+ { dup gsave 0 .setoverprintmode .buildshading_and_shfill } stopped
		71	grestore {
		72	/$error .systemvar /errorinfo 2 copy known {
		73	pop pop
		74	diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
		75	index e8ca213..a7144d3 100644
		76	--- a/Resource/Init/pdf_draw.ps
		77	+++ b/Resource/Init/pdf_draw.ps
		78	@@ -1365,9 +1365,8 @@ drawopdict begin
		79	{ dup /.shading .knownget {
		80	exch pop
		81	} {
		82	- .buildshading
		83	+ .buildshading_and_shfill
		84	} ifelse
		85	- .shfill
		86	} stopped {
		87	pop
		88	( **** Error: Ignoring invalid smooth shading object, output may be incorrect.\n)
		89	--
		90	2.8.1
		91


diff --git a/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch b/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch new file mode 100644 index 0000000000..7c6d002620 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch
@@ -0,0 +1,35 @@
		1	From ee9e8065e7d7b3adbc25fd655727ca72861ee032 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <ken.sharp@artifex.com>
		3	Date: Fri, 24 Aug 2018 12:44:26 +0100
		4	Subject: [PATCH 4/5] Hide the .shfill operator
		5
		6	Commit 0b6cd1918e1ec4ffd087400a754a845180a4522b was supposed to make
		7	the .shfill operator unobtainable, but I accidentally left a comment
		8	in the line doing so.
		9
		10	Fix it here, without this the operator can still be exploited.
		11
		12	CVE: CVE-2018-15909
		13	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
		14
		15	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		16	---
		17	Resource/Init/gs_init.ps \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
		21	index 1956ed5..955b843 100644
		22	--- a/Resource/Init/gs_init.ps
		23	+++ b/Resource/Init/gs_init.ps
		24	@@ -2182,7 +2182,7 @@ SAFER { .setsafeglobal } if
		25	/.oserrno /.setoserrno /.oserrorstring /.getCPSImode
		26	/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
		27	/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
		28	-%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
		29	+/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
		30	/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
		31	/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
		32	/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
		33	--
		34	2.8.1
		35


diff --git a/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch new file mode 100644 index 0000000000..ccd40216c0 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
@@ -0,0 +1,54 @@
		1	From f4f50ceea8e8852b8c3ac73f5807d8b54b735c3e Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Tue, 21 Aug 2018 20:17:05 +0100
		4	Subject: [PATCH 5/5] Bug 699657: properly apply file permissions to .tempfile
		5
		6	CVE: CVE-2018-15908
		7	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
		8
		9	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		10	---
		11	psi/zfile.c \| 20 ++++++++++++++++++--
		12	1 file changed, 18 insertions(+), 2 deletions(-)
		13
		14	diff --git a/psi/zfile.c b/psi/zfile.c
		15	index a0acd5a..19996b0 100644
		16	--- a/psi/zfile.c
		17	+++ b/psi/zfile.c
		18	@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t i_ctx_p, const char fname, int len,
		19	/* we're protecting arbitrary file system accesses, not Postscript device accesses.
		20	* Although, note that %pipe% is explicitly checked for and disallowed elsewhere
		21	*/
		22	- if (iodev != iodev_default(imemory)) {
		23	+ if (iodev && iodev != iodev_default(imemory)) {
		24	return 0;
		25	}
		26
		27	@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
		28	}
		29
		30	if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
		31	- if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),
		32	+ int plen = strlen(pstr);
		33	+ const char *sep = gp_file_name_separator();
		34	+#ifdef DEBUG
		35	+ int seplen = strlen(sep);
		36	+ if (seplen != 1)
		37	+ return_error(gs_error_Fatal);
		38	+#endif
		39	+ /* strip off the file name prefix, leave just the directory name
		40	+ * so we can check if we are allowed to write to it
		41	+ */
		42	+ for ( ; plen >=0; plen--) {
		43	+ if (pstr[plen] == sep[0])
		44	+ break;
		45	+ }
		46	+ memcpy(fname, pstr, plen);
		47	+ fname[plen] = '\0';
		48	+ if (check_file_permissions(i_ctx_p, fname, strlen(fname),
		49	NULL, "PermitFileWriting") < 0) {
		50	code = gs_note_error(gs_error_invalidfileaccess);
		51	goto done;
		52	--
		53	2.8.1
		54


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.23.bb b/meta/recipes-extended/ghostscript/ghostscript_9.23.bb index 019d99b021..898b6cd985 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.23.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.23.bb
@@ -26,6 +26,11 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
26	file://avoid-host-contamination.patch \	26	file://avoid-host-contamination.patch \
27	file://mkdir-p.patch \	27	file://mkdir-p.patch \
28	file://remove-direct-symlink.patch \	28	file://remove-direct-symlink.patch \
		29	file://0001-Bug-699665-memory-corruption-in-aesdecode.patch \
		30	file://0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch \
		31	file://0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch \
		32	file://0004-Hide-the-.shfill-operator.patch \
		33	file://0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch \
29	"	34	"
30		35
31	SRC_URI = "${SRC_URI_BASE} \	36	SRC_URI = "${SRC_URI_BASE} \