1 files changed, 238 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
new file mode 100644
index 0000000000..e3f9e81c45
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
@@ -0,0 +1,238 @@
+From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 7 Sep 2021 20:36:12 +0100
+Subject: [PATCH] Bug 704342: Include device specifier strings in access
+ validation
+for the "%pipe%", %handle%" and %printer% io devices.
+We previously validated only the part after the "%pipe%" Postscript device
+specifier, but this proved insufficient.
+This rebuilds the original file name string, and validates it complete. The
+slight complication for "%pipe%" is it can be reached implicitly using
+"|" so we have to check both prefixes.
+Addresses CVE-2021-3781
+CVE: CVE-2021-3781
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gdevpipe.c | 22 +++++++++++++++-
+ base/gp_mshdl.c | 11 +++++++-
+ base/gp_msprn.c | 10 ++++++-
+ base/gp_os2pr.c | 13 +++++++++-
+ base/gslibctx.c | 69 ++++++++++---------------------------------------
+ 5 files changed, 65 insertions(+), 60 deletions(-)
+diff --git a/base/gdevpipe.c b/base/gdevpipe.c
+index 96d71f5d8..5bdc485be 100644
+--- a/base/gdevpipe.c
+++ b/base/gdevpipe.c
+@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ #else
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    /* The pipe device can be reached in two ways, explicltly with %pipe%
+       or implicitly with "|", so we have to check for both
+     */
+    char f[gp_file_name_sizeof];
+    const char *pipestr = "|";
+    const size_t pipestrlen = strlen(pipestr);
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+    int code1;
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    code1 = gp_validate_path(mem, f, access);
+
+    memcpy(f, pipestr, pipestrlen);
+    memcpy(f + pipestrlen, fname, nlen + 1);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
+         return gs_error_invalidfileaccess;
+ 
+     /*
+diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
+index 2b964ed74..8d87ceadc 100644
+--- a/base/gp_mshdl.c
+++ b/base/gp_mshdl.c
+@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
+     long hfile;        /* Correct for Win32, may be wrong for Win64 */
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    char f[gp_file_name_sizeof];
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, f, access) != 0)
+         return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_handle method. */
+diff --git a/base/gp_msprn.c b/base/gp_msprn.c
+index ed4827968..746a974f7 100644
+--- a/base/gp_msprn.c
+++ b/base/gp_msprn.c
+@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+     unsigned long *ptid = &((tid_t *)(iodev->state))->tid;
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(pname, iodev->dname, preflen);
+    memcpy(pname + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, pname, access) != 0)
+         return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_printer method. */
+diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
+index f852c71fc..ba54cde66 100644
+--- a/base/gp_os2pr.c
+++ b/base/gp_os2pr.c
+@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+            FILE ** pfile, char *rfname, uint rnamelen)
+ {
+     os2_printer_t *pr = (os2_printer_t *)iodev->state;
+-    char driver_name[256];
+    char driver_name[gp_file_name_sizeof];
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const int size_t = strlen(fname);
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(driver_name, iodev->dname, preflen);
+    memcpy(driver_name + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, driver_name, access) != 0)
+        return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_printer method. */
+     /* Note that the loop condition here ensures we don't
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 6dfed6cd5..318039fad 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
+ int
+ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+-    char *fp, f[gp_file_name_sizeof];
+-    const int pipe = 124; /* ASCII code for '|' */
+-    const int len = strlen(fname);
+-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
+ 
+     /* Be sure the string copy will fit */
+-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
+         return gs_error_rangecheck;
+     strcpy(f, fname);
+-    fp = f;
+     /* Try to rewrite any %d (or similar) in the string */
+     rewrite_percent_specifiers(f);
+-    for (i = 0; i < len; i++) {
+-        if (f[i] == pipe) {
+-           fp = &f[i + 1];
+-           /* Because we potentially have to check file permissions at two levels
+-              for the output file (gx_device_open_output_file and the low level
+-              fopen API, if we're using a pipe, we have to add both the full string,
+-              (including the '|', and just the command to which we pipe - since at
+-              the pipe_fopen(), the leading '|' has been stripped.
