aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2018-11-05 16:03:36 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-11-06 11:54:30 +0000
commit6098c19e1f179896af7013c4b5db3081549c97bc (patch)
tree03349714444f010876d773ec16af365a060ab7fb /meta/recipes-extended
parent6c32ea184941d292cd8f0eb898e6cc90120ada40 (diff)
downloadopenembedded-core-contrib-6098c19e1f179896af7013c4b5db3081549c97bc.tar.gz
openembedded-core-contrib-6098c19e1f179896af7013c4b5db3081549c97bc.tar.bz2
openembedded-core-contrib-6098c19e1f179896af7013c4b5db3081549c97bc.zip
ghostscript: fix CVE-2018-18073
Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r--meta/recipes-extended/ghostscript/files/0006-Undefine-some-additional-internal-operators.patch42
-rw-r--r--meta/recipes-extended/ghostscript/files/0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch197
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.25.bb2
3 files changed, 241 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/files/0006-Undefine-some-additional-internal-operators.patch b/meta/recipes-extended/ghostscript/files/0006-Undefine-some-additional-internal-operators.patch
new file mode 100644
index 0000000000..19cf7cc8c0
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/files/0006-Undefine-some-additional-internal-operators.patch
@@ -0,0 +1,42 @@
+From 37d7c9117b70e75ebed21c6c8192251f127c0fb0 Mon Sep 17 00:00:00 2001
+From: Nancy Durgin <nancy.durgin@artifex.com>
+Date: Mon, 5 Nov 2018 15:36:27 +0800
+Subject: [PATCH 1/2] Undefine some additional internal operators.
+
+.type, .writecvs, .setSMask, .currentSMask
+
+These don't seem to be referenced anywhere outside of the initialization code,
+which binds their usages. Passes cluster if they are removed.
+
+CVE: CVE-2018-18073
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ Resource/Init/gs_init.ps | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index f952f32..7c71d18 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2230,6 +2230,7 @@ SAFER { .setsafeglobal } if
+ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
++ /.type /.writecvs /.setSMask /.currentSMask
+
+ % Used by a free user in the Library of Congress. Apparently this is used to
+ % draw a partial page, which is then filled in by the results of a barcode
+@@ -2248,7 +2249,7 @@ SAFER { .setsafeglobal } if
+ % test files/utilities, or engineers expressed a desire to keep them visible.
+ %
+ %/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11
+- %/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
++ %/.buildfont32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
+ %/currentdevice /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget
+ %/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9
+ %/.tempfile /.numicc_components /.set_outputintent /.max /.min /.vmreclaim /.getpath /.setglobal
+--
+2.7.4
+
diff --git a/meta/recipes-extended/ghostscript/files/0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch b/meta/recipes-extended/ghostscript/files/0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch
new file mode 100644
index 0000000000..ad66fc3d6e
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/files/0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch
@@ -0,0 +1,197 @@
+From 430f39144244ba4fd7b720cf87031e415e0fabce Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 5 Nov 2018 15:42:52 +0800
+Subject: [PATCH 2/2] Bug 699927: don't include operator arrays in execstack
+ output
+
+When we transfer the contents of the execution stack into the array, take the
+extra step of replacing any operator arrays on the stack with the operator
+that reference them.
+
+This prevents the contents of Postscript defined, internal only operators (those
+created with .makeoperator) being exposed via execstack (and thus, via error
+handling).
+
+This necessitates a change in the resource remapping 'resource', which contains
+a procedure which relies on the contents of the operators arrays being present.
+As we already had internal-only variants of countexecstack and execstack
+(.countexecstack and .execstack) - using those, and leaving thier operation
+including the operator arrays means the procedure continues to work correctly.
+
+Both .countexecstack and .execstack are undefined after initialization.
+
+Also, when we store the execstack (or part thereof) for an execstackoverflow
+error, make the same oparray/operator substitution as above for execstack.
