gnu: ghostscript: Fix CVE-2013-5653 and CVE-2016-{7976,7978,7979,8602}.

* gnu/packages/patches/ghostscript-CVE-2013-5653.patch,
gnu/packages/patches/ghostscript-CVE-2016-7976.patch,
gnu/packages/patches/ghostscript-CVE-2016-7978.patch,
gnu/packages/patches/ghostscript-CVE-2016-7979.patch,
gnu/packages/patches/ghostscript-CVE-2016-8602.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
(ghostscript/fixed): New variable.
(ghostscript/x): Inherit 'ghostscript/fixed'.
This commit is contained in:
Mark H Weaver 2016-10-13 03:20:46 -04:00
parent e940a2713d
commit 1de17a648f
No known key found for this signature in database
GPG Key ID: 7CEF29847562C516
7 changed files with 411 additions and 2 deletions

View File

@ -538,7 +538,12 @@ dist_patch_DATA = \
%D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gegl-CVE-2012-4433.patch \
%D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghostscript-CVE-2013-5653.patch \
%D%/packages/patches/ghostscript-CVE-2015-3228.patch \
%D%/packages/patches/ghostscript-CVE-2016-7976.patch \
%D%/packages/patches/ghostscript-CVE-2016-7978.patch \
%D%/packages/patches/ghostscript-CVE-2016-7979.patch \
%D%/packages/patches/ghostscript-CVE-2016-8602.patch \
%D%/packages/patches/ghostscript-runpath.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \

View File

@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;;
@ -127,6 +127,7 @@ printing, and psresize, for adjusting page sizes.")
(package
(name "ghostscript")
(version "9.14.0")
(replacement ghostscript/fixed)
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/ghostscript/gnu-ghostscript-"
@ -192,8 +193,21 @@ output file formats and printers.")
(license license:agpl3+)
(home-page "http://www.gnu.org/software/ghostscript/")))
(define ghostscript/fixed
(package
(inherit ghostscript)
(source (origin
(inherit (package-source ghostscript))
(patches (search-patches "ghostscript-CVE-2013-5653.patch"
"ghostscript-CVE-2015-3228.patch"
"ghostscript-CVE-2016-7976.patch"
"ghostscript-CVE-2016-7978.patch"
"ghostscript-CVE-2016-7979.patch"
"ghostscript-CVE-2016-8602.patch"
"ghostscript-runpath.patch"))))))
(define-public ghostscript/x
(package (inherit ghostscript)
(package (inherit ghostscript/fixed)
(name (string-append (package-name ghostscript) "-with-x"))
(inputs `(("libxext" ,libxext)
("libxt" ,libxt)

View File

@ -0,0 +1,85 @@
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
From ab109aaeb3ddba59518b036fb288402a65cf7ce8 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 5 Mar 2016 14:56:03 -0800
Subject: [PATCH] Bug 694724: Have filenameforall and getenv honor SAFER
---
Resource/Init/gs_init.ps | 2 ++
psi/zfile.c | 36 ++++++++++++++++++++----------------
2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index fa33d88..99888ac 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2018,6 +2018,7 @@ readonly def
/.locksafe {
.locksafe_userparams
+ systemdict /getenv {pop //false} put
% setpagedevice has the side effect of clearing the page, but
% we will just document that. Using setpagedevice keeps the device
% properties and pagedevice .LockSafetyParams in agreement even
@@ -2036,6 +2037,7 @@ readonly def
%%
/.locksafeglobal {
.locksafe_userparams
+ systemdict /getenv {pop //false} put
% setpagedevice has the side effect of clearing the page, but
% we will just document that. Using setpagedevice keeps the device
% properties and pagedevice .LockSafetyParams in agreement even
diff --git a/psi/zfile.c b/psi/zfile.c
index 320ecd5..0b9f299 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p)
if (len < devlen)
return_error(e_rangecheck); /* not even room for device len */
- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
- len - devlen);
- if (code == ~(uint) 0) { /* all done */
- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
- return o_pop_estack;
- } else if (code > len) /* overran string */
- return_error(e_rangecheck);
- else {
- push(1);
- ref_assign(op, pscratch);
- r_set_size(op, code + devlen);
- push_op_estack(file_continue); /* come again */
- *++esp = pscratch[2]; /* proc */
- return o_push_estack;
- }
+
+ do {
+ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+ len - devlen);
+ if (code == ~(uint) 0) { /* all done */
+ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
+ return o_pop_estack;
+ } else if (code > len) /* overran string */
+ return_error(e_rangecheck);
+ else if (iodev != iodev_default(imemory)
+ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
+ push(1);
+ ref_assign(op, pscratch);
+ r_set_size(op, code + devlen);
+ push_op_estack(file_continue); /* come again */
+ *++esp = pscratch[2]; /* proc */
+ return o_push_estack;
+ }
+ } while(1);
}
/* Cleanup procedure for enumerating files */
static int
--
2.9.1