+-            */
+-           code = gs_add_control_path(mem, gs_permit_file_writing, f);
+-           if (code < 0)
+-               return code;
+-           code = gs_add_control_path(mem, gs_permit_file_control, f);
+-           if (code < 0)
+-               return code;
+-           break;
+-        }
+-        if (!IS_WHITESPACE(f[i]))
+-            break;
+-    }
+-    code = gs_add_control_path(mem, gs_permit_file_control, fp);
+
+    code = gs_add_control_path(mem, gs_permit_file_control, f);
+     if (code < 0)
+         return code;
+-    return gs_add_control_path(mem, gs_permit_file_writing, fp);
+    return gs_add_control_path(mem, gs_permit_file_writing, f);
+ }
+ 
+ int
+ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+-    char *fp, f[gp_file_name_sizeof];
+-    const int pipe = 124; /* ASCII code for '|' */
+-    const int len = strlen(fname);
+-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
+ 
+     /* Be sure the string copy will fit */
+-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
+         return gs_error_rangecheck;
+     strcpy(f, fname);
+-    fp = f;
+     /* Try to rewrite any %d (or similar) in the string */
+-    for (i = 0; i < len; i++) {
+-        if (f[i] == pipe) {
+-           fp = &f[i + 1];
+-           /* Because we potentially have to check file permissions at two levels
+-              for the output file (gx_device_open_output_file and the low level
+-              fopen API, if we're using a pipe, we have to add both the full string,
+-              (including the '|', and just the command to which we pipe - since at
+-              the pipe_fopen(), the leading '|' has been stripped.
+-            */
+-           code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+-           if (code < 0)
+-               return code;
+-           code = gs_remove_control_path(mem, gs_permit_file_control, f);
+-           if (code < 0)
+-               return code;
+-           break;
+-        }
+-        if (!IS_WHITESPACE(f[i]))
+-            break;
+-    }
+-    code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+    rewrite_percent_specifiers(f);
+
+    code = gs_remove_control_path(mem, gs_permit_file_control, f);
+     if (code < 0)
+         return code;
+-    return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+    return gs_remove_control_path(mem, gs_permit_file_writing, f);
+ }
+ 
+ int
+-- 
+2.25.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch new file mode 100644 index 0000000000..e3f9e81c45 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
@@ -0,0 +1,238 @@
	1	From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
	2	From: Chris Liddell <chris.liddell@artifex.com>
	3	Date: Tue, 7 Sep 2021 20:36:12 +0100
	4	Subject: [PATCH] Bug 704342: Include device specifier strings in access
	5	validation
	6
	7	for the "%pipe%", %handle%" and %printer% io devices.
	8
	9	We previously validated only the part after the "%pipe%" Postscript device
	10	specifier, but this proved insufficient.
	11
	12	This rebuilds the original file name string, and validates it complete. The
	13	slight complication for "%pipe%" is it can be reached implicitly using
	14	"\|" so we have to check both prefixes.
