Port all debian CVE patches for ghostscript #153

Closed
28 changes: 28 additions & 0 deletions print/ghostscript-gpl/distinfo
Expand Up @@ -4,7 +4,9 @@ SHA1 (ghostscript-9.06.tar.bz2) = 4c1c2b4cddd16d86b21f36ad4fc15f6100162238
RMD160 (ghostscript-9.06.tar.bz2) = 11ef74cf783ec5f7cde0ceaaf2823a1f62fb4d1d
SHA512 (ghostscript-9.06.tar.bz2) = 99f7a56316bf96d55c0cd7b07c0791ad4e6ee0d3a8f3bfa04ea28890ea9ed822ebcd7084cc8118cc38dc5def27c91c24eebc08a20a630463a9bf9d0193d0923b
Size (ghostscript-9.06.tar.bz2) = 29246039 bytes
SHA1 (patch-00-gxht_threads_c) = ab0326253d8a68e310b02459d9186c00c2fcd3a3
SHA1 (patch-CVE-2012-4405) = 1dcb4cfeceb366c144e0a1337c6ccc2d8e13e4ca
SHA1 (patch-CVE-2013-5653.patch) = 56cb9917fb8ba631a15c2bd9282a37a216738e3c
SHA1 (patch-CVE-2014-8137) = 5375f56f3d7cdfed0c9f900d291d75bbc3182b96
SHA1 (patch-CVE-2014-8138) = be161051680e3c6c9246f31237019470a447ee49
SHA1 (patch-CVE-2014-8157) = 18822069b9791fc3553e812878cfca483d881cd4
Expand All @@ -13,11 +15,37 @@ SHA1 (patch-CVE-2014-9029) = 9636c7d6909fc0dec7ad2102b59fb14d599bac6a
SHA1 (patch-CVE-2016-10217) = 85f2cb708bb38a88215573e63821be8a54bc019e
SHA1 (patch-CVE-2016-10219) = 24ef41da0579840360110cc5c1f79622210f8e6b
SHA1 (patch-CVE-2016-10220) = 6edfa87948ff0f9412a5509efb98bf2d063a5951
SHA1 (patch-CVE-2016-10317_gxht_thresh_c) = a1aad335c71f10d4ef4cdcb4174e33d1c3480f10
SHA1 (patch-CVE-2016-10317_gxipxel) = d77405a7c4300dcb0a9a81ff0e5922829e719e46
SHA1 (patch-CVE-2016-7976.patch) = 425f1b716818a9bf2b10b8563daca52a0ce8b18c
SHA1 (patch-CVE-2016-7977.patch) = a773ad325ef19a386d7b1b616f63369df9e48055
SHA1 (patch-CVE-2016-7979.patch) = c966b36a09c1f151347125b3c062e53c434398c6
SHA1 (patch-CVE-2017-5951) = a4af8e561b9f5a6a330fbc2f915257bf5ba3cb2a
SHA1 (patch-CVE-2017-6196) = 311d9236dd5abcd48ae0f412bf481e105b6207dc
SHA1 (patch-CVE-2017-7207) = 31f4a73b49b52942385eaa3c8cf2a94b5bbde6df
SHA1 (patch-CVE-2017-8291_eqproc) = 4963f1dd758b6f13739e6b411665507eb5eb2e9b
SHA1 (patch-CVE-2017-8291_rsdparams) = aeb9b161995fa63d9cbd0b2d69e94fb53b6b67af
SHA1 (patch-CVE-2018-11645.patch) = 9bcb99207e504d8a838a054bb723ee471045ba50
SHA1 (patch-CVE-2018-15908.patch) = 28628acb4421237f210097dd41f30c4c9ed52675
SHA1 (patch-CVE-2018-16509-part1) = d42af4b80614a497ceeeffe52eecd4556e9362f4
SHA1 (patch-CVE-2018-16509-part2) = c74c990de5b839510b254b22871a26e0d72f02df
SHA1 (patch-CVE-2018-16511) = 0d60dfc2782447826bba99ddb56f4a2ec2aa3172
SHA1 (patch-CVE-2018-16511-additional) = bd197d11a48940056e776825ec1d03d28e2ebae0
SHA1 (patch-CVE-2018-16513) = a12b39da733300febfc9a8bbfc8548edcb27bff6
SHA1 (patch-CVE-2018-16539-related.patch) = 9799c49edc782911ff64f88fd037247de5f81201
SHA1 (patch-CVE-2018-16540) = b4e3b74d4cd6985f0e332cbdcec857f1f98d4d63
SHA1 (patch-CVE-2018-16541) = ad98bb9a76aee7c8d062aaec0bd3db0daaf4cbf7
SHA1 (patch-CVE-2018-16542) = 7fa779cd0a6a48ec925fe763acca25ba951bbfdb
SHA1 (patch-CVE-2018-16543) = 2ef83bf8851dd9ee0ffa573d4a35908c906a2db7
SHA1 (patch-CVE-2018-16585_part1) = 1542e8ab7e1f6918d66c98069c29fdb84ac829de
SHA1 (patch-CVE-2018-16585_part2) = 76ff2adfe5c7a0d3ba67ccd3ffc3dcce3bd00ee1
SHA1 (patch-CVE-2018-16802) = 63296254a8777be1ef5633404224f6be0a5575d5
SHA1 (patch-CVE-2018-17183) = a53afa10e9c45791237a045c428198d3765a2ce4
SHA1 (patch-CVE-2018-17961_part1) = bab332b2b4114af5c521d4a3edb04604f82d34c7
SHA1 (patch-CVE-2018-17961_part2) = 16d3c16d610695bee16bf8c6a79e618ceb817031
SHA1 (patch-CVE-2018-17961_part3) = c76acaec0499dd85e48cd10ecf295d0811e3d318
SHA1 (patch-CVE-2018-18073) = 5504a67a374f6eee849ed94d1df7b408ff8711c3
SHA1 (patch-CVE-2018-18284) = 8b341fa18738b7c7a61a4a40abcce39454d5c3eb
SHA1 (patch-af) = ade76a99fdf5a1c5b05caf7641c4833fde612fd7
SHA1 (patch-ah) = 7548f6f78b8029febec044bc11214f9d6674c9d3
SHA1 (patch-ai) = 3962a3acac1d4537dbbe3fc3b205aba87387d485
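--- a/print/ghostscript-gpl/patches/patch-00-gxht_threads_c
+++ b/print/ghostscript-gpl/patches/patch-00-gxht_threads_c
@@ -0,0 +1,12 @@
+--- base/gxht_thresh.c
++++ base/gxht_thresh.c
+@@ -711,6 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+space */
+max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+(float) penum->Height);
++ if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))
++ return -1; /* overflow */
++
+penum->ht_buffer =
+gs_alloc_bytes(penum->memory,
+penum->ht_stride * max_height * spp_out,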
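Review bot: The guard added in gxht_thresh_image_init evaluates `penum->ht_stride * spp_out` before comparing it with `max_int / max_height`, so if both operands are plain `int` (their declarations are outside the hunk) that product can itself overflow and the test then compares a wrapped value. Dividing twice avoids the intermediate product, for example `if (max_height > 0 && spp_out > 0 && penum->ht_stride > max_int / max_height / spp_out) return -1;`. The same expression is carried unchanged into patch-CVE-2016-10317_gxht_thresh_c, which only replaces the `max_height > 0` short-circuit that here lets a non-positive height fall through to gs_alloc_bytes. The function body starts and ends outside the hunk.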
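--- a/print/ghostscript-gpl/patches/patch-CVE-2013-5653.patch
+++ b/print/ghostscript-gpl/patches/patch-CVE-2013-5653.patch
@@ -0,0 +1,63 @@
+Description: CVE-2013-5653: Information disclosure through getenv, filenameforall
+Origin: backport, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=694724
+Bug-Debian: https://bugs.debian.org/839118
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-07
+---
+
+--- Resource/Init/gs_init.ps
++++ Resource/Init/gs_init.ps
+@@ -2011,6 +2011,7 @@ readonly def
+>> setuserparams
+}
+if
++ systemdict /getenv {pop //false} put
+% setpagedevice has the side effect of clearing the page, but
+% we will just document that. Using setpagedevice keeps the device
+% properties and pagedevice .LockSafetyParams in agreement even
+--- psi/zfile.c
++++ psi/zfile.c
+@@ -371,22 +371,25 @@ file_continue(i_ctx_t *i_ctx_p)
+
+if (len < devlen)
+return_error(e_rangecheck); /* not even room for device len */
+- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+- len - devlen);
+- if (code == ~(uint) 0) { /* all done */
+- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
+- return o_pop_estack;
+- } else if (code > len) /* overran string */
+- return_error(e_rangecheck);
+- else {
+- push(1);
+- ref_assign(op, pscratch);
+- r_set_size(op, code + devlen);
+- push_op_estack(file_continue); /* come again */
+- *++esp = pscratch[2]; /* proc */
+- return o_push_estack;
+- }
++ do {
++ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
++ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
++ len - devlen);
++ if (code == ~(uint) 0) { /* all done */
++ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
++ return o_pop_estack;
++ } else if (code > len) /* overran string */
++ return_error(e_rangecheck);
++ else if (iodev != iodev_default(imemory)
++ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
++ push(1);
++ ref_assign(op, pscratch);
++ r_set_size(op, code + devlen);
++ push_op_estack(file_continue); /* come again */
++ *++esp = pscratch[2]; /* proc */
++ return o_push_estack;
++ }
++ } while(1);
+}
+/* Cleanup procedure for enumerating files */
+static int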
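Review bot: The overrun test in file_continue still compares `code` with `len`, although enumerate_next is handed only `len - devlen` bytes and the new code then passes `code + devlen` to check_file_permissions_reduced and r_set_size. If enumerate_next reports the required length when a name does not fit (its contract is not visible here), a value between `len - devlen` and `len` passes the test, and both the permission check and the resulting string size would reach past the scratch string. The comparison is carried over from the removed lines rather than introduced by the backport, but the permission check now depends on it; `else if (code > len - devlen)` would match the capacity actually passed. A short comment on the `do { … } while(1)` saying that entries which fail PermitFileReading are skipped silently, and only for the default iodev, would also help the next reader. file_continue begins outside the hunk.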
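--- a/print/ghostscript-gpl/patches/patch-CVE-2016-10317_gxht_thresh_c
+++ b/print/ghostscript-gpl/patches/patch-CVE-2016-10317_gxht_thresh_c
@@ -0,0 +1,43 @@
+--- base/gxht_thresh.c
++++ base/gxht_thresh.c
+@@ -711,7 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+space */
+max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+(float) penum->Height);
+- if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))
++ if (max_height <= 0)
++ return -1; /* shouldn't happen, but check so we don't div by zero */
++ if (penum->ht_stride * spp_out > max_int / max_height)
+return -1; /* overflow */
+
+penum->ht_buffer =
+@@ -734,6 +736,11 @@ gxht_thresh_image_init(gx_image_enum *penum)
+Also allow a 15 sample over run during the execution. */
+temp = (int) ceil((float) ((dev_width + 15.0) + 15.0)/16.0);
+penum->line_size = bitmap_raster(temp * 16 * 8); /* The stride */
++ if (penum->line_size > max_int / max_height) {
++ gs_free_object(penum->memory, penum->ht_buffer, "gxht_thresh");
++ penum->ht_buffer = NULL;
++ return -1; /* thresh_buffer size overflow */
++ }
+penum->line = gs_alloc_bytes(penum->memory, penum->line_size * spp_out,
+"gxht_thresh");
+penum->thresh_buffer = gs_alloc_bytes(penum->memory,
+@@ -754,7 +761,7 @@ gxht_thresh_image_init(gx_image_enum *penum)
+}
+
+static void
+-fill_threshhold_buffer(byte *dest_strip, byte *src_strip, int src_width,
++fill_threshold_buffer(byte *dest_strip, byte *src_strip, int src_width,
+int left_offset, int left_width, int num_tiles,
+int right_width)
+{
+@@ -908,7 +915,7 @@ gxht_thresh_planes(gx_image_enum *penum, fixed xrun,
+to update with stride */
+position = contone_stride * k;
+/* Tile into the 128 bit aligned threshold strip */
+- fill_threshhold_buffer(&(thresh_align[position]),
++ fill_threshold_buffer(&(thresh_align[position]),
+thresh_tile, thresh_width, dx, left_width,
+num_full_tiles, right_tile_width);
+}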
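Review bot: The new `penum->line_size > max_int / max_height` guard covers the thresh_buffer size, but the `penum->line_size * spp_out` passed to gs_alloc_bytes for `penum->line` on the very next line is not bounded by any check visible in the hunk. A matching test before that allocation, for example `if (spp_out > 0 && penum->line_size > max_int / spp_out)` with the same ht_buffer release, would close that gap; line_size and spp_out are declared outside the hunk, so confirm they are `int`. The bare `return -1` on all three paths also gives callers no way to tell an overflow from any other failure, so a named error code would be clearer if callers propagate it. The thresh_buffer allocation continues past the end of the second hunk.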
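--- a/print/ghostscript-gpl/patches/patch-CVE-2016-10317_gxipxel
+++ b/print/ghostscript-gpl/patches/patch-CVE-2016-10317_gxipxel
@@ -0,0 +1,11 @@
+--- base/gxipixel.c
++++ base/gxipixel.c
+@@ -758,7 +758,7 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+penum->memory = mem;
+penum->buffer = buffer;
+penum->buffer_size = bsize;
+- penum->line = 0;
++ penum->line = NULL;
+penum->icc_link = NULL;
+penum->color_cache = NULL;
+penum->ht_buffer = NULL;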
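--- a/print/ghostscript-gpl/patches/patch-CVE-2016-7976.patch
+++ b/print/ghostscript-gpl/patches/patch-CVE-2016-7976.patch
@@ -0,0 +1,151 @@
+Description: CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote shell command execution
+Origin: backport, http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697178
+Bug-Debian: https://bugs.debian.org/839260
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-07
+---
+
+--- base/gsicc_manage.c
++++ base/gsicc_manage.c
+@@ -916,9 +916,12 @@ gsicc_open_search(const char* pname, int
+}
+
+/* First just try it like it is */
+- str = sfopen(pname, "rb", mem_gc);
+- if (str != NULL)
+- return(str);
++ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
++ str = sfopen(pname, "r", mem_gc);
++ if (str != NULL) {
++ return(str);
++ }
++ }
+
+/* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
+/* A better approach might be to have built in defaults */
+--- base/gslibctx.c
++++ base/gslibctx.c
+@@ -111,6 +111,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
+pio->profiledir_len = 0;
+gs_lib_ctx_set_icc_directory(mem, DEFAULT_DIR_ICC, strlen(DEFAULT_DIR_ICC));
+
++ pio->client_check_file_permission = NULL;
+gp_get_realtime(pio->real_time_0);
+
+return 0;
+@@ -192,3 +193,13 @@ void errflush(const gs_memory_t *mem)
+fflush(mem->gs_lib_ctx->fstderr);
+/* else nothing to flush */
+}
++
++int
++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
++{
++ int code = 0;
++ if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
++ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
++ }
++ return code;
++}
+--- base/gslibctx.h
++++ base/gslibctx.h
+@@ -27,6 +27,9 @@ typedef struct name_table_s *name_table_
+# define gs_font_dir_DEFINED
+typedef struct gs_font_dir_s gs_font_dir;
+#endif
++
++typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
++
+typedef struct gs_lib_ctx_s
+{
+gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */
+@@ -54,6 +57,7 @@ typedef struct gs_lib_ctx_s
+bool dict_auto_expand; /* ps dictionary: false level 1 true level 2 or 3 */
+/* A table of local copies of the IODevices */
+struct gx_io_device_s **io_device_table;
++ client_check_file_permission_t client_check_file_permission;
+/* Define the default value of AccurateScreens that affects setscreen
+and setcolorscreen. */
+bool screen_accurate_screens;
+@@ -91,4 +95,7 @@ gs_memory_t * gs_lib_ctx_get_non_gc_memo
+void gs_lib_ctx_set_icc_directory(const gs_memory_t *mem_gc, const char* pname,
+int dir_namelen);
+
++int
++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
++
+#endif /* GSLIBCTX_H */
+--- psi/imain.c
++++ psi/imain.c
+@@ -51,6 +51,7 @@
+#include "ivmspace.h"
+#include "idisp.h" /* for setting display device callback */
+#include "iplugin.h"
++#include "zfile.h"
+
+/* ------ Exported data ------ */
+
+@@ -196,6 +197,7 @@ gs_main_init1(gs_main_instance * minst)
+"the_gs_name_table");
+if (code < 0)
+return code;
++ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
+}
+code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */
+if (code < 0)
+--- psi/int.mak
++++ psi/int.mak
+@@ -2044,7 +2044,8 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $
+$(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
+$(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
+$(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
+- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)
++ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\
++ $(INT_MAK) $(MAKEDIRS)
+$(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
+
+#****** $(CCINT) interp.c
+--- psi/zfile.c
++++ psi/zfile.c
+@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p,
+return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
+}
+
++/* z_check_file_permissions: see zfile.h for explanation
++ */
++int
++z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
++{
++ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
++ gs_parsed_file_name_t pname;
++ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
++ int code = gs_parse_file_name(&pname, fname, len, imemory);
++ if (code < 0)
++ return code;
++
++ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
++ return gs_error_invalidfileaccess;
++
++ code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
++ return code;
++}
++
+/* <name_string> <access_string> file <file> */
+int /* exported for zsysvm.c */
+zfile(i_ctx_t *i_ctx_p)
+--- psi/zfile.h
++++ psi/zfile.h
+@@ -22,4 +22,11 @@
+int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
+const char *file_access, stream **ps, gs_memory_t *mem);
+
++/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
++ * to allow applying the above permissions checks when opening file(s) from
++ * the graphics library
++ */
++int
++z_check_file_permissions(gs_memory_t *mem, const char *fname,
++ const int len, const char *permission);
+#endif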
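Review bot: gs_check_file_permission in base/gslibctx.c returns 0, which gsicc_open_search treats as permitted, whenever `client_check_file_permission` is NULL, and gs_lib_ctx_init sets it to NULL; only gs_main_init1 registers z_check_file_permissions. A client of the graphics library that never goes through gs_main_init1 therefore gets no check at all, and neither the definition nor the prototype in gslibctx.h says so. A comment on the prototype such as `/* Returns 0 (allowed) when no client callback is registered; negative when access is denied. */` would make the fail-open default explicit. In z_check_file_permissions the `%pipe%` rejection applies only when `LockFilePermissions` is set, and `get_minst_from_memory(mem)->i_ctx_p` is dereferenced unchecked even though gs_main_init1 registers the callback before the visible `obj_init(&minst->i_ctx_p, …)` call, so it is worth confirming that no file open can reach the callback in between.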
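--- a/print/ghostscript-gpl/patches/patch-CVE-2016-7977.patch
+++ b/print/ghostscript-gpl/patches/patch-CVE-2016-7977.patch
@@ -0,0 +1,27 @@
+Description: CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing remote file disclosure
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697169
+Bug-Debian: https://bugs.debian.org/839841
+Forwarded: not-needed
+Author: Chris Liddell <chris.liddell@artifex.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-08
+---
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index b6caea2..2c6c958 100644
+--- psi/zfile.c
++++ psi/zfile.c
+@@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx
+gs_main_instance *minst = get_minst_from_memory(mem);
+int code;
+
++ if (i_ctx_p && starting_arg_file)
++ i_ctx_p->starting_arg_file = false;
++
+/* when starting arg files (@ files) iodev_default is not yet set */
+if (iodev == 0)
+iodev = (gx_io_device *)gx_io_device_table[0];
+--
+2.9.3
+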
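--- a/print/ghostscript-gpl/patches/patch-CVE-2016-7979.patch
+++ b/print/ghostscript-gpl/patches/patch-CVE-2016-7979.patch
@@ -0,0 +1,33 @@
+Description: CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code execution
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697190
+Bug-Debian: https://bugs.debian.org/839846
+Forwarded: not-needed
+Author: Ken Sharp <ken.sharp@artifex.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-08
+---
+
+--- psi/zdscpars.c
++++ psi/zdscpars.c
+@@ -132,11 +132,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
+ref local_ref;
+int code;
+os_ptr const op = osp;
+- dict * const pdict = op->value.pdict;
+- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
+- dsc_data_t * const data =
+- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
++ dict *pdict;
++ gs_memory_t *mem;
++ dsc_data_t *data;
+
++ check_read_type(*op, t_dictionary);
++
++ pdict = op->value.pdict;
++ mem = (gs_memory_t *)dict_memory(pdict);
++
++ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+if (!data)
+return_error(e_VMerror);
+data->document_level = 0;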