diff options
author | Trevor Gamblin <trevor.gamblin@windriver.com> | 2021-10-29 11:09:21 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-11-03 11:19:04 +0000 |
commit | d416648255ac1fd49cf70360104ac67f5d2397d5 (patch) | |
tree | fd203ddd872a52986b3a06fff8d60304847f88e2 /meta | |
parent | b035d49f9406833017ec528268ce028d835de86e (diff) | |
download | poky-d416648255ac1fd49cf70360104ac67f5d2397d5.tar.gz |
ghostscript: Fix CVE-2021-3781
Backport a patch file from upstream, since doing an uprev of the recipe
to the version with the fix (9.55) would introduce functional changes.
CVE: CVE-2021-3781
(From OE-Core rev: db413a3a4fa42ac05824c2217f633a0af7ab50cd)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch | 238 | ||||
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb | 1 |
2 files changed, 239 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch new file mode 100644 index 0000000000..44bdfbba35 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch | |||
@@ -0,0 +1,238 @@ | |||
1 | From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Tue, 7 Sep 2021 20:36:12 +0100 | ||
4 | Subject: [PATCH] Bug 704342: Include device specifier strings in access | ||
5 | validation | ||
6 | |||
7 | for the "%pipe%", %handle%" and %printer% io devices. | ||
8 | |||
9 | We previously validated only the part after the "%pipe%" Postscript device | ||
10 | specifier, but this proved insufficient. | ||
11 | |||
12 | This rebuilds the original file name string, and validates it complete. The | ||
13 | slight complication for "%pipe%" is it can be reached implicitly using | ||
14 | "|" so we have to check both prefixes. | ||
15 | |||
16 | Addresses CVE-2021-3781 | ||
17 | |||
18 | CVE: CVE-2021-3781 | ||
19 | |||
20 | Upstream-Status: Backport (http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20) | ||
21 | |||
22 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
23 | --- | ||
24 | base/gdevpipe.c | 22 +++++++++++++++- | ||
25 | base/gp_mshdl.c | 11 +++++++- | ||
26 | base/gp_msprn.c | 10 ++++++- | ||
27 | base/gp_os2pr.c | 13 +++++++++- | ||
28 | base/gslibctx.c | 69 ++++++++++--------------------------------------- | ||
29 | 5 files changed, 65 insertions(+), 60 deletions(-) | ||
30 | |||
31 | diff --git a/base/gdevpipe.c b/base/gdevpipe.c | ||
32 | index 96d71f5d8..5bdc485be 100644 | ||
33 | --- a/base/gdevpipe.c | ||
34 | +++ b/base/gdevpipe.c | ||
35 | @@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
36 | #else | ||
37 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
38 | gs_fs_list_t *fs = ctx->core->fs; | ||
39 | + /* The pipe device can be reached in two ways, explicltly with %pipe% | ||
40 | + or implicitly with "|", so we have to check for both | ||
41 | + */ | ||
42 | + char f[gp_file_name_sizeof]; | ||
43 | + const char *pipestr = "|"; | ||
44 | + const size_t pipestrlen = strlen(pipestr); | ||
45 | + const size_t preflen = strlen(iodev->dname); | ||
46 | + const size_t nlen = strlen(fname); | ||
47 | + int code1; | ||
48 | + | ||
49 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
50 | + return_error(gs_error_invalidaccess); | ||
51 | + | ||
52 | + memcpy(f, iodev->dname, preflen); | ||
53 | + memcpy(f + preflen, fname, nlen + 1); | ||
54 | + | ||
55 | + code1 = gp_validate_path(mem, f, access); | ||
56 | + | ||
57 | + memcpy(f, pipestr, pipestrlen); | ||
58 | + memcpy(f + pipestrlen, fname, nlen + 1); | ||
59 | |||
60 | - if (gp_validate_path(mem, fname, access) != 0) | ||
61 | + if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) | ||
62 | return gs_error_invalidfileaccess; | ||
63 | |||
64 | /* | ||
65 | diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c | ||
66 | index 2b964ed74..8d87ceadc 100644 | ||
67 | --- a/base/gp_mshdl.c | ||
68 | +++ b/base/gp_mshdl.c | ||
69 | @@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
