1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
|
From 4203e04ef9e6ca22ed68a1ab10a878aa9ceaeedc Mon Sep 17 00:00:00 2001
From: Ray Johnston <ray.johnston@artifex.com>
Date: Thu, 14 Feb 2019 10:20:03 -0800
Subject: [PATCH] Fix bug 700585: Restrict superexec and remove it from
internals and gs_cet.ps
Also while changing things, restructure the CETMODE so that it will
work with -dSAFER. The gs_cet.ps is now run when we are still at save
level 0 with systemdict writeable. Allows us to undefine .makeoperator
and .setCPSImode internal operators after CETMODE is handled.
Change previous uses of superexec to using .forceput (with the usual
.bind executeonly to hide it).
CVE: CVE-2019-3835
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
Resource/Init/gs_cet.ps | 38 ++++++++++++++------------------------
Resource/Init/gs_dps1.ps | 2 +-
Resource/Init/gs_fonts.ps | 8 ++++----
Resource/Init/gs_init.ps | 38 +++++++++++++++++++++++++++-----------
Resource/Init/gs_ttf.ps | 8 ++++----
Resource/Init/gs_type1.ps | 6 +++---
6 files changed, 53 insertions(+), 47 deletions(-)
diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps
index dbc5c4e..3cc6883 100644
--- a/Resource/Init/gs_cet.ps
+++ b/Resource/Init/gs_cet.ps
@@ -1,37 +1,29 @@
%!PS
% Set defaults for Ghostscript to match Adobe CPSI behaviour for CET
-/.odef { % <name> <proc> odef -
- 1 index exch .makeoperator def
-} bind def
-
+% skip if we've already run this -- based on fake "product"
systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq
{
(%END GS_CET) .skipeof
} if
-% do this in the server level so it is persistent across jobs
-//true 0 startjob not {
- (*** Warning: CET startup is not in server default) = flush
-} if
+% Note: this must be run at save level 0 and when systemdict is writeable
+currentglobal //true setglobal
+systemdict dup dup dup
+/version (3017.102) readonly .forceput % match CPSI 3017.102
+/product (PhotoPRINT SE 5.0v2) readonly .forceput % match CPSI 3017.102
+/revision 0 put % match CPSI 3017.103 Tek shows revision 5
+/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI 3017.102 Tek shows serialnumber 1401788461
+
+systemdict /.odef { % <name> <proc> odef -
+ 1 index exch //.makeoperator def
+} .bind .forceput % this will be undefined at the end
300 .sethiresscreen % needed for language switch build since it
% processes gs_init.ps BEFORE setting the resolution
0 array 0 setdash % CET 09-08 wants local setdash
-currentglobal //true setglobal
-
-{
- systemdict dup dup dup
- /version (3017.102) readonly put % match CPSI 3017.102
- /product (PhotoPRINT SE 5.0v2) readonly put % match CPSI 3017.102
- /revision 0 put % match CPSI 3017.103 Tek shows revision 5
- /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461
- systemdict /deviceinfo undef % for CET 20-23-1
-% /UNROLLFORMS true put % CET files do unreasonable things inside forms
-} 1183615869 internaldict /superexec get exec
-
/UNROLLFORMS true def
(%.defaultbgrucrproc) cvn { } bind def
@@ -118,9 +110,7 @@ userdict /.smoothness currentsmoothness put
ofnfa
} bind def
-currentdict /.odef undef
-% end of slightly nasty hack to give consistent cluster results
-
-//false 0 startjob pop % re-enter encapsulated mode
+systemdict /.odef .undef
+% end of slightly nasty hack to give consistent cluster results
%END GS_CET
diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
index 3d2cf7a..c4fd839 100644
--- a/Resource/Init/gs_dps1.ps
+++ b/Resource/Init/gs_dps1.ps
@@ -89,7 +89,7 @@ level2dict begin
% definition, copy it into the local directory.
//systemdict /SharedFontDirectory .knownget
{ 1 index .knownget
- { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
+ { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly
if
}
if
diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
index 0562235..f2b4e19 100644
--- a/Resource/Init/gs_fonts.ps
+++ b/Resource/Init/gs_fonts.ps
@@ -519,11 +519,11 @@ buildfontdict 3 /.buildfont3 cvx put
% the font in LocalFontDirectory.
.currentglobal
{ //systemdict /LocalFontDirectory .knownget
- { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
+ { 2 index 2 index .forceput } % readonly
if
}
if
- dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
+ dup //.FontDirectory 4 -2 roll .forceput % readonly
% If the font originated as a resource, register it.
currentfile .currentresourcefile eq { dup .registerfont } if
readonly
@@ -1191,13 +1191,13 @@ $error /SubstituteFont { } put
//.FontDirectory 1 index known not {
2 dict dup /FontName 3 index put
dup /FontType 1 put
- //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
+ //.FontDirectory 3 1 roll //.forceput exec % readonly
} {
pop
} ifelse
} forall
} forall
- }
+ } executeonly % hide .forceput
FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
% Install initial fonts from Fontmap.
