diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes index 10299ee..fcc6206 100644 --- a/ghostscript-mini.changes +++ b/ghostscript-mini.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink + +- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882 + for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 +- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884 + for CVE-2019-14817 + +------------------------------------------------------------------- +Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink + +- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359 + for CVE-2019-12973 + ------------------------------------------------------------------- Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt @@ -8,7 +22,7 @@ Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink - Use update-alternatives to get the real ghostscript binary from /usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to - use this with ist wrapper script + use this with its wrapper script ------------------------------------------------------------------- Thu Apr 4 14:37:09 CEST 2019 - jsmeix@suse.de diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec index c71aa6a..2d9d18d 100644 --- a/ghostscript-mini.spec +++ b/ghostscript-mini.spec @@ -78,6 +78,12 @@ Release: 0 Source0: ghostscript-%{version}.tar.gz Source1: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: ++# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 +Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch +# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 +Patch1: gs-CVE-2019-14811-885444fc.patch +# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 +Patch2: gs-CVE-2019-14817-cd1b1cac.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Source100...Source999 is for sources from SUSE which are not intended for upstream: @@ -144,6 +150,13 @@ This package contains the development files for Minimal Ghostscript. # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} +# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 +# openjpeg4gs-CVE-2018-6616-8ee33522.patch +%patch0 +# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 +%patch1 -p1 +# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 +%patch2 -p1 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. # Again use the zlib sources from Ghostscript upstream diff --git a/ghostscript.changes b/ghostscript.changes index c06e8f1..a9b1c50 100644 --- a/ghostscript.changes +++ b/ghostscript.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink + +- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882 + for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 +- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884 + for CVE-2019-14817 + +------------------------------------------------------------------- +Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink + +- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359 + for CVE-2019-12973 + ------------------------------------------------------------------- Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt @@ -8,7 +22,7 @@ Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink - Use update-alternatives to get the real ghostscript binary from /usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to - use this with ist wrapper script + use this with its wrapper script ------------------------------------------------------------------- Wed May 8 08:46:43 UTC 2019 - jsegitz@suse.com diff --git a/ghostscript.spec b/ghostscript.spec index 7839038..5401438 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -46,6 +46,8 @@ BuildRequires: update-alternatives BuildRequires: xorg-x11-devel BuildRequires: xorg-x11-fonts BuildRequires: zlib-devel +# Always check if latest version of penjpeg becomes compatible with ghostscript +#BuildRequires: pkgconfig(libopenjp2) %if 0%{?suse_version} >= 1500 BuildRequires: apparmor-abstractions BuildRequires: apparmor-rpm-macros @@ -98,6 +100,12 @@ Release: 0 Source0: ghostscript-%{version}.tar.gz Source1: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: +# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 +Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch +# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 +Patch1: gs-CVE-2019-14811-885444fc.patch +# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 +Patch2: gs-CVE-2019-14817-cd1b1cac.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Source100...Source999 is for sources from SUSE which are not intended for upstream: @@ -277,6 +285,13 @@ This package contains the development files for Ghostscript. # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} +# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 +# openjpeg4gs-CVE-2018-6616-8ee33522.patch +%patch0 +# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 +%patch1 -p1 +# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 +%patch2 -p1 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. # Again use the zlib sources from Ghostscript upstream diff --git a/gs-CVE-2019-14811-885444fc.patch b/gs-CVE-2019-14811-885444fc.patch new file mode 100644 index 0000000..31cb84e --- /dev/null +++ b/gs-CVE-2019-14811-885444fc.patch @@ -0,0 +1,59 @@ +Based on 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Tue, 20 Aug 2019 10:10:28 +0100 +Subject: [PATCH] make .forceput inaccessible + +Bug #701343, #701344, #701345 + +More defensive programming. We don't want people to access .forecput +even though it is no longer sufficient to bypass SAFER. The exploit +in #701343 didn't work anyway because of earlier work to stop the error +handler being used, but nevertheless, prevent access to .forceput from +.setuserparams2. + +--- + Resource/Init/gs_lev2.ps | 6 +++--- + Resource/Init/gs_pdfwr.ps | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -158,7 +158,7 @@ end + { + pop pop + } ifelse +- } forall ++ } executeonly forall + % A context switch might have occurred during the above loop, + % causing the