70 | long hfile; /* Correct for Win32, may be wrong for Win64 */ | ||
71 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
72 | gs_fs_list_t *fs = ctx->core->fs; | ||
73 | + char f[gp_file_name_sizeof]; | ||
74 | + const size_t preflen = strlen(iodev->dname); | ||
75 | + const size_t nlen = strlen(fname); | ||
76 | |||
77 | - if (gp_validate_path(mem, fname, access) != 0) | ||
78 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
79 | + return_error(gs_error_invalidaccess); | ||
80 | + | ||
81 | + memcpy(f, iodev->dname, preflen); | ||
82 | + memcpy(f + preflen, fname, nlen + 1); | ||
83 | + | ||
84 | + if (gp_validate_path(mem, f, access) != 0) | ||
85 | return gs_error_invalidfileaccess; | ||
86 | |||
87 | /* First we try the open_handle method. */ | ||
88 | diff --git a/base/gp_msprn.c b/base/gp_msprn.c | ||
89 | index ed4827968..746a974f7 100644 | ||
90 | --- a/base/gp_msprn.c | ||
91 | +++ b/base/gp_msprn.c | ||
92 | @@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
93 | uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; | ||
94 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
95 | gs_fs_list_t *fs = ctx->core->fs; | ||
96 | + const size_t preflen = strlen(iodev->dname); | ||
97 | + const size_t nlen = strlen(fname); | ||
98 | |||
99 | - if (gp_validate_path(mem, fname, access) != 0) | ||
100 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
101 | + return_error(gs_error_invalidaccess); | ||
102 | + | ||
103 | + memcpy(pname, iodev->dname, preflen); | ||
104 | + memcpy(pname + preflen, fname, nlen + 1); | ||
105 | + | ||
106 | + if (gp_validate_path(mem, pname, access) != 0) | ||
107 | return gs_error_invalidfileaccess; | ||
108 | |||
109 | /* First we try the open_printer method. */ | ||
110 | diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c | ||
111 | index f852c71fc..ba54cde66 100644 | ||
112 | --- a/base/gp_os2pr.c | ||
113 | +++ b/base/gp_os2pr.c | ||
114 | @@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
115 | FILE ** pfile, char *rfname, uint rnamelen) | ||
116 | { | ||
117 | os2_printer_t *pr = (os2_printer_t *)iodev->state; | ||
118 | - char driver_name[256]; | ||
119 | + char driver_name[gp_file_name_sizeof]; | ||
120 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
121 | gs_fs_list_t *fs = ctx->core->fs; | ||
122 | + const size_t preflen = strlen(iodev->dname); | ||
123 | + const int size_t = strlen(fname); | ||
124 | + | ||
125 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
126 | + return_error(gs_error_invalidaccess); | ||
127 | + | ||
128 | + memcpy(driver_name, iodev->dname, preflen); | ||
129 | + memcpy(driver_name + preflen, fname, nlen + 1); | ||
130 | + | ||
131 | + if (gp_validate_path(mem, driver_name, access) != 0) | ||
132 | + return gs_error_invalidfileaccess; | ||
133 | |||
134 | /* First we try the open_printer method. */ | ||
135 | /* Note that the loop condition here ensures we don't | ||
136 | diff --git a/base/gslibctx.c b/base/gslibctx.c | ||
137 | index 6dfed6cd5..318039fad 100644 | ||
138 | --- a/base/gslibctx.c | ||
139 | +++ b/base/gslibctx.c | ||
140 | @@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) | ||
141 | int | ||
142 | gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
143 | { | ||
144 | - char *fp, f[gp_file_name_sizeof]; | ||
145 | - const int pipe = 124; /* ASCII code for '|' */ | ||
146 | - const int len = strlen(fname); | ||
147 | - int i, code; | ||
148 | + char f[gp_file_name_sizeof]; | ||
149 | + int code; | ||
150 | |||
151 | /* Be sure the string copy will fit */ | ||
152 | - if (len >= gp_file_name_sizeof) | ||
153 | + if (strlen(fname) >= gp_file_name_sizeof) | ||
154 | return gs_error_rangecheck; | ||
155 | strcpy(f, fname); | ||
156 | - fp = f; | ||
157 | /* Try to rewrite any %d (or similar) in the string */ | ||
158 | rewrite_percent_specifiers(f); | ||
159 | - for (i = 0; i < len; i++) { | ||
