rpm/ghostscript
SHA256
1
0
Fork 0
forked from pool/ghostscript
Code Pull Requests Activity

Add two patch to fix security bugs

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=118
This commit is contained in:
Dr. Werner Fink 2019-09-16 12:16:35 +00:00 committed by Git OBS Bridge
parent a94b87d806
commit ac4ca4e97e
7 changed files with 384 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ghostscript-mini.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
for CVE-2019-14817
-------------------------------------------------------------------
Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
for CVE-2019-12973
-------------------------------------------------------------------
Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
@ -8,7 +22,7 @@ Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Use update-alternatives to get the real ghostscript binary from
/usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to
use this with ist wrapper script
use this with its wrapper script
-------------------------------------------------------------------
Thu Apr 4 14:37:09 CEST 2019 - jsmeix@suse.de

13
ghostscript-mini.spec
View File

@ -78,6 +78,12 @@ Release: 0
Source0: ghostscript-%{version}.tar.gz
Source1: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
+# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
Patch1: gs-CVE-2019-14811-885444fc.patch
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
Patch2: gs-CVE-2019-14817-cd1b1cac.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
@ -144,6 +150,13 @@ This package contains the development files for Minimal Ghostscript.
# Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
# openjpeg4gs-CVE-2018-6616-8ee33522.patch
%patch0
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
%patch1 -p1
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
%patch2 -p1
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream

16
ghostscript.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Mon Sep 16 11:58:41 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Add patch gs-CVE-2019-14811-885444fc.patch to fix bsc#1146882
for CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
- Add patch gs-CVE-2019-14817-cd1b1cac.patch to fix bsc#1146884
for CVE-2019-14817
-------------------------------------------------------------------
Fri Sep 13 14:15:10 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Add patch openjpeg4gs-CVE-2018-6616-8ee33522.patch to fix bsc#1140359
for CVE-2019-12973
-------------------------------------------------------------------
Thu Aug 22 06:20:43 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
@ -8,7 +22,7 @@ Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink <werner@suse.de>
- Use update-alternatives to get the real ghostscript binary from
/usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to
use this with ist wrapper script
use this with its wrapper script
-------------------------------------------------------------------
Wed May 8 08:46:43 UTC 2019 - jsegitz@suse.com

15
ghostscript.spec
View File

@ -46,6 +46,8 @@ BuildRequires: update-alternatives
BuildRequires: xorg-x11-devel
BuildRequires: xorg-x11-fonts
BuildRequires: zlib-devel
# Always check if latest version of penjpeg becomes compatible with ghostscript
#BuildRequires: pkgconfig(libopenjp2)
%if 0%{?suse_version} >= 1500
BuildRequires: apparmor-abstractions
BuildRequires: apparmor-rpm-macros
@ -98,6 +100,12 @@ Release: 0
Source0: ghostscript-%{version}.tar.gz
Source1: apparmor_ghostscript
# Patch0...Patch9 is for patches from upstream:
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
Patch1: gs-CVE-2019-14811-885444fc.patch
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
Patch2: gs-CVE-2019-14817-cd1b1cac.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Source100...Source999 is for sources from SUSE which are not intended for upstream:
@ -277,6 +285,13 @@ This package contains the development files for Ghostscript.
# Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version}
# Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
# openjpeg4gs-CVE-2018-6616-8ee33522.patch
%patch0
# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
%patch1 -p1
# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
%patch2 -p1
# Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
# in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
# Again use the zlib sources from Ghostscript upstream

59
gs-CVE-2019-14811-885444fc.patch Normal file
View File

@ -0,0 +1,59 @@
Based on 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Tue, 20 Aug 2019 10:10:28 +0100
Subject: [PATCH] make .forceput inaccessible
Bug #701343, #701344, #701345
More defensive programming. We don't want people to access .forecput
even though it is no longer sufficient to bypass SAFER. The exploit
in #701343 didn't work anyway because of earlier work to stop the error
handler being used, but nevertheless, prevent access to .forceput from
.setuserparams2.
---
Resource/Init/gs_lev2.ps | 6 +++---
Resource/Init/gs_pdfwr.ps | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
{
pop pop
} ifelse
- } forall
+ } executeonly forall
% A context switch might have occurred during the above loop,
% causing the interpreter-level parameters to be reset.
% Set them again to the new values. From here on, we are safe,
@@ -229,9 +229,9 @@ end
{ pop pop
}
ifelse
- }
+ } executeonly
forall pop
-} .bind odef
+} .bind executeonly odef
% Initialize the passwords.
% NOTE: the names StartJobPassword and SystemParamsPassword are known to
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
systemdict /.pdf_hooked_DSC_Creator //true .forceput
} executeonly if
pop
- } if
+ } executeonly if
} {
pop
} ifelse
- }
+ } executeonly
{
pop
} ifelse

