From 6cb5093ba249199b7597e37379134c1a350f2daa Mon Sep 17 00:00:00 2001 From: liningjie Date: Tue, 15 Aug 2023 17:41:18 +0800 Subject: [PATCH 1/4] fix CVE-2023-38559 (cherry picked from commit 6c1944605519610bced2023539925fa0210da104) --- CVE-2023-38559.patch | 27 +++++++++++++++++++++++++++ ghostscript.spec | 6 +++++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-38559.patch diff --git a/CVE-2023-38559.patch b/CVE-2023-38559.patch new file mode 100644 index 0000000..fde0e2c --- /dev/null +++ b/CVE-2023-38559.patch @@ -0,0 +1,27 @@ +From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Mon, 17 Jul 2023 14:06:37 +0100 +Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from + devices/gdevpcx.c + +Bounds check the buffer, before dereferencing the pointer. +--- + base/gdevdevn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gdevdevn.c b/base/gdevdevn.c +index 7b14d9c71..6351fb77a 100644 +--- a/base/gdevdevn.c ++++ b/base/gdevdevn.c +@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file + byte data = *from; + + from += step; +- if (data != *from || from == end) { ++ if (from >= end || data != *from) { + if (data >= 0xc0) + gp_fputc(0xc1, file); + } else { +-- +2.41.0.windows.3 + diff --git a/ghostscript.spec b/ghostscript.spec index bcbf08c..0567801 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 2 +Release: 3 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ 
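Review bot: The reordered condition `if (from >= end || data != *from)` now reads `*from` only after the bound is checked, but within the hunk `from` is advanced solely by `from += step`, so when the run being encoded is not a multiple of `step` the comparison is made on a pointer that has already moved past `end`; that is harmless on real targets and matches the devices/gdevpcx.c fix it copies, yet it is formally out-of-range pointer arithmetic, so confirm how the callers derive `end` (the loop head and the rest of `devn_pcx_write_rle` are outside the hunk). The new line would be clearer with a why-comment such as `/* bounds-check before reading *from: the last pixel has no successor (Bug 706897) */`. On naming, the existing backports in this spec use the `backport-` prefix (`backport-CVE-2022-2085.patch`); `backport-CVE-2023-38559-Bug-706897-pcx-buffer-overrun.patch` would keep the series consistent and make the upstream commit `d81b82c70` easy to locate.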
@@ -18,6 +18,7 @@ Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch Patch2: backport-CVE-2022-2085.patch +Patch3: CVE-2023-38559.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -178,6 +179,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Tue Aug 15 2023 liningjie - 9.55.0-3 +- fix CVE-2023-38559 + * Tue Jul 5 2022 panxiaohe - 9.55.0-2 - fix CVE-2022-2085 -- Gitee From 3d34aefad2e93c0e9001c88b1438b0a74c3c53e9 Mon Sep 17 00:00:00 2001 From: liningjie Date: Thu, 24 Aug 2023 11:01:16 +0800 Subject: [PATCH 2/4] fix CVE-2023-28879 (cherry picked from commit 0db73b54a7ff85c6cc304b71d80c268f9e66e441) --- CVE-2023-28879.patch | 49 ++++++++++++++++++++++++++++++++++++++++++++ ghostscript.spec | 6 +++++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-28879.patch diff --git a/CVE-2023-28879.patch b/CVE-2023-28879.patch new file mode 100644 index 0000000..3223963 --- /dev/null +++ b/CVE-2023-28879.patch 
@@ -0,0 +1,49 @@ +From 5fc0b03188397142c61437e8ec68eb947abebf58 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Fri, 24 Mar 2023 13:19:57 +0000 +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. +--- + base/sbcp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/base/sbcp.c b/base/sbcp.c +index 979ae0992..47fc233ec 100644 +--- a/base/sbcp.c ++++ b/base/sbcp.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2021 Artifex Software, Inc. ++/* Copyright (C) 2001-2023 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, + byte ch = *++p; + + if (ch <= 31 && escaped[ch]) { ++ /* Make sure we have space to store two characters in the write buffer, ++ * if we don't then exit without consuming the input character, we'll process ++ * that on the next time round. ++ */ ++ if (pw->limit - q < 2) { ++ p--; ++ break; ++ } + if (p == rlimit) { + p--; + break; +-- +2.34.1 diff --git a/ghostscript.spec b/ghostscript.spec index 0567801..df1bbbe 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 3 +Release: 4 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ 
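Review bot: The new guard `if (pw->limit - q < 2) { p--; break; }` leaves the loop the same way the existing `if (p == rlimit)` exit below it does, without recording that it stopped for lack of output space rather than input; if `s_xBCPE_process` returns a status local like other stream filters, reporting "need more input" while input remains and the write buffer is one byte short could stall until the caller flushes, so check the code after the loop (outside the hunk) and set the "output full" status here if the loop's other full-output path does. The guard reads `pw->limit` directly while the function evidently keeps an `rlimit` local for the read side; using the matching write-side local, if one exists, would be consistent. The copyright-year hunk is unrelated noise in a minimal security backport and can be dropped when the patch is regenerated. As with the other new patch files here, a `backport-` prefixed name matching `backport-CVE-2022-2085.patch` would follow the spec's existing convention.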
@@ -19,6 +19,7 @@ Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch Patch2: backport-CVE-2022-2085.patch Patch3: CVE-2023-38559.patch +Patch4: CVE-2023-28879.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -179,6 +180,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Thu Aug 24 2023 liningjie - 9.55.0-4 +- fix CVE-2023-28879 + * Tue Aug 15 2023 liningjie - 9.55.0-3 - fix CVE-2023-38559 -- Gitee From 5abfcfcf3d03881a588acaef73a35014f4bcced2 Mon Sep 17 00:00:00 2001 From: liningjie Date: Wed, 6 Sep 2023 14:41:43 +0800 Subject: [PATCH 3/4] fix CVE-2023-36664 (cherry picked from commit b9c502be405874ffbfda421e35d4ac53954418cf) --- CVE-2023-36664.patch | 141 +++++++++++++++++++++++++++++++++++++++++++ ghostscript.spec | 6 +- 2 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-36664.patch diff --git a/CVE-2023-36664.patch b/CVE-2023-36664.patch new file mode 100644 index 0000000..a1a8c9a --- /dev/null +++ b/CVE-2023-36664.patch 
@@ -0,0 +1,141 @@ +From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 7 Jun 2023 10:23:06 +0100 +Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission + validation + +For regular file names, we try to simplfy relative paths before we use them. + +Because the %pipe% device can, effectively, accept command line calls, we +shouldn't be simplifying that string, because the command line syntax can end +up confusing the path simplifying code. That can result in permitting a pipe +command which does not match what was originally permitted. + +Special case "%pipe" in the validation code so we always deal with the entire +string. +--- + base/gpmisc.c | 31 +++++++++++++++++++-------- + base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++------------- + 2 files changed, 64 insertions(+), 23 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 5f39ebba7..2fb87f769 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem, + && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { + prefix_len = 0; + } +- rlen = len+1; +- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); +- if (bufferfull == NULL) +- return gs_error_VMerror; +- +- buffer = bufferfull + prefix_len; +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; + ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; ++ bufferfull = (char 
*)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); ++ if (bufferfull == NULL) ++ return gs_error_VMerror; ++ ++ buffer = bufferfull + prefix_len; ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + while (1) { + switch (mode[0]) + { +diff --git a/base/gslibctx.c b/base/gslibctx.c +index eb566ed06..d2a1aa91d 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len + 1; + +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) +@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; ++ /* "%pipe%" do not follow 
the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; + +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) { +-- +2.34.1 diff --git a/ghostscript.spec b/ghostscript.spec index df1bbbe..47e93d8 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 4 +Release: 5 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -20,6 +20,7 @@ Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch Patch2: backport-CVE-2022-2085.patch Patch3: CVE-2023-38559.patch Patch4: CVE-2023-28879.patch +Patch5: CVE-2023-36664.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -180,6 +181,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Wed Sep 6 2023 liningjie - 9.55.0-5 +- fix CVE-2023-36664 + * Thu Aug 24 2023 liningjie - 9.55.0-4 - fix CVE-2023-28879 -- Gitee From 220306563edb42ceec2abd2f99468947df6d4b5d Mon Sep 17 00:00:00 2001 
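Review bot: In the `%pipe`/`|` branch of `gp_validate_path_len`, `buffer` and `bufferfull` are the same `len + 1`-byte allocation and `prefix_len` keeps the value computed above the branch, whereas the regular branch reserves `prefix_len` extra bytes in front of `buffer`; any later use of `prefix_len` to prepend the current-directory prefix into `bufferfull` (the `while (1)` loop starts in this hunk but continues outside it) would then run on a buffer with no headroom and would also turn a pipe spec into a `./`-prefixed path. Adding `prefix_len = 0;` next to `rlen = len;` in the pipe branch removes that mismatch; I believe upstream published a follow-up to 505eab77 addressing this area, so check whether it needs backporting with this patch. The `memcmp(path, "%pipe", 5)` test is an exact-case 5-byte match, which suits the `%pipe%` device name but deserves a comment, e.g. `/* literal "%pipe" prefix only; other spellings still go through gp_file_name_reduce */`. The same prefix test is repeated three times across gpmisc.c and gslibctx.c; a small shared helper such as `gs_is_pipe_path(path, len)` would keep the three copies from drifting.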
From: dillon_chen
Date: Fri, 22 Sep 2023 16:03:49 +0800
Subject: [PATCH 4/4] CVE-2023-43115
---
 ...ry-and-secure-the-IJS-server-startup.patch | 57 +++++++++++++++++++
 ghostscript.spec | 9 ++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
diff --git a/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch b/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
new file mode 100644
index 0000000..531e4eb
--- /dev/null
+++ b/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
@@ -0,0 +1,57 @@ +From e59216049cac290fb437a04c4f41ea46826cfba5 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: [PATCH 01/44] IJS device - try and secure the IJS server startup + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the IJS device +after SAFER has been activated, and prevents changes to the IjsServer +parameter after SAFER has been activated. + +SAFER is activated, unless explicitly disabled, before any user +PostScript is executed which means that the device and the server +invocation can only be configured on the command line. This does at +least provide minimal security against malicious PostScript programs. 
+--- + devices/gdevijs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/devices/gdevijs.c b/devices/gdevijs.c +index 8cbd84b97..16f5a1752 100644 +--- a/devices/gdevijs.c ++++ b/devices/gdevijs.c +@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev) + static const char rgb[] = "DeviceRGB"; + gx_device_ijs *ijsdev = (gx_device_ijs *)dev; + ++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active) ++ return_error(gs_error_invalidaccess); + if (!ijsdev->ColorSpace) { + ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1, + "gsijs_initialize"); +@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) + if (code >= 0) + code = gsijs_read_string(plist, "IjsServer", + ijsdev->IjsServer, sizeof(ijsdev->IjsServer), +- dev->LockSafetyParams, is_open); ++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); + + if (code >= 0) + code = gsijs_read_string_malloc(plist, "DeviceManufacturer", +-- +2.33.0 + diff --git a/ghostscript.spec b/ghostscript.spec index 47e93d8..39bb85d 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,7 +9,7 @@ Name: ghostscript Version: 9.55.0 -Release: 5 +Release: 6 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ @@ -21,6 +21,7 @@ Patch2: backport-CVE-2022-2085.patch Patch3: CVE-2023-38559.patch Patch4: CVE-2023-28879.patch Patch5: CVE-2023-36664.patch +Patch6: backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -181,6 +182,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Fri Sep 22 2023 dillon chen - 9.55.0-6 +- Type:CVE +- ID:CVE-2023-43115 +- SUG:NA +- DESC:fix CVE-2023-43115 + * Wed Sep 6 2023 liningjie - 9.55.0-5 - fix CVE-2023-36664 -- Gitee
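Review bot: The early return `if (ijsdev->memory->gs_lib_ctx->core->path_control_active) return_error(gs_error_invalidaccess);` in `gsijs_initialize_device` is the entire security check and needs a why-comment at the point of use, because `path_control_active` is not an obvious stand-in for "SAFER is on": `/* Bug 707051: the IJS server is an arbitrary command line; once path control (SAFER) is active refuse to bring this device up, so it can only be chosen on the command line before user PostScript runs. */` (the function itself starts outside the hunk). In `gsijs_put_params` only the `IjsServer` read switches from `dev->LockSafetyParams` to `path_control_active`; the `DeviceManufacturer` read that closes the hunk is cut off mid-call, so check whether any other parameter that can influence the server command line still keys off `LockSafetyParams`. Since the commit message relies on SAFER being activated after command-line device setup, the backport should be exercised both ways on 9.55.0: `-sDEVICE=ijs` on the command line must still initialize, while selecting the device or setting `IjsServer` from a PostScript program must fail with `invalidaccess`. A minor style point: the file was generated as `[PATCH 01/44]` from a larger series; regenerating it with `git format-patch -1` avoids the misleading numbering.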