From 5e8edce3ca8052c5b69cb446181ffa3336129ae08eb289b287d2a87e8e591a44 Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Fri, 10 Sep 2021 11:35:00 +0000 Subject: [PATCH] Accepting request 917941 from home:jsmeix:branches:Printing Ghostscript security fix CVE-2021-3781 (bsc#1190381) OBS-URL: https://build.opensuse.org/request/show/917941 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=147 --- CVE-2021-3781.patch | 232 +++++++++++++++++++++++++++++++++++++++ ghostscript-mini.changes | 8 ++ ghostscript-mini.spec | 12 ++ ghostscript.changes | 8 ++ ghostscript.spec | 12 ++ 5 files changed, 272 insertions(+) create mode 100644 CVE-2021-3781.patch diff --git a/CVE-2021-3781.patch b/CVE-2021-3781.patch new file mode 100644 index 0000000..faa9976 --- /dev/null +++ b/CVE-2021-3781.patch @@ -0,0 +1,232 @@ +From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Tue, 7 Sep 2021 20:36:12 +0100 +Subject: [PATCH] Bug 704342: Include device specifier strings in access + validation + +for the "%pipe%", %handle%" and %printer% io devices. + +We previously validated only the part after the "%pipe%" Postscript device +specifier, but this proved insufficient. + +This rebuilds the original file name string, and validates it complete. The +slight complication for "%pipe%" is it can be reached implicitly using +"|" so we have to check both prefixes. + +Addresses CVE-2021-3781 +--- + base/gdevpipe.c | 22 +++++++++++++++- + base/gp_mshdl.c | 11 +++++++- + base/gp_msprn.c | 10 ++++++- + base/gp_os2pr.c | 13 +++++++++- + base/gslibctx.c | 69 ++++++++++--------------------------------------- + 5 files changed, 65 insertions(+), 60 deletions(-) + +diff --git a/base/gdevpipe.c b/base/gdevpipe.c +index 96d71f5d8..5bdc485be 100644 +--- a/base/gdevpipe.c ++++ b/base/gdevpipe.c +@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, + #else + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ /* The pipe device can be reached in two ways, explicltly with %pipe% ++ or implicitly with "|", so we have to check for both ++ */ ++ char f[gp_file_name_sizeof]; ++ const char *pipestr = "|"; ++ const size_t pipestrlen = strlen(pipestr); ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); ++ int code1; ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ code1 = gp_validate_path(mem, f, access); ++ ++ memcpy(f, pipestr, pipestrlen); ++ memcpy(f + pipestrlen, fname, nlen + 1); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) + return gs_error_invalidfileaccess; + + /* +diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c +index 2b964ed74..8d87ceadc 100644 +--- a/base/gp_mshdl.c ++++ b/base/gp_mshdl.c +@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, + long hfile; /* Correct for Win32, may be wrong for Win64 */ + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ char f[gp_file_name_sizeof]; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, f, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_handle method. */ +diff --git a/base/gp_msprn.c b/base/gp_msprn.c +index ed4827968..746a974f7 100644 +--- a/base/gp_msprn.c ++++ b/base/gp_msprn.c +@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(pname, iodev->dname, preflen); ++ memcpy(pname + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, pname, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ +diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c +index f852c71fc..ba54cde66 100644 +--- a/base/gp_os2pr.c ++++ b/base/gp_os2pr.c +@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + FILE ** pfile, char *rfname, uint rnamelen) + { + os2_printer_t *pr = (os2_printer_t *)iodev->state; +- char driver_name[256]; ++ char driver_name[gp_file_name_sizeof]; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const int size_t = strlen(fname); ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(driver_name, iodev->dname, preflen); ++ memcpy(driver_name + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, driver_name, access) != 0) ++ return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ + /* Note that the loop condition here ensures we don't +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 6dfed6cd5..318039fad 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) + int + gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ + rewrite_percent_specifiers(f); +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_add_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_add_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_add_control_path(mem, gs_permit_file_control, fp); ++ ++ code = gs_add_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_add_control_path(mem, gs_permit_file_writing, fp); ++ return gs_add_control_path(mem, gs_permit_file_writing, f); + } + + int + gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_remove_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_remove_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_remove_control_path(mem, gs_permit_file_control, fp); ++ rewrite_percent_specifiers(f); ++ ++ code = gs_remove_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_remove_control_path(mem, gs_permit_file_writing, fp); ++ return gs_remove_control_path(mem, gs_permit_file_writing, f); + } + + int +-- +2.17.1 + diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes index a137bd8..cf566a6 100644 --- a/ghostscript-mini.changes +++ b/ghostscript-mini.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Sep 10 09:37:46 CEST 2021 - jsmeix@suse.de + +- CVE-2021-3781.patch fixes CVE-2021-3781 + Trivial -dSAFER bypass + cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 + (bsc#1190381) + ------------------------------------------------------------------- Fri May 21 13:40:56 CEST 2021 - jsmeix@suse.de diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec index e1acebe..dc3f181 100644 --- a/ghostscript-mini.spec +++ b/ghostscript-mini.spec @@ -83,6 +83,12 @@ Patch100: remove-zlib-h-dependency.patch # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): Patch101: ijs_exec_server_dont_use_sh.patch +# Patch102 CVE-2021-3781.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde +# that fixes CVE-2021-3781 Trivial -dSAFER bypass +# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 +# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 +Patch102: CVE-2021-3781.patch # RPM dependencies: # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any" # so other packages can build with any available Ghostscript implementation, @@ -160,6 +166,12 @@ This package contains the development files for Minimal Ghostscript. # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): %patch101 -p1 +# Patch102 CVE-2021-3781.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde +# that fixes CVE-2021-3781 Trivial -dSAFER bypass +# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 +# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 +%patch102 -p1 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig diff --git a/ghostscript.changes b/ghostscript.changes index 428e285..3314d21 100644 --- a/ghostscript.changes +++ b/ghostscript.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Sep 10 09:37:46 CEST 2021 - jsmeix@suse.de + +- CVE-2021-3781.patch fixes CVE-2021-3781 + Trivial -dSAFER bypass + cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 + (bsc#1190381) + ------------------------------------------------------------------- Fri May 21 13:40:56 CEST 2021 - jsmeix@suse.de diff --git a/ghostscript.spec b/ghostscript.spec index 9e1baa2..e55746a 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -112,6 +112,12 @@ Patch100: remove-zlib-h-dependency.patch # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): Patch101: ijs_exec_server_dont_use_sh.patch +# Patch102 CVE-2021-3781.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde +# that fixes CVE-2021-3781 Trivial -dSAFER bypass +# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 +# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 +Patch102: CVE-2021-3781.patch # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": @@ -301,6 +307,12 @@ This package contains the development files for Ghostscript. # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): %patch101 -p1 +# Patch102 CVE-2021-3781.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde +# that fixes CVE-2021-3781 Trivial -dSAFER bypass +# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 +# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 +%patch102 -p1 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig