2 files changed, 239 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch
new file mode 100644
index 0000000000..44bdfbba35
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch
@@ -0,0 +1,238 @@
+From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 7 Sep 2021 20:36:12 +0100
+Subject: [PATCH] Bug 704342: Include device specifier strings in access
+ validation
+for the "%pipe%", %handle%" and %printer% io devices.
+We previously validated only the part after the "%pipe%" Postscript device
+specifier, but this proved insufficient.
+This rebuilds the original file name string, and validates it complete. The
+slight complication for "%pipe%" is it can be reached implicitly using
+"|" so we have to check both prefixes.
+Addresses CVE-2021-3781
+CVE: CVE-2021-3781
+Upstream-Status: Backport (http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20)
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ base/gdevpipe.c | 22 +++++++++++++++-
+ base/gp_mshdl.c | 11 +++++++-
+ base/gp_msprn.c | 10 ++++++-
+ base/gp_os2pr.c | 13 +++++++++-
+ base/gslibctx.c | 69 ++++++++++---------------------------------------
+ 5 files changed, 65 insertions(+), 60 deletions(-)
+diff --git a/base/gdevpipe.c b/base/gdevpipe.c
+index 96d71f5d8..5bdc485be 100644
+--- a/base/gdevpipe.c
+++ b/base/gdevpipe.c
+@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ #else
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    /* The pipe device can be reached in two ways, explicltly with %pipe%
+       or implicitly with "|", so we have to check for both
+     */
+    char f[gp_file_name_sizeof];
+    const char *pipestr = "|";
+    const size_t pipestrlen = strlen(pipestr);
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+    int code1;
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    code1 = gp_validate_path(mem, f, access);
+
+    memcpy(f, pipestr, pipestrlen);
+    memcpy(f + pipestrlen, fname, nlen + 1);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
+         return gs_error_invalidfileaccess;
+ 
+     /*
+diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
+index 2b964ed74..8d87ceadc 100644
+--- a/base/gp_mshdl.c
+++ b/base/gp_mshdl.c
+@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
+     long hfile;        /* Correct for Win32, may be wrong for Win64 */
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    char f[gp_file_name_sizeof];
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(f, iodev->dname, preflen);
+    memcpy(f + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, f, access) != 0)
+         return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_handle method. */
+diff --git a/base/gp_msprn.c b/base/gp_msprn.c
+index ed4827968..746a974f7 100644
+--- a/base/gp_msprn.c
+++ b/base/gp_msprn.c
+@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+     uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const size_t nlen = strlen(fname);
+ 
+-    if (gp_validate_path(mem, fname, access) != 0)
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(pname, iodev->dname, preflen);
+    memcpy(pname + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, pname, access) != 0)
+         return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_printer method. */
+diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
+index f852c71fc..ba54cde66 100644
+--- a/base/gp_os2pr.c
+++ b/base/gp_os2pr.c
+@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+            FILE ** pfile, char *rfname, uint rnamelen)
+ {
+     os2_printer_t *pr = (os2_printer_t *)iodev->state;
+-    char driver_name[256];
+    char driver_name[gp_file_name_sizeof];
+     gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+     gs_fs_list_t *fs = ctx->core->fs;
+    const size_t preflen = strlen(iodev->dname);
+    const int size_t = strlen(fname);
+
+    if (preflen + nlen >= gp_file_name_sizeof)
+        return_error(gs_error_invalidaccess);
+
+    memcpy(driver_name, iodev->dname, preflen);
+    memcpy(driver_name + preflen, fname, nlen + 1);
+
+    if (gp_validate_path(mem, driver_name, access) != 0)
+        return gs_error_invalidfileaccess;
+ 
+     /* First we try the open_printer method. */
+     /* Note that the loop condition here ensures we don't
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 6dfed6cd5..318039fad 100644
+--- a/base/gslibctx.c
+++ b/base/gslibctx.c
+@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
+ int
+ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+-    char *fp, f[gp_file_name_sizeof];
+-    const int pipe = 124; /* ASCII code for '|' */
+-    const int len = strlen(fname);
+-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
+ 
+     /* Be sure the string copy will fit */
+-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
+         return gs_error_rangecheck;
+     strcpy(f, fname);
+-    fp = f;
+     /* Try to rewrite any %d (or similar) in the string */
+     rewrite_percent_specifiers(f);
+-    for (i = 0; i < len; i++) {
+-        if (f[i] == pipe) {
+-           fp = &f[i + 1];
+-           /* Because we potentially have to check file permissions at two levels
+-              for the output file (gx_device_open_output_file and the low level
+-              fopen API, if we're using a pipe, we have to add both the full string,
+-              (including the '|', and just the command to which we pipe - since at
+-              the pipe_fopen(), the leading '|' has been stripped.