View File

@ -0,0 +1,185 @@
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d
From 6d444c273da5499a4cd72f21cb6d4c9a5256807d Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 09:55:55 +0100
Subject: [PATCH] Bug 697178: Add a file permissions callback
For the rare occasions when the graphics library directly opens a file
(currently for reading), this allows us to apply any restrictions on
file access normally applied in the interpteter.
---
base/gsicc_manage.c | 10 ++++++----
base/gslibctx.c | 12 +++++++++++-
base/gslibctx.h | 7 +++++++
psi/imain.c | 2 ++
psi/int.mak | 2 +-
psi/zfile.c | 19 +++++++++++++++++++
psi/zfile.h | 7 +++++++
7 files changed, 53 insertions(+), 6 deletions(-)
diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c
index 931c2a6..e9c09c3 100644
--- a/base/gsicc_manage.c
+++ b/base/gsicc_manage.c
@@ -1028,10 +1028,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc,
}
/* First just try it like it is */
- str = sfopen(pname, "rb", mem_gc);
- if (str != NULL) {
- *strp = str;
- return 0;
+ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
+ str = sfopen(pname, "rb", mem_gc);
+ if (str != NULL) {
+ *strp = str;
+ return 0;
+ }
}
/* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eaa0458..37ce1ca 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -121,7 +121,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
mem->gs_lib_ctx = NULL;
return -1;
}
-
+ pio->client_check_file_permission = NULL;
gp_get_realtime(pio->real_time_0);
return 0;
@@ -262,3 +262,13 @@ void errflush(const gs_memory_t *mem)
fflush(mem->gs_lib_ctx->fstderr);
/* else nothing to flush */
}
+
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+ int code = 0;
+ if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
+ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
+ }
+ return code;
+}
diff --git a/base/gslibctx.h b/base/gslibctx.h
index 7a4e110..020e2d9 100644
--- a/base/gslibctx.h
+++ b/base/gslibctx.h
@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server;
# define gs_font_dir_DEFINED
typedef struct gs_font_dir_s gs_font_dir;
#endif
+
+typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
typedef struct gs_lib_ctx_s
{
gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */
@@ -59,6 +62,7 @@ typedef struct gs_lib_ctx_s
bool dict_auto_expand; /* ps dictionary: false level 1 true level 2 or 3 */
/* A table of local copies of the IODevices */
struct gx_io_device_s **io_device_table;
+ client_check_file_permission_t client_check_file_permission;
/* Define the default value of AccurateScreens that affects setscreen
and setcolorscreen. */
bool screen_accurate_screens;
@@ -108,6 +112,9 @@ int
void gs_lib_ctx_set_icc_directory(const gs_memory_t *mem_gc, const char* pname,
int dir_namelen);
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
#define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
#define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
diff --git a/psi/imain.c b/psi/imain.c
index 9a9bb5d..6874128 100644
--- a/psi/imain.c
+++ b/psi/imain.c
@@ -57,6 +57,7 @@
#include "ivmspace.h"
#include "idisp.h" /* for setting display device callback */
#include "iplugin.h"
+#include "zfile.h"
#ifdef PACIFY_VALGRIND
#include "valgrind.h"
@@ -215,6 +216,7 @@ gs_main_init1(gs_main_instance * minst)
"the_gs_name_table");
if (code < 0)
return code;
+ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
}
code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */
if (code < 0)
diff --git a/psi/int.mak b/psi/int.mak
index 4654afc..bb30d51 100644
--- a/psi/int.mak
+++ b/psi/int.mak
@@ -1868,7 +1868,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\
$(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
$(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
$(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)
+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)
$(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
#****** $(CCINT) interp.c
diff --git a/psi/zfile.c b/psi/zfile.c
index 2c6c958..2f27f82 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len,
return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
}
+/* z_check_file_permissions: see zfile.h for explanation
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
+ gs_parsed_file_name_t pname;
+ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
+ int code = gs_parse_file_name(&pname, fname, len, imemory);
+ if (code < 0)
+ return code;
+
+ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
+ return e_invalidfileaccess;
+
+ code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
+ return code;
+}
+
/* <name_string> <access_string> file <file> */
int /* exported for zsysvm.c */
zfile(i_ctx_t *i_ctx_p)
diff --git a/psi/zfile.h b/psi/zfile.h
index fdf1373..a9399c7 100644
--- a/psi/zfile.h
+++ b/psi/zfile.h
@@ -22,4 +22,11 @@
int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
const char *file_access, stream **ps, gs_memory_t *mem);
+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
+ * to allow applying the above permissions checks when opening file(s) from
+ * the graphics library
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname,
+ const int len, const char *permission);
#endif
--
2.9.1

