Browse Source

update to new upstream

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
master
Toshaan Bharvani 6 months ago
parent
commit
d6ac29606e
  1. 44
      SOURCES/ghostscript-9.54.0-CVE-2023-28879.patch
  2. 142
      SOURCES/ghostscript-9.54.0-CVE-2023-36664.patch
  3. 27
      SOURCES/ghostscript-9.54.0-CVE-2023-38559.patch
  4. 21
      SOURCES/ghostscript-9.54.0-CVE-2023-43115.patch
  5. 88
      SOURCES/ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
  6. 22
      SOURCES/ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
  7. 106
      SOURCES/ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
  8. 36
      SPECS/ghostscript.spec

44
SOURCES/ghostscript-9.54.0-CVE-2023-28879.patch

@ -0,0 +1,44 @@
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Mar 2023 13:19:57 +0000
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding

Bug #706494 "Buffer Overflow in s_xBCPE_process"

As described in detail in the bug report, if the write buffer is filled
to one byte less than full, and we then try to write an escaped
character, we overrun the buffer because we don't check before
writing two bytes to it.

This just checks if we have two bytes before starting to write an
escaped character and exits if we don't (replacing the consumed byte
of the input).

Up for further discussion; why do we even permit a BCP encoding filter
anyway ? I think we should remove this, at least when SAFER is true.
---
base/sbcp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/base/sbcp.c b/base/sbcp.c
index 979ae0992..47fc233ec 100644
--- a/base/sbcp.c
+++ b/base/sbcp.c
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
byte ch = *++p;
if (ch <= 31 && escaped[ch]) {
+ /* Make sure we have space to store two characters in the write buffer,
+ * if we don't then exit without consuming the input character, we'll process
+ * that on the next time round.
+ */
+ if (pw->limit - q < 2) {
+ p--;
+ break;
+ }
if (p == rlimit) {
p--;
break;
--
2.39.2

142
SOURCES/ghostscript-9.54.0-CVE-2023-36664.patch

@ -0,0 +1,142 @@
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 7 Jun 2023 10:23:06 +0100
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
validation

For regular file names, we try to simplfy relative paths before we use them.

Because the %pipe% device can, effectively, accept command line calls, we
shouldn't be simplifying that string, because the command line syntax can end
up confusing the path simplifying code. That can result in permitting a pipe
command which does not match what was originally permitted.

Special case "%pipe" in the validation code so we always deal with the entire
string.
---
base/gpmisc.c | 31 +++++++++++++++++++--------
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
2 files changed, 64 insertions(+), 23 deletions(-)

diff --git a/base/gpmisc.c b/base/gpmisc.c
index 5f39ebba7..2fb87f769 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
-
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eb566ed06..d2a1aa91d 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {
--
2.41.0

27
SOURCES/ghostscript-9.54.0-CVE-2023-38559.patch

@ -0,0 +1,27 @@
From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 17 Jul 2023 14:06:37 +0100
Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
devices/gdevpcx.c

Bounds check the buffer, before dereferencing the pointer.
---
base/gdevdevn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/gdevdevn.c b/base/gdevdevn.c
index 7b14d9c71..6351fb77a 100644
--- a/base/gdevdevn.c
+++ b/base/gdevdevn.c
@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
byte data = *from;
from += step;
- if (data != *from || from == end) {
+ if (from >= end || data != *from) {
if (data >= 0xc0)
gp_fputc(0xc1, file);
} else {
--
2.41.0

21
SOURCES/ghostscript-9.54.0-CVE-2023-43115.patch

@ -0,0 +1,21 @@
--- a/devices/gdevijs.c
+++ b/devices/gdevijs.c
@@ -934,6 +934,9 @@
static const char rgb[] = "DeviceRGB";
gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
+ return_error(gs_error_invalidaccess);
+
code = gx_default_finish_copydevice(dev, from_dev);
if(code < 0)
return code;
@@ -1363,7 +1366,7 @@
if (code >= 0)
code = gsijs_read_string(plist, "IjsServer",
ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
- dev->LockSafetyParams, is_open);
+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
if (code >= 0)
code = gsijs_read_string_malloc(plist, "DeviceManufacturer",

88
SOURCES/ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch

@ -0,0 +1,88 @@
From 0b74b65ecc0f36d40b8d04a7fa1fa8b5f9d2b3ff Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 13 Oct 2022 14:55:28 +0100
Subject: [PATCH] Deal with different VM modes during CIDFont loading

To help differentiate between a substituted CIDFont and an embedded one, a
change was made to store the file path in the CIDFont dictionary. That change
failed to account for the possibility that the file object and the CIDFont
dictionary may not be in compatible VM modes.