interpreter-level parameters to be reset. + % Set them again to the new values. From here on, we are safe, +@@ -229,9 +229,9 @@ end + { pop pop + } + ifelse +- } ++ } executeonly + forall pop +-} .bind odef ++} .bind executeonly odef + + % Initialize the passwords. + % NOTE: the names StartJobPassword and SystemParamsPassword are known to +diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps +--- a/Resource/Init/gs_pdfwr.ps ++++ b/Resource/Init/gs_pdfwr.ps +@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef + systemdict /.pdf_hooked_DSC_Creator //true .forceput + } executeonly if + pop +- } if ++ } executeonly if + } { + pop + } ifelse +- } ++ } executeonly + { + pop + } ifelse diff --git a/gs-CVE-2019-14817-cd1b1cac.patch b/gs-CVE-2019-14817-cd1b1cac.patch new file mode 100644 index 0000000..51b9438 --- /dev/null +++ b/gs-CVE-2019-14817-cd1b1cac.patch @@ -0,0 +1,200 @@ +Based on cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Wed, 21 Aug 2019 10:10:51 +0100 +Subject: [PATCH] PDF interpreter - review .forceput security + +Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken" + +By abusing the error handler it was possible to get the PDFDEBUG portion +of .pdfexectoken, which uses .forceput left readable. + +Add an executeonly appropriately to make sure that clause isn't readable +no mstter what. + +Review all the uses of .forceput searching for similar cases, add +executeonly as required to secure those. All cases in the PostScript +support files seem to be covered already. + +--- + Resource/Init/pdf_base.ps | 2 +- + Resource/Init/pdf_draw.ps | 14 +++++++------- + Resource/Init/pdf_font.ps | 21 +++++++++++---------- + Resource/Init/pdf_main.ps | 6 +++--- + Resource/Init/pdf_ops.ps | 11 ++++++----- + 5 files changed, 28 insertions(+), 26 deletions(-) + +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef + { + dup ==only () = flush + } ifelse % PDFSTEP +- } if % PDFDEBUG ++ } executeonly if % PDFDEBUG + 2 copy .knownget { + exch pop exch pop exch pop exec + } { +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -501,8 +501,8 @@ end + ( Output may be incorrect.\n) pdfformaterror + //pdfdict /.gs_warning_issued //true .forceput + PDFSTOPONERROR { /gs /undefined signalerror } if +- } if +- } ++ } executeonly if ++ } executeonly + ifelse + } bind executeonly def + +@@ -1142,7 +1142,7 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput +@@ -1150,8 +1150,8 @@ currentdict end readonly def + pdfformaterror + } executeonly ifelse + end +- } ifelse +- } loop ++ } executeonly ifelse ++ } executeonly loop + { + (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) + //pdfdict /.Qqwarning_issued .knownget +@@ -1165,14 +1165,14 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + pop + + % restore pdfemptycount +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -701,9 +701,9 @@ currentdict end readonly def + } if + PDFDEBUG { + (.processToUnicode end) = +- } if +- } if +- } stopped ++ } executeonly if ++ } executeonly if ++ } executeonly stopped + { + .dstackdepth 1 countdictstack 1 sub + {pop end} for +@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef + //pdfdict /.Qqwarning_issued //true .forceput + } executeonly if + Q +- } repeat ++ } executeonly repeat + Q +- } PDFfile fileposition 2 .execn % Keep pdfcount valid. ++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid. + PDFfile exch setfileposition +- } ifelse +- } { ++ } executeonly ifelse ++ } executeonly ++ { + % PDF Type 3 fonts don't use .notdef + % d1 implementation adjusts the width as needed + 0 0 0 0 0 0 + pdfopdict /d1 get exec + } ifelse + end end +- } bdef ++ } executeonly bdef + dup currentdict Encoding .processToUnicode + currentdict end .completefont exch pop + } bind executeonly odef +@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef + (Will continue, but content may be missing.) = flush + } ifelse + } if +- } if ++ } executeonly if + /findresource cvx /undefined signalerror +- } loop ++ } executeonly loop + } bind executeonly odef + + /buildCIDType0 { % buildCIDType0 +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if +- } if ++ } executeonly if ++ } executeonly if + pop + count PDFexecstackcount sub { pop } repeat + (after exec) VMDEBUG +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + } bind executeonly odef + + % Save PDF gstate +@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef + dup type /booleantype eq { + .currentSMask type /dicttype eq { + .currentSMask /Processed 2 index .forceput ++ } executeonly ++ { ++ .setSMask ++ }ifelse + } executeonly + { +- .setSMask +- }ifelse +- }{ + .setSMask + }ifelse + diff --git a/openjpeg4gs-CVE-2018-6616-8ee33522.patch b/openjpeg4gs-CVE-2018-6616-8ee33522.patch new file mode 100644 index 0000000..3ff7872 --- /dev/null +++ b/openjpeg4gs-CVE-2018-6616-8ee33522.patch @@ -0,0 +1,67 @@ +From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001 +From: Hugo Lefeuvre +Date: Fri, 14 Dec 2018 04:58:40 +0100 +Subject: [PATCH] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +Fixes #1059 (CVE-2018-6616). +--- + openjpeg/src/bin/jp2/convertbmp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- openjpeg/src/bin/jp2/convertbmp.c ++++ openjpeg/src/bin/jp2/convertbmp.c 2019-09-12 08:22:52.272682353 +0000 +@@ -519,14 +519,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE* + static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; + +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -546,6 +546,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = c1; ++ written++; + } + } else { + c = getc(IN); +@@ -583,6 +584,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* + } + c1 = (OPJ_UINT8)c1_int; + *pix = c1; ++ written++; + } + if ((OPJ_UINT32)c & 1U) { /* skip padding byte */ + c = getc(IN); +@@ -593,6 +595,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* + } + } + }/* while() */ ++ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } ++ + return OPJ_TRUE; + } +