1 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
new file mode 100644
index 0000000000..033ba77f9a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
@@ -0,0 +1,121 @@
+From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 20 Aug 2020 17:19:09 +0100
+Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions
+Firstly, in gx_device_delete_output_file the iodev pointer was being passed
+to the delete_method incorrectly (passing a pointer to that pointer). Thus
+when we attempted to use that to confirm permission to delete the file, it
+crashed. Credit to Ken for finding that.
+Secondly, due to the way pdfwrite works, when running with an output file per
+page, it creates the current output file immediately it has completed writing
+the previous one. Thus, it has to delete that partial file on exit.
+Previously, the output file was not added to the "control" permission list,
+so an attempt to delete it would result in an error. So add the output file
+to the "control" as well as "write" list.
+CVE: CVE-2021-3781
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gsdevice.c |  2 +-
+ base/gslibctx.c | 20 ++++++++++++++------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 913119495..ac78af93f 100644
+--- a/base/gsdevice.c
+++ b/base/gsdevice.c
+@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname)
+         parsed.len = strlen(parsed.fname);
+     }
+     if (parsed.iodev)
+-        code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname);
+        code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname);
+     else
+         code = gs_note_error(gs_error_invalidfileaccess);
+ 
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index d726c58b5..ff8fc895e 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+     char *fp, f[gp_file_name_sizeof];
+     const int pipe = 124; /* ASCII code for '|' */
+     const int len = strlen(fname);
+-    int i;
+    int i, code;
+ 
+     /* Be sure the string copy will fit */
+     if (len >= gp_file_name_sizeof)
+@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+     rewrite_percent_specifiers(f);
+     for (i = 0; i < len; i++) {
+         if (f[i] == pipe) {
+-           int code;
+-
+            fp = &f[i + 1];
+            /* Because we potentially have to check file permissions at two levels
+               for the output file (gx_device_open_output_file and the low level
+@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+            if (code < 0)
+                return code;
+            break;
+           code = gs_add_control_path(mem, gs_permit_file_control, f);
+           if (code < 0)
+               return code;
+         }
+         if (!IS_WHITESPACE(f[i]))
+             break;
+     }
+    code = gs_add_control_path(mem, gs_permit_file_control, fp);
+    if (code < 0)
+        return code;
+     return gs_add_control_path(mem, gs_permit_file_writing, fp);
+ }
+ 
+@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+     char *fp, f[gp_file_name_sizeof];
+     const int pipe = 124; /* ASCII code for '|' */
+     const int len = strlen(fname);
+-    int i;
+    int i, code;
+ 
+     /* Be sure the string copy will fit */
+     if (len >= gp_file_name_sizeof)
+@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+     /* Try to rewrite any %d (or similar) in the string */
+     for (i = 0; i < len; i++) {
+         if (f[i] == pipe) {
+-           int code;
+-
+            fp = &f[i + 1];
+            /* Because we potentially have to check file permissions at two levels
+               for the output file (gx_device_open_output_file and the low level
+@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+               the pipe_fopen(), the leading '|' has been stripped.
+             */
+            code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+           if (code < 0)
+               return code;
+           code = gs_remove_control_path(mem, gs_permit_file_control, f);
+            if (code < 0)
+                return code;
+            break;
+@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+         if (!IS_WHITESPACE(f[i]))
+             break;
+     }
+    code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+    if (code < 0)
+        return code;
+     return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+ }
+ 
+-- 
+2.25.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch new file mode 100644 index 0000000000..033ba77f9a --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
@@ -0,0 +1,121 @@
	1	From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001
	2	From: Chris Liddell <chris.liddell@artifex.com>
	3	Date: Thu, 20 Aug 2020 17:19:09 +0100
	4	Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions
	5
	6	Firstly, in gx_device_delete_output_file the iodev pointer was being passed
	7	to the delete_method incorrectly (passing a pointer to that pointer). Thus
	8	when we attempted to use that to confirm permission to delete the file, it
	9	crashed. Credit to Ken for finding that.
