authorStefan Ghinea <stefan.ghinea@windriver.com>2019-11-21 17:28:04 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-25 17:57:23 +0000
commitfb458983d67e8f8dcbb89354f4bfd71d75070f3e (patch)
tree4631f78d26c17e4f2e4250c4159178ce18fe484c /meta
parent6675b184334b186d0967fe43af7735395f87e4d7 (diff)
downloadpoky-fb458983d67e8f8dcbb89354f4bfd71d75070f3e.tar.gz
ghostscript: CVE-2019-14869
A flaw was found in all versions of ghostscript 9.x before 9.28, where the `.charkeys` procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within Ghostscript and access files outside of restricted areas or execute commands. References: https://nvd.nist.gov/vuln/detail/CVE-2019-14869 Upstream patches: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904 (From OE-Core rev: 0bb88ac63b4e1728373c6425477a32f7a6362b2c) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14869-0001.patch70
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.27.bb1
2 files changed, 71 insertions, 0 deletions
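--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14869-0001.patch
@@ -0,0 +1,70 @@
+From 485904772c5f0aa1140032746e5a0abfc40f4cef Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 5 Nov 2019 09:45:27 +0000
+Subject: [PATCH] Bug 701841: remove .forceput from /.charkeys
+
+When loading Type 1 or Truetype fonts from disk, we attempt to extend the glyph
+name table to include all identifiable glyph names from the Adobe Glyph List.
+
+In the case of Type 1 fonts, the font itself (almost always) marks the
+CharStrings dictionary as read-only, hence we have to use .forceput for that
+case.
+
+But for Truetype fonts, the CharStrings dictionary is created internally and is
+not read-only until *after* we have fully populated it (including the extended
+glyph names from the AGL), hence there is no need for .forceput, and no need to
+carry the security risk of using it.
+
+Replace with regular put.
+
+CVE: CVE-2019-14869
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ Resource/Init/gs_ttf.ps | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
+index e34967d..5354ff0 100644
+--- a/Resource/Init/gs_ttf.ps
++++ b/Resource/Init/gs_ttf.ps
+@@ -1301,7 +1301,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ TTFDEBUG { (\n1 setting alias: ) print dup ==only
+ ( to be the same as ) print 2 index //== exec } if
+
+- 7 index 2 index 3 -1 roll exch .forceput
++ 7 index 2 index 3 -1 roll exch put
+ } forall
+ pop pop pop
+ }
+@@ -1319,7 +1319,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ exch pop
+ TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
+ ( to use glyph index: ) print dup //== exec } if
+- 5 index 3 1 roll .forceput
++ 5 index 3 1 roll put
+ //false
+ }
+ {
+@@ -1336,7 +1336,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
+ TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
+ ( to be index: ) print dup //== exec } if
+- exch pop 5 index 3 1 roll .forceput
++ exch pop 5 index 3 1 roll put
+ }
+ {
+ pop pop
+@@ -1366,7 +1366,7 @@ currentdict /.pickcmap_with_no_xlatmap .undef
+ } ifelse
+ ]
+ TTFDEBUG { (Encoding: ) print dup === flush } if
+-} .bind executeonly odef % hides .forceput
++} .bind odef
+
+ % ---------------- CIDFontType 2 font loading ---------------- %
+
+--
+2.20.1
+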
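Review bot: The last inner hunk drops `executeonly` from `} .bind odef`, which is only safe if no `.forceput` or other privileged operator remains anywhere in that procedure, and the procedure body starts outside the four hunks shown, so this cannot be confirmed from the patch alone. Since this is a backport onto 9.27 rather than the tree the upstream commit was written against, the 9.27 `Resource/Init/gs_ttf.ps` should be checked for any remaining `.forceput` in this procedure before relying on the change. The switch to plain `put` also means a read-only CharStrings dictionary would now raise an error instead of being overwritten; the commit message says this cannot occur for TrueType fonts, but a TrueType font-loading test under `-dSAFER` would confirm it. The patch header would also be easier to audit if it named the exact upstream commit, e.g. `Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904]`.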
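--- a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
@@ -28,6 +28,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
  file://CVE-2019-14811-0001.patch \
  file://CVE-2019-14817-0001.patch \
  file://CVE-2019-14817-0002.patch \
+ file://CVE-2019-14869-0001.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \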