160 | - if (f[i] == pipe) { | ||
161 | - fp = &f[i + 1]; | ||
162 | - /* Because we potentially have to check file permissions at two levels | ||
163 | - for the output file (gx_device_open_output_file and the low level | ||
164 | - fopen API, if we're using a pipe, we have to add both the full string, | ||
165 | - (including the '|', and just the command to which we pipe - since at | ||
166 | - the pipe_fopen(), the leading '|' has been stripped. | ||
167 | - */ | ||
168 | - code = gs_add_control_path(mem, gs_permit_file_writing, f); | ||
169 | - if (code < 0) | ||
170 | - return code; | ||
171 | - code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
172 | - if (code < 0) | ||
173 | - return code; | ||
174 | - break; | ||
175 | - } | ||
176 | - if (!IS_WHITESPACE(f[i])) | ||
177 | - break; | ||
178 | - } | ||
179 | - code = gs_add_control_path(mem, gs_permit_file_control, fp); | ||
180 | + | ||
181 | + code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
182 | if (code < 0) | ||
183 | return code; | ||
184 | - return gs_add_control_path(mem, gs_permit_file_writing, fp); | ||
185 | + return gs_add_control_path(mem, gs_permit_file_writing, f); | ||
186 | } | ||
187 | |||
188 | int | ||
189 | gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
190 | { | ||
191 | - char *fp, f[gp_file_name_sizeof]; | ||
192 | - const int pipe = 124; /* ASCII code for '|' */ | ||
193 | - const int len = strlen(fname); | ||
194 | - int i, code; | ||
195 | + char f[gp_file_name_sizeof]; | ||
196 | + int code; | ||
197 | |||
198 | /* Be sure the string copy will fit */ | ||
199 | - if (len >= gp_file_name_sizeof) | ||
200 | + if (strlen(fname) >= gp_file_name_sizeof) | ||
201 | return gs_error_rangecheck; | ||
202 | strcpy(f, fname); | ||
203 | - fp = f; | ||
204 | /* Try to rewrite any %d (or similar) in the string */ | ||
205 | - for (i = 0; i < len; i++) { | ||
206 | - if (f[i] == pipe) { | ||
207 | - fp = &f[i + 1]; | ||
208 | - /* Because we potentially have to check file permissions at two levels | ||
209 | - for the output file (gx_device_open_output_file and the low level | ||
210 | - fopen API, if we're using a pipe, we have to add both the full string, | ||
211 | - (including the '|', and just the command to which we pipe - since at | ||
212 | - the pipe_fopen(), the leading '|' has been stripped. | ||
213 | - */ | ||
214 | - code = gs_remove_control_path(mem, gs_permit_file_writing, f); | ||
215 | - if (code < 0) | ||
216 | - return code; | ||
217 | - code = gs_remove_control_path(mem, gs_permit_file_control, f); | ||
218 | - if (code < 0) | ||
219 | - return code; | ||
220 | - break; | ||
221 | - } | ||
222 | - if (!IS_WHITESPACE(f[i])) | ||
223 | - break; | ||
224 | - } | ||
225 | - code = gs_remove_control_path(mem, gs_permit_file_control, fp); | ||
226 | + rewrite_percent_specifiers(f); | ||
227 | + | ||
228 | + code = gs_remove_control_path(mem, gs_permit_file_control, f); | ||
229 | if (code < 0) | ||
230 | return code; | ||
231 | - return gs_remove_control_path(mem, gs_permit_file_writing, fp); | ||
232 | + return gs_remove_control_path(mem, gs_permit_file_writing, f); | ||
233 | } | ||
234 | |||
235 | int | ||
236 | -- | ||
237 | 2.33.0 | ||
238 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb index 35826c2549..216822478f 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb | |||
@@ -33,6 +33,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d | |||
33 | file://do-not-check-local-libpng-source.patch \ | 33 | file://do-not-check-local-libpng-source.patch \ |
34 | file://avoid-host-contamination.patch \ | 34 | file://avoid-host-contamination.patch \ |
35 | file://mkdir-p.patch \ | 35 | file://mkdir-p.patch \ |
36 | file://0001-Bug-704342-Include-device-specifier-strings-in-acces.patch \ | ||
36 | " | 37 | " |
37 | 38 | ||
38 | SRC_URI = "${SRC_URI_BASE} \ | 39 | SRC_URI = "${SRC_URI_BASE} \ |