This adds code to ensure that the string holding the path is in a suitable VM
mode to be stored into the dictionary.

Reported by Richard Lescak <rlescak@redhat.com>
---
Resource/Init/gs_cidfn.ps | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/Resource/Init/gs_cidfn.ps b/Resource/Init/gs_cidfn.ps
index 870a2e11c..fa050ed7a 100644
--- a/Resource/Init/gs_cidfn.ps
+++ b/Resource/Init/gs_cidfn.ps
@@ -1,4 +1,4 @@
-% Copyright (C) 2001-2021 Artifex Software, Inc.
+% Copyright (C) 2001-2022 Artifex Software, Inc.
% All Rights Reserved.
%
% This software is provided AS-IS with no warranty, either express or
@@ -36,6 +36,17 @@
30 dict begin
+/.gcompatstringcopy % <string> <global> .gcompatstringcopy <string>
+{
+ dup 2 index gcheck eq
+ { pop }
+ {
+ currentglobal 3 1 roll setglobal
+ dup length string copy
+ exch setglobal
+ } ifelse
+} bind def
+
% The key in .cidfonttypes is the CIDFontType value;
% the value is a procedure that takes a font name and the CIDFont dictionary
% and replaces the latter with a real font.
@@ -58,7 +69,7 @@ dup 0 {
end
} if
1 index exch .buildfont9
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse
exch pop
} put % Don't bind it here, because gs_fapi.ps redefines .buildfont9
@@ -138,10 +149,11 @@ dup 0 {
% ------ CIDFontType 1 (FontType 10) ------ %
+
dup 1 {
10 //.checkfonttype exec pop
1 index exch .buildfont10
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse
exch pop
} put % Don't bind it here because gs_fapi.ps redefines .buildfont10
@@ -150,12 +162,15 @@ dup 1 {
dup 2 {
11 //.checkfonttype exec pop
1 index exch .buildfont11
- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse
+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse
exch pop
} put % Don't bind it here because gs_fapi.ps redefines .buildfont11
+currentdict /.gcompatstringcopy .undef
+
pop % .cidfonttypes
+
% ---------------- Reading CIDFontType 0 files ---------------- %
/StartData { % <(Binary)|(Hex)> <datalength> StartData -
--
2.37.3

22
SOURCES/ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch

@ -0,0 +1,22 @@
diff -x .git -Napur ghostscript-9.27.old/contrib/japanese/gdevespg.c ghostscript-9.27.new/contrib/japanese/gdevespg.c
--- ghostscript-9.27.old/contrib/japanese/gdevespg.c 2019-04-04 00:43:14.000000000 -0700
+++ ghostscript-9.27.new/contrib/japanese/gdevespg.c 2023-01-24 11:25:32.588189093 -0800
@@ -273,6 +273,9 @@
int width, height, w, h, wp, hp, bLandscape;
EpagPaperTable *pt;
+ /* Page size match tolerance in points */
+ #define TOL 5
+
width = (int)pdev->MediaSize[0];
height = (int)pdev->MediaSize[1];
@@ -291,7 +294,7 @@
}
for (pt = epagPaperTable; pt->escpage > 0; pt++)
- if (pt->width == w && pt->height == h)
+ if (abs(w - pt->width) <= TOL && abs(h - pt->height) <= TOL)
break;
gp_fprintf(fp, "%c%d", GS, pt->escpage);

106
SOURCES/ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch

@ -0,0 +1,106 @@
From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 15 Mar 2023 15:38:29 +0000
Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling

The PS interpreter callback that handles converting a CID to a TTF GID did
not handle the case of substituted CIDFonts.

It requires looking up the CID on the Decoding (to get a Unicode code point),
and then looking up the code point in the TTF cmap table to get the GID.

The rendering code already handled it.
---
psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++-------------------
1 file changed, 46 insertions(+), 27 deletions(-)

