Accepting request 1096685 from Printing

Security fix CVE-2023-36664 bsc#1212711 for ghostscript and ghostscript-mini (forwarded request 1096684 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/1096685
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=59

CVE-2023-36664.patch

@@ -0,0 +1,116 @@
+--- base/gpmisc.c.orig	2022-04-04 15:48:49.000000000 +0200
++++ base/gpmisc.c	2023-07-04 08:13:02.173325373 +0200
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
+              && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+           prefix_len = 0;
+     }
+-    rlen = len+1;
+-    bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+-    if (bufferfull == NULL)
+-        return gs_error_VMerror;
+ 
+-    buffer = bufferfull + prefix_len;
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++        bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++        memcpy(buffer, path, len);
++        buffer[len] = 0;
++        rlen = len;
++    }
++    else {
++        rlen = len+1;
++        bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++        if (bufferfull == NULL)
++            return gs_error_VMerror;
+ 
++        buffer = bufferfull + prefix_len;
++        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++            return gs_error_invalidfileaccess;
++        buffer[rlen] = 0;
++    }
+     while (1) {
+         switch (mode[0])
+         {
+--- base/gslibctx.c.orig	2022-04-04 15:48:49.000000000 +0200
++++ base/gslibctx.c	2023-07-04 08:09:47.834639430 +0200
+@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+-
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++        memcpy(buffer, path, len);
++        buffer[len] = 0;
++        rlen = len;
++    }
++    else {
++        rlen = len + 1;
++
++        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++
++        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++            return gs_error_invalidfileaccess;
++        buffer[rlen] = 0;
++    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++)
+@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g
+             return gs_error_rangecheck;
+     }
+ 
+-    rlen = len+1;
+-    buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-    if (buffer == NULL)
+-        return gs_error_VMerror;
+-
+-    if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+-        return gs_error_invalidfileaccess;
+-    buffer[rlen] = 0;
++    /* "%pipe%" do not follow the normal rules for path definitions, so we
++       don't "reduce" them to avoid unexpected results
++     */
++    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++        buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++        memcpy(buffer, path, len);
++        buffer[len] = 0;
++        rlen = len;
++    }
++    else {
++        rlen = len+1;
++
++        buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++        if (buffer == NULL)
++            return gs_error_VMerror;
++
++        if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++            return gs_error_invalidfileaccess;
++        buffer[rlen] = 0;
++    }
+ 
+     n = control->num;
+     for (i = 0; i < n; i++) {

ghostscript.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Jul  4 06:16:33 UTC 2023 - Johannes Meixner <jsmeix@suse.com>
+
+- CVE-2023-36664.patch fixes CVE-2023-36664
+  see https://bugs.ghostscript.com/show_bug.cgi?id=706761
+  "OS command injection in %pipe% access"
+  and https://bugs.ghostscript.com/show_bug.cgi?id=706778
+  "%pipe% allowed_path bypass"
+  and bsc#1212711
+  "permission validation mishandling for pipe devices
+   (with the %pipe% prefix or the | pipe character prefix)"
+
 -------------------------------------------------------------------
 Wed Apr 26 19:08:09 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
 
@@ -15,35 +27,50 @@ Tue Apr 11 09:09:56 UTC 2023 - Johannes Meixner <jsmeix@suse.com>
 Mon Jul 18 07:28:54 UTC 2022 - Dirk Müller <dmueller@suse.com>
 
 - update to 9.56.1:
-  * New PDF Interpreter: This is an entirely new implementation written in C
-    (rather than PostScript, as before)
-  * Calling Ghostscript via the GS API is now thread safe. The one limitation
-    is that the X11 devices for Unix-like systems (x11, x11alpha, x11cmyk,
-    x11cmyk2, x11cmyk4, x11cmyk8, x11gray2, x11gray4 and x11mono) cannot be
-    made thread safe, due to their interaction with the X11 server, those
-    devices have been modified to only allow one instance in an executable.
-  * The PSD output device now writes ICC profiles to their output files, for
-    improved color fidelity.
+  Highlights in this release include
+  (excerpts from the Ghostscript upstream release summary
+   in https://ghostscript.com/docs/9.56.1/News.htm):
+  * New PDF Interpreter: This is an entirely new implementation
+    written in C (rather than PostScript, as before)
+  * Calling Ghostscript via the GS API is now thread safe. The one
+    limitation is that the X11 devices for Unix-like systems (x11,
+    x11alpha, x11cmyk, x11cmyk2, x11cmyk4, x11cmyk8, x11gray2,
+    x11gray4 and x11mono) cannot be made thread safe, due to their
+    interaction with the X11 server, those devices have been
+    modified to only allow one instance in an executable.
+  * The PSD output device now writes ICC profiles to their output
+    files, for improved color fidelity.
   * Our efforts in code hygiene and maintainability continue.
-  * The usual round of bug fixes, compatibility changes, and incremental
-    improvements.
+  * The usual round of bug fixes, compatibility changes, and
+    incremental improvements.
   * We have added the capability to build with the Tesseract OCR
-    engine. In such a build, new devices are available (pdfocr8/pdfocr24/
-    pdfocr32) which render the output file to an image, OCR that image, and
-    output the image "wrapped" up as a PDF file, with the OCR generated text
-    information included as "invisible" text (in PDF terms, text rendering mode
-    3).
-- drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream
+    engine. In such a build, new devices are available
+    (pdfocr8/pdfocr24/pdfocr32) which render the output file to an
+    image, OCR that image, and output the image "wrapped" up as a
+    PDF file, with the OCR generated text information included
+    as "invisible" text (in PDF terms, text rendering mode 3).
+    Mainly due to time constraints, we only support including
+    Tesseract from source included in our release packages,
+    and not linking to Tesseract/Leptonica shared libraries.
+    Whether we add this capability will be largely dependent
+    on community demand for the feature. See Enabling OCR
+    at https://www.ghostscript.com/ocr.html for more details.
+  For a release summary see:
+  https://www.ghostscript.com/doc/9.54.0/News.htm
+  For details see the News.htm and History9.htm files.
+- Configure --without-tesseract because this requires C++ (it
+  might be added if Tesseract support in Ghostscript is needed).
+- Drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream
 
