diff options
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch | 238 |
1 files changed, 238 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch new file mode 100644 index 0000000000..e3f9e81c45 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch | |||
@@ -0,0 +1,238 @@ | |||
1 | From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Tue, 7 Sep 2021 20:36:12 +0100 | ||
4 | Subject: [PATCH] Bug 704342: Include device specifier strings in access | ||
5 | validation | ||
6 | |||
7 | for the "%pipe%", %handle%" and %printer% io devices. | ||
8 | |||
9 | We previously validated only the part after the "%pipe%" Postscript device | ||
10 | specifier, but this proved insufficient. | ||
11 | |||
12 | This rebuilds the original file name string, and validates it complete. The | ||
13 | slight complication for "%pipe%" is it can be reached implicitly using | ||
14 | "|" so we have to check both prefixes. | ||
15 | |||
16 | Addresses CVE-2021-3781 | ||
17 | |||
18 | CVE: CVE-2021-3781 | ||
19 | |||
20 | Upstream-Status: Backport: | ||
21 | https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde | ||
22 | |||
23 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
24 | --- | ||
25 | base/gdevpipe.c | 22 +++++++++++++++- | ||
26 | base/gp_mshdl.c | 11 +++++++- | ||
27 | base/gp_msprn.c | 10 ++++++- | ||
28 | base/gp_os2pr.c | 13 +++++++++- | ||
29 | base/gslibctx.c | 69 ++++++++++--------------------------------------- | ||
30 | 5 files changed, 65 insertions(+), 60 deletions(-) | ||
31 | |||
32 | diff --git a/base/gdevpipe.c b/base/gdevpipe.c | ||
33 | index 96d71f5d8..5bdc485be 100644 | ||
34 | --- a/base/gdevpipe.c | ||
35 | +++ b/base/gdevpipe.c | ||
36 | @@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
37 | #else | ||
38 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
39 | gs_fs_list_t *fs = ctx->core->fs; | ||
40 | + /* The pipe device can be reached in two ways, explicltly with %pipe% | ||
41 | + or implicitly with "|", so we have to check for both | ||
42 | + */ | ||
43 | + char f[gp_file_name_sizeof]; | ||
44 | + const char *pipestr = "|"; | ||
45 | + const size_t pipestrlen = strlen(pipestr); | ||
46 | + const size_t preflen = strlen(iodev->dname); | ||
47 | + const size_t nlen = strlen(fname); | ||
48 | + int code1; | ||
49 | + | ||
50 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
51 | + return_error(gs_error_invalidaccess); | ||
52 | + | ||
53 | + memcpy(f, iodev->dname, preflen); | ||
54 | + memcpy(f + preflen, fname, nlen + 1); | ||
55 | + | ||
56 | + code1 = gp_validate_path(mem, f, access); | ||
57 | + | ||
58 | + memcpy(f, pipestr, pipestrlen); | ||
59 | + memcpy(f + pipestrlen, fname, nlen + 1); | ||
60 | |||
61 | - if (gp_validate_path(mem, fname, access) != 0) | ||
62 | + if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) | ||
63 | return gs_error_invalidfileaccess; | ||
64 | |||
65 | /* | ||
66 | diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c | ||
67 | index 2b964ed74..8d87ceadc 100644 | ||
68 | --- a/base/gp_mshdl.c | ||
69 | +++ b/base/gp_mshdl.c | ||
70 | @@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
71 | long hfile; /* Correct for Win32, may be wrong for Win64 */ | ||
72 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
73 | gs_fs_list_t *fs = ctx->core->fs; | ||
74 | + char f[gp_file_name_sizeof]; | ||
75 | + const size_t preflen = strlen(iodev->dname); | ||
76 | + const size_t nlen = strlen(fname); | ||
77 | |||
78 | - if (gp_validate_path(mem, fname, access) != 0) | ||
79 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
80 | + return_error(gs_error_invalidaccess); | ||
81 | + | ||
82 | + memcpy(f, iodev->dname, preflen); | ||
83 | + memcpy(f + preflen, fname, nlen + 1); | ||
84 | + | ||
85 | + if (gp_validate_path(mem, f, access) != 0) | ||
86 | return gs_error_invalidfileaccess; | ||
87 | |||
88 | /* First we try the open_handle method. */ | ||
89 | diff --git a/base/gp_msprn.c b/base/gp_msprn.c | ||
90 | index ed4827968..746a974f7 100644 | ||
91 | --- a/base/gp_msprn.c | ||
92 | +++ b/base/gp_msprn.c | ||
93 | @@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
94 | unsigned long *ptid = &((tid_t *)(iodev->state))->tid; | ||
95 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
96 | gs_fs_list_t *fs = ctx->core->fs; | ||
97 | + const size_t preflen = strlen(iodev->dname); | ||
98 | + const size_t nlen = strlen(fname); | ||
99 | |||
100 | - if (gp_validate_path(mem, fname, access) != 0) | ||
101 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
102 | + return_error(gs_error_invalidaccess); | ||
103 | + | ||
104 | + memcpy(pname, iodev->dname, preflen); | ||
105 | + memcpy(pname + preflen, fname, nlen + 1); | ||
106 | + | ||
107 | + if (gp_validate_path(mem, pname, access) != 0) | ||
108 | return gs_error_invalidfileaccess; | ||
109 | |||
110 | /* First we try the open_printer method. */ | ||
111 | diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c | ||
112 | index f852c71fc..ba54cde66 100644 | ||
113 | --- a/base/gp_os2pr.c | ||
114 | +++ b/base/gp_os2pr.c | ||
115 | @@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