diff --git a/psi/zfcid1.c b/psi/zfcid1.c
index fd502ff12..55de85d45 100644
--- a/psi/zfcid1.c
+++ b/psi/zfcid1.c
@@ -77,37 +77,56 @@
int gdbytes = pfont->cidata.common.GDBytes;
int gnum = 0;
const byte *data;
- int i, code;
+ int i, code = -1;
ref rcid;
ref *prgnum;
+ ref *p, *fdict = pfont_dict(pfont);
+
+ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) {
+ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type;
+ uint c;
+
+ code = dict_find_string(fdict, "Decoding", &Decoding);
+ if (code > 0)
+ code = dict_find_string(fdict, "TT_cmap", &TT_cmap);
+ if (code > 0)
+ code = dict_find_string(fdict, "SubstNWP", &SubstNWP);
+ if (code > 0) {
+ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type);
+ if (code >= 0)
+ gnum = c;
+ }
+ }
- switch (r_type(pcidmap)) {
- case t_string:
- if (cid >= r_size(pcidmap) / gdbytes)
- return_error(gs_error_rangecheck);
- data = pcidmap->value.const_bytes + cid * gdbytes;
- break;
- case t_integer:
- return cid + pcidmap->value.intval;
- case t_dictionary:
- make_int(&rcid, cid);
- code = dict_find(pcidmap, &rcid, &prgnum);
- if (code <= 0)
- return (code < 0 ? code : gs_note_error(gs_error_undefined));
- if (!r_has_type(prgnum, t_integer))
- return_error(gs_error_typecheck);
- return prgnum->value.intval;
- default: /* array type */
- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
- gdbytes, NULL, NULL, &data);
+ if (code < 0) {
+ switch (r_type(pcidmap)) {
+ case t_string:
+ if (cid >= r_size(pcidmap) / gdbytes)
+ return_error(gs_error_rangecheck);
+ data = pcidmap->value.const_bytes + cid * gdbytes;
+ break;
+ case t_integer:
+ return cid + pcidmap->value.intval;
+ case t_dictionary:
+ make_int(&rcid, cid);
+ code = dict_find(pcidmap, &rcid, &prgnum);
+ if (code <= 0)
+ return (code < 0 ? code : gs_note_error(gs_error_undefined));
+ if (!r_has_type(prgnum, t_integer))
+ return_error(gs_error_typecheck);
+ return prgnum->value.intval;
+ default: /* array type */
+ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes,
+ gdbytes, NULL, NULL, &data);
- if (code < 0)
- return code;
- if ( code > 0 )
- return_error(gs_error_invalidfont);
+ if (code < 0)
+ return code;
+ if ( code > 0 )
+ return_error(gs_error_invalidfont);
+ }
+ for (i = 0; i < gdbytes; ++i)
+ gnum = (gnum << 8) + data[i];
}
- for (i = 0; i < gdbytes; ++i)
- gnum = (gnum << 8) + data[i];
if (gnum >= pfont->data.trueNumGlyphs)
return_error(gs_error_invalidfont);
return gnum;
--
2.39.2

36
SPECS/ghostscript.spec

@ -42,7 +42,7 @@
Name: ghostscript Name: ghostscript
Summary: Interpreter for PostScript language & PDF Summary: Interpreter for PostScript language & PDF
Version: 9.54.0 Version: 9.54.0
Release: 7%{?dist} Release: 14%{?dist}


License: AGPLv3+ License: AGPLv3+


@ -106,6 +106,13 @@ Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
Patch003: ghostscript-9.54.0-covscan-fixes.patch Patch003: ghostscript-9.54.0-covscan-fixes.patch
#2049767 - CVE-2021-45949 heap-based buffer overflow in sampled_data_finish #2049767 - CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
Patch005: ghostscript-9.54.0-Deal-with-different-VM-modes-during-CIDFont-loading.patch
Patch006: ghostscript-9.54.0-ESC-Page-driver-does-not-set-page-size-correctly.patch
Patch007: ghostscript-9.54.0-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch
Patch008: ghostscript-9.54.0-CVE-2023-28879.patch
Patch009: ghostscript-9.54.0-CVE-2023-36664.patch
Patch010: ghostscript-9.54.0-CVE-2023-38559.patch
Patch011: ghostscript-9.54.0-CVE-2023-43115.patch


# Downstream patches -- these should be always included when doing rebase: # Downstream patches -- these should be always included when doing rebase:
# ------------------ # ------------------
@ -439,6 +446,33 @@ done
# ============================================================================= # =============================================================================


%changelog %changelog
* Thu Oct 12 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-14
- fix for CVE-2023-43115
- Resolves: RHEL-10184

* Fri Aug 04 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-13
- fix for CVE-2023-38559
- Resolves: rhbz#2224372

* Tue Aug 01 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-12
- fix for CVE-2023-36664
- Resolves: rhbz#2217810

* Fri May 05 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-11
- fix for CVE-2023-28879
- Resolves: rhbz#2188300

* Fri Mar 17 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-10
- fix embedding of CIDFonts
- Resolves: rhbz#2179023

* Thu Feb 02 2023 Richard Lescak <rlescak@redhat.com> - 9.54.0-9
- set the page size for A4 correctly in ESC/Page driver
- Resolves: rhbz#2164613

* Fri Dec 09 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-8
- fix loading of CIDFonts (#2138795)

* Thu Feb 24 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-7 * Thu Feb 24 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-7
- Fix patch for covscan issues (#2032789) - Fix patch for covscan issues (#2032789)



Loading…
Cancel
Save