From 2796d4231d6c7bc5d71b5361828c16f2edaea173 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mon, 03 Dec 2018 21:14:53 +0000
Subject: [PATCH] import ghostscript-9.07-31.el7_6.3

---
 SOURCES/ghostscript-cve-2018-15908.patch    |   51 --------
 SOURCES/ghostscript-restore-flushpage.patch |   54 +++++++++
 SPECS/ghostscript.spec                      |   31 ++++
 SOURCES/ghostscript-cve-2018-16863.patch    |  169 ++++++++++++++++++++++++++++
 SOURCES/ghostscript-cve-2018-16539.patch    |   51 ++++++++
 5 files changed, 301 insertions(+), 55 deletions(-)

diff --git a/SOURCES/ghostscript-cve-2018-15908.patch b/SOURCES/ghostscript-cve-2018-15908.patch
index 8403f23..1a9849c 100644
--- a/SOURCES/ghostscript-cve-2018-15908.patch
+++ b/SOURCES/ghostscript-cve-2018-15908.patch
@@ -5,22 +5,6 @@
 Bug 699657: properly apply file permissions to .tempfile
 
 https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0d3901189f245232f0161addf215d7268c4d05a3
-
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Tue, 21 Aug 2018 19:17:51 +0000 (+0100)
-Subject: Bug 699658: Fix handling of pre-SAFER opened files.
-
-Bug 699658: Fix handling of pre-SAFER opened files.
-
-Temp files opened for writing before SAFER is engaged are not subject to the
-SAFER restrictions - that is handled by recording in a dictionary, and
-checking that as part of the permissions checks.
-
-By adding a custom error handler for invalidaccess, that allowed the filename
-to be added to the dictionary (despite the attempted open throwing the error)
-thus meaning subsequent accesses were erroneously permitted.
-
-https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a054156d425b4dbdaaa9fda4b5f1182b27598c2b
 ---
 
 diff -up a/psi/zfile.c.cve-2018-15908 b/psi/zfile.c
@@ -168,37 +152,4 @@
          return_error(e_invalidfileaccess);
      return 0;
  }
-diff -up a/Resource/Init/gs_init.ps.cve-2018-15908 b/Resource/Init/gs_init.ps
---- a/Resource/Init/gs_init.ps.cve-2018-15908	2018-11-14 16:34:23.268867657 +0100
-+++ b/Resource/Init/gs_init.ps	2018-11-14 16:36:38.765552576 +0100
-@@ -2015,6 +2015,19 @@ readonly def
-             concatstrings concatstrings .generate_dir_list_templates
-         } if
-       ]
-+      /PermitFileWriting [
-+          currentuserparams /PermitFileWriting get aload pop
-+          (TMPDIR) getenv not
-+          {
-+            (TEMP) getenv not
-+            {
-+              (TMP) getenv not
-+              {
-+                (/temp) (/tmp)
-+              } if
-+            } if
-+          } if
-+      ]
-       /LockFilePermissions //true
-     >> setuserparams
-   }
-@@ -2062,7 +2075,9 @@ readonly def
- % the file can be deleted later, even if SAFER is set.
- /.tempfile {
-   .tempfile	% filename file
--  //SAFETY /tempfiles get 2 .argindex //true .forceput
-+    //SAFETY /safe get not { % only add the filename if we're not yet safe
-+    //SAFETY /tempfiles get 2 .argindex //true .forceput
-+  } if
- } .bind executeonly odef
- 
- % If we are running in SAFER mode, lock things down
+ 
\ No newline at end of file
diff --git a/SOURCES/ghostscript-cve-2018-16539.patch b/SOURCES/ghostscript-cve-2018-16539.patch
new file mode 100644
index 0000000..72f056f
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2018-16539.patch
@@ -0,0 +1,51 @@
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 21 Aug 2018 19:17:51 +0000 (+0100)
+Subject: Bug 699658: Fix handling of pre-SAFER opened files.
+
+Bug 699658: Fix handling of pre-SAFER opened files.
+
+Temp files opened for writing before SAFER is engaged are not subject to the
+SAFER restrictions - that is handled by recording in a dictionary, and
+checking that as part of the permissions checks.
+
+By adding a custom error handler for invalidaccess, that allowed the filename
+to be added to the dictionary (despite the attempted open throwing the error)
+thus meaning subsequent accesses were erroneously permitted.
+
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a054156d425b4dbdaaa9fda4b5f1182b27598c2b
+---
+
+diff -up a/Resource/Init/gs_init.ps.cve-2018-16539 b/Resource/Init/gs_init.ps
+--- a/Resource/Init/gs_init.ps.cve-2018-16539	2018-11-14 16:34:23.268867657 +0100
++++ b/Resource/Init/gs_init.ps	2018-11-14 16:36:38.765552576 +0100
+@@ -2015,6 +2015,19 @@ readonly def
+             concatstrings concatstrings .generate_dir_list_templates
+         } if
+       ]
++      /PermitFileWriting [
++          currentuserparams /PermitFileWriting get aload pop
++          (TMPDIR) getenv not
++          {
++            (TEMP) getenv not
++            {
++              (TMP) getenv not
++              {
++                (/temp) (/tmp)
++              } if
++            } if
++          } if
++      ]
+       /LockFilePermissions //true
+     >> setuserparams
+   }
+@@ -2062,7 +2075,9 @@ readonly def
+ % the file can be deleted later, even if SAFER is set.
+ /.tempfile {
+   .tempfile	% filename file
+-  //SAFETY /tempfiles get 2 .argindex //true .forceput
++    //SAFETY /safe get not { % only add the filename if we're not yet safe
++    //SAFETY /tempfiles get 2 .argindex //true .forceput
++  } if
+ } .bind executeonly odef
+ 
+ % If we are running in SAFER mode, lock things down
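Review bot: The new `.tempfile` wrapper at @@ -2062 adds a filename to the tempfiles dictionary only while `//SAFETY /safe` is false, but nothing in the patch records why a file created after `.setsafe` needs no entry there; a one-line PostScript comment would keep that intent through future rebases, e.g. `% after .setsafe the temp dirs are already in PermitFileWriting, so the exemption is not widened`. The added `//SAFETY /safe get not {` line is indented four spaces while its closing `} if` and the rest of the procedure body use two. The procedure that owns the `PermitFileWriting` block at @@ -2015 starts and ends outside the nested hunk, so only the inserted entries are visible here.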
diff --git a/SOURCES/ghostscript-cve-2018-16863.patch b/SOURCES/ghostscript-cve-2018-16863.patch
new file mode 100644
index 0000000..0704fd4
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2018-16863.patch
@@ -0,0 +1,169 @@
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Sat, 25 Aug 2018 06:45:45 +0000 (+0100)
+Subject: Bug 699654(2): preserve LockSafetyParams in the nulldevice
+
+Bug 699654(2): preserve LockSafetyParams in the nulldevice
+
+The nulldevice does not necessarily use the normal setpagedevice machinery,
+but can be set using the nulldevice operator. In which case, we don't preserve
+the settings from the original device (in the way setpagedevice does).
+
+Since nulldevice does nothing, this is not generally a problem, but in the case
+of LockSafetyParams it *is* important when we restore back to the original
+device, when LockSafetyParams not being set is "preserved" into the post-
+restore configuration.
+
+We have to initialise the value to false because the nulldevice is used during
+initialisation (before any other device exists), and *must* be writable for
+that.
+
+http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=79cccf641486a6595c43f1de1cd7ade696020a31
+
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 28 Aug 2018 15:27:53 +0000 (+0100)
+Subject: Bug #699654 (again) and Bug #699677 Improve operator removal for SAFER
+
+Bug #699654 (again) and Bug #699677 Improve operator removal for SAFER
+
+Take inspiration from the code to remove unused/dangerous operators
+and, when SAFER is true, remove a bunch more non-standard operators
+or routines.
+
+In particular remove the .bindnow operator, which should have been
+removed previously for Bug #699677 and remove the
+.pushpdf14devicefilter for Bug #699654. Only the PDF interpreter
+needs to use that, and the device in question only expects to be used
+carefully and in the correct sequence. Make sure nobody can meddle with
+it.
+
+In addition I removed a number of other operators which are not needed
+in normal operation. Some of them, however, are useful so these
+(with the exception of .bindnow which is always removed) are only
+undefined if SAFER is true.
+
+This allows our QA procedure to continue to use them, which is
+particularly important in the case of .makeoperator and .setCPSImode.
+
+At a later date we may choose to move some of these into the regular
+undefinition code, ie not dependent on SAFER.
+
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=520bb0ea7519aa3e79db78aaf0589dae02103764
+---
+
+diff -up ghostscript-9.07/base/gsdevice.c.cve-2018-16863 ghostscript-9.07/base/gsdevice.c
+--- ghostscript-9.07/base/gsdevice.c.cve-2018-16863	2018-11-26 10:45:38.685308279 +0100
++++ ghostscript-9.07/base/gsdevice.c	2018-11-26 11:42:31.405515105 +0100
+@@ -599,13 +599,17 @@ gx_device_retain(gx_device *dev, bool re
+ int
+ gs_nulldevice(gs_state * pgs)
+ {
++    int code = 0;
++    bool saveLockSafety = false;
+     if (pgs->device == 0 || !gx_device_is_null(pgs->device)) {
+         gx_device *ndev;
+-        int code = gs_copydevice(&ndev, (const gx_device *)&gs_null_device,
++        code = gs_copydevice(&ndev, (const gx_device *)&gs_null_device,
+                                  pgs->memory);
+ 
+         if (code < 0)
+             return code;
++        if (gs_currentdevice_inline(pgs) != NULL)
++            saveLockSafety = gs_currentdevice_inline(pgs)->LockSafetyParams;
+         /*
+          * Internal devices have a reference count of 0, not 1,
+          * aside from references from graphics states.
+@@ -623,9 +627,11 @@ gs_nulldevice(gs_state * pgs)
+             set_dev_proc(ndev, get_profile, gx_default_get_profile);
+         } 
+ 
+-        return gs_setdevice_no_erase(pgs, ndev);
++        if ((code = gs_setdevice_no_erase(pgs, ndev)) < 0)
++            gs_free_object(pgs->memory, ndev, "gs_copydevice(device)");
++        gs_currentdevice_inline(pgs)->LockSafetyParams = saveLockSafety;
+     }
+-    return 0;
++    return code;
+ }
+ 
+ /* Close a device.  The client is responsible for ensuring that */
+diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-16863 ghostscript-9.07/Resource/Init/gs_init.ps
+--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-16863	2018-11-26 10:51:31.658358967 +0100
++++ ghostscript-9.07/Resource/Init/gs_init.ps	2018-11-26 11:39:03.566039786 +0100
+@@ -2083,6 +2083,26 @@ readonly def
+ % If we are running in SAFER mode, lock things down
+ SAFER { .setsafe } if
+ 
++/SAFERUndefinePostScriptOperators {
++[
++% Used by our own test suite files
++/.pushpdf14devicefilter    % transparency-example.ps
++/.poppdf14devicefilter     % transparency-example.ps
++/.setopacityalpha          % transparency-example.ps
++/.setshapealpha            % transparency-example.ps
++/.endtransparencygroup     % transparency-example.ps
++/.setdotlength             % Bug687720.ps
++/.sort /.setdebug /.mementolistnewblocks /getenv
++
++/.makeoperator /.setCPSImode              % gs_cet.ps, this won't work on cluster with -dSAFER
++
++/unread
++]
++{systemdict exch .forceundef} forall
++
++//systemdict /SAFERUndefinePostScriptOperators .forceundef
++}bind def
++
+ /UndefinePostScriptOperators {
+ 
+ %% This list is of Display PostScript operators. We believe that Display PostScript
+@@ -2153,7 +2173,7 @@ SAFER { .setsafe } if
+ %/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors
+ %/currentdevice  /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget
+ %/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9
+-%/.tempfile /.numicc_components /.set_outputintent  /.max /.min /.shfill /.vmreclaim /.getpath /.setglobal
++%/.tempfile /.numicc_components /.set_outputintent  /.max /.min /.vmreclaim /.getpath /.setglobal
+ %/.setdebug /.mementolistnewblocks /getenv
+ ]
+ {systemdict exch .forceundef} forall
+@@ -2180,13 +2200,6 @@ SAFER { .setsafe } if
+ /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading /.settextrise /.currenttextrise
+ /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling
+ 
+-% Used by our own test suite files
+-%/.pushpdf14devicefilter    % transparency-example.ps
+-%/.poppdf14devicefilter     % transparency-example.ps
+-%/.setopacityalpha          % transparency-example.ps
+-%/.setshapealpha            % transparency-example.ps
+-%/.endtransparencygroup     % transparency-example.ps
+-
+ % undefining these causes errors/incorrect output
+ %/.settextrenderingmode /.setblendmode /.begintransparencygroup /.settextknockout /check_r6_password /.setstrokeoverprint /.setfilloverprint
+ %/.currentstrokeoverprint /.currentfilloverprint /.currentfillconstantalpha /.currentstrokeconstantalpha
+@@ -2208,6 +2221,9 @@ SAFER { .setsafe } if
+   //systemdict /.delaybind {} .forceput	% reclaim the space
+   //systemdict /.bindnow .forceundef	% ditto
+   put
++  SAFER {
++    //systemdict /SAFERUndefinePostScriptOperators get exec
++  } if
+ %  //systemdict /UndefinePostScriptOperators get exec
+ %  //systemdict /UndefinePDFOperators get exec
+   //systemdict /.forcecopynew .forceundef	% remove temptation
+@@ -2313,6 +2329,9 @@ currentdict /.renderingintentdict .undef
+ %% If we are using DELAYBIND we have to defer the undefinition
+ %% until .bindnow.
+ DELAYBIND not {
++  SAFER {
++    //systemdict /SAFERUndefinePostScriptOperators get exec
++  } if
+   //systemdict /UndefinePostScriptOperators get exec
+   //systemdict /UndefinePDFOperators .forceundef
+ } if
+@@ -2323,6 +2342,7 @@ end
+  { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if
+  } if
+ DELAYBIND not {
++  systemdict /.bindnow .undef       % We only need this for DELAYBIND
+   systemdict /.forcecopynew .undef	% remove temptation
+   systemdict /.forcedef .undef		% ditto
+   systemdict /.forceput .undef		% ditto
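Review bot: In gs_nulldevice at @@ -623, `gs_currentdevice_inline(pgs)->LockSafetyParams = saveLockSafety;` also runs when gs_setdevice_no_erase() has just failed and ndev has been freed; on that path the current device is presumably still the original one, and since the enclosing `if` admits `pgs->device == 0`, it can be NULL, which the read at @@ -599 guards against but this write does not. Returning right after the free keeps the error path away from the device entirely: `if ((code = gs_setdevice_no_erase(pgs, ndev)) < 0) { gs_free_object(pgs->memory, ndev, "gs_copydevice(device)"); return code; }`. Separately, SAFERUndefinePostScriptOperators removes `/getenv` from systemdict while the companion ghostscript-cve-2018-16539.patch makes the `.setsafe`-time PermitFileWriting setup call `getenv`; that works only because `SAFER { .setsafe } if` at @@ -2083 runs before the undefinition, and a short comment next to the `/getenv` entry saying so would stop a later reorder from breaking it. The gs_init.ps procedures touched by the later nested hunks start and end outside the view.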
diff --git a/SOURCES/ghostscript-restore-flushpage.patch b/SOURCES/ghostscript-restore-flushpage.patch
new file mode 100644
index 0000000..5e1d966
--- /dev/null
+++ b/SOURCES/ghostscript-restore-flushpage.patch
@@ -0,0 +1,54 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 21 Nov 2017 16:46:18 +0000 (+0000)
+Subject: PS interpreter - restore the flushpage operator
+
+PS interpreter - restore the flushpage operator
+
+Michael Katzmann, working at the Library of Congress, is using
+Ghostscript in a custom application, which also involves a barcode
+reader and an SQL database.
+
+Currently this resides in an RPM at:
+
+http://engineering.nlsbph.org/repo/fedora/fedora/updates/27/SRPMS/AddressCard-3.17-LoC.fc27.src.rpm
+
+but its not usable without the barcode reader and SQL database....
+For reasons which are not completely clear to me, he wants to use
+flushpage to update the display part way through the operation.
+
+We suspect that it would be possible to avoid this, but it would
+probably require some programming effort on the users part, and since
+flushpage doesn't look like a likely candidate for abuse, we've decided
+just to restore it.
+
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=19ebb5f1f497b6f2d50fe13d17d3e627dfb6c868
+---
+
+diff -up ghostscript-9.07/Resource/Init/gs_init.ps.restore_flushpage ghostscript-9.07/Resource/Init/gs_init.ps
+--- ghostscript-9.07/Resource/Init/gs_init.ps.restore_flushpage	2018-11-28 14:07:09.976249454 +0100
++++ ghostscript-9.07/Resource/Init/gs_init.ps	2018-11-28 14:08:41.225078430 +0100
+@@ -2144,7 +2144,7 @@ SAFER { .setsafe } if
+ /.type1execchar /.type2execchar /.type42execchar /.setweightvector /.getuseciecolor /processcolors /.includecolorspace
+ /.execn /.instopped /.stop /.stopped /.setcolorrendering /.setdevicecolorrendering /.buildcolorrendering1 /.builddevicecolorrendering1
+ /.TransformPQR_scale_WB0 /.TransformPQR_scale_WB1 /.TransformPQR_scale_WB2 /.currentoverprintmode /.copydevice2
+-/.devicename /.doneshowpage /flushpage /.getbitsrect /.getdevice /.getdefaultdevice /.getdeviceparams /.gethardwareparams
++/.devicename /.doneshowpage /.getbitsrect /.getdevice /.getdefaultdevice /.getdeviceparams /.gethardwareparams
+ /makewordimagedevice /.outputpage /.putdeviceparams /.setdevice /.currentshowpagecount
+ /.setpagedevice /.currentpagedevice /.knownundef /.setmaxlength /.rectappend /.initialize_dsc_parser /.parse_dsc_comments
+ /.fillCIDMap /.fillIdentityCIDMap /.buildcmap /.filenamelistseparator /.libfile /.getfilename
+@@ -2162,6 +2162,15 @@ SAFER { .setsafe } if
+ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
+ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
+ 
++% Used by a free user in the Library of Congress. Apparently this is used to
++% draw a partial page, which is then filled in by the results of a barcode
++% scanner and SQL database lookup. Its not clear to us exactly why this needs to be
++% done as a partial page, but its easiest to restore the operator, and it seems like
++% its a reasonably safe operator to restore, for the *very* few devices on which
++% it will have any effect. Currently this uses the 'sync_outptu' device method
++% to transfer the partial page, in future we may use a spec_op instead.
++%/flushpage
++
+ % Used by our own test suite files
+ %/.fileposition %image-qa.ps
+ %/.makeoperator /.setCPSImode % gs_cet.ps
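Review bot: The added comment at @@ -2162 misspells the device method it refers to, `'sync_outptu'` should read `'sync_output'`, and `Its not clear` / `its easiest` / `its a reasonably safe` should be `It's`. Because the change re-enables an operator that the SAFER undefinition list had removed, the comment would serve a future CVE triage better if it stated in one sentence what the operator can reach (it mentions only the device's sync_output method) rather than leaning on the Library of Congress anecdote, which is already recorded in the patch header. The operator list this hunk edits starts and ends outside the nested hunk.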
diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec
index 528d6d0..8f76361 100644
--- a/SPECS/ghostscript.spec
+++ b/SPECS/ghostscript.spec
@@ -5,7 +5,7 @@
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 31%{?dist}.1
+Release: 31%{?dist}.3
 
 # Included CMap data is Redistributable, no modification permitted,
 # see http://bugzilla.redhat.com/487510
@@ -51,6 +51,7 @@
 Patch35: ghostscript-fix-pxl-devices-printing.patch
 Patch36: ghostscript-more-than-11-elements-in-array.patch
 Patch41: ghostscript-remove-as-many-non-standard-operators-as-possible.patch
+Patch47: ghostscript-restore-flushpage.patch
 
 # Security patches:
 # -----------------
@@ -66,8 +67,10 @@
 Patch39: ghostscript-cve-2018-15910.patch
 Patch40: ghostscript-cve-2018-16542.patch
 Patch42: ghostscript-cve-2018-16511.patch
-Patch43: ghostscript-cve-2018-15908.patch
-Patch44: ghostscript-cve-2018-15909.patch
+Patch43: ghostscript-cve-2018-16539.patch
+Patch44: ghostscript-cve-2018-15908.patch
+Patch45: ghostscript-cve-2018-15909.patch
+Patch46: ghostscript-cve-2018-16863.patch
 
 # Upstream is not versioning the SONAME correctly, thus the rpmbuild is unable
 # to recognize we need a newer version of lcms2. This 'hackish' workaround
@@ -283,11 +286,20 @@
 # CVE-2018-16511 (bug #1621383):
 %patch42 -p1
 
-# CVE-2018-15908 (bug #1621159):
+# CVE-2018-16539 (bug #1649721):
 %patch43 -p1
 
-# CVE-2018-15909 (bug #1621381):
+# CVE-2018-15908 (bug #1621159):
 %patch44 -p1
+
+# CVE-2018-15909 (bug #1621381):
+%patch45 -p1
+
+# CVE-2018-16863 (bug #1652901):
+%patch46 -p1
+
+# ghostscript update breaks xdvi (gs: Error: /undefined in flushpage) (bug #1654290):
+%patch47 -p1
 
 # Remove pdfopt man pages which were mistakenly left in (bug #963882).
 rm man/{de/,}pdfopt.1
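Review bot: The comment above `%patch47` gives the symptom (xdvi failing on an undefined flushpage) but not that the patch re-enables an operator that the earlier operator-removal work, presumably Patch41 (ghostscript-remove-as-many-non-standard-operators-as-possible.patch), had undefined; someone triaging the next SAFER issue could otherwise remove it again. Suggest `# Restore flushpage, removed by the non-standard operator cleanup (bug #1654290):` on that line. Patch47 is also declared in the non-security patch group although it edits the SAFER operator list, which may be deliberate but deserves a word in the same comment.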
@@ -488,11 +500,20 @@
 %{_libdir}/libgs.so
 
 %changelog
+* Wed Nov 28 2018 Martin Osvald <mosvald@redhat.com> - 9.07-31.el7_6.3
+- Resolves: #1654290 ghostscript update breaks xdvi (gs: Error: /undefined in flushpage)
+
+* Mon Nov 26 2018 Martin Osvald <mosvald@redhat.com> - 9.07-31.el7_6.2
+- Resolves: #1652901 - CVE-2018-16863 ghostscript: incomplete fix for
+  CVE-2018-16509
+
 * Wed Nov 14 2018 Martin Osvald <mosvald@redhat.com> - 9.07-31.el7_6.1
 - Remove as many non-standard operators as possible to make the codebase
   closer to upstream for later CVEs
 - Resolves: #1621383 - CVE-2018-16511 ghostscript: missing type check in type
   checker (699659)
+- Resolves: #1649721 - CVE-2018-16539 ghostscript: incorrect access checking
+  in temp file handling to disclose contents of files (699658) 
 - Resolves: #1621159 - CVE-2018-15908 ghostscript: .tempfile file permission
   issues (699657)
 - Resolves: #1621381 - CVE-2018-15909 ghostscript: shading_param incomplete

--
Gitblit v1.8.0