+
+CVE: CVE-2018-18073
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ Resource/Init/gs_init.ps | 4 ++--
+ Resource/Init/gs_resmp.ps | 2 +-
+ psi/int.mak | 2 +-
+ psi/interp.c | 14 +++++++++++---
+ psi/interp.h | 2 ++
+ psi/zcontrol.c | 13 ++++++++++---
+ 6 files changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 7c71d18..f4c1053 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2191,7 +2191,7 @@ SAFER { .setsafeglobal } if
+ %% but can be easily restored (just delete the name from the list in the array). In future
+ %% we may remove the operator and the code implementation entirely.
+ [
+- /.bitadd /.charboxpath /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter
++ /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter
+ /.execfile /.filenamesplit /.file_name_parent
+ /.setdefaultmatrix /.isprocfilter /.unread /.psstringencode
+ /.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength
+@@ -2230,7 +2230,7 @@ SAFER { .setsafeglobal } if
+ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
+- /.type /.writecvs /.setSMask /.currentSMask
++ /.type /.writecvs /.setSMask /.currentSMask /.countexecstack /.execstack
+
+ % Used by a free user in the Library of Congress. Apparently this is used to
+ % draw a partial page, which is then filled in by the results of a barcode
+diff --git a/Resource/Init/gs_resmp.ps b/Resource/Init/gs_resmp.ps
+index 7cacaf8..9bb4263 100644
+--- a/Resource/Init/gs_resmp.ps
++++ b/Resource/Init/gs_resmp.ps
+@@ -183,7 +183,7 @@ setpacking
+ % We don't check them.
+
+ currentglobal //false setglobal % <object> bGlobal
+- countexecstack array execstack % <object> bGlobal [execstack]
++ //false .countexecstack array //false .execstack % <object> bGlobal [execstack]
+ dup //null exch % <object> bGlobal [execstack] null [execstack]
+ length 3 sub -1 0 { % <object> bGlobal [execstack] null i
+ 2 index exch get % <object> bGlobal [execstack] null proc
+diff --git a/psi/int.mak b/psi/int.mak
+index 5d9b3d5..6ab5bf0 100644
+--- a/psi/int.mak
++++ b/psi/int.mak
+@@ -323,7 +323,7 @@ $(PSOBJ)zarray.$(OBJ) : $(PSSRC)zarray.c $(OP) $(memory__h)\
+
+ $(PSOBJ)zcontrol.$(OBJ) : $(PSSRC)zcontrol.c $(OP) $(string__h)\
+ $(estack_h) $(files_h) $(ipacked_h) $(iutil_h) $(store_h) $(stream_h)\
+- $(INT_MAK) $(MAKEDIRS)
++ $(interp_h) $(INT_MAK) $(MAKEDIRS)
+ $(PSCC) $(PSO_)zcontrol.$(OBJ) $(C_) $(PSSRC)zcontrol.c
+
+ $(PSOBJ)zdict.$(OBJ) : $(PSSRC)zdict.c $(OP)\
+diff --git a/psi/interp.c b/psi/interp.c
+index b70769d..6dc0dda 100644
+--- a/psi/interp.c
++++ b/psi/interp.c
+@@ -142,7 +142,6 @@ static int oparray_pop(i_ctx_t *);
+ static int oparray_cleanup(i_ctx_t *);
+ static int zerrorexec(i_ctx_t *);
+ static int zfinderrorobject(i_ctx_t *);
+-static int errorexec_find(i_ctx_t *, ref *);
+ static int errorexec_pop(i_ctx_t *);
+ static int errorexec_cleanup(i_ctx_t *);
+ static int zsetstackprotect(i_ctx_t *);
+@@ -761,7 +760,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
+ {
+ uint size = ref_stack_count(pstack) - skip;
+ uint save_space = ialloc_space(idmemory);
+- int code;
++ int code, i;
+
+ if (size > 65535)
+ size = 65535;
+@@ -770,6 +769,15 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
+ if (code >= 0)
