diff options
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch new file mode 100644 index 0000000000..033ba77f9a --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 20 Aug 2020 17:19:09 +0100 | ||
4 | Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions | ||
5 | |||
6 | Firstly, in gx_device_delete_output_file the iodev pointer was being passed | ||
7 | to the delete_method incorrectly (passing a pointer to that pointer). Thus | ||
8 | when we attempted to use that to confirm permission to delete the file, it | ||
9 | crashed. Credit to Ken for finding that. | ||
10 | |||
11 | Secondly, due to the way pdfwrite works, when running with an output file per | ||
12 | page, it creates the current output file immediately it has completed writing | ||
13 | the previous one. Thus, it has to delete that partial file on exit. | ||
14 | |||
15 | Previously, the output file was not added to the "control" permission list, | ||
16 | so an attempt to delete it would result in an error. So add the output file | ||
17 | to the "control" as well as "write" list. | ||
18 | |||
19 | CVE: CVE-2021-3781 | ||
20 | |||
21 | Upstream-Status: Backport: | ||
22 | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f | ||
23 | |||
24 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
25 | --- | ||
26 | base/gsdevice.c | 2 +- | ||
27 | base/gslibctx.c | 20 ++++++++++++++------ | ||
28 | 2 files changed, 15 insertions(+), 7 deletions(-) | ||
29 | |||
30 | diff --git a/base/gsdevice.c b/base/gsdevice.c | ||
31 | index 913119495..ac78af93f 100644 | ||
32 | --- a/base/gsdevice.c | ||
33 | +++ b/base/gsdevice.c | ||
34 | @@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname) | ||
35 | parsed.len = strlen(parsed.fname); | ||
36 | } | ||
37 | if (parsed.iodev) | ||
38 | - code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname); | ||
39 | + code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname); | ||
40 | else | ||
41 | code = gs_note_error(gs_error_invalidfileaccess); | ||
42 | |||
43 | diff --git a/base/gslibctx.c b/base/gslibctx.c | ||
44 | index d726c58b5..ff8fc895e 100644 | ||
45 | --- a/base/gslibctx.c | ||
46 | +++ b/base/gslibctx.c | ||
47 | @@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
48 | char *fp, f[gp_file_name_sizeof]; | ||
49 | const int pipe = 124; /* ASCII code for '|' */ | ||
50 | const int len = strlen(fname); | ||
51 | - int i; | ||
52 | + int i, code; | ||
53 | |||
54 | /* Be sure the string copy will fit */ | ||
55 | if (len >= gp_file_name_sizeof) | ||
56 | @@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
57 | rewrite_percent_specifiers(f); | ||
58 | for (i = 0; i < len; i++) { | ||
59 | if (f[i] == pipe) { | ||
60 | - int code; | ||
61 | - | ||
62 | fp = &f[i + 1]; | ||
63 | /* Because we potentially have to check file permissions at two levels | ||
64 | for the output file (gx_device_open_output_file and the low level | ||
65 | @@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
66 | if (code < 0) | ||
67 | return code; | ||
68 | break; | ||
69 | + code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
70 | + if (code < 0) | ||
71 | + return code; | ||
72 | } | ||
73 | if (!IS_WHITESPACE(f[i])) | ||
74 | break; | ||
75 | } | ||
76 | + code = gs_add_control_path(mem, gs_permit_file_control, fp); | ||
77 | + if (code < 0) | ||
78 | + return code; | ||
79 | return gs_add_control_path(mem, gs_permit_file_writing, fp); | ||
80 | } | ||
81 | |||
82 | @@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
83 | char *fp, f[gp_file_name_sizeof]; | ||
84 | const int pipe = 124; /* ASCII code for '|' */ | ||
85 | const int len = strlen(fname); | ||
86 | - int i; | ||
87 | + int i, code; | ||
88 | |||
89 | /* Be sure the string copy will fit */ | ||
90 | if (len >= gp_file_name_sizeof) | ||
91 | @@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
92 | /* Try to rewrite any %d (or similar) in the string */ | ||
93 | for (i = 0; i < len; i++) { | ||
94 | if (f[i] == pipe) { | ||
95 | - int code; | ||
96 | - | ||
97 | fp = &f[i + 1]; | ||
98 | /* Because we potentially have to check file permissions at two levels | ||
99 | for the output file (gx_device_open_output_file and the low level | ||
100 | @@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
101 | the pipe_fopen(), the leading '|' has been stripped. | ||
102 | */ | ||
103 | code = gs_remove_control_path(mem, gs_permit_file_writing, f); | ||
104 | + if (code < 0) | ||
105 | + return code; | ||
106 | + code = gs_remove_control_path(mem, gs_permit_file_control, f); | ||
107 | if (code < 0) | ||
108 | return code; | ||
109 | break; | ||
110 | @@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
111 | if (!IS_WHITESPACE(f[i])) | ||
112 | break; | ||
113 | } | ||
114 | + code = gs_remove_control_path(mem, gs_permit_file_control, fp); | ||
115 | + if (code < 0) | ||
116 | + return code; | ||
117 | return gs_remove_control_path(mem, gs_permit_file_writing, fp); | ||
118 | } | ||
119 | |||
120 | -- | ||
121 | 2.25.1 | ||