1 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
new file mode 100644
index 0000000000..a3bbe958eb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
+From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation
+For regular file names, we try to simplfy relative paths before we use them.
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c   | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4fffae..09ac6b3 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+           prefix_len = 0;
+     }
+-    rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+-    if (bufferfull == NULL)
+-        return gs_error_VMerror;
+-
+-    buffer = bufferfull + prefix_len;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+ 
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+       bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+       memcpy(buffer, path, len);
+       buffer[len] = 0;
+       rlen = len;
+    }
+    else {
+       rlen = len+1;
+       bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+       if (bufferfull == NULL)
+           return gs_error_VMerror;
+
+       buffer = bufferfull + prefix_len;
+       if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+           return gs_error_invalidfileaccess;
+       buffer[rlen] = 0;
+    }
+     while (1) {
+         switch (mode[0])
+         {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 20c5eee..355c0e3 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+       buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+       memcpy(buffer, path, len);
+       buffer[len] = 0;
+       rlen = len;
+    }
+    else {
+       rlen = len + 1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+       buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+
+       if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+           return gs_error_invalidfileaccess;
+       buffer[rlen] = 0;
+    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++)
+@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+       buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+       memcpy(buffer, path, len);
+       buffer[len] = 0;
+       rlen = len;
+    }
+    else {
+       rlen = len+1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+       buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+       if (buffer == NULL)
+           return gs_error_VMerror;
+
+       if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+           return gs_error_invalidfileaccess;
+       buffer[rlen] = 0;
+    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++) {
+-- 
+2.25.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch new file mode 100644 index 0000000000..a3bbe958eb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
	1	From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
	2	From: Chris Liddell <chris.liddell@artifex.com>
	3	Date: Wed, 7 Jun 2023 10:23:06 +0100
	4	Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation
	5
	6	For regular file names, we try to simplfy relative paths before we use them.
	7
	8	Because the %pipe% device can, effectively, accept command line calls, we
	9	shouldn't be simplifying that string, because the command line syntax can end
	10	up confusing the path simplifying code. That can result in permitting a pipe
	11	command which does not match what was originally permitted.
	12
	13	Special case "%pipe" in the validation code so we always deal with the entire
	14	string.
	15
	16	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
	17	CVE: CVE-2023-36664
	18	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	19	---
	20	base/gpmisc.c \| 31 +++++++++++++++++++--------
	21	base/gslibctx.c \| 56 ++++++++++++++++++++++++++++++++++++-------------
	22	2 files changed, 64 insertions(+), 23 deletions(-)
	23
	24	diff --git a/base/gpmisc.c b/base/gpmisc.c
	25	index c4fffae..09ac6b3 100644
	26	--- a/base/gpmisc.c
	27	+++ b/base/gpmisc.c
	28	@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
	29	&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
	30	prefix_len = 0;
	31	}
	32	- rlen = len+1;
	33	- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
	34	- if (bufferfull == NULL)
	35	- return gs_error_VMerror;
	36	-
	37	- buffer = bufferfull + prefix_len;
	38	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
	39	- return gs_error_invalidfileaccess;
	40	- buffer[rlen] = 0;
	41
	42	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
	43	+ don't "reduce" them to avoid unexpected results
	44	+ */
	45	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
	46	+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
	47	+ if (buffer == NULL)
	48	+ return gs_error_VMerror;
	49	+ memcpy(buffer, path, len);
	50	+ buffer[len] = 0;
	51	+ rlen = len;
	52	+ }
	53	+ else {
	54	+ rlen = len+1;
	55	+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
	56	+ if (bufferfull == NULL)
	57	+ return gs_error_VMerror;
	58	+
	59	+ buffer = bufferfull + prefix_len;
	60	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
	61	+ return gs_error_invalidfileaccess;
	62	+ buffer[rlen] = 0;
	63	+ }
	64	while (1) {
	65	switch (mode[0])
	66	{
	67	diff --git a/base/gslibctx.c b/base/gslibctx.c
	68	index 20c5eee..355c0e3 100644
	69	--- a/base/gslibctx.c
	70	+++ b/base/gslibctx.c
	71	@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
	72	return gs_error_rangecheck;
	73	}
	74
	75	- rlen = len+1;
	76	- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
	77	- if (buffer == NULL)
	78	- return gs_error_VMerror;
	79	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
	80	+ don't "reduce" them to avoid unexpected results
	81	+ */
	82	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
	83	+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
	84	+ if (buffer == NULL)
	85	+ return gs_error_VMerror;
	86	+ memcpy(buffer, path, len);
	87	+ buffer[len] = 0;
	88	+ rlen = len;
	89	+ }
	90	+ else {
	91	+ rlen = len + 1;
	92
	93	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
	94	- return gs_error_invalidfileaccess;
	95	- buffer[rlen] = 0;
	96	+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
	97	+ if (buffer == NULL)
	98	+ return gs_error_VMerror;
	99	+
	100	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
	101	+ return gs_error_invalidfileaccess;
	102	+ buffer[rlen] = 0;
	103	+ }
	104
	105	n = control->num;
	106	for (i = 0; i < n; i++)
	107	@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
	108	return gs_error_rangecheck;
	109	}
	110
	111	- rlen = len+1;
	112	- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
	113	- if (buffer == NULL)
	114	- return gs_error_VMerror;
	115	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
	116	+ don't "reduce" them to avoid unexpected results
	117	+ */
	118	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
	119	+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
	120	+ if (buffer == NULL)
	121	+ return gs_error_VMerror;
	122	+ memcpy(buffer, path, len);
	123	+ buffer[len] = 0;
	124	+ rlen = len;
	125	+ }
	126	+ else {
	127	+ rlen = len+1;
	128
	129	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
	130	- return gs_error_invalidfileaccess;
	131	- buffer[rlen] = 0;
	132	+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
	133	+ if (buffer == NULL)
	134	+ return gs_error_VMerror;
	135	+
	136	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
	137	+ return gs_error_invalidfileaccess;
	138	+ buffer[rlen] = 0;
	139	+ }
	140
	141	n = control->num;
	142	for (i = 0; i < n; i++) {
	143	--
	144	2.25.1
	145