diff --git a/backport-CVE-2021-3781-BUg-704342-Include-device-specifier-strings-in-acces.patch b/backport-CVE-2021-3781-BUg-704342-Include-device-specifier-strings-in-acces.patch new file mode 100644 index 0000000000000000000000000000000000000000..51c33e0bb2aa1e6e1dd59fe6831982fec5a4ee96 --- /dev/null +++ b/backport-CVE-2021-3781-BUg-704342-Include-device-specifier-strings-in-acces.patch @@ -0,0 +1,229 @@ +From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Tue, 7 Sep 2021 20:36:12 +0100 +Subject: [PATCH] Bug 704342: Include device specifier strings in access + validation + +for the "%pipe%", %handle%" and %printer% io devices. + +We previously validated only the part after the "%pipe%" Postscript device +specifier, but this proved insufficient. + +This rebuilds the original file name string, and validates it complete. The +slight complication for "%pipe%" is it can be reached implicitly using +"|" so we have to check both prefixes. + +Addresses CVE-2021-3781 +--- + base/gdevpipe.c | 22 +++++++++++++++- + base/gp_mshdl.c | 11 +++++++- + base/gp_msprn.c | 10 ++++++- + base/gp_os2pr.c | 13 +++++++++- + base/gslibctx.c | 69 ++++++++++--------------------------------------- + 5 files changed, 65 insertions(+), 60 deletions(-) + +diff --git a/base/gdevpipe.c b/base/gdevpipe.c +index 96d71f5d81..5bdc485be0 100644 +--- a/base/gdevpipe.c ++++ b/base/gdevpipe.c +@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, + #else + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ /* The pipe device can be reached in two ways, explicltly with %pipe% ++ or implicitly with "|", so we have to check for both ++ */ ++ char f[gp_file_name_sizeof]; ++ const char *pipestr = "|"; ++ const size_t pipestrlen = strlen(pipestr); ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); ++ int code1; ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ code1 = gp_validate_path(mem, f, access); ++ ++ memcpy(f, pipestr, pipestrlen); ++ memcpy(f + pipestrlen, fname, nlen + 1); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) + return gs_error_invalidfileaccess; + + /* +diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c +index 2b964ed749..8d87ceadc0 100644 +--- a/base/gp_mshdl.c ++++ b/base/gp_mshdl.c +@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, + long hfile; /* Correct for Win32, may be wrong for Win64 */ + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ char f[gp_file_name_sizeof]; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, f, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_handle method. */ +diff --git a/base/gp_msprn.c b/base/gp_msprn.c +index ed48279685..746a974f78 100644 +--- a/base/gp_msprn.c ++++ b/base/gp_msprn.c +@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + unsigned long *ptid = &((tid_t *)(iodev->state))->tid; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(pname, iodev->dname, preflen); ++ memcpy(pname + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, pname, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ +diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c +index f852c71fc8..ba54cde66f 100644 +--- a/base/gp_os2pr.c ++++ b/base/gp_os2pr.c +@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + FILE ** pfile, char *rfname, uint rnamelen) + { + os2_printer_t *pr = (os2_printer_t *)iodev->state; +- char driver_name[256]; ++ char driver_name[gp_file_name_sizeof]; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const int size_t = strlen(fname); ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(driver_name, iodev->dname, preflen); ++ memcpy(driver_name + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, driver_name, access) != 0) ++ return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ + /* Note that the loop condition here ensures we don't +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 6dfed6cd5a..318039fad0 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) + int + gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ + rewrite_percent_specifiers(f); +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_add_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_add_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_add_control_path(mem, gs_permit_file_control, fp); ++ ++ code = gs_add_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_add_control_path(mem, gs_permit_file_writing, fp); ++ return gs_add_control_path(mem, gs_permit_file_writing, f); + } + + int + gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_remove_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_remove_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_remove_control_path(mem, gs_permit_file_control, fp); ++ rewrite_percent_specifiers(f); ++ ++ code = gs_remove_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_remove_control_path(mem, gs_permit_file_writing, fp); ++ return gs_remove_control_path(mem, gs_permit_file_writing, f); + } + + int diff --git a/backport-CVE-2021-45944-oss-fuzz-30715-Check-stack-limits-after-function-eva.patch b/backport-CVE-2021-45944-oss-fuzz-30715-Check-stack-limits-after-function-eva.patch new file mode 100644 index 0000000000000000000000000000000000000000..4a9cf6436e67a30a7dcabd0643de31932ddaf800 --- /dev/null +++ b/backport-CVE-2021-45944-oss-fuzz-30715-Check-stack-limits-after-function-eva.patch @@ -0,0 +1,45 @@ +From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Fri, 12 Feb 2021 10:34:23 +0000 +Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation. + +During function result sampling, after the callout to the Postscript +interpreter, make sure there is enough stack space available before pushing +or popping entries. + +In thise case, the Postscript procedure for the "function" is totally invalid +(as a function), and leaves the op stack in an unrecoverable state (as far as +function evaluation is concerned). We end up popping more entries off the +stack than are available. + +To cope, add in stack limit checking to throw an appropriate error when this +happens. +--- + psi/zfsample.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 290809405d..652ae02c67 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + } else { + if (stack_depth_adjust) { + stack_depth_adjust -= num_out; +- push(O_STACK_PAD - stack_depth_adjust); +- for (i=0;i +Date: Tue, 1 Jun 2021 19:57:16 +0100 +Subject: [PATCH] Bug 703902: Fix op stack management in + sampled_data_continue() + +Replace pop() (which does no checking, and doesn't handle stack extension +blocks) with ref_stack_pop() which does do all that. + +We still use pop() in one case (it's faster), but we have to later use +ref_stack_pop() before calling sampled_data_sample() which also accesses the +op stack. + +Fixes: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 +--- + psi/zfsample.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 0e8e4bc8dd..00cd0cfdd9 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + for (j = 0; j < bps; j++) + data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ + } +- pop(num_out); /* Move op to base of result values */ + +- /* Check if we are done collecting data. */ ++ pop(num_out); /* Move op to base of result values */ + ++ /* From here on, we have to use ref_stack_pop() rather than pop() ++ so that it handles stack extension blocks properly, before calling ++ sampled_data_sample() which also uses the op stack. ++ */ ++ /* Check if we are done collecting data. */ + if (increment_cube_indexes(params, penum->indexes)) { + if (stack_depth_adjust == 0) +- pop(O_STACK_PAD); /* Remove spare stack space */ ++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ + else +- pop(stack_depth_adjust - num_out); ++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out); + /* Execute the closing procedure, if given */ + code = 0; + if (esp_finish_proc != 0) +@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + if ((O_STACK_PAD - stack_depth_adjust) < 0) { + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); + check_op(stack_depth_adjust); +- pop(stack_depth_adjust); ++ ref_stack_pop(&o_stack, stack_depth_adjust); + } + else { + check_ostack(O_STACK_PAD - stack_depth_adjust); +- push(O_STACK_PAD - stack_depth_adjust); ++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); + for (i=0;i +Date: Mon, 24 Aug 2020 09:24:31 +0100 +Subject: [PATCH] Coverity 361429: move "break" to correct place. + +We had to add the outputfile to the "control" file permission list (as well +as write), but for the "pipe" case, I accidentally added the call after the +break out of loop that checks for a pipe. +--- + base/gslibctx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gslibctx.c b/base/gslibctx.c +index ff8fc895ef..63dfbe2e06 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -668,10 +668,10 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + code = gs_add_control_path(mem, gs_permit_file_writing, f); + if (code < 0) + return code; +- break; + code = gs_add_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; ++ break; + } + if (!IS_WHITESPACE(f[i])) + break; diff --git a/backport-Fix-pdfwrite-d-mode-with-file-permissions.patch b/backport-Fix-pdfwrite-d-mode-with-file-permissions.patch new file mode 100644 index 0000000000000000000000000000000000000000..e12fd6116b5f57662bfccfcd4b37f5824fa6d21b --- /dev/null +++ b/backport-Fix-pdfwrite-d-mode-with-file-permissions.patch @@ -0,0 +1,112 @@ +From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 20 Aug 2020 17:19:09 +0100 +Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions + +Firstly, in gx_device_delete_output_file