+ code = ref_stack_store(pstack, arr, size, 0, 1, true, idmemory,
+ "copy_stack");
++ /* If we are copying the exec stack, try to replace any oparrays with
++ * with the operator than references them
++ */
++ if (pstack == &e_stack) {
++ for (i = 0; i < size; i++) {
++ if (errorexec_find(i_ctx_p, &arr->value.refs[i]) < 0)
++ make_null(&arr->value.refs[i]);
++ }
++ }
+ ialloc_set_space(idmemory, save_space);
+ return code;
+ }
+@@ -1934,7 +1942,7 @@ zfinderrorobject(i_ctx_t *i_ctx_p)
+ * .errorexec with errobj != null, store it in *perror_object and return 1,
+ * otherwise return 0;
+ */
+-static int
++int
+ errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object)
+ {
+ long i;
+diff --git a/psi/interp.h b/psi/interp.h
+index e9275b9..4f551d1 100644
+--- a/psi/interp.h
++++ b/psi/interp.h
+@@ -91,5 +91,7 @@ void gs_interp_reset(i_ctx_t *i_ctx_p);
+ /* Define the top-level interface to the interpreter. */
+ int gs_interpret(i_ctx_t **pi_ctx_p, ref * pref, int user_errors,
+ int *pexit_code, ref * perror_object);
++int
++errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object);
+
+ #endif /* interp_INCLUDED */
+diff --git a/psi/zcontrol.c b/psi/zcontrol.c
+index 36da22c..0362cf4 100644
+--- a/psi/zcontrol.c
++++ b/psi/zcontrol.c
+@@ -24,6 +24,7 @@
+ #include "ipacked.h"
+ #include "iutil.h"
+ #include "store.h"
++#include "interp.h"
+
+ /* Forward references */
+ static int check_for_exec(const_os_ptr);
+@@ -787,7 +788,7 @@ zexecstack2(i_ctx_t *i_ctx_p)
+ /* Continuation operator to do the actual transfer. */
+ /* r_size(op1) was set just above. */
+ static int
+-do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
++do_execstack(i_ctx_t *i_ctx_p, bool include_marks, bool include_oparrays, os_ptr op1)
+ {
+ os_ptr op = osp;
+ ref *arefs = op1->value.refs;
+@@ -829,6 +830,12 @@ do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1)
+ strlen(tname), (const byte *)tname);
+ break;
+ }
++ case t_array:
++ case t_shortarray:
++ case t_mixedarray:
++ if (!include_oparrays && errorexec_find(i_ctx_p, rq) < 0)
++ make_null(rq);
++ break;
+ default:
+ ;
+ }
+@@ -841,14 +848,14 @@ execstack_continue(i_ctx_t *i_ctx_p)
+ {
+ os_ptr op = osp;
+
+- return do_execstack(i_ctx_p, false, op);
++ return do_execstack(i_ctx_p, false, false, op);
+ }
+ static int
+ execstack2_continue(i_ctx_t *i_ctx_p)
+ {
+ os_ptr op = osp;
+
+- return do_execstack(i_ctx_p, op->value.boolval, op - 1);
++ return do_execstack(i_ctx_p, op->value.boolval, true, op - 1);
+ }
+
+ /* - .needinput - */
+--
+2.7.4
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.25.bb b/meta/recipes-extended/ghostscript/ghostscript_9.25.bb
index 55251a55d4..28521f3c4b 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.25.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.25.bb
@@ -30,6 +30,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
file://0003-Bug-699832-add-control-over-hiding-error-handlers.patch \
file://0004-For-hidden-operators-pass-a-name-object-to-error-han.patch \
file://0005-Bug-699938-.loadfontloop-must-be-an-operator.patch \
+ file://0006-Undefine-some-additional-internal-operators.patch \
+ file://0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch \
"
SRC_URI = "${SRC_URI_BASE} \