1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
new file mode 100644
index 0000000000..3acb8a503c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@
+From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH] IJS device - try and secure the IJS server startup
+Bug #707051 ""ijs" device can execute arbitrary commands"
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5]
+CVE: CVE-2023-43115
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ devices/gdevijs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 3d337c5..e50d69f 100644
+--- a/devices/gdevijs.c
+++ b/devices/gdevijs.c
+@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device *from_dev)
+     static const char rgb[] = "DeviceRGB";
+     gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ 
+    if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
+       return_error(gs_error_invalidaccess);
+
+     code = gx_default_finish_copydevice(dev, from_dev);
+     if(code < 0)
+         return code;
+@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+     if (code >= 0)
+         code = gsijs_read_string(plist, "IjsServer",
+             ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+-            dev->LockSafetyParams, is_open);
+           ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+ 
+     if (code >= 0)
+         code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+-- 
+2.25.1

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch new file mode 100644 index 0000000000..3acb8a503c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@
	1	From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
	2	From: Ken Sharp <ken.sharp@artifex.com>
	3	Date: Thu, 24 Aug 2023 15:24:35 +0100
	4	Subject: [PATCH] IJS device - try and secure the IJS server startup
	5
	6	Bug #707051 ""ijs" device can execute arbitrary commands"
	7
	8	The problem is that the 'IJS' device needs to start the IJS server, and
	9	that is indeed an arbitrary command line. There is (apparently) no way
	10	to validate it. Indeed, this is covered quite clearly in the comments
	11	at the start of the source:
	12
	13	* WARNING: The ijs server can be selected on the gs command line
	14	* which is a security risk, since any program can be run.
	15
	16	Previously this used the awful LockSafetyParams hackery, which we
	17	abandoned some time ago because it simply couldn't be made secure (it
	18	was implemented in PostScript and was therefore vulnerable to PostScript
	19	programs).
	20
	21	This commit prevents PostScript programs switching to the IJS device
	22	after SAFER has been activated, and prevents changes to the IjsServer
	23	parameter after SAFER has been activated.
	24
	25	SAFER is activated, unless explicitly disabled, before any user
	26	PostScript is executed which means that the device and the server
	27	invocation can only be configured on the command line. This does at
	28	least provide minimal security against malicious PostScript programs.
	29
	30	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5]
	31	CVE: CVE-2023-43115
	32	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	33	---
	34	devices/gdevijs.c \| 5 ++++-
	35	1 file changed, 4 insertions(+), 1 deletion(-)
	36
	37	diff --git a/devices/gdevijs.c b/devices/gdevijs.c
	38	index 3d337c5..e50d69f 100644
	39	--- a/devices/gdevijs.c
	40	+++ b/devices/gdevijs.c
	41	@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device dev, const gx_device from_dev)
	42	static const char rgb[] = "DeviceRGB";
	43	gx_device_ijs ijsdev = (gx_device_ijs )dev;
	44
	45	+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
	46	+ return_error(gs_error_invalidaccess);
	47	+
	48	code = gx_default_finish_copydevice(dev, from_dev);
	49	if(code < 0)
	50	return code;
	51	@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device dev, gs_param_list plist)
	52	if (code >= 0)
	53	code = gsijs_read_string(plist, "IjsServer",
	54	ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
	55	- dev->LockSafetyParams, is_open);
	56	+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
	57
	58	if (code >= 0)
	59	code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
	60	--
	61	2.25.1
	62