 -------------------------------------------------------------------
 Mon Jul 18 06:38:01 UTC 2022 - Dirk Müller <dmueller@suse.com>
 
-- use _multibuild 
+- Use _multibuild 
 
 -------------------------------------------------------------------
 Wed Apr 13 11:12:39 UTC 2022 - Dirk Müller <dmueller@suse.com>
 
-- use system zlib (bsc#1198449) 
+- Use system zlib (bsc#1198449) 
 
 -------------------------------------------------------------------
 Thu Apr  7 08:14:51 UTC 2022 - Frederic Crozat <fcrozat@suse.com>

ghostscript.spec

@@ -53,6 +53,18 @@ Patch101:       ijs_exec_server_dont_use_sh.patch
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
 # and https://bugzilla.suse.com/show_bug.cgi?id=1210062
 Patch102:       CVE-2023-28879.patch
+# Patch103 CVE-2023-36664.patch is
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
+# and
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
+# that fixes CVE-2023-36664
+# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
+# "OS command injection in %pipe% access"
+# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
+# "%pipe% allowed_path bypass"
+# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
+# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
+Patch103:       CVE-2023-36664.patch
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
 BuildRequires:  liblcms2-devel
@@ -257,6 +269,18 @@ This package contains the development files for Ghostscript.
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
 # and https://bugzilla.suse.com/show_bug.cgi?id=1210062
 %patch102
+# Patch103 CVE-2023-36664.patch is
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
+# and
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
+# that fixes CVE-2023-36664
+# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
+# "OS command injection in %pipe% access"
+# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
+# "%pipe% allowed_path bypass"
+# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
+# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
+%patch103
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
@@ -325,15 +349,27 @@ autoreconf -fi
 #   (replacing JasPer - although JasPer is still included for this release)
 #   Performance, reliability and memory use whilst decoding JPX streams are all improved.
 #   see also http://bugs.ghostscript.com/show_bug.cgi?id=691430
-# --without-ufst and --without-luratech because those are relevant to commercial releases only
+# --without-ufst because this is relevant to commercial releases only
 #   which would require a commercial license.
 # --disable-compile-inits to disable compiling of resources (Fonts, init postscript files, ...)
 #   into the library, which is the upstream recommendation for distributions. This also allows
 #   unbundling the 35 Postscript Standard fonts, provided by the URW font package
 # --without-libpaper disables libpaper support because SUSE does not have libpaper.
+# --without-tesseract because this requires C++ (it might be added if Tesseract support in Ghostscript is needed).
 %define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW
 # See http://bugs.ghostscript.com/show_bug.cgi?id=693100
 export SUSE_ASNEEDED=0
+# The RPM configure macro results in the build log e.g. on Tumbleweed x86_64 (very long line shown wrapped here)
+#   ./configure --host=x86_64-suse-linux-gnu --build=x86_64-suse-linux-gnu --program-prefix= --disable-dependency-tracking
+#     --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
+#     --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
+#     --mandir=/usr/share/man --infodir=/usr/share/info
+#     --with-fontpath=/usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW
+#     --with-libiconv=maybe --enable-freetype --with-jbig2dec --enable-openjpeg --enable-dynamic --disable-compile-inits
+#     --without-local-zlib --with-ijs --enable-cups --with-drivers=ALL --with-x
+#     --disable-gtk --without-ufst --without-libpaper --without-tesseract
+#   configure: WARNING: unrecognized options: --disable-dependency-tracking
+# so the "unrecognized options: --disable-dependency-tracking" warning comes from the RPM configure macro.
 %configure \
     --with-fontpath=%{gs_font_path} \
     --with-libiconv=maybe \
@@ -358,8 +394,8 @@ export SUSE_ASNEEDED=0
 %endif
     --disable-gtk \
     --without-ufst \
-    --without-luratech \
-    --without-libpaper
+    --without-libpaper \
+    --without-tesseract
 
 # Make libgs.so and two programs which use it, gsx and gsc:
 # With --disable-gtk, gsx and gsc are identical. It provides a command line