diff --git a/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch b/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch new file mode 100644 index 0000000000000000000000000000000000000000..531e4ebd5678024a5d3e8fe689fccd2af4580ec5 --- /dev/null +++ b/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch @@ -0,0 +1,57 @@ +From e59216049cac290fb437a04c4f41ea46826cfba5 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: [PATCH 01/44] IJS device - try and secure the IJS server startup + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the IJS device +after SAFER has been activated, and prevents changes to the IjsServer +parameter after SAFER has been activated. + +SAFER is activated, unless explicitly disabled, before any user +PostScript is executed which means that the device and the server +invocation can only be configured on the command line. This does at +least provide minimal security against malicious PostScript programs. +--- + devices/gdevijs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/devices/gdevijs.c b/devices/gdevijs.c +index 8cbd84b97..16f5a1752 100644 +--- a/devices/gdevijs.c ++++ b/devices/gdevijs.c +@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev) + static const char rgb[] = "DeviceRGB"; + gx_device_ijs *ijsdev = (gx_device_ijs *)dev; + ++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active) ++ return_error(gs_error_invalidaccess); + if (!ijsdev->ColorSpace) { + ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1, + "gsijs_initialize"); +@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) + if (code >= 0) + code = gsijs_read_string(plist, "IjsServer", + ijsdev->IjsServer, sizeof(ijsdev->IjsServer), +- dev->LockSafetyParams, is_open); ++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); + + if (code >= 0) + code = gsijs_read_string_malloc(plist, "DeviceManufacturer", +-- +2.33.0 + diff --git a/ghostscript.spec b/ghostscript.spec index 47e93d85d0414d44021daac579adc7d47c256a9b..39bb85d96b340a9be2049b0021315fa8b44e5d3f 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 5 +Release: 6 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -21,6 +21,7 @@ Patch2: backport-CVE-2022-2085.patch Patch3: CVE-2023-38559.patch Patch4: CVE-2023-28879.patch Patch5: CVE-2023-36664.patch +Patch6: backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -181,6 +182,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Fri Sep 22 2023 dillon chen - 9.55.0-6 +- Type:CVE +- ID:CVE-2023-43115 +- SUG:NA +- DESC:fix CVE-2023-43115 + * Wed Sep 6 2023 liningjie - 9.55.0-5 - fix CVE-2023-36664