3 files changed, 208 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
new file mode 100644
index 0000000000..99fcc61b9b
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
@@ -0,0 +1,146 @@
+From ed607fedbcd41f4a0e71df6af4ba5b07dd630209 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH 1/2] Bug 706761: Don't "reduce" %pipe% file names for
+ permission validation
+For regular file names, we try to simplfy relative paths before we use them.
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea]
+CVE: CVE-2023-36664
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gpmisc.c   | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 8b6458a..c61ab3f 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+           prefix_len = 0;
+     }
+-    rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+-    if (bufferfull == NULL)
+-        return gs_error_VMerror;
+-
+-    buffer = bufferfull + prefix_len;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len+1;
+        bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+        if (bufferfull == NULL)
+            return gs_error_VMerror;
+
+        buffer = bufferfull + prefix_len;
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+     while (1) {
+         switch (mode[0])
+         {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 5bf497b..5fdfe25 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -734,14 +734,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+             return gs_error_rangecheck;
+     }
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len + 1;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+     n = control->num;
+     for (i = 0; i < n; i++)
+@@ -827,14 +841,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+             return gs_error_rangecheck;
+     }
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+    /* "%pipe%" do not follow the normal rules for path definitions, so we
+       don't "reduce" them to avoid unexpected results
+     */
+    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+        memcpy(buffer, path, len);
+        buffer[len] = 0;
+        rlen = len;
+    }
+    else {
+        rlen = len+1;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
+        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+        if (buffer == NULL)
+            return gs_error_VMerror;
+
+        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+            return gs_error_invalidfileaccess;
+        buffer[rlen] = 0;
+    }
+     n = control->num;
+     for (i = 0; i < n; i++) {
+--
+2.40.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch
new file mode 100644
index 0000000000..7d78e6b1b1
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch
@@ -0,0 +1,60 @@
+From f96350aeb7f8c2e3f7129866c694a24f241db18c Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH 2/2] Bug 706778: 706761 revisit
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+This addresses both those.
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099]
+CVE: CVE-2023-36664
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ base/gpmisc.c   | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c61ab3f..e459f6a 100644
+--- a/base/gpmisc.c
+++ b/base/gpmisc.c
+@@ -1080,7 +1080,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+         bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+         if (buffer == NULL)
+             return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 5fdfe25..2a1addf 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -737,7 +737,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+         buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+         if (buffer == NULL)
+             return gs_error_VMerror;
+@@ -844,7 +844,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+     /* "%pipe%" do not follow the normal rules for path definitions, so we
+        don't "reduce" them to avoid unexpected results
+      */
+-    if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+         buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+         if (buffer == NULL)
+             return gs_error_VMerror;
+--
+2.40.1
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index f29c57beea..48508fd6a2 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -35,6 +35,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://mkdir-p.patch \
                file://CVE-2022-2085.patch \
                file://cve-2023-28879.patch \
+                file://CVE-2023-36664-0001.patch \
+                file://CVE-2023-36664-0002.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch new file mode 100644 index 0000000000..99fcc61b9b --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
@@ -0,0 +1,146 @@
		1	From ed607fedbcd41f4a0e71df6af4ba5b07dd630209 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Wed, 7 Jun 2023 10:23:06 +0100
		4	Subject: [PATCH 1/2] Bug 706761: Don't "reduce" %pipe% file names for
		5	permission validation
		6
		7	For regular file names, we try to simplfy relative paths before we use them.
		8
		9	Because the %pipe% device can, effectively, accept command line calls, we
		10	shouldn't be simplifying that string, because the command line syntax can end
		11	up confusing the path simplifying code. That can result in permitting a pipe
		12	command which does not match what was originally permitted.
		13
		14	Special case "%pipe" in the validation code so we always deal with the entire
		15	string.
		16
		17	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea]
		18	CVE: CVE-2023-36664
		19
		20	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		21	---
		22	base/gpmisc.c \| 31 +++++++++++++++++++--------
		23	base/gslibctx.c \| 56 ++++++++++++++++++++++++++++++++++++-------------
		24	2 files changed, 64 insertions(+), 23 deletions(-)
		25
		26	diff --git a/base/gpmisc.c b/base/gpmisc.c
		27	index 8b6458a..c61ab3f 100644
		28	--- a/base/gpmisc.c
		29	+++ b/base/gpmisc.c
		30	@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
		31	&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
		32	prefix_len = 0;
		33	}
		34	- rlen = len+1;
		35	- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
		36	- if (bufferfull == NULL)
		37	- return gs_error_VMerror;
		38	-
		39	- buffer = bufferfull + prefix_len;
		40	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		41	- return gs_error_invalidfileaccess;
		42	- buffer[rlen] = 0;
		43