116 | FILE ** pfile, char *rfname, uint rnamelen) | ||
117 | { | ||
118 | os2_printer_t *pr = (os2_printer_t *)iodev->state; | ||
119 | - char driver_name[256]; | ||
120 | + char driver_name[gp_file_name_sizeof]; | ||
121 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
122 | gs_fs_list_t *fs = ctx->core->fs; | ||
123 | + const size_t preflen = strlen(iodev->dname); | ||
124 | + const int size_t = strlen(fname); | ||
125 | + | ||
126 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
127 | + return_error(gs_error_invalidaccess); | ||
128 | + | ||
129 | + memcpy(driver_name, iodev->dname, preflen); | ||
130 | + memcpy(driver_name + preflen, fname, nlen + 1); | ||
131 | + | ||
132 | + if (gp_validate_path(mem, driver_name, access) != 0) | ||
133 | + return gs_error_invalidfileaccess; | ||
134 | |||
135 | /* First we try the open_printer method. */ | ||
136 | /* Note that the loop condition here ensures we don't | ||
137 | diff --git a/base/gslibctx.c b/base/gslibctx.c | ||
138 | index 6dfed6cd5..318039fad 100644 | ||
139 | --- a/base/gslibctx.c | ||
140 | +++ b/base/gslibctx.c | ||
141 | @@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) | ||
142 | int | ||
143 | gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
144 | { | ||
145 | - char *fp, f[gp_file_name_sizeof]; | ||
146 | - const int pipe = 124; /* ASCII code for '|' */ | ||
147 | - const int len = strlen(fname); | ||
148 | - int i, code; | ||
149 | + char f[gp_file_name_sizeof]; | ||
150 | + int code; | ||
151 | |||
152 | /* Be sure the string copy will fit */ | ||
153 | - if (len >= gp_file_name_sizeof) | ||
154 | + if (strlen(fname) >= gp_file_name_sizeof) | ||
155 | return gs_error_rangecheck; | ||
156 | strcpy(f, fname); | ||
157 | - fp = f; | ||
158 | /* Try to rewrite any %d (or similar) in the string */ | ||
159 | rewrite_percent_specifiers(f); | ||
160 | - for (i = 0; i < len; i++) { | ||
161 | - if (f[i] == pipe) { | ||
162 | - fp = &f[i + 1]; | ||
163 | - /* Because we potentially have to check file permissions at two levels | ||
164 | - for the output file (gx_device_open_output_file and the low level | ||
165 | - fopen API, if we're using a pipe, we have to add both the full string, | ||
166 | - (including the '|', and just the command to which we pipe - since at | ||
167 | - the pipe_fopen(), the leading '|' has been stripped. | ||
168 | - */ | ||
169 | - code = gs_add_control_path(mem, gs_permit_file_writing, f); | ||
170 | - if (code < 0) | ||
171 | - return code; | ||
172 | - code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
173 | - if (code < 0) | ||
174 | - return code; | ||
175 | - break; | ||
176 | - } | ||
177 | - if (!IS_WHITESPACE(f[i])) | ||
178 | - break; | ||
179 | - } | ||
180 | - code = gs_add_control_path(mem, gs_permit_file_control, fp); | ||
181 | + | ||
182 | + code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
183 | if (code < 0) | ||
184 | return code; | ||
185 | - return gs_add_control_path(mem, gs_permit_file_writing, fp); | ||
186 | + return gs_add_control_path(mem, gs_permit_file_writing, f); | ||
187 | } | ||
188 | |||
189 | int | ||
190 | gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
191 | { | ||
192 | - char *fp, f[gp_file_name_sizeof]; | ||
193 | - const int pipe = 124; /* ASCII code for '|' */ | ||
194 | - const int len = strlen(fname); | ||
195 | - int i, code; | ||
196 | + char f[gp_file_name_sizeof]; | ||
197 | + int code; | ||
198 | |||
199 | /* Be sure the string copy will fit */ | ||
200 | - if (len >= gp_file_name_sizeof) | ||
201 | + if (strlen(fname) >= gp_file_name_sizeof) | ||
202 | return gs_error_rangecheck; | ||
203 | strcpy(f, fname); | ||
204 | - fp = f; | ||
205 | /* Try to rewrite any %d (or similar) in the string */ | ||
206 | - for (i = 0; i < len; i++) { | ||
207 | - if (f[i] == pipe) { | ||
208 | - fp = &f[i + 1]; | ||
209 | - /* Because we potentially have to check file permissions at two levels | ||
210 | - for the output file (gx_device_open_output_file and the low level | ||
211 | - fopen API, if we're using a pipe, we have to add both the full string, | ||
212 | - (including the '|', and just the command to which we pipe - since at | ||
213 | - the pipe_fopen(), the leading '|' has been stripped. | ||
214 | - */ | ||
215 | - code = gs_remove_control_path(mem, gs_permit_file_writing, f); | ||
216 | - if (code < 0) | ||
217 | - return code; | ||
218 | - code = gs_remove_control_path(mem, gs_permit_file_control, f); | ||
219 | - if (code < 0) | ||
220 | - return code; | ||
221 | - break; | ||
222 | - } | ||
223 | - if (!IS_WHITESPACE(f[i])) | ||
224 | - break; | ||
225 | - } | ||
226 | - code = gs_remove_control_path(mem, gs_permit_file_control, fp); | ||
227 | + rewrite_percent_specifiers(f); | ||
228 | + | ||
229 | + code = gs_remove_control_path(mem, gs_permit_file_control, f); | ||
230 | if (code < 0) | ||
231 | return code; | ||
232 | - return gs_remove_control_path(mem, gs_permit_file_writing, fp); | ||
233 | + return gs_remove_control_path(mem, gs_permit_file_writing, f); | ||
234 | } | ||
235 | |||
236 | int | ||
237 | -- | ||
238 | 2.25.1 | ||