	10
	11	Secondly, due to the way pdfwrite works, when running with an output file per
	12	page, it creates the current output file immediately it has completed writing
	13	the previous one. Thus, it has to delete that partial file on exit.
	14
	15	Previously, the output file was not added to the "control" permission list,
	16	so an attempt to delete it would result in an error. So add the output file
	17	to the "control" as well as "write" list.
	18
	19	CVE: CVE-2021-3781
	20
	21	Upstream-Status: Backport:
	22	https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f
	23
	24	Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
	25	---
	26	base/gsdevice.c \| 2 +-
	27	base/gslibctx.c \| 20 ++++++++++++++------
	28	2 files changed, 15 insertions(+), 7 deletions(-)
	29
	30	diff --git a/base/gsdevice.c b/base/gsdevice.c
	31	index 913119495..ac78af93f 100644
	32	--- a/base/gsdevice.c
	33	+++ b/base/gsdevice.c
	34	@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname)
	35	parsed.len = strlen(parsed.fname);
	36	}
	37	if (parsed.iodev)
	38	- code = parsed.iodev->procs.delete_file((gx_io_device )(&parsed.iodev), (const char )parsed.fname);
	39	+ code = parsed.iodev->procs.delete_file((gx_io_device )(parsed.iodev), (const char )parsed.fname);
	40	else
	41	code = gs_note_error(gs_error_invalidfileaccess);
	42
	43	diff --git a/base/gslibctx.c b/base/gslibctx.c
	44	index d726c58b5..ff8fc895e 100644
	45	--- a/base/gslibctx.c
	46	+++ b/base/gslibctx.c
	47	@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
	48	char *fp, f[gp_file_name_sizeof];
	49	const int pipe = 124; /* ASCII code for '\|' */
	50	const int len = strlen(fname);
	51	- int i;
	52	+ int i, code;
	53
	54	/* Be sure the string copy will fit */
	55	if (len >= gp_file_name_sizeof)
	56	@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
	57	rewrite_percent_specifiers(f);
	58	for (i = 0; i < len; i++) {
	59	if (f[i] == pipe) {
	60	- int code;
	61	-
	62	fp = &f[i + 1];
	63	/* Because we potentially have to check file permissions at two levels
	64	for the output file (gx_device_open_output_file and the low level
	65	@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
	66	if (code < 0)
	67	return code;
	68	break;
	69	+ code = gs_add_control_path(mem, gs_permit_file_control, f);
	70	+ if (code < 0)
	71	+ return code;
	72	}
	73	if (!IS_WHITESPACE(f[i]))
	74	break;
	75	}
	76	+ code = gs_add_control_path(mem, gs_permit_file_control, fp);
	77	+ if (code < 0)
	78	+ return code;
	79	return gs_add_control_path(mem, gs_permit_file_writing, fp);
	80	}
	81
	82	@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
	83	char *fp, f[gp_file_name_sizeof];
	84	const int pipe = 124; /* ASCII code for '\|' */
	85	const int len = strlen(fname);
	86	- int i;
	87	+ int i, code;
	88
	89	/* Be sure the string copy will fit */
	90	if (len >= gp_file_name_sizeof)
	91	@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
	92	/* Try to rewrite any %d (or similar) in the string */
	93	for (i = 0; i < len; i++) {
	94	if (f[i] == pipe) {
	95	- int code;
	96	-
	97	fp = &f[i + 1];
	98	/* Because we potentially have to check file permissions at two levels
	99	for the output file (gx_device_open_output_file and the low level
	100	@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
	101	the pipe_fopen(), the leading '\|' has been stripped.
	102	*/
	103	code = gs_remove_control_path(mem, gs_permit_file_writing, f);
	104	+ if (code < 0)
	105	+ return code;
	106	+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
	107	if (code < 0)
	108	return code;
	109	break;
	110	@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
	111	if (!IS_WHITESPACE(f[i]))
	112	break;
	113	}
	114	+ code = gs_remove_control_path(mem, gs_permit_file_control, fp);
	115	+ if (code < 0)
	116	+ return code;
	117	return gs_remove_control_path(mem, gs_permit_file_writing, fp);
	118	}
	119
	120	--
	121	2.25.1