		44	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		45	+ don't "reduce" them to avoid unexpected results
		46	+ */
		47	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		48	+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
		49	+ if (buffer == NULL)
		50	+ return gs_error_VMerror;
		51	+ memcpy(buffer, path, len);
		52	+ buffer[len] = 0;
		53	+ rlen = len;
		54	+ }
		55	+ else {
		56	+ rlen = len+1;
		57	+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
		58	+ if (bufferfull == NULL)
		59	+ return gs_error_VMerror;
		60	+
		61	+ buffer = bufferfull + prefix_len;
		62	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		63	+ return gs_error_invalidfileaccess;
		64	+ buffer[rlen] = 0;
		65	+ }
		66	while (1) {
		67	switch (mode[0])
		68	{
		69	diff --git a/base/gslibctx.c b/base/gslibctx.c
		70	index 5bf497b..5fdfe25 100644
		71	--- a/base/gslibctx.c
		72	+++ b/base/gslibctx.c
		73	@@ -734,14 +734,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
		74	return gs_error_rangecheck;
		75	}
		76
		77	- rlen = len+1;
		78	- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
		79	- if (buffer == NULL)
		80	- return gs_error_VMerror;
		81	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		82	+ don't "reduce" them to avoid unexpected results
		83	+ */
		84	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		85	+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
		86	+ if (buffer == NULL)
		87	+ return gs_error_VMerror;
		88	+ memcpy(buffer, path, len);
		89	+ buffer[len] = 0;
		90	+ rlen = len;
		91	+ }
		92	+ else {
		93	+ rlen = len + 1;
		94
		95	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		96	- return gs_error_invalidfileaccess;
		97	- buffer[rlen] = 0;
		98	+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
		99	+ if (buffer == NULL)
		100	+ return gs_error_VMerror;
		101	+
		102	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		103	+ return gs_error_invalidfileaccess;
		104	+ buffer[rlen] = 0;
		105	+ }
		106
		107	n = control->num;
		108	for (i = 0; i < n; i++)
		109	@@ -827,14 +841,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
		110	return gs_error_rangecheck;
		111	}
		112
		113	- rlen = len+1;
		114	- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
		115	- if (buffer == NULL)
		116	- return gs_error_VMerror;
		117	+ /* "%pipe%" do not follow the normal rules for path definitions, so we
		118	+ don't "reduce" them to avoid unexpected results
		119	+ */
		120	+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		121	+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
		122	+ if (buffer == NULL)
		123	+ return gs_error_VMerror;
		124	+ memcpy(buffer, path, len);
		125	+ buffer[len] = 0;
		126	+ rlen = len;
		127	+ }
		128	+ else {
		129	+ rlen = len+1;
		130
		131	- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		132	- return gs_error_invalidfileaccess;
		133	- buffer[rlen] = 0;
		134	+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
		135	+ if (buffer == NULL)
		136	+ return gs_error_VMerror;
		137	+
		138	+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
		139	+ return gs_error_invalidfileaccess;
		140	+ buffer[rlen] = 0;
		141	+ }
		142
		143	n = control->num;
		144	for (i = 0; i < n; i++) {
		145	--
		146	2.40.1


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch new file mode 100644 index 0000000000..7d78e6b1b1 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch
@@ -0,0 +1,60 @@
		1	From f96350aeb7f8c2e3f7129866c694a24f241db18c Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Wed, 14 Jun 2023 09:08:12 +0100
		4	Subject: [PATCH 2/2] Bug 706778: 706761 revisit
		5
		6	Two problems with the original commit. The first a silly typo inverting the
		7	logic of a test.
		8
		9	The second was forgetting that we actually actually validate two candidate
		10	strings for pipe devices. One with the expected "%pipe%" prefix, the other
		11	using the pipe character prefix: "\|".
		12
		13	This addresses both those.
		14
		15	Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099]
		16	CVE: CVE-2023-36664
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	base/gpmisc.c \| 2 +-
		21	base/gslibctx.c \| 4 ++--
		22	2 files changed, 3 insertions(+), 3 deletions(-)
		23
		24	diff --git a/base/gpmisc.c b/base/gpmisc.c
		25	index c61ab3f..e459f6a 100644
		26	--- a/base/gpmisc.c
		27	+++ b/base/gpmisc.c
		28	@@ -1080,7 +1080,7 @@ gp_validate_path_len(const gs_memory_t *mem,
		29	/* "%pipe%" do not follow the normal rules for path definitions, so we
		30	don't "reduce" them to avoid unexpected results
		31	*/
		32	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		33	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		34	bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
		35	if (buffer == NULL)
		36	return gs_error_VMerror;
		37	diff --git a/base/gslibctx.c b/base/gslibctx.c
		38	index 5fdfe25..2a1addf 100644
		39	--- a/base/gslibctx.c
		40	+++ b/base/gslibctx.c
		41	@@ -737,7 +737,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
		42	/* "%pipe%" do not follow the normal rules for path definitions, so we
		43	don't "reduce" them to avoid unexpected results
		44	*/
		45	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		46	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		47	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
		48	if (buffer == NULL)
		49	return gs_error_VMerror;
		50	@@ -844,7 +844,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
		51	/* "%pipe%" do not follow the normal rules for path definitions, so we
		52	don't "reduce" them to avoid unexpected results
		53	*/
		54	- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
		55	+ if (path[0] == '\|' \|\| (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
		56	buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
		57	if (buffer == NULL)
		58	return gs_error_VMerror;
		59	--
		60	2.40.1


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index f29c57beea..48508fd6a2 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -35,6 +35,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
35	file://mkdir-p.patch \	35	file://mkdir-p.patch \
36	file://CVE-2022-2085.patch \	36	file://CVE-2022-2085.patch \
37	file://cve-2023-28879.patch \	37	file://cve-2023-28879.patch \
		38	file://CVE-2023-36664-0001.patch \
		39	file://CVE-2023-36664-0002.patch \
38	"	40	"
39		41
40	SRC_URI = "${SRC_URI_BASE} \	42	SRC_URI = "${SRC_URI_BASE} \