	15
	16	Addresses CVE-2021-3781
	17
	18	CVE: CVE-2021-3781
	19
	20	Upstream-Status: Backport:
	21	https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde
	22
	23	Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
	24	---
	25	base/gdevpipe.c \| 22 +++++++++++++++-
	26	base/gp_mshdl.c \| 11 +++++++-
	27	base/gp_msprn.c \| 10 ++++++-
	28	base/gp_os2pr.c \| 13 +++++++++-
	29	base/gslibctx.c \| 69 ++++++++++---------------------------------------
	30	5 files changed, 65 insertions(+), 60 deletions(-)
	31
	32	diff --git a/base/gdevpipe.c b/base/gdevpipe.c
	33	index 96d71f5d8..5bdc485be 100644
	34	--- a/base/gdevpipe.c
	35	+++ b/base/gdevpipe.c
	36	@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char fname, const char access,
	37	#else
	38	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
	39	gs_fs_list_t *fs = ctx->core->fs;
	40	+ /* The pipe device can be reached in two ways, explicltly with %pipe%
	41	+ or implicitly with "\|", so we have to check for both
	42	+ */
	43	+ char f[gp_file_name_sizeof];
	44	+ const char *pipestr = "\|";
	45	+ const size_t pipestrlen = strlen(pipestr);
	46	+ const size_t preflen = strlen(iodev->dname);
	47	+ const size_t nlen = strlen(fname);
	48	+ int code1;
	49	+
	50	+ if (preflen + nlen >= gp_file_name_sizeof)
	51	+ return_error(gs_error_invalidaccess);
	52	+
	53	+ memcpy(f, iodev->dname, preflen);
	54	+ memcpy(f + preflen, fname, nlen + 1);
	55	+
	56	+ code1 = gp_validate_path(mem, f, access);
	57	+
	58	+ memcpy(f, pipestr, pipestrlen);
	59	+ memcpy(f + pipestrlen, fname, nlen + 1);
	60
	61	- if (gp_validate_path(mem, fname, access) != 0)
	62	+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
	63	return gs_error_invalidfileaccess;
	64
	65	/*
	66	diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
	67	index 2b964ed74..8d87ceadc 100644
	68	--- a/base/gp_mshdl.c
	69	+++ b/base/gp_mshdl.c
	70	@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char fname, const char access,
	71	long hfile; /* Correct for Win32, may be wrong for Win64 */
	72	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
	73	gs_fs_list_t *fs = ctx->core->fs;
	74	+ char f[gp_file_name_sizeof];
	75	+ const size_t preflen = strlen(iodev->dname);
	76	+ const size_t nlen = strlen(fname);
	77
	78	- if (gp_validate_path(mem, fname, access) != 0)
	79	+ if (preflen + nlen >= gp_file_name_sizeof)
	80	+ return_error(gs_error_invalidaccess);
	81	+
	82	+ memcpy(f, iodev->dname, preflen);
	83	+ memcpy(f + preflen, fname, nlen + 1);
	84	+
	85	+ if (gp_validate_path(mem, f, access) != 0)
	86	return gs_error_invalidfileaccess;
	87
	88	/* First we try the open_handle method. */
	89	diff --git a/base/gp_msprn.c b/base/gp_msprn.c
	90	index ed4827968..746a974f7 100644
	91	--- a/base/gp_msprn.c
	92	+++ b/base/gp_msprn.c
	93	@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char fname, const char access,
	94	unsigned long ptid = &((tid_t )(iodev->state))->tid;
	95	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
	96	gs_fs_list_t *fs = ctx->core->fs;
	97	+ const size_t preflen = strlen(iodev->dname);
	98	+ const size_t nlen = strlen(fname);
	99
	100	- if (gp_validate_path(mem, fname, access) != 0)
	101	+ if (preflen + nlen >= gp_file_name_sizeof)
	102	+ return_error(gs_error_invalidaccess);
	103	+
	104	+ memcpy(pname, iodev->dname, preflen);
	105	+ memcpy(pname + preflen, fname, nlen + 1);
	106	+
	107	+ if (gp_validate_path(mem, pname, access) != 0)
	108	return gs_error_invalidfileaccess;
	109
	110	/* First we try the open_printer method. */
	111	diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
	112	index f852c71fc..ba54cde66 100644
	113	--- a/base/gp_os2pr.c
	114	+++ b/base/gp_os2pr.c
	115	@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char fname, const char access,
	116	FILE ** pfile, char *rfname, uint rnamelen)
	117	{
	118	os2_printer_t pr = (os2_printer_t )iodev->state;
	119	- char driver_name[256];
	120	+ char driver_name[gp_file_name_sizeof];
	121	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
	122	gs_fs_list_t *fs = ctx->core->fs;
