2 files changed, 166 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch
new file mode 100644
index 0000000000..fea0665523
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch
@@ -0,0 +1,165 @@
+From 6f244ecef4a740b3b2dde15303b13a93a83706c1 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
+ validation
+For regular file names, we try to simplfy relative paths before we use them.
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+Bug 706778: 706761 revisit
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+This addresses both those.
+---
+CVE: CVE-2023-36664
+Upstream-Status: Backport [see text]
+From git://git.ghostscript.com/ghostpdl
+  commit 5e65eeae225c7d02d447de5abaf4a8e6d234fcea
+  commit fb342fdb60391073a69147cb71af1ac416a81099
+  
+The second commit fixes errors in the first one, so we combine them.
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ base/gpmisc.c   | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 3d878ac..f9a9230 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+           prefix_len = 0;
+     }
+-    rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+-    if (bufferfull == NULL)
+-        return gs_error_VMerror;
+-
+-    buffer = bufferfull + prefix_len;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+ 
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len+1;
+        bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+        if (bufferfull == NULL)
+            return gs_error_VMerror;
+
+        buffer = bufferfull + prefix_len;
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+     while (1) {
+         switch (mode[0])
+         {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 1862482..8bfe4bb 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len + 1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++)
+@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len+1;
+ 
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++) {
+-- 
+2.35.5
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
index 86ecdbe24a..9a900ee04f 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
@@ -35,6 +35,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://mkdir-p.patch \
                file://cross-compile.patch \
                file://cve-2023-28879.patch \
+                file://cve-2023-36664.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \

diff --git a/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch new file mode 100644 index 0000000000..fea0665523 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/cve-2023-36664.patch
@@ -0,0 +1,165 @@
		1	From 6f244ecef4a740b3b2dde15303b13a93a83706c1 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Wed, 7 Jun 2023 10:23:06 +0100
		4	Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
		5	validation
		6
		7	For regular file names, we try to simplfy relative paths before we use them.
		8
		9	Because the %pipe% device can, effectively, accept command line calls, we
		10	shouldn't be simplifying that string, because the command line syntax can end
		11	up confusing the path simplifying code. That can result in permitting a pipe
		12	command which does not match what was originally permitted.
		13
		14	Special case "%pipe" in the validation code so we always deal with the entire
		15	string.
		16
		17	Bug 706778: 706761 revisit
		18
		19	Two problems with the original commit. The first a silly typo inverting the
		20	logic of a test.
		21
		22	The second was forgetting that we actually actually validate two candidate
		23	strings for pipe devices. One with the expected "%pipe%" prefix, the other
		24	using the pipe character prefix: "\|".
		25
		26	This addresses both those.
		27	---
		28	CVE: CVE-2023-36664
		29
		30	Upstream-Status: Backport [see text]
		31
		32	From git://git.ghostscript.com/ghostpdl
		33	commit 5e65eeae225c7d02d447de5abaf4a8e6d234fcea
		34	commit fb342fdb60391073a69147cb71af1ac416a81099
		35
		36	The second commit fixes errors in the first one, so we combine them.
		37
		38	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		39	---
		40	base/gpmisc.c \| 31 +++++++++++++++++++--------
		41	base/gslibctx.c \| 56 ++++++++++++++++++++++++++++++++++++-------------
		42	2 files changed, 64 insertions(+), 23 deletions(-)
		43
		44	diff --git a/base/gpmisc.c b/base/gpmisc.c
		45	index 3d878ac..f9a9230 100644
		46	--- a/base/gpmisc.c
		47	+++ b/base/gpmisc.c
		48	@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
		49	&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
		50	prefix_len = 0;
		51	}
		52	- rlen = len+1;
		53	- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
		54	- if (bufferfull == NULL)
		55	- return gs_error_VMerror;
		56	-
		57	- buffer = bufferfull + prefix_len;
		58	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		59	- return gs_error_invalidfileaccess;
		60	- buffer[rlen] = 0;
		61
		62	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		63	+ don't "reduce" them to avoid unexpected results
		64	+ */
		65	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		66	+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
		67	+ if (buffer == NULL)
		68	+ return gs_error_VMerror;
		69	+ memcpy(buffer, path, len);
		70	+ buffer[len] = 0;
		71	+ rlen = len;
		72	+ }
		73	+ else {
		74	+ rlen = len+1;
		75	+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
		76	+ if (bufferfull == NULL)
		77	+ return gs_error_VMerror;
		78	+
		79	+ buffer = bufferfull + prefix_len;
		80	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		81	+ return gs_error_invalidfileaccess;
		82	+ buffer[rlen] = 0;
		83	+ }
		84	while (1) {
		85	switch (mode[0])
		86	{
		87	diff --git a/base/gslibctx.c b/base/gslibctx.c
		88	index 1862482..8bfe4bb 100644
		89	--- a/base/gslibctx.c
		90	+++ b/base/gslibctx.c
		91	@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
		92	return gs_error_rangecheck;
		93	}
		94
		95	- rlen = len+1;
		96	- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
		97	- if (buffer == NULL)
		98	- return gs_error_VMerror;
		99	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		100	+ don't "reduce" them to avoid unexpected results
		101	+ */
		102	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		103	+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
		104	+ if (buffer == NULL)
		105	+ return gs_error_VMerror;
		106	+ memcpy(buffer, path, len);
		107	+ buffer[len] = 0;
		108	+ rlen = len;
		109	+ }
		110	+ else {
		111	+ rlen = len + 1;
		112
		113	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		114	- return gs_error_invalidfileaccess;
		115	- buffer[rlen] = 0;
		116	+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
		117	+ if (buffer == NULL)
		118	+ return gs_error_VMerror;
		119	+
		120	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		121	+ return gs_error_invalidfileaccess;
		122	+ buffer[rlen] = 0;
		123	+ }
		124
		125	n = control->num;
		126	for (i = 0; i < n; i++)
		127	@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
		128	return gs_error_rangecheck;
		129	}
		130
		131	- rlen = len+1;
		132	- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
		133	- if (buffer == NULL)
		134	- return gs_error_VMerror;
		135	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		136	+ don't "reduce" them to avoid unexpected results
		137	+ */
		138	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		139	+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
		140	+ if (buffer == NULL)
		141	+ return gs_error_VMerror;
		142	+ memcpy(buffer, path, len);
		143	+ buffer[len] = 0;
		144	+ rlen = len;
		145	+ }
		146	+ else {
		147	+ rlen = len+1;
		148
		149	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		150	- return gs_error_invalidfileaccess;
		151	- buffer[rlen] = 0;
		152	+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
		153	+ if (buffer == NULL)
		154	+ return gs_error_VMerror;
		155	+
		156	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		157	+ return gs_error_invalidfileaccess;
		158	+ buffer[rlen] = 0;
		159	+ }
		160
		161	n = control->num;
		162	for (i = 0; i < n; i++) {
		163	--
		164	2.35.5
		165


diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb index 86ecdbe24a..9a900ee04f 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
@@ -35,6 +35,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
35	file://mkdir-p.patch \	35	file://mkdir-p.patch \
36	file://cross-compile.patch \	36	file://cross-compile.patch \
37	file://cve-2023-28879.patch \	37	file://cve-2023-28879.patch \
		38	file://cve-2023-36664.patch \
38	"	39	"
39		40
40	SRC_URI = "${SRC_URI_BASE} \	41	SRC_URI = "${SRC_URI_BASE} \