View File

@ -0,0 +1,25 @@
From 6f749c0c44e7b9e09737b9f29edf29925a34f0cf Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 09:59:25 +0100
Subject: [PATCH] Bug 697179: Reference count device icc profile
when copying a device
---
base/gsdevice.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/gsdevice.c b/base/gsdevice.c
index 778106f..aea986a 100644
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem,
dev->memory = mem;
dev->retained = !internal;
rc_init(dev, mem, (internal ? 0 : 1));
+ rc_increment(dev->icc_struct);
}
void
--
2.9.1

View File

@ -0,0 +1,48 @@
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=875a0095f37626a721c7ff57d606a0f95af03913
From 875a0095f37626a721c7ff57d606a0f95af03913 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 5 Oct 2016 10:10:58 +0100
Subject: [PATCH] DSC parser - validate parameters
Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it."
Regardless of any security implications, its simply wrong for a PostScript
operator not to validate its parameter(s).
No differences expected.
---
psi/zdscpars.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/psi/zdscpars.c b/psi/zdscpars.c
index c05e154..9b4b605 100644
--- a/psi/zdscpars.c
+++ b/psi/zdscpars.c
@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
ref local_ref;
int code;
os_ptr const op = osp;
- dict * const pdict = op->value.pdict;
- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
- dsc_data_t * const data =
- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+ dict *pdict;
+ gs_memory_t *mem;
+ dsc_data_t *data;
+ check_read_type(*op, t_dictionary);
+
+ pdict = op->value.pdict;
+ mem = (gs_memory_t *)dict_memory(pdict);
+
+ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
if (!data)
return_error(e_VMerror);
data->document_level = 0;
--
2.9.1

View File

@ -0,0 +1,47 @@
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78
From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 8 Oct 2016 16:10:27 +0100
Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5
and param types
---
psi/zht2.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/psi/zht2.c b/psi/zht2.c
index fb4a264..dfa27a4 100644
--- a/psi/zht2.c
+++ b/psi/zht2.c
@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
gs_memory_t *mem;
uint edepth = ref_stack_count(&e_stack);
int npop = 2;
- int dict_enum = dict_first(op);
+ int dict_enum;
ref rvalue[2];
int cname, colorant_number;
byte * pname;
uint name_size;
int halftonetype, type = 0;
gs_state *pgs = igs;
- int space_index = r_space_index(op - 1);
+ int space_index;
+
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(e_stackunderflow);
+ check_type(*op, t_dictionary);
+ check_type(*(op - 1), t_dictionary);
+
+ dict_enum = dict_first(op);
+ space_index = r_space_index(op - 1);
mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
--
2.9.1