diff options
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch')
-rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch new file mode 100644 index 0000000000..3acb8a503c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001 | ||
2 | From: Ken Sharp <ken.sharp@artifex.com> | ||
3 | Date: Thu, 24 Aug 2023 15:24:35 +0100 | ||
4 | Subject: [PATCH] IJS device - try and secure the IJS server startup | ||
5 | |||
6 | Bug #707051 ""ijs" device can execute arbitrary commands" | ||
7 | |||
8 | The problem is that the 'IJS' device needs to start the IJS server, and | ||
9 | that is indeed an arbitrary command line. There is (apparently) no way | ||
10 | to validate it. Indeed, this is covered quite clearly in the comments | ||
11 | at the start of the source: | ||
12 | |||
13 | * WARNING: The ijs server can be selected on the gs command line | ||
14 | * which is a security risk, since any program can be run. | ||
15 | |||
16 | Previously this used the awful LockSafetyParams hackery, which we | ||
17 | abandoned some time ago because it simply couldn't be made secure (it | ||
18 | was implemented in PostScript and was therefore vulnerable to PostScript | ||
19 | programs). | ||
20 | |||
21 | This commit prevents PostScript programs switching to the IJS device | ||
22 | after SAFER has been activated, and prevents changes to the IjsServer | ||
23 | parameter after SAFER has been activated. | ||
24 | |||
25 | SAFER is activated, unless explicitly disabled, before any user | ||
26 | PostScript is executed which means that the device and the server | ||
27 | invocation can only be configured on the command line. This does at | ||
28 | least provide minimal security against malicious PostScript programs. | ||
29 | |||
30 | Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5] | ||
31 | CVE: CVE-2023-43115 | ||
32 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
33 | --- | ||
34 | devices/gdevijs.c | 5 ++++- | ||
35 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
36 | |||
37 | diff --git a/devices/gdevijs.c b/devices/gdevijs.c | ||
38 | index 3d337c5..e50d69f 100644 | ||
39 | --- a/devices/gdevijs.c | ||
40 | +++ b/devices/gdevijs.c | ||
41 | @@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device *from_dev) | ||
42 | static const char rgb[] = "DeviceRGB"; | ||
43 | gx_device_ijs *ijsdev = (gx_device_ijs *)dev; | ||
44 | |||
45 | + if (ijsdev->memory->gs_lib_ctx->core->path_control_active) | ||
46 | + return_error(gs_error_invalidaccess); | ||
47 | + | ||
48 | code = gx_default_finish_copydevice(dev, from_dev); | ||
49 | if(code < 0) | ||
50 | return code; | ||
51 | @@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) | ||
52 | if (code >= 0) | ||
53 | code = gsijs_read_string(plist, "IjsServer", | ||
54 | ijsdev->IjsServer, sizeof(ijsdev->IjsServer), | ||
55 | - dev->LockSafetyParams, is_open); | ||
56 | + ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); | ||
57 | |||
58 | if (code >= 0) | ||
59 | code = gsijs_read_string_malloc(plist, "DeviceManufacturer", | ||
60 | -- | ||
61 | 2.25.1 | ||
62 | |||