authorLeonardo Arena <rnalrd@alpinelinux.org>2019-09-16 12:28:17 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-09-16 12:28:43 +0000
commitd523278cd6edc33481e4d0d111f3e2d00ee34033 (patch)
tree5a17bebb91958e37cd77ca4aeb1bec210c24cc52
parent9f6b061f48c397e4e666fcf6f75fabe92b6033d2 (diff)
main/ghostscript: security fixes
-rw-r--r--main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch436
-rw-r--r--main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch41
-rw-r--r--main/ghostscript/APKBUILD17
-rw-r--r--main/ghostscript/CVE-2019-14811-14812-14813.patch69
-rw-r--r--main/ghostscript/CVE-2019-14817.patch218
5 files changed, 779 insertions, 2 deletions
diff --git a/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch b/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
new file mode 100644
index 00000000000..463ae601d76
--- /dev/null
+++ b/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
@@ -0,0 +1,436 @@
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Thu, 31 Jan 2019 11:31:30 -0800
+Subject: Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp).
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3839
+
+We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict
+where needed so we can undef it after the last PDF interp file has
+run (pdf_sec.ps).
+---
+ Resource/Init/pdf_base.ps | 11 ++++-----
+ Resource/Init/pdf_draw.ps | 59 +++++++++++++++++++++++------------------------
+ Resource/Init/pdf_font.ps | 9 ++++----
+ Resource/Init/pdf_main.ps | 25 ++++++++++----------
+ Resource/Init/pdf_ops.ps | 11 +++++----
+ Resource/Init/pdf_sec.ps | 4 +++-
+ 6 files changed, 60 insertions(+), 59 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index e35e0e3731d4..13dd51f46793 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -23,7 +23,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Define the name interpretation dictionary for reading values.
+@@ -133,11 +132,11 @@ currentdict /num-chars-dict .undef
+
+ /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
+ PDFDEBUG {
+- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
++ //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if
+ PDFSTEP {
+- pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
++ //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
+ PDFSTEPcount 1 gt {
+- pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
++ //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
+ } executeonly
+ {
+ dup ==only
+@@ -145,10 +144,10 @@ currentdict /num-chars-dict .undef
+ ( ? ) print flush 1 //false .outputpage
+ (%stdin) (r) file 255 string readline {
+ token {
+- exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
++ exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /PDFSTEPcount 1 .forceput
++ //pdfdict /PDFSTEPcount 1 .forceput
+ } executeonly ifelse % token
+ } {
+ pop /PDFSTEP //false def % EOF on stdin
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 36c41a9a30c2..2e39c87d207c 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -18,8 +18,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin
+ pdfdict begin
+
+ % For simplicity, we use a single interpretation dictionary for all
+@@ -113,7 +112,7 @@ pdfdict begin
+
+ /resolvefunction { % <fndict> resolvefunction <function>
+ .resolvefn
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /resolvefnproc { % <fndict> resolvefnproc <proc>
+@@ -1086,7 +1085,7 @@ currentdict end readonly def
+ %% finished running the PaintProc.
+
+ /.actual_pdfpaintproc { % <patdict> <resdict> .pdfpaintproc -
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
+ PDFfile fileposition 3 1 roll
+ q
+ 1 index /PaintType oget 1 eq {
+@@ -1121,21 +1120,21 @@ currentdict end readonly def
+ Q
+ }{
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1144,21 +1143,21 @@ currentdict end readonly def
+ } loop
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1169,7 +1168,7 @@ currentdict end readonly def
+ /pdfemptycount exch def
+
+ Q
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
+ PDFfile exch setfileposition
+ } bind executeonly odef
+
+@@ -1240,7 +1239,7 @@ currentdict end readonly def
+ ] cvx put
+ dup /BBox 2 copy knownoget { normrect FixPatternBBox put } { pop pop } ifelse
+ dup /.pattern_uses_transparency 1 index patternusestransparency put
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /ignore_color_op ( **** Error: Ignoring a color operation in a cached context.\n Output may be incorrect.\n) readonly def
+@@ -2361,16 +2360,16 @@ currentdict /last-ditch-bpc-csp undef
+ } bind executeonly def
+
+ /IncrementAppearanceNumber {
+- pdfdict /AppearanceNumber .knownget {
+- 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
++ //pdfdict /AppearanceNumber .knownget {
++ 1 add //pdfdict /AppearanceNumber 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /AppearanceNumber 0 .forceput
++ //pdfdict /AppearanceNumber 0 .forceput
+ } executeonly ifelse
+ }bind executeonly odef
+
+ /MakeAppearanceName {
+- pdfdict /AppearanceNumber get
++ //pdfdict /AppearanceNumber get
+ 10 string cvs
+ dup length 10 add string dup 0 (\{FormName) putinterval
+ dup 3 -1 roll
+@@ -2391,17 +2390,17 @@ currentdict /last-ditch-bpc-csp undef
+ gsave initclip
+ MakeNewAppearanceName
+ .pdfFormName
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
+- pdfdict /.PreservePDFForm true .forceput
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm true .forceput
+ DoForm
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ grestore
+ } bind executeonly odef
+
+ /DoForm {
+ %% save the current value, if its true we will set it to false later, in order
+ %% to prevent us preserving Forms which are used *from* an annotation /Appearance.
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
+
+ %% We may alter the Default* colour spaces, if the Resources
+ %% ColorSpace entry contains one of them. But we don't want that
+@@ -2516,13 +2515,13 @@ currentdict /last-ditch-bpc-csp undef
+ pdfemptycount countdictstack 3 -1 roll
+ /pdfemptycount count 4 sub store
+
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get}{//false} ifelse
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get}{//false} ifelse
+ {
+ %% We must *not* preserve any subsidiary forms (curently at least) as PDF
+ %% form preservation doesn't really work. This is used just for Annotation
+ %% Appearances currently, and if they should happen to use a form, we do not
+ %% want to preserve it.
+- pdfdict /.PreservePDFForm false .forceput
++ //pdfdict /.PreservePDFForm false .forceput
+ /q cvx /execform cvx 5 -2 roll
+ } executeonly
+ {
+@@ -2555,7 +2554,7 @@ currentdict /last-ditch-bpc-csp undef
+ saved_DCMYK /DefaultCMYK exch /ColorSpace defineresource pop
+ end
+ } if
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ } bind executeonly odef
+
+ /_dops_save 1 array def
+@@ -2714,13 +2713,13 @@ drawopdict begin
+ % Start by getting the object number for a Form XObject
+ dup Page /XObject obj_get dup 0 eq not {
+ % Now get the recording dictionary and see if that object number has been seen
+- pdfdict /Recursive_XObject_D get 1 index known {
++ //pdfdict /Recursive_XObject_D get 1 index known {
+ ( **** Error: Recursive XObject detected, ignoring ") print 1 index 256 string cvs print (", object number ) print 256 string cvs print (\n) print
+ ( Output may be incorrect.\n) pdfformaterror
+ //false
+ }{
+ % We haven't seen it yet, so record it.
+- pdfdict /Recursive_XObject_D get 1 index null put
++ //pdfdict /Recursive_XObject_D get 1 index null put
+ 3 1 roll
+ //true
+ }ifelse
+@@ -2758,7 +2757,7 @@ drawopdict begin
+ ( Output may be incorrect.\n) pdfformaterror
+ } ifelse
+ PDFfile exch setfileposition
+- pdfdict /Recursive_XObject_D get exch undef
++ //pdfdict /Recursive_XObject_D get exch undef
+ }{
+ % Otherwise ignore it and tidy up the stacks
+ pop pop
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 7e35c02ac132..6b09be61f8f2 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -37,8 +37,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin % from userdict at this point
+ pdfdict begin
+
+ % We cache the PostScript font in an additional element of the
+@@ -1227,11 +1226,11 @@ currentdict /eexec_pdf_param_dict .undef
+ .pdfruncontext
+ countdictstack BuildCharDictDepth sub
+ {
+- pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
++ //pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
+ {
+ (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ pdfformatwarning
+- pdfdict /.Qqwarning_issued //true .forceput
++ //pdfdict /.Qqwarning_issued //true .forceput
+ } executeonly if
+ Q
+ } repeat
+@@ -2361,7 +2360,7 @@ currentdict /bndef undef
+ dup //null eq
+ {pop}
+ {
+- pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
++ //pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
+ exch dup /.OrigUniqueIDXUID .knownget not
+ {
+ dup /XUID .knownget not
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 0a8929a2ac14..c1de1b0ef05c 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -18,8 +18,9 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
++/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it
++userdict /GS_PDF_ProcSet undef
+
+ % Patch in an obsolete variable used by some third-party software.
+ /#? //false def
+@@ -304,8 +305,8 @@ currentdict /runpdfstring .undef
+ /Page //null def
+ /DSCPageCount 0 def
+ /PDFSave //null def
+- GS_PDF_ProcSet begin
+- pdfdict begin
++ //pdfdict /GS_PDF_ProcSet get begin
++ //pdfdict begin
+ pdfopen begin
+ /CumulativePageCount currentpagedevice /PageCount get def
+ } bind executeonly def
+@@ -624,7 +625,7 @@ currentdict /runpdfstring .undef
+ %% copied to a temporary file) and store it in pdfdict. We will use this for
+ %% hashing fonts to detect if fonts with the same name are from different files.
+ %%
+- dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch pdfdict 3 1 roll .forceput
++ dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch //pdfdict 3 1 roll .forceput
+
+ //runpdfbegin exec
+ //pdf_collection_files exec
+@@ -1390,7 +1391,7 @@ currentdict /xref-char-dict undef
+ } bind executeonly def
+
+ /pdfopenfile { % <file> pdfopenfile <dict>
+- pdfdict readonly pop % can't do it any earlier than this
++ //pdfdict readonly pop % can't do it any earlier than this
+ 32 dict begin
+ /LocalResources 0 dict def
+ /DefaultQstate //null def % establish binding
+@@ -2717,21 +2718,21 @@ currentdict /PDF2PS_matrix_key undef
+ StreamRunAborted not {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -2743,8 +2744,8 @@ currentdict /PDF2PS_matrix_key undef
+ Repaired % pass Repaired state around the restore
+ RepairedAnError
+ PDFSave restore
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //false .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //false .forceput
+ .setglobal
+ /RepairedAnError exch def
+ /Repaired exch def
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index 34e2fbd5861a..46de547f7a98 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -24,6 +24,7 @@
+ systemdict /pdfmark known not
+ { userdict /pdfmark { cleartomark } bind executeonly put } if
+
++systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse
+ userdict /GS_PDF_ProcSet 256 dict dup begin
+
+ % ---------------- Abbreviations ---------------- %
+@@ -174,21 +175,21 @@ currentdict /gput_always_allow .undef
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+diff --git a/Resource/Init/pdf_sec.ps b/Resource/Init/pdf_sec.ps
+index d8cc94c86574..163dd687764e 100644
+--- a/Resource/Init/pdf_sec.ps
++++ b/Resource/Init/pdf_sec.ps
+@@ -39,7 +39,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Older ghostscript versions do not have .pdftoken, so we use 'token' instead.
+@@ -748,4 +747,7 @@ currentdict /PDFScanRules_null undef
+ } bind executeonly def
+
+ end % pdfdict
++
++systemdict /pdfdict .forceundef % hide pdfdict
++
+ .setglobal
+--
+2.11.0
+
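Review bot: Hiding `pdfdict` only holds if every run-time reference in the patched tree uses the immediate form `//pdfdict`, because the last nested hunk ends pdf_sec.ps with `systemdict /pdfdict .forceundef`; a procedure that still looks `pdfdict` up by name would fail with /undefined the first time it runs after initialisation. The nested hunks convert the references they show, but the upstream commit is dated 2019-01-31 and may not have been written against the 9.26 sources packaged here, so it is worth searching the patched `Resource/Init/pdf_*.ps` files for a bare `pdfdict` inside procedure bodies before shipping. Separately, in the pdf_ops.ps hunk the line `systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse` appears to leave `systemdict` on the operand stack when the key is already defined; that is inherited from upstream and is better reported there than changed locally.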
diff --git a/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch b/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
new file mode 100644
index 00000000000..5da83ab565c
--- /dev/null
+++ b/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
@@ -0,0 +1,41 @@
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Mon, 18 Feb 2019 12:11:45 -0800
+Subject: Bug 700599: Issue an error message if an ExtGstate is not found.
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=be86d2ff2f0f0ea0e365707f3be0fa0c9e7315ee
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=700599
+
+Previously, this was silently ignored. Only issue a single warning,
+and respect PDFSTOPONERROR to prevent continuing with potentially
+incorrect output.
+
+Note that tests_private/pdf/uploads/bug696410.pdf also now gets this
+error message (ExtGState" instead of ExtGState in object 10).
+---
+ Resource/Init/pdf_draw.ps | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 75b5eb622b52..c0201ad65da2 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -494,7 +494,16 @@ end
+ dup {
+ oforce exch gsparamdict exch .knownget { exec } { pop } ifelse
+ } forall pop
+- } if
++ } {
++ //pdfdict /.gs_warning_issued known not {
++ (\n **** Error 'gs' ignored -- ExtGState missing from Resources.\n)
++ pdfformaterror
++ ( Output may be incorrect.\n) pdfformaterror
++ //pdfdict /.gs_warning_issued //true .forceput
++ PDFSTOPONERROR { /gs /undefined signalerror } if
++ } if
++ }
++ ifelse
+ } bind executeonly def
+
+ % ------ Transparency support ------ %
+--
+2.20.1
+
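Review bot: The two procedure bodies this patch adds around `//pdfdict /.gs_warning_issued //true .forceput` close with a plain `} if` and `}`, so applied on its own it introduces `.forceput` inside procedures that are not `executeonly`. That is only corrected by the pdf_draw.ps hunk of CVE-2019-14817.patch in this same commit (`} executeonly if` / `} executeonly`), which in turn needs these lines as context. A comment beside the entry in the APKBUILD `source` list, for example `# prerequisite for CVE-2019-14817.patch; do not drop or reorder`, would keep the two from being separated later.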
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index ff515ed5613..68b83c4bb5a 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.26
-pkgrel=3
+pkgrel=4
pkgdesc="An interpreter for the PostScript language and for PDF"
url="https://ghostscript.com/"
arch="all"
@@ -19,10 +19,19 @@ source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/
CVE-2019-10216.patch
ghostscript-system-zlib.patch
fix-sprintf.patch
+ CVE-2019-14811-14812-14813.patch
+ 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
+ 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
+ CVE-2019-14817.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 9.26-r4:
+# - CVE-2019-14811
+# - CVE-2019-14812
+# - CVE-2019-14813
+# - CVE-2019-14817
# 9.26-r3:
# - CVE-2019-10216
# 9.26-r2:
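Review bot: The new `9.26-r4` secfixes entry omits the CVE that 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch, added to `source` in this same hunk, names in its header (`Bug-Debian-Security: .../CVE-2019-3839`). Unless that CVE is already recorded under an earlier release (the secfixes block continues past the end of this hunk), add `# - CVE-2019-3839` under `9.26-r4` so that anything reading secfixes reports the fix. The two numbered patches also give no hint of their security relevance in their file names, so a short comment in `source` saying which CVE each one serves would help the next maintainer decide what can be dropped on a version bump.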
@@ -143,4 +152,8 @@ sha512sums="670159c23618ffafa85c671642bf182a107a82c053a1fd8c3f45f73f203524077be1
dc3bd1de86e4a968ed35a35a125f682cffeed51fe4dbf9b3939dd78b07ef0748fe6b34816e689bcfffb4f819e51bcb5022f3151a5610aa24fd2468cdcbc665ea CVE-2019-3838.patch
f89744b17922b7d9c04c6de69ce35fa621732e4373eccc158b7ff6a9e56d2cf0bbea30c28119f4808864ca584e94342e5125d7bcc6195252455b5f223f379e3f CVE-2019-10216.patch
70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch
-beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch"
+beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch
+b61a1c5d818c054463e606a9f85e4f4a308ac839f734d6200dfc3b74e3859ac64b23996ff1bf4c90a0ee95acf10dfa19d066fda0b6fb11689294d0dc4267689e CVE-2019-14811-14812-14813.patch
+8036fa8a7175546dc3aae8619c92fa38016a8be132bb2a3a01f16ba66b5d9c05581dba40c1f184380b43b4e0b079d3cace7e401f9ed5fd718f36fbe7038649bc 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
+26ad5e996d4724a1683083c1abfdd39ebf41f5e7478a061f5713e11f2ffaf3834fe52f29e03d585044c7536b1201a97626f3640324abdc3e90b6ecc2a2db399b 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
+63b7d1a30045e454eba0bcceba52fd402c5fd9313c0057100bb98d2e82c1d61cd404826f63c4b9d7e4fdf4935c71f09a9633d43edbcd0658fb5dc5e20afc6ca0 CVE-2019-14817.patch"
diff --git a/main/ghostscript/CVE-2019-14811-14812-14813.patch b/main/ghostscript/CVE-2019-14811-14812-14813.patch
new file mode 100644
index 00000000000..a3d6b76c846
--- /dev/null
+++ b/main/ghostscript/CVE-2019-14811-14812-14813.patch
@@ -0,0 +1,69 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 20 Aug 2019 10:10:28 +0100
+Subject: make .forceput inaccessible
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701443
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14813
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701444
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14812
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701445
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14811
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+---
+ Resource/Init/gs_lev2.ps | 6 +++---
+ Resource/Init/gs_pdfwr.ps | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 4cc7f820f765..0fd4164650ab 100644
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+ {
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ % A context switch might have occurred during the above loop,
+ % causing the interpreter-level parameters to be reset.
+ % Set them again to the new values. From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+ { pop pop
+ }
+ ifelse
+- }
++ } executeonly
+ forall pop
+-} .bind odef
++} .bind executeonly odef
+
+ % Initialize the passwords.
+ % NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index c158a8faf540..422e66e1a6ca 100644
+--- a/Resource/Init/gs_pdfwr.ps
++++ b/Resource/Init/gs_pdfwr.ps
+@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
+ systemdict /.pdf_hooked_DSC_Creator //true .forceput
+ } executeonly if
+ pop
+- } if
++ } executeonly if
+ } {
+ pop
+ } ifelse
+- }
++ } executeonly
+ {
+ pop
+ } ifelse
+--
+2.23.0.rc1
+
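Review bot: The patch header is inconsistent about which upstream bugs it closes: the three `Bug:` trailers point at ids 701443, 701444 and 701445, while the description says `Bug #701343, #701344, #701345` and refers to the exploit in #701343. The text is carried from upstream, so rather than rewording it, a one-line packaging note such as `# upstream message misnumbers the bugs; the Bug: URLs are authoritative` (to be confirmed against the tracker) would spare anyone tracing these CVEs a dead end.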
diff --git a/main/ghostscript/CVE-2019-14817.patch b/main/ghostscript/CVE-2019-14817.patch
new file mode 100644
index 00000000000..80cdcecb8e2
--- /dev/null
+++ b/main/ghostscript/CVE-2019-14817.patch
@@ -0,0 +1,218 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Aug 2019 10:10:51 +0100
+Subject: PDF interpreter - review .forceput security
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701450
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14817
+
+Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
+
+By abusing the error handler it was possible to get the PDFDEBUG portion
+of .pdfexectoken, which uses .forceput left readable.
+
+Add an executeonly appropriately to make sure that clause isn't readable
+no mstter what.
+
+Review all the uses of .forceput searching for similar cases, add
+executeonly as required to secure those. All cases in the PostScript
+support files seem to be covered already.
+---
+ Resource/Init/pdf_base.ps | 2 +-
+ Resource/Init/pdf_draw.ps | 14 +++++++-------
+ Resource/Init/pdf_font.ps | 29 ++++++++++++++++-------------
+ Resource/Init/pdf_main.ps | 6 +++---
+ Resource/Init/pdf_ops.ps | 11 ++++++-----
+ 5 files changed, 33 insertions(+), 29 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index 2e28cdd7181e..02503eef8bc4 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
+ {
+ dup ==only () = flush
+ } ifelse % PDFSTEP
+- } if % PDFDEBUG
++ } executeonly if % PDFDEBUG
+ 2 copy .knownget {
+ exch pop exch pop exch pop exec
+ } {
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 11eb485f2eb7..fe3fc56c4161 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -501,8 +501,8 @@ end
+ ( Output may be incorrect.\n) pdfformaterror
+ //pdfdict /.gs_warning_issued //true .forceput
+ PDFSTOPONERROR { /gs /undefined signalerror } if
+- } if
+- }
++ } executeonly if
++ } executeonly
+ ifelse
+ } bind executeonly def
+
+@@ -1152,7 +1152,7 @@ currentdict end readonly def
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+@@ -1160,8 +1160,8 @@ currentdict end readonly def
+ pdfformaterror
+ } executeonly ifelse
+ end
+- } ifelse
+- } loop
++ } executeonly ifelse
++ } executeonly loop
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ //pdfdict /.Qqwarning_issued .knownget
+@@ -1175,14 +1175,14 @@ currentdict end readonly def
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
++ } executeonly if
+ pop
+
+ % restore pdfemptycount
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 8b8fef8..86b1870 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -677,7 +677,7 @@ currentdict end readonly def
+ currentglobal 2 index dup gcheck setglobal
+ /FontInfo 5 dict dup 5 1 roll .forceput
+ setglobal
+- } if
++ } executeonly if
+ dup /GlyphNames2Unicode .knownget not {
+ //true % No existing G2U, make one
+ } {
+@@ -701,9 +701,9 @@ currentdict end readonly def
+ } if
+ PDFDEBUG {
+ (.processToUnicode end) =
+- } if
+- } if
+- } stopped
++ } executeonly if
++ } executeonly if
++ } executeonly stopped
+ {
+ .dstackdepth 1 countdictstack 1 sub
+ {pop end} for
+@@ -1298,19 +1300,20 @@ currentdict /eexec_pdf_param_dict .undef
+ //pdfdict /.Qqwarning_issued //true .forceput
+ } executeonly if
+ Q
+- } repeat
++ } executeonly repeat
+ Q
+- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ PDFfile exch setfileposition
+- } ifelse
+- } {
++ } executeonly ifelse
++ } executeonly
++ {
+ % PDF Type 3 fonts don't use .notdef
+ % d1 implementation adjusts the width as needed
+ 0 0 0 0 0 0
+ pdfopdict /d1 get exec
+ } ifelse
+ end end
+- } bdef
++ } executeonly bdef
+ dup currentdict Encoding .processToUnicode
+ currentdict end .completefont exch pop
+ } bind executeonly odef
+@@ -2124,9 +2127,9 @@ currentdict /CMap_read_dict undef
+ (Will continue, but content may be missing.) = flush
+ } ifelse
+ } if
+- } if
++ } executeonly if
+ /findresource cvx /undefined signalerror
+- } loop
++ } executeonly loop
+ } bind executeonly odef
+
+ /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 00d7e3682fd8..7690bae0f920 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -2771,15 +2771,15 @@ currentdict /PDF2PS_matrix_key undef
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
+- } if
++ } executeonly if
++ } executeonly if
+ pop
+ count PDFexecstackcount sub { pop } repeat
+ (after exec) VMDEBUG
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index a15c8c6770f7..d594035c066a 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -192,14 +192,14 @@ currentdict /gput_always_allow .undef
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
++ } executeonly if
+ } bind executeonly odef
+
+ % Save PDF gstate
+@@ -446,11 +446,12 @@ currentdict /gput_always_allow .undef
+ dup type /booleantype eq {
+ .currentSMask type /dicttype eq {
+ .currentSMask /Processed 2 index .forceput
++ } executeonly
++ {
++ .setSMask
++ }ifelse
+ } executeonly
+ {
+- .setSMask
+- }ifelse
+- }{
+ .setSMask
+ }ifelse
+
+--
+2.23.0.rc1
+
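Review bot: The pdf_font.ps section of this backport appears to be missing an upstream hunk, and nothing in the patch says why. The header diffstat gives `Resource/Init/pdf_font.ps | 29`, but the four hunks present change only 23 lines (12 added, 11 removed), and the third hunk starts at `-1298,19 +1300,20` although the two hunks before it add no net lines; its `index 8b8fef8..86b1870` line is also shorter than the other files' index lines, which suggests the section was regenerated locally. Since the stated purpose of the patch is to review every `.forceput` use, the patch header should record which hunk was dropped and why, and the corresponding 9.26 code should be checked for a `.forceput` left in a procedure without `executeonly`.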