wok-current rev 25679
Patch ghostscript CVE-2023-36664
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Fri Mar 08 13:06:31 2024 +0000 (8 months ago) |
parents | c6586b983edd |
children | 36a7b2c61bce |
files | ghostscript/receipt ghostscript/stuff/CVE-2023-36664-1.patch ghostscript/stuff/CVE-2023-36664-2.patch |
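--- a/ghostscript/receipt Thu Mar 07 20:38:36 2024 +0000
+++ b/ghostscript/receipt Fri Mar 08 13:06:31 2024 +0000
@@ -33,6 +33,10 @@
 # force it to use system-libs
 rm -rf jpeg libpng zlib jasper expat
 
+ # Patch for CVE-2023-36664
+ patch -p1 < $stuff/CVE-2023-36664-1.patch
+ patch -p1 < $stuff/CVE-2023-36664-2.patch
+
 # --disable-compile-inits is needed for linking with system-zlib
 ./configure \
 --prefix=/usr \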
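Review bot: Neither added `patch` call is checked, so if a hunk fails to apply the build appears to carry on into `./configure` and produce a package described as fixed for CVE-2023-36664 without the fix; whether the receipt runs under errexit is not visible in this hunk. Failing the build on a bad apply, e.g. `patch -p1 < "$stuff/CVE-2023-36664-1.patch" || return 1` (or `exit 1` if this is not inside a function), closes that gap, and quoting `$stuff` guards against spaces in the path. A comment such as `# -2 corrects an inverted test in -1; apply both or neither` would record why the two files must stay together. The enclosing build rule starts and ends outside the hunk.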
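--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ghostscript/stuff/CVE-2023-36664-1.patch Fri Mar 08 13:06:31 2024 +0000
@@ -0,0 +1,143 @@
+From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
+ validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+---
+ base/gpmisc.c | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 5f39ebba7..2fb87f769 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+ && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+ prefix_len = 0;
+ }
+- rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+- if (bufferfull == NULL)
+- return gs_error_VMerror;
+-
+- buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
+
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++ if (bufferfull == NULL)
++ return gs_error_VMerror;
++
++ buffer = bufferfull + prefix_len;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+ while (1) {
+ switch (mode[0])
+ {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index eb566ed06..d2a1aa91d 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len + 1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++)
+@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++) {
+--
+2.34.1
+
+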
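Review bot: On the reduce branch of each of the three hunks, `return gs_error_invalidfileaccess;` follows a successful `gs_alloc_bytes` with no release of `bufferfull` (gpmisc.c) or `buffer` (gslibctx.c), so a rejected path appears to leak the allocation; the removed lines had the same shape, so the patch carries the leak forward rather than introducing it. Releasing before the return, e.g. `gs_free_object(core->memory, buffer, "gs_add_control_path_len");` in the gslibctx.c case, would close it, assuming nothing outside the hunk owns the buffer. Separately, the `memcmp(path, "%pipe", 5) != 0` test added here sends non-pipe names down the no-reduce branch and is only correct once CVE-2023-36664-2.patch is applied on top, so the two files should be handled as one change. All three functions begin and end outside the hunks.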
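--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ghostscript/stuff/CVE-2023-36664-2.patch Fri Mar 08 13:06:31 2024 +0000
@@ -0,0 +1,57 @@
+From 0974e4f2ac0005d3731e0b5c13ebc7e965540f4d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+---
+ base/gpmisc.c | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 58511270e..2b0064bea 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1081,7 +1081,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index d2a1aa91d..42af99090 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -743,7 +743,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+@@ -850,7 +850,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+--
+2.34.1
+
+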
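Review bot: In all three rewritten conditions `path[0] == '|'` is evaluated before any length test, so a call with `len == 0` reads a byte outside the length the caller passed; writing it as `(len > 0 && path[0] == '|')` keeps the check inside that length, unless a guard above these hunks already rejects empty paths. The `%pipe` test also compares only five bytes, so any name that merely begins with `%pipe` takes the no-reduce branch, not just the `%pipe%` device the comment names; comparing the six-byte prefix `"%pipe%"` would make the code agree with the comment. Each of the three functions starts and ends outside its hunk, so the surrounding length and NULL handling could not be checked from this page.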