	123	+ const size_t preflen = strlen(iodev->dname);
	124	+ const int size_t = strlen(fname);
	125	+
	126	+ if (preflen + nlen >= gp_file_name_sizeof)
	127	+ return_error(gs_error_invalidaccess);
	128	+
	129	+ memcpy(driver_name, iodev->dname, preflen);
	130	+ memcpy(driver_name + preflen, fname, nlen + 1);
	131	+
	132	+ if (gp_validate_path(mem, driver_name, access) != 0)
	133	+ return gs_error_invalidfileaccess;
	134
	135	/* First we try the open_printer method. */
	136	/* Note that the loop condition here ensures we don't
	137	diff --git a/base/gslibctx.c b/base/gslibctx.c
	138	index 6dfed6cd5..318039fad 100644
	139	--- a/base/gslibctx.c
	140	+++ b/base/gslibctx.c
	141	@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
	142	int
	143	gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
	144	{
	145	- char *fp, f[gp_file_name_sizeof];
	146	- const int pipe = 124; /* ASCII code for '\|' */
	147	- const int len = strlen(fname);
	148	- int i, code;
	149	+ char f[gp_file_name_sizeof];
	150	+ int code;
	151
	152	/* Be sure the string copy will fit */
	153	- if (len >= gp_file_name_sizeof)
	154	+ if (strlen(fname) >= gp_file_name_sizeof)
	155	return gs_error_rangecheck;
	156	strcpy(f, fname);
	157	- fp = f;
	158	/* Try to rewrite any %d (or similar) in the string */
	159	rewrite_percent_specifiers(f);
	160	- for (i = 0; i < len; i++) {
	161	- if (f[i] == pipe) {
	162	- fp = &f[i + 1];
	163	- /* Because we potentially have to check file permissions at two levels
	164	- for the output file (gx_device_open_output_file and the low level
	165	- fopen API, if we're using a pipe, we have to add both the full string,
	166	- (including the '\|', and just the command to which we pipe - since at
	167	- the pipe_fopen(), the leading '\|' has been stripped.
	168	- */
	169	- code = gs_add_control_path(mem, gs_permit_file_writing, f);
	170	- if (code < 0)
	171	- return code;
	172	- code = gs_add_control_path(mem, gs_permit_file_control, f);
	173	- if (code < 0)
	174	- return code;
	175	- break;
	176	- }
	177	- if (!IS_WHITESPACE(f[i]))
	178	- break;
	179	- }
	180	- code = gs_add_control_path(mem, gs_permit_file_control, fp);
	181	+
	182	+ code = gs_add_control_path(mem, gs_permit_file_control, f);
	183	if (code < 0)
	184	return code;
	185	- return gs_add_control_path(mem, gs_permit_file_writing, fp);
	186	+ return gs_add_control_path(mem, gs_permit_file_writing, f);
	187	}
	188
	189	int
	190	gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
	191	{
	192	- char *fp, f[gp_file_name_sizeof];
	193	- const int pipe = 124; /* ASCII code for '\|' */
	194	- const int len = strlen(fname);
	195	- int i, code;
	196	+ char f[gp_file_name_sizeof];
	197	+ int code;
	198
	199	/* Be sure the string copy will fit */
	200	- if (len >= gp_file_name_sizeof)
	201	+ if (strlen(fname) >= gp_file_name_sizeof)
	202	return gs_error_rangecheck;
	203	strcpy(f, fname);
	204	- fp = f;
	205	/* Try to rewrite any %d (or similar) in the string */
	206	- for (i = 0; i < len; i++) {
	207	- if (f[i] == pipe) {
	208	- fp = &f[i + 1];
	209	- /* Because we potentially have to check file permissions at two levels
	210	- for the output file (gx_device_open_output_file and the low level
	211	- fopen API, if we're using a pipe, we have to add both the full string,
	212	- (including the '\|', and just the command to which we pipe - since at
	213	- the pipe_fopen(), the leading '\|' has been stripped.
	214	- */
	215	- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
	216	- if (code < 0)
	217	- return code;
	218	- code = gs_remove_control_path(mem, gs_permit_file_control, f);
	219	- if (code < 0)
	220	- return code;
	221	- break;
	222	- }
	223	- if (!IS_WHITESPACE(f[i]))
	224	- break;
	225	- }
	226	- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
	227	+ rewrite_percent_specifiers(f);
	228	+
	229	+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
	230	if (code < 0)
	231	return code;
	232	- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
	233	+ return gs_remove_control_path(mem, gs_permit_file_writing, f);
	234	}
	235
	236	int
	237	--
	238	2.25.1