From ec0f9996cec20405465e1ec7ce63b95fa8f915b2bf16c6f835a817fa2b5c4c40 Mon Sep 17 00:00:00 2001
From: Johannes Meixner
Date: Tue, 4 Jul 2023 07:40:24 +0000
Subject: [PATCH] Accepting request 1096684 from home:jsmeix:branches:Printing
Security fix CVE-2023-36664 bsc#1212711 for ghostscript and ghostscript-mini
OBS-URL: https://build.opensuse.org/request/show/1096684
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=161
---
CVE-2023-36664.patch | 116 +++++++++++++++++++++++++++++++++++++++++++
ghostscript.changes | 65 +++++++++++++++++-------
ghostscript.spec | 42 ++++++++++++++--
3 files changed, 201 insertions(+), 22 deletions(-)
create mode 100644 CVE-2023-36664.patch
diff --git a/CVE-2023-36664.patch b/CVE-2023-36664.patch
new file mode 100644
index 0000000..ae3cb7f
--- /dev/null
+++ b/CVE-2023-36664.patch
@@ -0,0 +1,116 @@
+--- base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200
++++ base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *
+ && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+ prefix_len = 0;
+ }
+- rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+- if (bufferfull == NULL)
+- return gs_error_VMerror;
+
+- buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++ if (bufferfull == NULL)
++ return gs_error_VMerror;
+
++ buffer = bufferfull + prefix_len;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+ while (1) {
+ switch (mode[0])
+ {
+--- base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200
++++ base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200
+@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
+-
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len + 1;
++
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++)
+@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
+-
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
++
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++) {
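Review bot: The pipe-path predicate `path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)` is copied verbatim into gp_validate_path_len and into both gs_add_control_path_len_flags and gs_remove_control_path_len_flags, so a permit-list entry and the later validation of the same string only agree as long as all three copies stay in sync, and a path stored in reduced form but checked in raw form (or vice versa) is presumably the kind of mismatch behind the "%pipe% allowed_path bypass" bug the changelog cites. I would put the test in one shared helper, e.g. `int gp_file_name_is_pipe(const char *path, size_t len) { return path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0); }` (using whatever type len actually has there), and call it from the three sites. In the gpmisc.c branch `bufferfull = buffer` silently discards `prefix_len`; that is only safe if the prefixed retry later in gp_validate_path_len (outside this hunk) keys off `buffer > bufferfull` rather than `prefix_len`, which is not visible here and deserves a comment such as `/* pipes get no cwd prefix: bufferfull == buffer, so the prefixed retry below must not fire */`. The `return gs_error_invalidfileaccess` after a failed gp_file_name_reduce still leaks the just-allocated buffer in all three else branches; the removed code had the same leak, so this would be a separate cleanup. All three enclosing functions begin and end outside the hunk.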
diff --git a/ghostscript.changes b/ghostscript.changes
index fb0400b..f017971 100644
--- a/ghostscript.changes
+++ b/ghostscript.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Jul 4 06:16:33 UTC 2023 - Johannes Meixner
+
+- CVE-2023-36664.patch fixes CVE-2023-36664
+ see https://bugs.ghostscript.com/show_bug.cgi?id=706761
+ "OS command injection in %pipe% access"
+ and https://bugs.ghostscript.com/show_bug.cgi?id=706778
+ "%pipe% allowed_path bypass"
+ and bsc#1212711
+ "permission validation mishandling for pipe devices
+ (with the %pipe% prefix or the | pipe character prefix)"
+
 -------------------------------------------------------------------
 Wed Apr 26 19:08:09 UTC 2023 - Jan Engelhardt
@@ -15,35 +27,50 @@ Tue Apr 11 09:09:56 UTC 2023 - Johannes Meixner
 Mon Jul 18 07:28:54 UTC 2022 - Dirk Müller
 - update to 9.56.1:
- * New PDF Interpreter: This is an entirely new implementation written in C
- (rather than PostScript, as before)
- * Calling Ghostscript via the GS API is now thread safe. The one limitation
- is that the X11 devices for Unix-like systems (x11, x11alpha, x11cmyk,
- x11cmyk2, x11cmyk4, x11cmyk8, x11gray2, x11gray4 and x11mono) cannot be
- made thread safe, due to their interaction with the X11 server, those
- devices have been modified to only allow one instance in an executable.
- * The PSD output device now writes ICC profiles to their output files, for
- improved color fidelity.
+ Highlights in this release include
+ (excerpts from the Ghostscript upstream release summary
+ in https://ghostscript.com/docs/9.56.1/News.htm):
+ * New PDF Interpreter: This is an entirely new implementation
+ written in C (rather than PostScript, as before)
+ * Calling Ghostscript via the GS API is now thread safe. The one
+ limitation is that the X11 devices for Unix-like systems (x11,
+ x11alpha, x11cmyk, x11cmyk2, x11cmyk4, x11cmyk8, x11gray2,
+ x11gray4 and x11mono) cannot be made thread safe, due to their
+ interaction with the X11 server, those devices have been
+ modified to only allow one instance in an executable.
+ * The PSD output device now writes ICC profiles to their output
+ files, for improved color fidelity.
 * Our efforts in code hygiene and maintainability continue.
- * The usual round of bug fixes, compatibility changes, and incremental
- improvements.
+ * The usual round of bug fixes, compatibility changes, and
+ incremental improvements.
 * We have added the capability to build with the Tesseract OCR
- engine. In such a build, new devices are available (pdfocr8/pdfocr24/
- pdfocr32) which render the output file to an image, OCR that image, and
- output the image "wrapped" up as a PDF file, with the OCR generated text
- information included as "invisible" text (in PDF terms, text rendering mode
- 3).
-- drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream
+ engine. In such a build, new devices are available
+ (pdfocr8/pdfocr24/pdfocr32) which render the output file to an
+ image, OCR that image, and output the image "wrapped" up as a
+ PDF file, with the OCR generated text information included
+ as "invisible" text (in PDF terms, text rendering mode 3).
+ Mainly due to time constraints, we only support including
+ Tesseract from source included in our release packages,
+ and not linking to Tesseract/Leptonica shared libraries.
+ Whether we add this capability will be largely dependent
+ on community demand for the feature. See Enabling OCR
+ at https://www.ghostscript.com/ocr.html for more details.
+ For a release summary see:
+ https://www.ghostscript.com/doc/9.54.0/News.htm
+ For details see the News.htm and History9.htm files.
+- Configure --without-tesseract because this requires C++ (it
+ might be added if Tesseract support in Ghostscript is needed).
+- Drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream
 -------------------------------------------------------------------
 Mon Jul 18 06:38:01 UTC 2022 - Dirk Müller
-- use _multibuild
+- Use _multibuild
 -------------------------------------------------------------------
 Wed Apr 13 11:12:39 UTC 2022 - Dirk Müller
-- use system zlib (bsc#1198449)
+- Use system zlib (bsc#1198449)
 -------------------------------------------------------------------
 Thu Apr 7 08:14:51 UTC 2022 - Frederic Crozat
diff --git a/ghostscript.spec b/ghostscript.spec
index 43ce18d..c4bb788 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -53,6 +53,18 @@ Patch101: ijs_exec_server_dont_use_sh.patch
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
 # and https://bugzilla.suse.com/show_bug.cgi?id=1210062
 Patch102: CVE-2023-28879.patch
+# Patch103 CVE-2023-36664.patch is
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
+# and
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
+# that fixes CVE-2023-36664
+# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
+# "OS command injection in %pipe% access"
+# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
+# "%pipe% allowed_path bypass"
+# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
+# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
+Patch103: CVE-2023-36664.patch
 BuildRequires: freetype2-devel
 BuildRequires: libjpeg-devel
 BuildRequires: liblcms2-devel
@@ -257,6 +269,18 @@ This package contains the development files for Ghostscript.
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
 # and https://bugzilla.suse.com/show_bug.cgi?id=1210062
 %patch102
+# Patch103 CVE-2023-36664.patch is
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c
+# and
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
+# that fixes CVE-2023-36664
+# see https://bugs.ghostscript.com/show_bug.cgi?id=706761
+# "OS command injection in %pipe% access"
+# and https://bugs.ghostscript.com/show_bug.cgi?id=706778
+# "%pipe% allowed_path bypass"
+# and https://bugzilla.suse.com/show_bug.cgi?id=1212711
+# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
+%patch103
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
@@ -325,15 +349,27 @@ autoreconf -fi
 # (replacing JasPer - although JasPer is still included for this release)
 # Performance, reliability and memory use whilst decoding JPX streams are all improved.
 # see also http://bugs.ghostscript.com/show_bug.cgi?id=691430
-# --without-ufst and --without-luratech because those are relevant to commercial releases only
+# --without-ufst because this is relevant to commercial releases only
 # which would require a commercial license.
 # --disable-compile-inits to disable compiling of resources (Fonts, init postscript files, ...)
 # into the library, which is the upstream recommendation for distributions. This also allows
 # unbundling the 35 Postscript Standard fonts, provided by the URW font package
 # --without-libpaper disables libpaper support because SUSE does not have libpaper.
+# --without-tesseract because this requires C++ (it might be added if Tesseract support in Ghostscript is needed).
 %define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW
 # See http://bugs.ghostscript.com/show_bug.cgi?id=693100
 export SUSE_ASNEEDED=0
+# The RPM configure macro results in the build log e.g. on Tumbleweed x86_64 (very long line shown wrapped here)
+# ./configure --host=x86_64-suse-linux-gnu --build=x86_64-suse-linux-gnu --program-prefix= --disable-dependency-tracking
+# --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
+# --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
+# --mandir=/usr/share/man --infodir=/usr/share/info
+# --with-fontpath=/usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW
+# --with-libiconv=maybe --enable-freetype --with-jbig2dec --enable-openjpeg --enable-dynamic --disable-compile-inits
+# --without-local-zlib --with-ijs --enable-cups --with-drivers=ALL --with-x
+# --disable-gtk --without-ufst --without-libpaper --without-tesseract
+# configure: WARNING: unrecognized options: --disable-dependency-tracking
+# so the "unrecognized options: --disable-dependency-tracking" warning comes from the RPM configure macro.
 %configure \
 --with-fontpath=%{gs_font_path} \
 --with-libiconv=maybe \
@@ -358,8 +394,8 @@ export SUSE_ASNEEDED=0
 %endif
 --disable-gtk \
 --without-ufst \
- --without-luratech \
- --without-libpaper
+ --without-libpaper \
+ --without-tesseract
 # Make libgs.so and two programs which use it, gsx and gsc:
 # With --disable-gtk, gsx and gsc are identical. It provides a command line