the iodev pointer was being passed +to the delete_method incorrectly (passing a pointer to that pointer). Thus +when we attempted to use that to confirm permission to delete the file, it +crashed. Credit to Ken for finding that. + +Secondly, due to the way pdfwrite works, when running with an output file per +page, it creates the current output file immediately it has completed writing +the previous one. Thus, it has to delete that partial file on exit. + +Previously, the output file was not added to the "control" permission list, +so an attempt to delete it would result in an error. So add the output file +to the "control" as well as "write" list. +--- + base/gsdevice.c | 2 +- + base/gslibctx.c | 20 ++++++++++++++------ + 2 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/base/gsdevice.c b/base/gsdevice.c +index 9131194951..ac78af93fd 100644 +--- a/base/gsdevice.c ++++ b/base/gsdevice.c +@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname) + parsed.len = strlen(parsed.fname); + } + if (parsed.iodev) +- code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname); ++ code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname); + else + code = gs_note_error(gs_error_invalidfileaccess); + +diff --git a/base/gslibctx.c b/base/gslibctx.c +index d726c58b5b..ff8fc895ef 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + char *fp, f[gp_file_name_sizeof]; + const int pipe = 124; /* ASCII code for '|' */ + const int len = strlen(fname); +- int i; ++ int i, code; + + /* Be sure the string copy will fit */ + if (len >= gp_file_name_sizeof) +@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + rewrite_percent_specifiers(f); + for (i = 0; i < len; i++) { + if (f[i] == pipe) { +- int code; +- + fp = &f[i + 1]; + /* Because we potentially have to check file permissions at two levels + for the output file (gx_device_open_output_file and the low level +@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + if (code < 0) + return code; + break; ++ code = gs_add_control_path(mem, gs_permit_file_control, f); ++ if (code < 0) ++ return code; + } + if (!IS_WHITESPACE(f[i])) + break; + } ++ code = gs_add_control_path(mem, gs_permit_file_control, fp); ++ if (code < 0) ++ return code; + return gs_add_control_path(mem, gs_permit_file_writing, fp); + } + +@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + char *fp, f[gp_file_name_sizeof]; + const int pipe = 124; /* ASCII code for '|' */ + const int len = strlen(fname); +- int i; ++ int i, code; + + /* Be sure the string copy will fit */ + if (len >= gp_file_name_sizeof) +@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + /* Try to rewrite any %d (or similar) in the string */ + for (i = 0; i < len; i++) { + if (f[i] == pipe) { +- int code; +- + fp = &f[i + 1]; + /* Because we potentially have to check file permissions at two levels + for the output file (gx_device_open_output_file and the low level +@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + the pipe_fopen(), the leading '|' has been stripped. + */ + code = gs_remove_control_path(mem, gs_permit_file_writing, f); ++ if (code < 0) ++ return code; ++ code = gs_remove_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; + break; +@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + if (!IS_WHITESPACE(f[i])) + break; + } ++ code = gs_remove_control_path(mem, gs_permit_file_control, fp); ++ if (code < 0) ++ return code; + return gs_remove_control_path(mem, gs_permit_file_writing, fp); + } + diff --git a/ghostscript.spec b/ghostscript.spec index a24b41a6bd6916caadfc45d1758a56877ee124e4..f931f76c7be6603b921d004a71688e4eb1579309 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.52 -Release: 5 +Release: 6 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -44,6 +44,11 @@ Patch25: Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch Patch26: oss-fuzz-22182-validate-glyph-offset-length-values.patch Patch27: oss-fuzz-23637-Fix-error-code-confusion.patch Patch28: oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch +Patch29: backport-CVE-2021-45944-oss-fuzz-30715-Check-stack-limits-after-function-eva.patch +Patch30: backport-CVE-2021-45949-Bug-703902-Fix-op-stack-management-in-sampled_data_c.patch +Patch31: backport-Fix-pdfwrite-d-mode-with-file-permissions.patch +Patch32: backport-Coverity-361429-move-break-to-correct-place.patch +Patch33: backport-CVE-2021-3781-BUg-704342-Include-device-specifier-strings-in-acces.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -204,6 +209,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Tue Mar 1 2022 yangzhuangzhuang - 9.52-6 +- Type:CVE +- ID:CVE-2021-3781 CVE-2021-45944 CVE-2021-45949 +- SUG:NA +- DESC:fix CVE-2021-3781 CVE-2021-45944 CVE-2021-45949 + * Mon Apr 19 2021 panxiaohe - 9.52-5 - Type:enhancement - ID:NA