From: Chris Liddell <chris.liddell@artifex.com>

Date: Tue, 21 Aug 2018 19:17:51 +0000 (+0100)

Subject: Bug 699658: Fix handling of pre-SAFER opened files.

Bug 699658: Fix handling of pre-SAFER opened files.

Temp files opened for writing before SAFER is engaged are not subject to the

SAFER restrictions - that is handled by recording in a dictionary, and

checking that as part of the permissions checks.

By adding a custom error handler for invalidaccess, that allowed the filename

to be added to the dictionary (despite the attempted open throwing the error)

thus meaning subsequent accesses were erroneously permitted.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a054156d425b4dbdaaa9fda4b5f1182b27598c2b

---

diff -up a/Resource/Init/gs_init.ps.cve-2018-16539 b/Resource/Init/gs_init.ps

--- a/Resource/Init/gs_init.ps.cve-2018-16539	2018-11-14 16:34:23.268867657 +0100

+++ b/Resource/Init/gs_init.ps	2018-11-14 16:36:38.765552576 +0100

@@ -2015,6 +2015,19 @@ readonly def

             concatstrings concatstrings .generate_dir_list_templates

         } if

       ]

+      /PermitFileWriting [

+          currentuserparams /PermitFileWriting get aload pop

+          (TMPDIR) getenv not

+          {

+            (TEMP) getenv not

+            {

+              (TMP) getenv not

+              {

+                (/temp) (/tmp)

+              } if

+            } if

+          } if

+      ]

       /LockFilePermissions //true

     >> setuserparams

   }

@@ -2062,7 +2075,9 @@ readonly def

 % the file can be deleted later, even if SAFER is set.

 /.tempfile {

   .tempfile	% filename file

-  //SAFETY /tempfiles get 2 .argindex //true .forceput

+    //SAFETY /safe get not { % only add the filename if we're not yet safe

+    //SAFETY /tempfiles get 2 .argindex //true .forceput

+  } if

 } .bind executeonly odef

 % If we are running in SAFER mode, lock things down