+-            */
+-           code = gs_add_control_path(mem, gs_permit_file_writing, f);
+-           if (code < 0)
+-               return code;
+-           code = gs_add_control_path(mem, gs_permit_file_control, f);
+-           if (code < 0)
+-               return code;
+-           break;
+-        }
+-        if (!IS_WHITESPACE(f[i]))
+-            break;
+-    }
+-    code = gs_add_control_path(mem, gs_permit_file_control, fp);
+
+    code = gs_add_control_path(mem, gs_permit_file_control, f);
+     if (code < 0)
+         return code;
+-    return gs_add_control_path(mem, gs_permit_file_writing, fp);
+    return gs_add_control_path(mem, gs_permit_file_writing, f);
+ }
+ 
+ int
+ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+-    char *fp, f[gp_file_name_sizeof];
+-    const int pipe = 124; /* ASCII code for '|' */
+-    const int len = strlen(fname);
+-    int i, code;
+    char f[gp_file_name_sizeof];
+    int code;
+ 
+     /* Be sure the string copy will fit */
+-    if (len >= gp_file_name_sizeof)
+    if (strlen(fname) >= gp_file_name_sizeof)
+         return gs_error_rangecheck;
+     strcpy(f, fname);
+-    fp = f;
+     /* Try to rewrite any %d (or similar) in the string */
+-    for (i = 0; i < len; i++) {
+-        if (f[i] == pipe) {
+-           fp = &f[i + 1];
+-           /* Because we potentially have to check file permissions at two levels
+-              for the output file (gx_device_open_output_file and the low level
+-              fopen API, if we're using a pipe, we have to add both the full string,
+-              (including the '|', and just the command to which we pipe - since at
+-              the pipe_fopen(), the leading '|' has been stripped.
+-            */
+-           code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+-           if (code < 0)
+-               return code;
+-           code = gs_remove_control_path(mem, gs_permit_file_control, f);
+-           if (code < 0)
+-               return code;
+-           break;
+-        }
+-        if (!IS_WHITESPACE(f[i]))
+-            break;
+-    }
+-    code = gs_remove_control_path(mem, gs_permit_file_control, fp);
+    rewrite_percent_specifiers(f);
+
+    code = gs_remove_control_path(mem, gs_permit_file_control, f);
+     if (code < 0)
+         return code;
+-    return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+    return gs_remove_control_path(mem, gs_permit_file_writing, f);
+ }
+ 
+ int
+-- 
+2.33.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
index 35826c2549..216822478f 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
@@ -33,6 +33,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://do-not-check-local-libpng-source.patch \
                file://avoid-host-contamination.patch \
                file://mkdir-p.patch \
+                file://0001-Bug-704342-Include-device-specifier-strings-in-acces.patch \
 "
 SRC_URI = "${SRC_URI_BASE} \

diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch new file mode 100644 index 0000000000..44bdfbba35 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-704342-Include-device-specifier-strings-in-acces.patch
@@ -0,0 +1,238 @@
		1	From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Tue, 7 Sep 2021 20:36:12 +0100
		4	Subject: [PATCH] Bug 704342: Include device specifier strings in access
		5	validation
		6
		7	for the "%pipe%", %handle%" and %printer% io devices.
		8
		9	We previously validated only the part after the "%pipe%" Postscript device
		10	specifier, but this proved insufficient.
		11
		12	This rebuilds the original file name string, and validates it complete. The
		13	slight complication for "%pipe%" is it can be reached implicitly using
		14	"\|" so we have to check both prefixes.
