diff options
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch new file mode 100644 index 0000000000..a3bbe958eb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch | |||
@@ -0,0 +1,145 @@ | |||
1 | From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 7 Jun 2023 10:23:06 +0100 | ||
4 | Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation | ||
5 | |||
6 | For regular file names, we try to simplfy relative paths before we use them. | ||
7 | |||
8 | Because the %pipe% device can, effectively, accept command line calls, we | ||
9 | shouldn't be simplifying that string, because the command line syntax can end | ||
10 | up confusing the path simplifying code. That can result in permitting a pipe | ||
11 | command which does not match what was originally permitted. | ||
12 | |||
13 | Special case "%pipe" in the validation code so we always deal with the entire | ||
14 | string. | ||
15 | |||
16 | Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c] | ||
17 | CVE: CVE-2023-36664 | ||
18 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
19 | --- | ||
20 | base/gpmisc.c | 31 +++++++++++++++++++-------- | ||
21 | base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++------------- | ||
22 | 2 files changed, 64 insertions(+), 23 deletions(-) | ||
23 | |||
24 | diff --git a/base/gpmisc.c b/base/gpmisc.c | ||
25 | index c4fffae..09ac6b3 100644 | ||
26 | --- a/base/gpmisc.c | ||
27 | +++ b/base/gpmisc.c | ||
28 | @@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem, | ||
29 | && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { | ||
30 | prefix_len = 0; | ||
31 | } | ||
32 | - rlen = len+1; | ||
33 | - bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); | ||
34 | - if (bufferfull == NULL) | ||
35 | - return gs_error_VMerror; | ||
36 | - | ||
37 | - buffer = bufferfull + prefix_len; | ||
38 | - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) | ||
39 | - return gs_error_invalidfileaccess; | ||
40 | - buffer[rlen] = 0; | ||
41 | |||
42 | + /* "%pipe%" do not follow the normal rules for path definitions, so we | ||
43 | + don't "reduce" them to avoid unexpected results | ||
44 | + */ | ||
45 | + if (len > 5 && memcmp(path, "%pipe", 5) != 0) { | ||
46 | + bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); | ||
47 | + if (buffer == NULL) | ||
48 | + return gs_error_VMerror; | ||
49 | + memcpy(buffer, path, len); | ||
50 | + buffer[len] = 0; | ||
51 | + rlen = len; | ||
52 | + } | ||
53 | + else { | ||
54 | + rlen = len+1; | ||
55 | + bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); | ||
56 | + if (bufferfull == NULL) | ||
57 | + return gs_error_VMerror; | ||
58 | + | ||
59 | + buffer = bufferfull + prefix_len; | ||
60 | + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) | ||
61 | + return gs_error_invalidfileaccess; | ||
62 | + buffer[rlen] = 0; | ||
63 | + } | ||
64 | while (1) { | ||
65 | switch (mode[0]) | ||
66 | { | ||
67 | diff --git a/base/gslibctx.c b/base/gslibctx.c | ||
68 | index 20c5eee..355c0e3 100644 | ||
69 | --- a/base/gslibctx.c | ||
70 | +++ b/base/gslibctx.c | ||
71 | @@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch | ||
72 | return gs_error_rangecheck; | ||
73 | } | ||
74 | |||
75 | - rlen = len+1; | ||
76 | - buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); | ||
77 | - if (buffer == NULL) | ||
78 | - return gs_error_VMerror; | ||
79 | + /* "%pipe%" do not follow the normal rules for path definitions, so we | ||
80 | + don't "reduce" them to avoid unexpected results | ||
81 | + */ | ||
82 | + if (len > 5 && memcmp(path, "%pipe", 5) != 0) { | ||
83 | + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); | ||
84 | + if (buffer == NULL) | ||
85 | + return gs_error_VMerror; | ||
86 | + memcpy(buffer, path, len); | ||
87 | + buffer[len] = 0; | ||
88 | + rlen = len; | ||
89 | + } | ||
90 | + else { | ||
91 | + rlen = len + 1; | ||
92 | |||
93 | - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) | ||
94 | - return gs_error_invalidfileaccess; | ||
95 | - buffer[rlen] = 0; | ||
96 | + buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); | ||
97 | + if (buffer == NULL) | ||
98 | + return gs_error_VMerror; | ||
99 | + | ||
100 | + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) | ||
101 | + return gs_error_invalidfileaccess; | ||
102 | + buffer[rlen] = 0; | ||
103 | + } | ||
104 | |||
105 | n = control->num; | ||
106 | for (i = 0; i < n; i++) | ||
107 | @@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const | ||
108 | return gs_error_rangecheck; | ||
109 | } | ||
110 | |||
111 | - rlen = len+1; | ||
112 | - buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); | ||
113 | - if (buffer == NULL) | ||
114 | - return gs_error_VMerror; | ||
115 | + /* "%pipe%" do not follow the normal rules for path definitions, so we | ||
116 | + don't "reduce" them to avoid unexpected results | ||
117 | + */ | ||
118 | + if (len > 5 && memcmp(path, "%pipe", 5) != 0) { | ||
119 | + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); | ||
120 | + if (buffer == NULL) | ||
121 | + return gs_error_VMerror; | ||
122 | + memcpy(buffer, path, len); | ||
123 | + buffer[len] = 0; | ||
124 | + rlen = len; | ||
125 | + } | ||
126 | + else { | ||
127 | + rlen = len+1; | ||
128 | |||
129 | - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) | ||
130 | - return gs_error_invalidfileaccess; | ||
131 | - buffer[rlen] = 0; | ||
132 | + buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); | ||
133 | + if (buffer == NULL) | ||
134 | + return gs_error_VMerror; | ||
135 | + | ||
136 | + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) | ||
137 | + return gs_error_invalidfileaccess; | ||
138 | + buffer[rlen] = 0; | ||
139 | + } | ||
140 | |||
141 | n = control->num; | ||
142 | for (i = 0; i < n; i++) { | ||
143 | -- | ||
144 | 2.25.1 | ||
145 | |||