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 80d9585..0d5c4f7 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2188,9 +2188,6 @@ SAFER { .setsafeglobal } if
/.endtransparencygroup % transparency-example.ps
/.setdotlength % Bug687720.ps
/.sort /.setdebug /.mementolistnewblocks /getenv
-
- /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER
-
/unread
]
{systemdict exch .forceundef} forall
@@ -2270,7 +2267,6 @@ SAFER { .setsafeglobal } if
% Used by our own test suite files
%/.fileposition %image-qa.ps
- %/.makeoperator /.setCPSImode % gs_cet.ps
% Either our code uses these in ways which mean they can't be undefined, or they are used directly by
% test files/utilities, or engineers expressed a desire to keep them visible.
@@ -2457,6 +2453,16 @@ end
/vmreclaim where
{ pop NOGC not { 2 .vmreclaim 0 vmreclaim } if
} if
+
+% Do this before systemdict is locked (see below for additional CETMODE setup using gs_cet.ps)
+systemdict /CETMODE .knownget {
+ {
+ (gs_cet.ps) runlibfile
+ } if
+} if
+systemdict /.makeoperator .undef % must be after gs_cet.ps
+systemdict /.setCPSImode .undef % must be after gs_cet.ps
+
DELAYBIND not {
systemdict /.bindnow .undef % We only need this for DELAYBIND
systemdict /.forcecopynew .undef % remove temptation
@@ -2464,16 +2470,29 @@ DELAYBIND not {
systemdict /.forceundef .undef % ditto
} if
-% Move superexec to internaldict if superexec is defined.
-systemdict /superexec .knownget {
- 1183615869 internaldict /superexec 3 -1 roll put
- systemdict /superexec .undef
+% Move superexec to internaldict if superexec is defined. (Level 2 or later)
+systemdict /superexec known {
+ % restrict superexec to single known use by PScript5.dll
+ % We could do this only for SAFER mode, but internaldict and superexec are
+ % not very well documented, and we don't want them to be used.
+ 1183615869 internaldict /superexec {
+ 2 index /Private eq % first check for typical use in PScript5.dll
+ 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec
+ 1 index 0 get systemdict /put get eq and
+ {
+ //superexec exec % the only usage we allow
+ } {
+ /superexec load /invalidaccess signalerror
+ } ifelse
+ } bind cvx executeonly put
+ systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator
} if
% Can't remove this one until the last minute :-)
DELAYBIND not {
systemdict /.undef .undef
} if
+
WRITESYSTEMDICT {
SAFER {
(\n *** WARNING - you have selected SAFER, indicating you want Ghostscript\n) print
@@ -2500,7 +2519,4 @@ WRITESYSTEMDICT {
% be 'true' in some cases.
userdict /AGM_preserve_spots //false put
-systemdict /CETMODE .knownget
-{ { (gs_cet.ps) runlibfile } if } if
-
% The interpreter will run the initial procedure (start).
diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps
index 05943c5..da97afa 100644
--- a/Resource/Init/gs_ttf.ps
+++ b/Resource/Init/gs_ttf.ps
@@ -1421,7 +1421,7 @@ mark
TTFDEBUG { (\n1 setting alias: ) print dup ==only
( to be the same as ) print 2 index //== exec } if
- 7 index 2 index 3 -1 roll exch //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+ 7 index 2 index 3 -1 roll exch .forceput
} forall
pop pop pop
}
@@ -1439,7 +1439,7 @@ mark
exch pop
TTFDEBUG { (\n2 setting alias: ) print 1 index ==only
( to use glyph index: ) print dup //== exec } if
- 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+ 5 index 3 1 roll .forceput
//false
}
{
@@ -1456,7 +1456,7 @@ mark
{ % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer)
TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only
( to be index: ) print dup //== exec } if
- exch pop 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+ exch pop 5 index 3 1 roll .forceput
}
{
pop pop
@@ -1486,7 +1486,7 @@ mark
} ifelse
]
TTFDEBUG { (Encoding: ) print dup === flush } if
-} bind def
+} .bind executeonly odef % hides .forceput
% to be removed 9.09......
currentdict /postalias undef
diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
index 96e1ced..61f5269 100644
--- a/Resource/Init/gs_type1.ps
+++ b/Resource/Init/gs_type1.ps
@@ -116,7 +116,7 @@
{ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname aglname
CFFDEBUG { (\nsetting alias: ) print dup ==only
( to be the same as glyph: ) print 1 index //== exec } if
- 3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+ 3 index exch 3 index .forceput
% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
}
{pop} ifelse
@@ -135,7 +135,7 @@
3 1 roll pop pop
} if
pop
- dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+ dup /.AGLprocessed~GS //true .forceput
} if
%% We need to excute the C .buildfont1 in a stopped context so that, if there
@@ -148,7 +148,7 @@
{//.buildfont1} stopped
4 3 roll .setglobal
{//.buildfont1 $error /errorname get signalerror} if
- } bind def
+ } .bind executeonly def % hide .forceput
% If the diskfont feature isn't included, define a dummy .loadfontdict.
/.loadfontdict where
--
2.20.1
|