		15
		16	Addresses CVE-2021-3781
		17
		18	CVE: CVE-2021-3781
		19
		20	Upstream-Status: Backport (http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20)
		21
		22	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
		23	---
		24	base/gdevpipe.c \| 22 +++++++++++++++-
		25	base/gp_mshdl.c \| 11 +++++++-
		26	base/gp_msprn.c \| 10 ++++++-
		27	base/gp_os2pr.c \| 13 +++++++++-
		28	base/gslibctx.c \| 69 ++++++++++---------------------------------------
		29	5 files changed, 65 insertions(+), 60 deletions(-)
		30
		31	diff --git a/base/gdevpipe.c b/base/gdevpipe.c
		32	index 96d71f5d8..5bdc485be 100644
		33	--- a/base/gdevpipe.c
		34	+++ b/base/gdevpipe.c
		35	@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char fname, const char access,
		36	#else
		37	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		38	gs_fs_list_t *fs = ctx->core->fs;
		39	+ /* The pipe device can be reached in two ways, explicltly with %pipe%
		40	+ or implicitly with "\|", so we have to check for both
		41	+ */
		42	+ char f[gp_file_name_sizeof];
		43	+ const char *pipestr = "\|";
		44	+ const size_t pipestrlen = strlen(pipestr);
		45	+ const size_t preflen = strlen(iodev->dname);
		46	+ const size_t nlen = strlen(fname);
		47	+ int code1;
		48	+
		49	+ if (preflen + nlen >= gp_file_name_sizeof)
		50	+ return_error(gs_error_invalidaccess);
		51	+
		52	+ memcpy(f, iodev->dname, preflen);
		53	+ memcpy(f + preflen, fname, nlen + 1);
		54	+
		55	+ code1 = gp_validate_path(mem, f, access);
		56	+
		57	+ memcpy(f, pipestr, pipestrlen);
		58	+ memcpy(f + pipestrlen, fname, nlen + 1);
		59
		60	- if (gp_validate_path(mem, fname, access) != 0)
		61	+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
		62	return gs_error_invalidfileaccess;
		63
		64	/*
		65	diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
		66	index 2b964ed74..8d87ceadc 100644
		67	--- a/base/gp_mshdl.c
		68	+++ b/base/gp_mshdl.c
		69	@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char fname, const char access,
		70	long hfile; /* Correct for Win32, may be wrong for Win64 */
		71	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		72	gs_fs_list_t *fs = ctx->core->fs;
		73	+ char f[gp_file_name_sizeof];
		74	+ const size_t preflen = strlen(iodev->dname);
		75	+ const size_t nlen = strlen(fname);
		76
		77	- if (gp_validate_path(mem, fname, access) != 0)
		78	+ if (preflen + nlen >= gp_file_name_sizeof)
		79	+ return_error(gs_error_invalidaccess);
		80	+
		81	+ memcpy(f, iodev->dname, preflen);
		82	+ memcpy(f + preflen, fname, nlen + 1);
		83	+
		84	+ if (gp_validate_path(mem, f, access) != 0)
		85	return gs_error_invalidfileaccess;
		86
		87	/* First we try the open_handle method. */
		88	diff --git a/base/gp_msprn.c b/base/gp_msprn.c
		89	index ed4827968..746a974f7 100644
		90	--- a/base/gp_msprn.c
		91	+++ b/base/gp_msprn.c
		92	@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char fname, const char access,
		93	uintptr_t ptid = &((tid_t )(iodev->state))->tid;
		94	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		95	gs_fs_list_t *fs = ctx->core->fs;
		96	+ const size_t preflen = strlen(iodev->dname);
		97	+ const size_t nlen = strlen(fname);
		98
		99	- if (gp_validate_path(mem, fname, access) != 0)
		100	+ if (preflen + nlen >= gp_file_name_sizeof)
		101	+ return_error(gs_error_invalidaccess);
		102	+
		103	+ memcpy(pname, iodev->dname, preflen);
		104	+ memcpy(pname + preflen, fname, nlen + 1);
		105	+
		106	+ if (gp_validate_path(mem, pname, access) != 0)
		107	return gs_error_invalidfileaccess;
		108
		109	/* First we try the open_printer method. */
		110	diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
		111	index f852c71fc..ba54cde66 100644
		112	--- a/base/gp_os2pr.c
		113	+++ b/base/gp_os2pr.c
		114	@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char fname, const char access,
		115	FILE ** pfile, char *rfname, uint rnamelen)
		116	{
		117	os2_printer_t pr = (os2_printer_t )iodev->state;
		118	- char driver_name[256];
		119	+ char driver_name[gp_file_name_sizeof];
		120	gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
		121	gs_fs_list_t *fs = ctx->core->fs;
		122	+ const size_t preflen = strlen(iodev->dname);
		123	+ const int size_t = strlen(fname);
		124	+
		125	+ if (preflen + nlen >= gp_file_name_sizeof)
		126	+ return_error(gs_error_invalidaccess);
		127	+
		128	+ memcpy(driver_name, iodev->dname, preflen);
		129	+ memcpy(driver_name + preflen, fname, nlen + 1);
		130	+
		131	+ if (gp_validate_path(mem, driver_name, access) != 0)
		132	+ return gs_error_invalidfileaccess;
		133
		134	/* First we try the open_printer method. */
		135	/* Note that the loop condition here ensures we don't
		136	diff --git a/base/gslibctx.c b/base/gslibctx.c
		137	index 6dfed6cd5..318039fad 100644
		138	--- a/base/gslibctx.c
		139	+++ b/base/gslibctx.c
		140	@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
		141	int
		142	gs_add_outputfile_control_path(gs_memory_t mem, const char fname)
		143	{
		144	- char *fp, f[gp_file_name_sizeof];
		145	- const int pipe = 124; /* ASCII code for '\|' */
		146	- const int len = strlen(fname);
		147	- int i, code;
		148	+ char f[gp_file_name_sizeof];
		149	+ int code;
		150
		151	/* Be sure the string copy will fit */
		152	- if (len >= gp_file_name_sizeof)
		153	+ if (strlen(fname) >= gp_file_name_sizeof)
		154	return gs_error_rangecheck;
		155	strcpy(f, fname);
		156	- fp = f;
		157	/* Try to rewrite any %d (or similar) in the string */
		158	rewrite_percent_specifiers(f);
		159	- for (i = 0; i < len; i++) {
		160	- if (f[i] == pipe) {
		161	- fp = &f[i + 1];
		162	- /* Because we potentially have to check file permissions at two levels
		163	- for the output file (gx_device_open_output_file and the low level
		164	- fopen API, if we're using a pipe, we have to add both the full string,
		165	- (including the '\|', and just the command to which we pipe - since at
		166	- the pipe_fopen(), the leading '\|' has been stripped.
		167	- */
		168	- code = gs_add_control_path(mem, gs_permit_file_writing, f);
		169	- if (code < 0)
		170	- return code;
		171	- code = gs_add_control_path(mem, gs_permit_file_control, f);
		172	- if (code < 0)
		173	- return code;
		174	- break;
		175	- }
		176	- if (!IS_WHITESPACE(f[i]))
		177	- break;
		178	- }
		179	- code = gs_add_control_path(mem, gs_permit_file_control, fp);
		180	+
		181	+ code = gs_add_control_path(mem, gs_permit_file_control, f);
		182	if (code < 0)
		183	return code;
		184	- return gs_add_control_path(mem, gs_permit_file_writing, fp);
		185	+ return gs_add_control_path(mem, gs_permit_file_writing, f);
		186	}
		187
		188	int
		189	gs_remove_outputfile_control_path(gs_memory_t mem, const char fname)
		190	{
		191	- char *fp, f[gp_file_name_sizeof];
		192	- const int pipe = 124; /* ASCII code for '\|' */
		193	- const int len = strlen(fname);
		194	- int i, code;
		195	+ char f[gp_file_name_sizeof];
		196	+ int code;
		197
		198	/* Be sure the string copy will fit */
		199	- if (len >= gp_file_name_sizeof)
		200	+ if (strlen(fname) >= gp_file_name_sizeof)
		201	return gs_error_rangecheck;
		202	strcpy(f, fname);
		203	- fp = f;
		204	/* Try to rewrite any %d (or similar) in the string */
		205	- for (i = 0; i < len; i++) {
		206	- if (f[i] == pipe) {
		207	- fp = &f[i + 1];
		208	- /* Because we potentially have to check file permissions at two levels
		209	- for the output file (gx_device_open_output_file and the low level
		210	- fopen API, if we're using a pipe, we have to add both the full string,
		211	- (including the '\|', and just the command to which we pipe - since at
		212	- the pipe_fopen(), the leading '\|' has been stripped.
		213	- */
		214	- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
		215	- if (code < 0)
		216	- return code;
		217	- code = gs_remove_control_path(mem, gs_permit_file_control, f);
		218	- if (code < 0)
		219	- return code;
		220	- break;
		221	- }
		222	- if (!IS_WHITESPACE(f[i]))
		223	- break;
		224	- }
		225	- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
		226	+ rewrite_percent_specifiers(f);
		227	+
		228	+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
		229	if (code < 0)
		230	return code;
		231	- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
		232	+ return gs_remove_control_path(mem, gs_permit_file_writing, f);
		233	}
		234
		235	int
		236	--
		237	2.33.0
		238


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb index 35826c2549..216822478f 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
@@ -33,6 +33,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
33	file://do-not-check-local-libpng-source.patch \	33	file://do-not-check-local-libpng-source.patch \
34	file://avoid-host-contamination.patch \	34	file://avoid-host-contamination.patch \
35	file://mkdir-p.patch \	35	file://mkdir-p.patch \
		36	file://0001-Bug-704342-Include-device-specifier-strings-in-acces.patch \
36	"	37	"
37		38
38	SRC_URI = "${SRC_URI_BASE} \	39	SRC_URI = "${SRC_URI_BASE} \