200
gs-CVE-2019-14817-cd1b1cac.patch Normal file
View File

@ -0,0 +1,200 @@
Based on cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 21 Aug 2019 10:10:51 +0100
Subject: [PATCH] PDF interpreter - review .forceput security
Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
By abusing the error handler it was possible to get the PDFDEBUG portion
of .pdfexectoken, which uses .forceput left readable.
Add an executeonly appropriately to make sure that clause isn't readable
no mstter what.
Review all the uses of .forceput searching for similar cases, add
executeonly as required to secure those. All cases in the PostScript
support files seem to be covered already.
---
Resource/Init/pdf_base.ps | 2 +-
Resource/Init/pdf_draw.ps | 14 +++++++-------
Resource/Init/pdf_font.ps | 21 +++++++++++----------
Resource/Init/pdf_main.ps | 6 +++---
Resource/Init/pdf_ops.ps | 11 ++++++-----
5 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
--- a/Resource/Init/pdf_base.ps
+++ b/Resource/Init/pdf_base.ps
@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
{
dup ==only () = flush
} ifelse % PDFSTEP
- } if % PDFDEBUG
+ } executeonly if % PDFDEBUG
2 copy .knownget {
exch pop exch pop exch pop exec
} {
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
@@ -501,8 +501,8 @@ end
( Output may be incorrect.\n) pdfformaterror
//pdfdict /.gs_warning_issued //true .forceput
PDFSTOPONERROR { /gs /undefined signalerror } if
- } if
- }
+ } executeonly if
+ } executeonly
ifelse
} bind executeonly def
@@ -1142,7 +1142,7 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
@@ -1150,8 +1150,8 @@ currentdict end readonly def
pdfformaterror
} executeonly ifelse
end
- } ifelse
- } loop
+ } executeonly ifelse
+ } executeonly loop
{
(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
//pdfdict /.Qqwarning_issued .knownget
@@ -1165,14 +1165,14 @@ currentdict end readonly def
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
pop
% restore pdfemptycount
diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
--- a/Resource/Init/pdf_font.ps
+++ b/Resource/Init/pdf_font.ps
@@ -701,9 +701,9 @@ currentdict end readonly def
} if
PDFDEBUG {
(.processToUnicode end) =
- } if
- } if
- } stopped
+ } executeonly if
+ } executeonly if
+ } executeonly stopped
{
.dstackdepth 1 countdictstack 1 sub
{pop end} for
@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef
//pdfdict /.Qqwarning_issued //true .forceput
} executeonly if
Q
- } repeat
+ } executeonly repeat
Q
- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
PDFfile exch setfileposition
- } ifelse
- } {
+ } executeonly ifelse
+ } executeonly
+ {
% PDF Type 3 fonts don't use .notdef
% d1 implementation adjusts the width as needed
0 0 0 0 0 0
pdfopdict /d1 get exec
} ifelse
end end
- } bdef
+ } executeonly bdef
dup currentdict Encoding .processToUnicode
currentdict end .completefont exch pop
} bind executeonly odef
@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef
(Will continue, but content may be missing.) = flush
} ifelse
} if
- } if
+ } executeonly if
/findresource cvx /undefined signalerror
- } loop
+ } executeonly loop
} bind executeonly odef
/buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
--- a/Resource/Init/pdf_main.ps
+++ b/Resource/Init/pdf_main.ps
@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
- } if
+ } executeonly if
+ } executeonly if
pop
count PDFexecstackcount sub { pop } repeat
(after exec) VMDEBUG
diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
--- a/Resource/Init/pdf_ops.ps
+++ b/Resource/Init/pdf_ops.ps
@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef
.setglobal
pdfformaterror
} executeonly ifelse
- }
+ } executeonly
{
currentglobal //pdfdict gcheck .setglobal
//pdfdict /.Qqwarning_issued //true .forceput
.setglobal
pdfformaterror
} executeonly ifelse
- } if
+ } executeonly if
} bind executeonly odef
% Save PDF gstate
@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef
dup type /booleantype eq {
.currentSMask type /dicttype eq {
.currentSMask /Processed 2 index .forceput
+ } executeonly
+ {
+ .setSMask
+ }ifelse
} executeonly
{
- .setSMask
- }ifelse
- }{
.setSMask
}ifelse

67
openjpeg4gs-CVE-2018-6616-8ee33522.patch Normal file
View File

@ -0,0 +1,67 @@
From 8ee335227bbcaf1614124046aa25e53d67b11ec3 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 14 Dec 2018 04:58:40 +0100
Subject: [PATCH] convertbmp: detect invalid file dimensions early
width/length dimensions read from bmp headers are not necessarily
valid. For instance they may have been maliciously set to very large
values with the intention to cause DoS (large memory allocation, stack
overflow). In these cases we want to detect the invalid size as early
as possible.
This commit introduces a counter which verifies that the number of
written bytes corresponds to the advertized width/length.
Fixes #1059 (CVE-2018-6616).
---
openjpeg/src/bin/jp2/convertbmp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- openjpeg/src/bin/jp2/convertbmp.c
+++ openjpeg/src/bin/jp2/convertbmp.c 2019-09-12 08:22:52.272682353 +0000
@@ -519,14 +519,14 @@ static OPJ_BOOL bmp_read_raw_data(FILE*
static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData,
OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height)
{
- OPJ_UINT32 x, y;
+ OPJ_UINT32 x, y, written;
OPJ_UINT8 *pix;
const OPJ_UINT8 *beyond;
beyond = pData + stride * height;
pix = pData;
- x = y = 0U;
+ x = y = written = 0U;
while (y < height) {
int c = getc(IN);
if (c == EOF) {
@@ -546,6 +546,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
for (j = 0; (j < c) && (x < width) &&
((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) {
*pix = c1;
+ written++;
}
} else {
c = getc(IN);
@@ -583,6 +584,7 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
}
c1 = (OPJ_UINT8)c1_int;
*pix = c1;
+ written++;
}
if ((OPJ_UINT32)c & 1U) { /* skip padding byte */
c = getc(IN);
@@ -593,6 +595,12 @@ static OPJ_BOOL bmp_read_rle8_data(FILE*
}
}
}/* while() */
+
+ if (written != width * height) {
+ fprintf(stderr, "warning, image's actual size does not match advertized one\n");
+ return OPJ_FALSE;
+ }
+
return OPJ_TRUE;
}