[OE-core] [thud][PATCH] ghostscript: Fix CVE-2019-3835 and CVE-2019-3838
Burton, Ross
ross.burton at intel.com
Wed Apr 3 13:34:39 UTC 2019
Have all of these been resolved in master?
Ross
On Wed, 3 Apr 2019 at 13:39, Ovidiu Panait <ovidiu.panait at windriver.com> wrote:
>
> It was found that the superexec operator was available in the internal
> dictionary in ghostscript before 9.27. A specially crafted PostScript
> file could use this flaw in order to, for example, have access to the
> file system outside of the constraints imposed by -dSAFER.
>
> It was found that the forceput operator could be extracted from the
> DefineResource method in ghostscript before 9.27. A specially crafted
> PostScript file could use this flaw in order to, for example, have
> access to the file system outside of the constraints imposed by -dSAFER.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2019-3835
> https://nvd.nist.gov/vuln/detail/CVE-2019-3838
>
> Upstream patches:
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e
>
> Signed-off-by: Ovidiu Panait <ovidiu.panait at windriver.com>
> ---
> .../ghostscript/CVE-2019-3835-0001.patch | 99 ++++++
> .../ghostscript/CVE-2019-3835-0002.patch | 71 +++++
> .../ghostscript/CVE-2019-3835-0003.patch | 295 ++++++++++++++++++
> .../ghostscript/CVE-2019-3835-0004.patch | 167 ++++++++++
> .../ghostscript/CVE-2019-3838-0001.patch | 34 ++
> .../ghostscript/CVE-2019-3838-0002.patch | 30 ++
> .../ghostscript/ghostscript_9.26.bb | 6 +
> 7 files changed, 702 insertions(+)
> create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch
> create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch
> create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch
> create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch
> create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch
> create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch
>
> diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch
> new file mode 100644
> index 0000000000..30ce04a7b1
> --- /dev/null
> +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch
> @@ -0,0 +1,99 @@
> +From ad3ad6b389653722507e588c5cb34d8731e49e89 Mon Sep 17 00:00:00 2001
> +From: Chris Liddell <chris.liddell at artifex.com>
> +Date: Mon, 26 Nov 2018 18:01:25 +0000
> +Subject: [PATCH] Have gs_cet.ps run from gs_init.ps
> +
> +Previously gs_cet.ps was run on the command line, to set up the interpreter
> +state so our output more closely matches the example output for the QL CET
> +tests.
> +
> +Allow a -dCETMODE command line switch, which will cause gs_init.ps to run the
> +file directly.
> +
> +This works better for gpdl as it means the changes are made in the intial
> +interpreter state, rather than after initialisation is complete.
> +
> +This also means adding a definition of the default procedure for black
> +generation and under color removal (rather it being defined in-line in
> +.setdefaultbgucr
> +
> +Also, add a check so gs_cet.ps only runs once - if we try to run it a second
> +time, we'll just skip over the file, flushing through to the end.
> +
> +CVE: CVE-2019-3835
> +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
> +
> +Signed-off-by: Ovidiu Panait <ovidiu.panait at windriver.com>
> +---
> + Resource/Init/gs_cet.ps | 11 ++++++++++-
> + Resource/Init/gs_init.ps | 13 ++++++++++++-
> + 2 files changed, 22 insertions(+), 2 deletions(-)
> +
> +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps
> +index d3e1686..75534bb 100644
> +--- a/Resource/Init/gs_cet.ps
> ++++ b/Resource/Init/gs_cet.ps
> +@@ -1,6 +1,11 @@
> + %!PS
> + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET
> +
> ++systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq
> ++{
> ++ (%END GS_CET) .skipeof
> ++} if
> ++
> + % do this in the server level so it is persistent across jobs
> + //true 0 startjob not {
> + (*** Warning: CET startup is not in server default) = flush
> +@@ -25,7 +30,9 @@ currentglobal //true setglobal
> +
> + /UNROLLFORMS true def
> +
> +-{ } bind dup
> ++(%.defaultbgrucrproc) cvn { } bind def
> ++
> ++(%.defaultbgrucrproc) cvn load dup
> + setblackgeneration
> + setundercolorremoval
> + 0 array cvx readonly dup dup dup setcolortransfer
> +@@ -109,3 +116,5 @@ userdict /.smoothness currentsmoothness put
> + % end of slightly nasty hack to give consistent cluster results
> +
> + //false 0 startjob pop % re-enter encapsulated mode
> ++
> ++%END GS_CET
> +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
> +index 45bebf4..e6b9cd2 100644
> +--- a/Resource/Init/gs_init.ps
> ++++ b/Resource/Init/gs_init.ps
> +@@ -1538,10 +1538,18 @@ setpacking
> + % any-part-of-pixel rule.
> + 0.5 .setfilladjust
> + } bind def
> ++
> + % Set the default screen and BG/UCR.
> ++% We define the proc here, rather than inline in .setdefaultbgucr
> ++% for the benefit of gs_cet.ps so jobs that do anything that causes
> ++% .setdefaultbgucr to be called will still get the redefined proc
> ++% in gs_cet.ps
> ++(%.defaultbgrucrproc) cvn { pop 0 } def
> ++
> + /.setdefaultbgucr {
> + systemdict /setblackgeneration known {
> +- { pop 0 } dup setblackgeneration setundercolorremoval
> ++ (%.defaultbgrucrproc) cvn load dup
> ++ setblackgeneration setundercolorremoval
> + } if
> + } bind def
> + /.useloresscreen { % - .useloresscreen <bool>
> +@@ -2491,4 +2499,7 @@ WRITESYSTEMDICT {
> + % be 'true' in some cases.
> + userdict /AGM_preserve_spots //false put
> +
> ++systemdict /CETMODE .knownget
> ++{ { (gs_cet.ps) runlibfile } if } if
> ++
> + % The interpreter will run the initial procedure (start).
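Review bot: this runs gs_cet.ps at the very end of gs_init.ps, after the operators it depends on have been undefined from systemdict; the comment that CVE-2019-3835-0003.patch deletes (`/.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER`) records exactly that problem, and 0003 moves the call ahead of the lockdown. So 0001 is a prerequisite for the real fix rather than a fix on its own: the four CVE-2019-3835 patches only make sense applied together and in this order, which the recipe hunk does.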
> +--
> +2.18.1
> +
> diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch
> new file mode 100644
> index 0000000000..590b92e186
> --- /dev/null
> +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch
> @@ -0,0 +1,71 @@
> +From ba6dbd6e61dbb3cc6ee6db9dd3a4f70cc18f706e Mon Sep 17 00:00:00 2001
> +From: Nancy Durgin <nancy.durgin at artifex.com>
> +Date: Thu, 14 Feb 2019 10:09:00 -0800
> +Subject: [PATCH] Undef /odef in gs_init.ps
> +
> +Made a new temporary utility function in gs_cet.ps (.odef) to use instead
> +of /odef. This makes it fine to undef odef with all the other operators in
> +gs_init.ps
> +
> +This punts the bigger question of what to do with .makeoperator, but it
> +doesn't make the situation any worse than it already was.
> +
> +CVE: CVE-2019-3835
> +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
> +
> +Signed-off-by: Ovidiu Panait <ovidiu.panait at windriver.com>
> +---
> + Resource/Init/gs_cet.ps | 10 ++++++++--
> + Resource/Init/gs_init.ps | 1 +
> + 2 files changed, 9 insertions(+), 2 deletions(-)
> +
> +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps
> +index 75534bb..dbc5c4e 100644
> +--- a/Resource/Init/gs_cet.ps
> ++++ b/Resource/Init/gs_cet.ps
> +@@ -1,6 +1,10 @@
> + %!PS
> + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET
> +
> ++/.odef { % <name> <proc> odef -
> ++ 1 index exch .makeoperator def
> ++} bind def
> ++
> + systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq
> + {
> + (%END GS_CET) .skipeof
> +@@ -93,8 +97,8 @@ userdict /.smoothness currentsmoothness put
> + } {
> + /setsmoothness .systemvar /typecheck signalerror
> + } ifelse
> +-} bind odef
> +-/currentsmoothness { userdict /.smoothness get } bind odef % for 09-55.PS, 09-57.PS .
> ++} bind //.odef exec
> ++/currentsmoothness { userdict /.smoothness get } bind //.odef exec % for 09-55.PS, 09-57.PS .
> +
> + % slightly nasty hack to give consistent cluster results
> + /ofnfa systemdict /filenameforall get def
> +@@ -113,6 +117,8 @@ userdict /.smoothness currentsmoothness put
> + } ifelse
> + ofnfa
> + } bind def
> ++
> ++currentdict /.odef undef
> + % end of slightly nasty hack to give consistent cluster results
> +
> + //false 0 startjob pop % re-enter encapsulated mode
> +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
> +index e6b9cd2..80d9585 100644
> +--- a/Resource/Init/gs_init.ps
> ++++ b/Resource/Init/gs_init.ps
> +@@ -2257,6 +2257,7 @@ SAFER { .setsafeglobal } if
> + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
> + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice
> + /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack /.applypolicies
> ++ /odef
> +
> + % Used by a free user in the Library of Congress. Apparently this is used to
> + % draw a partial page, which is then filled in by the results of a barcode
> +--
> +2.18.1
> +
> diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch
> new file mode 100644
> index 0000000000..a339fa2f33
> --- /dev/null
> +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch
> @@ -0,0 +1,295 @@
> +From 4203e04ef9e6ca22ed68a1ab10a878aa9ceaeedc Mon Sep 17 00:00:00 2001
> +From: Ray Johnston <ray.johnston at artifex.com>
> +Date: Thu, 14 Feb 2019 10:20:03 -0800
> +Subject: [PATCH] Fix bug 700585: Restrict superexec and remove it from
> + internals and gs_cet.ps
> +
> +Also while changing things, restructure the CETMODE so that it will
> +work with -dSAFER. The gs_cet.ps is now run when we are still at save
> +level 0 with systemdict writeable. Allows us to undefine .makeoperator
> +and .setCPSImode internal operators after CETMODE is handled.
> +
> +Change previous uses of superexec to using .forceput (with the usual
> +.bind executeonly to hide it).
> +
> +CVE: CVE-2019-3835
> +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
> +
> +Signed-off-by: Ovidiu Panait <ovidiu.panait at windriver.com>
> +---
> + Resource/Init/gs_cet.ps | 38 ++++++++++++++------------------------
> + Resource/Init/gs_dps1.ps | 2 +-
> + Resource/Init/gs_fonts.ps | 8 ++++----
> + Resource/Init/gs_init.ps | 38 +++++++++++++++++++++++++++-----------
> + Resource/Init/gs_ttf.ps | 8 ++++----
> + Resource/Init/gs_type1.ps | 6 +++---
> + 6 files changed, 53 insertions(+), 47 deletions(-)
> +
> +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps
> +index dbc5c4e..3cc6883 100644
> +--- a/Resource/Init/gs_cet.ps
> ++++ b/Resource/Init/gs_cet.ps
> +@@ -1,37 +1,29 @@
> + %!PS
> + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET
> +
> +-/.odef { % <name> <proc> odef -
> +- 1 index exch .makeoperator def
> +-} bind def
> +-
> ++% skip if we've already run this -- based on fake "product"
> + systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq
> + {
> + (%END GS_CET) .skipeof
> + } if
> +
> +-% do this in the server level so it is persistent across jobs
> +-//true 0 startjob not {
> +- (*** Warning: CET startup is not in server default) = flush
> +-} if
> ++% Note: this must be run at save level 0 and when systemdict is writeable
> ++currentglobal //true setglobal
> ++systemdict dup dup dup
> ++/version (3017.102) readonly .forceput % match CPSI 3017.102
> ++/product (PhotoPRINT SE 5.0v2) readonly .forceput % match CPSI 3017.102
> ++/revision 0 put % match CPSI 3017.103 Tek shows revision 5
> ++/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI 3017.102 Tek shows serialnumber 1401788461
> ++
> ++systemdict /.odef { % <name> <proc> odef -
> ++ 1 index exch //.makeoperator def
> ++} .bind .forceput % this will be undefined at the end
> +
> + 300 .sethiresscreen % needed for language switch build since it
> + % processes gs_init.ps BEFORE setting the resolution
> +
> + 0 array 0 setdash % CET 09-08 wants local setdash
> +
> +-currentglobal //true setglobal
> +-
> +-{
> +- systemdict dup dup dup
> +- /version (3017.102) readonly put % match CPSI 3017.102
> +- /product (PhotoPRINT SE 5.0v2) readonly put % match CPSI 3017.102
> +- /revision 0 put % match CPSI 3017.103 Tek shows revision 5
> +- /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461
> +- systemdict /deviceinfo undef % for CET 20-23-1
> +-% /UNROLLFORMS true put % CET files do unreasonable things inside forms
> +-} 1183615869 internaldict /superexec get exec
> +-
> + /UNROLLFORMS true def
> +
> + (%.defaultbgrucrproc) cvn { } bind def
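Review bot: the removed `superexec` block also did `systemdict /deviceinfo undef % for CET 20-23-1`, and the `.forceput` sequence that replaces it does not carry that line over. This is how upstream committed it, and CETMODE only shapes test-suite output rather than the -dSAFER hardening, so it is not a blocker for the backport; noting it in case CET comparisons on 9.26 come out different after this series.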
> +@@ -118,9 +110,7 @@ userdict /.smoothness currentsmoothness put
> + ofnfa
> + } bind def
> +
> +-currentdict /.odef undef
> +-% end of slightly nasty hack to give consistent cluster results
> +-
> +-//false 0 startjob pop % re-enter encapsulated mode
> ++systemdict /.odef .undef
> +
> ++% end of slightly nasty hack to give consistent cluster results
> + %END GS_CET
> +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
> +index 3d2cf7a..c4fd839 100644
> +--- a/Resource/Init/gs_dps1.ps
> ++++ b/Resource/Init/gs_dps1.ps
> +@@ -89,7 +89,7 @@ level2dict begin
> + % definition, copy it into the local directory.
> + //systemdict /SharedFontDirectory .knownget
> + { 1 index .knownget
> +- { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
> ++ { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly
> + if
> + }
> + if
> +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
> +index 0562235..f2b4e19 100644
> +--- a/Resource/Init/gs_fonts.ps
> ++++ b/Resource/Init/gs_fonts.ps
> +@@ -519,11 +519,11 @@ buildfontdict 3 /.buildfont3 cvx put
> + % the font in LocalFontDirectory.
> + .currentglobal
> + { //systemdict /LocalFontDirectory .knownget
> +- { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
> ++ { 2 index 2 index .forceput } % readonly
> + if
> + }
> + if
> +- dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
> ++ dup //.FontDirectory 4 -2 roll .forceput % readonly
> + % If the font originated as a resource, register it.
> + currentfile .currentresourcefile eq { dup .registerfont } if
> + readonly
> +@@ -1191,13 +1191,13 @@ $error /SubstituteFont { } put
> + //.FontDirectory 1 index known not {
> + 2 dict dup /FontName 3 index put
> + dup /FontType 1 put
> +- //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
> ++ //.FontDirectory 3 1 roll //.forceput exec % readonly
> + } {
> + pop
> + } ifelse
> + } forall
> + } forall
> +- }
> ++ } executeonly % hide .forceput
> + FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
> +
> + % Install initial fonts from Fontmap.
> +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
> +index 80d9585..0d5c4f7 100644
> +--- a/Resource/Init/gs_init.ps
> ++++ b/Resource/Init/gs_init.ps
> +@@ -2188,9 +2188,6 @@ SAFER { .setsafeglobal } if
> + /.endtransparencygroup % transparency-example.ps
> + /.setdotlength % Bug687720.ps
> + /.sort /.setdebug /.mementolistnewblocks /getenv
> +-
> +- /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER
> +-
> + /unread
> + ]
> + {systemdict exch .forceundef} forall
> +@@ -2270,7 +2267,6 @@ SAFER { .setsafeglobal } if
> +
> + % Used by our own test suite files
> + %/.fileposition %image-qa.ps
> +- %/.makeoperator /.setCPSImode % gs_cet.ps
> +
> + % Either our code uses these in ways which mean they can't be undefined, or they are used directly by
> + % test files/utilities, or engineers expressed a desire to keep them visible.
> +@@ -2457,6 +2453,16 @@ end
> + /vmreclaim where
> + { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if
> + } if
> ++
> ++% Do this before systemdict is locked (see below for additional CETMODE setup using gs_cet.ps)
> ++systemdict /CETMODE .knownget {
> ++ {
> ++ (gs_cet.ps) runlibfile
> ++ } if
> ++} if
> ++systemdict /.makeoperator .undef % must be after gs_cet.ps
> ++systemdict /.setCPSImode .undef % must be after gs_cet.ps
> ++
> + DELAYBIND not {
> + systemdict /.bindnow .undef % We only need this for DELAYBIND
> + systemdict /.forcecopynew .undef % remove temptation
> +@@ -2464,16 +2470,29 @@ DELAYBIND not {
> + systemdict /.forceundef .undef % ditto
> + } if
> +
> +-% Move superexec to internaldict if superexec is defined.
> +-systemdict /superexec .knownget {
> +- 1183615869 internaldict /superexec 3 -1 roll put
> +- systemdict /superexec .undef
> ++% Move superexec to internaldict if superexec is defined. (Level 2 or later)
> ++systemdict /superexec known {
> ++ % restrict superexec to single known use by PScript5.dll
> ++ % We could do this only for SAFER mode, but internaldict and superexec are
> ++ % not very well documented, and we don't want them to be used.
> ++ 1183615869 internaldict /superexec {
> ++ 2 index /Private eq % first check for typical use in PScript5.dll
> ++ 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec
> ++ 1 index 0 get systemdict /put get eq and
> ++ {
> ++ //superexec exec % the only usage we allow
> ++ } {
> ++ /superexec load /invalidaccess signalerror
> ++ } ifelse
> ++ } bind cvx executeonly put
> ++ systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator
> + } if
> +
> + % Can't remove this one until the last minute :-)
> + DELAYBIND not {
> + systemdict /.undef .undef
> + } if
> ++
> + WRITESYSTEMDICT {
> + SAFER {
> + (\n *** WARNING - you have selected SAFER, indicating you want Ghostscript\n) print
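Review bot: in the restricted wrapper the three checks are joined with `and`, and PostScript does not short-circuit, so when the operand is not a one-element procedure `1 index length` or `1 index 0 get` raises typecheck before the `/superexec load /invalidaccess signalerror` branch is ever reached. The call is refused either way, and CVE-2019-3835-0004.patch deletes this whole block, so nothing to change here; just do not expect the invalidaccess error name from this intermediate state of the series.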
> +@@ -2500,7 +2519,4 @@ WRITESYSTEMDICT {
> + % be 'true' in some cases.
> + userdict /AGM_preserve_spots //false put
> +
> +-systemdict /CETMODE .knownget
> +-{ { (gs_cet.ps) runlibfile } if } if
> +-
> + % The interpreter will run the initial procedure (start).
> +diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
> +index 05943c5..da97afa 100644
> +--- a/Resource/Init/gs_ttf.ps
> ++++ b/Resource/Init/gs_ttf.ps
> +@@ -1421,7 +1421,7 @@ mark
> + TTFDEBUG { (\n1 setting alias: ) print dup ==only
> + ( to be the same as ) print 2 index //== exec } if
> +
> +- 7 index 2 index 3 -1 roll exch //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
> ++ 7 index 2 index 3 -1 roll exch .forceput
> + } forall
> + pop pop pop
> + }
> +@@ -1439,7 +1439,7 @@ mark
> + exch pop
> + TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
> + ( to use glyph index: ) print dup //== exec } if
> +- 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
> ++ 5 index 3 1 roll .forceput
> + //false
> + }
> + {
> +@@ -1456,7 +1456,7 @@ mark
> + { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
> + TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
> + ( to be index: ) print dup //== exec } if
> +- exch pop 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
> ++ exch pop 5 index 3 1 roll .forceput
> + }
> + {
> + pop pop
> +@@ -1486,7 +1486,7 @@ mark
> + } ifelse
> + ]
> + TTFDEBUG { (Encoding: ) print dup === flush } if
> +-} bind def
> ++} .bind executeonly odef % hides .forceput
> +
> + % to be removed 9.09......
> + currentdict /postalias undef
> +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
> +index 96e1ced..61f5269 100644
> +--- a/Resource/Init/gs_type1.ps
> ++++ b/Resource/Init/gs_type1.ps
> +@@ -116,7 +116,7 @@
> + { % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname aglname
> + CFFDEBUG { (\nsetting alias: ) print dup ==only
> + ( to be the same as glyph: ) print 1 index //== exec } if
> +- 3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
> ++ 3 index exch 3 index .forceput
> + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
> + }
> + {pop} ifelse
> +@@ -135,7 +135,7 @@
> + 3 1 roll pop pop
> + } if
> + pop
> +- dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
> ++ dup /.AGLprocessed~GS //true .forceput
> + } if
> +
> + %% We need to excute the C .buildfont1 in a stopped context so that, if there
> +@@ -148,7 +148,7 @@
> + {//.buildfont1} stopped
> + 4 3 roll .setglobal
> + {//.buildfont1 $error /errorname get signalerror} if
> +- } bind def
> ++ } .bind executeonly def % hide .forceput
> +
> + % If the diskfont feature isn't included, define a dummy .loadfontdict.
> + /.loadfontdict where
> +--
> +2.20.1
> +
> diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch
> new file mode 100644
> index 0000000000..5228cace24
> --- /dev/null
> +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch
> @@ -0,0 +1,167 @@
> +From 5845e667dda3c945ee793fbe6af021533cb4fbec Mon Sep 17 00:00:00 2001
> +From: Ray Johnston <ray.johnston at artifex.com>
> +Date: Sun, 24 Feb 2019 22:01:04 -0800
> +Subject: [PATCH] Bug 700585: Obliterate "superexec". We don't need it, nor
> + do any known apps.
> +
> +We were under the impression that the Windows driver 'PScript5.dll' used
> +superexec, but after testing with our extensive suite of PostScript file,
> +and analysis of the PScript5 "Adobe CoolType ProcSet, it does not appear
> +that this operator is needed anymore. Get rid of superexec and all of the
> +references to it, since it is a potential security hole.
> +
> +CVE: CVE-2019-3835
> +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
> +
> +Signed-off-by: Ovidiu Panait <ovidiu.panait at windriver.com>
> +---
> + Resource/Init/gs_init.ps | 18 ------------------
> + psi/icontext.c | 1 -
> + psi/icstate.h | 1 -
> + psi/zcontrol.c | 30 ------------------------------
> + psi/zdict.c | 6 ++----
> + psi/zgeneric.c | 3 +--
> + 6 files changed, 3 insertions(+), 56 deletions(-)
> +
> +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
> +index 0d5c4f7..c5ac82a 100644
> +--- a/Resource/Init/gs_init.ps
> ++++ b/Resource/Init/gs_init.ps
> +@@ -2470,24 +2470,6 @@ DELAYBIND not {
> + systemdict /.forceundef .undef % ditto
> + } if
> +
> +-% Move superexec to internaldict if superexec is defined. (Level 2 or later)
> +-systemdict /superexec known {
> +- % restrict superexec to single known use by PScript5.dll
> +- % We could do this only for SAFER mode, but internaldict and superexec are
> +- % not very well documented, and we don't want them to be used.
> +- 1183615869 internaldict /superexec {
> +- 2 index /Private eq % first check for typical use in PScript5.dll
> +- 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec
> +- 1 index 0 get systemdict /put get eq and
> +- {
> +- //superexec exec % the only usage we allow
> +- } {
> +- /superexec load /invalidaccess signalerror
> +- } ifelse
> +- } bind cvx executeonly put
> +- systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator
> +-} if
> +-
> + % Can't remove this one until the last minute :-)
> + DELAYBIND not {
> + systemdict /.undef .undef
> +diff --git a/psi/icontext.c b/psi/icontext.c
> +index 1fbe486..7462ea3 100644
> +--- a/psi/icontext.c
> ++++ b/psi/icontext.c
> +@@ -151,7 +151,6 @@ context_state_alloc(gs_context_state_t ** ppcst,
> + pcst->rand_state = rand_state_initial;
> + pcst->usertime_total = 0;
> + pcst->keep_usertime = false;
> +- pcst->in_superexec = 0;
> + pcst->plugin_list = 0;
> + make_t(&pcst->error_object, t__invalid);
> + { /*
> +diff --git a/psi/icstate.h b/psi/icstate.h
> +index 4c6a14d..1009d85 100644
> +--- a/psi/icstate.h
> ++++ b/psi/icstate.h
> +@@ -54,7 +54,6 @@ struct gs_context_state_s {
> + long usertime_total; /* total accumulated usertime, */
> + /* not counting current time if running */
> + bool keep_usertime; /* true if context ever executed usertime */
> +- int in_superexec; /* # of levels of superexec */
> + /* View clipping is handled in the graphics state. */
> + ref error_object; /* t__invalid or error object from operator */
> + ref userparams; /* t_dictionary */
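Review bot: dropping `in_superexec` from `gs_context_state_s` means any reference to the field that the 9.26 tree still has outside the six files in the diffstat would fail to compile. Upstream's commit is against a newer tree, so a build of both the target and the native recipe is the check that the backport is complete; if it built cleanly, the field had no other users and this is fine.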
> +diff --git a/psi/zcontrol.c b/psi/zcontrol.c
> +index 0362cf4..dc813e8 100644
> +--- a/psi/zcontrol.c
> ++++ b/psi/zcontrol.c
> +@@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p)
> + return o_push_estack;
> + }
> +
> +-/* <obj> superexec - */
> +-static int end_superexec(i_ctx_t *);
> +-static int
> +-zsuperexec(i_ctx_t *i_ctx_p)
> +-{
> +- os_ptr op = osp;
> +- es_ptr ep;
> +-
> +- check_op(1);
> +- if (!r_has_attr(op, a_executable))
> +- return 0; /* literal object just gets pushed back */
> +- check_estack(2);
> +- ep = esp += 3;
> +- make_mark_estack(ep - 2, es_other, end_superexec); /* error case */
> +- make_op_estack(ep - 1, end_superexec); /* normal case */
> +- ref_assign(ep, op);
> +- esfile_check_cache();
> +- pop(1);
> +- i_ctx_p->in_superexec++;
> +- return o_push_estack;
> +-}
> +-static int
> +-end_superexec(i_ctx_t *i_ctx_p)
> +-{
> +- i_ctx_p->in_superexec--;
> +- return 0;
> +-}
> +-
> + /* <array> <executable> .runandhide <obj> */
> + /* before executing <executable>, <array> is been removed from */
> + /* the operand stack and placed on the execstack with attributes */
> +@@ -971,8 +943,6 @@ const op_def zcontrol3_op_defs[] = {
> + {"0%loop_continue", loop_continue},
> + {"0%repeat_continue", repeat_continue},
> + {"0%stopped_push", stopped_push},
> +- {"1superexec", zsuperexec},
> +- {"0%end_superexec", end_superexec},
> + {"2.runandhide", zrunandhide},
> + {"0%end_runandhide", end_runandhide},
> + op_def_end(0)
> +diff --git a/psi/zdict.c b/psi/zdict.c
> +index b0deaaa..e2e525d 100644
> +--- a/psi/zdict.c
> ++++ b/psi/zdict.c
> +@@ -212,8 +212,7 @@ zundef(i_ctx_t *i_ctx_p)
> + int code;
> +
> + check_type(*op1, t_dictionary);
> +- if (i_ctx_p->in_superexec == 0)
> +- check_dict_write(*op1);
> ++ check_dict_write(*op1);
> + code = idict_undef(op1, op);
> + if (code < 0 && code != gs_error_undefined) /* ignore undefined error */
> + return code;
> +@@ -504,8 +503,7 @@ zsetmaxlength(i_ctx_t *i_ctx_p)
> + int code;
> +
> + check_type(*op1, t_dictionary);
> +- if (i_ctx_p->in_superexec == 0)
> +- check_dict_write(*op1);
> ++ check_dict_write(*op1);
> + check_type(*op, t_integer);
> + if (op->value.intval < 0)
> + return_error(gs_error_rangecheck);
> +diff --git a/psi/zgeneric.c b/psi/zgeneric.c
> +index 8048e28..d4edddb 100644
> +--- a/psi/zgeneric.c
> ++++ b/psi/zgeneric.c
> +@@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p)
> +
> + switch (r_type(op2)) {
> + case t_dictionary:
> +- if (i_ctx_p->in_superexec == 0)
> +- check_dict_write(*op2);
> ++ check_dict_write(*op2);
> + {
> + int code = idict_put(op2, op1, op);
> +
> +--
> +2.18.1
> +
> diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch
> new file mode 100644
> index 0000000000..593109fb9f
> --- /dev/null
> +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch
> @@ -0,0 +1,34 @@
> +From 53f0cb4c54ac951697704cb87d24154ae08aecce Mon Sep 17 00:00:00 2001
> +From: Chris Liddell <chris.liddell at artifex.com>
> +Date: Wed, 20 Feb 2019 09:54:28 +0000
> +Subject: [PATCH] Bug 700576: Make a transient proc executeonly (in
> + DefineResource).
> +
> +This prevents access to .forceput
> +
> +Solution originally suggested by cbuissar at redhat.com.
> +
> +CVE: CVE-2019-3838
> +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
> +
> +Signed-off-by: Ovidiu Panait <ovidiu.panait at windriver.com>
> +---
> + Resource/Init/gs_res.ps | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
> +index 89c0ed6..a163541 100644
> +--- a/Resource/Init/gs_res.ps
> ++++ b/Resource/Init/gs_res.ps
> +@@ -426,7 +426,7 @@ status {
> + % so we have to use .forceput here.
> + currentdict /.Instances 2 index .forceput % Category dict is read-only
> + } executeonly if
> +- }
> ++ } executeonly
> + { .LocalInstances dup //.emptydict eq
> + { pop 3 dict localinstancedict Category 2 index put
> + }
> +--
> +2.18.1
> +
> diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch
> new file mode 100644
> index 0000000000..921e5b6876
> --- /dev/null
> +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch
> @@ -0,0 +1,30 @@
> +From 0cb5e967c0200559f946291b5b54f8da30c32cd6 Mon Sep 17 00:00:00 2001
> +From: Chris Liddell <chris.liddell at artifex.com>
> +Date: Fri, 22 Feb 2019 12:28:23 +0000
> +Subject: [PATCH] Bug 700576(redux): an extra transient proc needs
> + executeonly'ed.
> +
> +CVE: CVE-2019-3838
> +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
> +
> +Signed-off-by: Ovidiu Panait <ovidiu.panait at windriver.com>
> +---
> + Resource/Init/gs_res.ps | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
> +index a163541..8ce4ae3 100644
> +--- a/Resource/Init/gs_res.ps
> ++++ b/Resource/Init/gs_res.ps
> +@@ -438,7 +438,7 @@ status {
> + % Now make the resource value read-only.
> + 0 2 copy get { readonly } .internalstopped pop
> + dup 4 1 roll put exch pop exch pop
> +- }
> ++ } executeonly
> + { /defineresource cvx /typecheck signaloperror
> + }
> + ifelse
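Review bot: the `index a163541..8ce4ae3` line expects exactly the blob CVE-2019-3838-0001.patch produces (`89c0ed6..a163541`), so this patch must stay after 0001 in SRC_URI; the recipe hunk lists them in that order. The proc closed here is the second transient proc in DefineResource that 0001 left readable, and marking it `executeonly` is what keeps a job from reading `.forceput` out of the proc body.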
> +--
> +2.18.1
> +
> diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
> index ad4c5e17d2..bb32347880 100644
> --- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
> +++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
> @@ -39,6 +39,12 @@ SRC_URI = "${SRC_URI_BASE} \
> file://CVE-2019-6116-0005.patch \
> file://CVE-2019-6116-0006.patch \
> file://CVE-2019-6116-0007.patch \
> + file://CVE-2019-3835-0001.patch \
> + file://CVE-2019-3835-0002.patch \
> + file://CVE-2019-3835-0003.patch \
> + file://CVE-2019-3835-0004.patch \
> + file://CVE-2019-3838-0001.patch \
> + file://CVE-2019-3838-0002.patch \
> "
>
> SRC_URI_class-native = "${SRC_URI_BASE} \
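Review bot: the six patches are appended to SRC_URI only, while the trailing context line `SRC_URI_class-native = "${SRC_URI_BASE} \` shows the native variant has its own list that this hunk does not touch. Confirm this mirrors how the CVE-2019-6116-000N.patch entries above were handled, otherwise a cve-check run against ghostscript-native may still flag CVE-2019-3835 and CVE-2019-3838. The ordering itself is consistent: each patch's `index` line expects the blob the previous one in this list produced (gs_init.ps goes 45bebf4, e6b9cd2, 80d9585, 0d5c4f7, c5ac82a across the four CVE-2019-3835 patches).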
> --
> 2.20.1
>
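A reviewer-side check for the ordering point that a multi-patch backport like this raises, as an added example (not code from the thread or from OE-core): it reads each patch's `index <old>..<new>` lines and confirms that, in the order the recipe's SRC_URI lists them, every patch touching a file expects the blob the previous patch produced. The function names and the sample patch and recipe fragments are constructed; the gs_res.ps blob ids are the ones quoted in the thread.

```python
import re

# What the checker needs from a git-format patch and a BitBake recipe: the file
# each hunk touches, the blob ids it expects and produces, and the order of the
# file:// entries in SRC_URI (the class-native assignment is deliberately skipped).
DIFF_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
INDEX_RE = re.compile(r"^index ([0-9a-f]+)\.\.([0-9a-f]+)")
SRC_URI_RE = re.compile(r'^SRC_URI\s*=\s*"(.*?)"', re.M | re.S)
PATCH_RE = re.compile(r"file://(\S+?\.patch)")


def parse_patch(text):
    """Return [(path, old_blob, new_blob), ...] for every file a patch touches."""
    files, path = [], None
    for line in text.splitlines():
        m = DIFF_RE.match(line)
        if m:
            path = m.group(2)
            continue
        m = INDEX_RE.match(line)
        if m and path is not None:
            files.append((path, m.group(1), m.group(2)))
            path = None
    return files


def patch_order(recipe_text):
    """Return the .patch names in the order the recipe's SRC_URI lists them."""
    m = SRC_URI_RE.search(recipe_text)
    return PATCH_RE.findall(m.group(1)) if m else []


def same_blob(a, b):
    """Compare abbreviated blob ids by common prefix (git shortens them)."""
    n = min(len(a), len(b))
    return n > 0 and a[:n] == b[:n]


def check_chain(patches, order):
    """Walk the patches (name -> text) in SRC_URI order; return a list of problems.

    For each file, the blob a patch expects must be the blob the previous patch
    touching that file produced. An all-zero old blob means the patch creates it.
    """
    last_new, problems = {}, []
    for name in order:
        if name not in patches:
            problems.append(f"{name}: listed in SRC_URI but no patch file supplied")
            continue
        for path, old, new in parse_patch(patches[name]):
            prev = last_new.get(path)
            if prev is not None and set(old) != {"0"} and not same_blob(prev, old):
                problems.append(f"{name}: {path} expects blob {old} "
                                f"but the previous patch left {prev}")
            last_new[path] = new
    for name in sorted(set(patches) - set(order)):
        problems.append(f"{name}: supplied but not listed in SRC_URI")
    return problems


# Constructed sample input: header and index lines modelled on the two
# CVE-2019-3838 backports in the thread (hunk bodies omitted; the chain check
# only needs the index lines, which are the ones quoted there).
SAMPLE_PATCHES = {
    "CVE-2019-3838-0001.patch": """\
diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
index 89c0ed6..a163541 100644
--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
""",
    "CVE-2019-3838-0002.patch": """\
diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
index a163541..8ce4ae3 100644
--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
""",
}

# Constructed recipe fragment: the CVE patches go into SRC_URI only, as in the
# thread, and the native variant keeps its own list (placeholder patch name).
SAMPLE_RECIPE = """\
SRC_URI = "${SRC_URI_BASE} \\
           file://CVE-2019-3838-0001.patch \\
           file://CVE-2019-3838-0002.patch \\
           "

SRC_URI_class-native = "${SRC_URI_BASE} \\
           file://native-only-placeholder.patch \\
           "
"""

# The same recipe with the two patches swapped, which the chain check must reject.
SAMPLE_RECIPE_SWAPPED = (SAMPLE_RECIPE.replace("0001", "XXXX")
                         .replace("0002", "0001").replace("XXXX", "0002"))
```

Run `check_chain(SAMPLE_PATCHES, patch_order(SAMPLE_RECIPE))` for the in-order recipe and it returns an empty list; the swapped recipe yields one problem naming CVE-2019-3838-0001.patch and the blob it expected.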