|
 |
bb3194 |
From: Ray Johnston <ray.johnston@artifex.com>
|
|
|
bb3194 |
Date: Thu, 14 Feb 2019 18:20:03 +0000 (-0800)
|
|
|
bb3194 |
Subject: Fix bug 700585: Restrict superexec and remove it from internals and gs_cet.ps
|
|
|
bb3194 |
|
|
|
bb3194 |
Fix bug 700585: Restrict superexec and remove it from internals and gs_cet.ps
|
|
|
bb3194 |
|
|
|
bb3194 |
Also while changing things, restructure the CETMODE so that it will
|
|
|
bb3194 |
work with -dSAFER. The gs_cet.ps is now run when we are still at save
|
|
|
bb3194 |
level 0 with systemdict writeable. Allows us to undefine .makeoperator
|
|
|
bb3194 |
and .setCPSImode internal operators after CETMODE is handled.
|
|
|
bb3194 |
|
|
|
bb3194 |
Change previous uses of superexec to using .forceput (with the usual
|
|
|
bb3194 |
.bind executeonly to hide it).
|
|
|
bb3194 |
|
|
|
bb3194 |
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=205591753126802da850ada6511a0ff8411aa287
|
|
|
bb3194 |
|
|
|
bb3194 |
From: Ray Johnston <ray.johnston@artifex.com>
|
|
|
bb3194 |
Date: Mon, 25 Feb 2019 06:01:04 +0000 (-0800)
|
|
|
bb3194 |
Subject: Bug 700585: Obliterate "superexec". We don't need it, nor do any known apps.
|
|
|
bb3194 |
|
|
|
bb3194 |
Bug 700585: Obliterate "superexec". We don't need it, nor do any known apps.
|
|
|
bb3194 |
|
|
|
bb3194 |
We were under the impression that the Windows driver 'PScript5.dll' used
|
|
|
bb3194 |
superexec, but after testing with our extensive suite of PostScript file,
|
|
|
bb3194 |
and analysis of the PScript5 "Adobe CoolType ProcSet, it does not appear
|
|
|
bb3194 |
that this operator is needed anymore. Get rid of superexec and all of the
|
|
|
bb3194 |
references to it, since it is a potential security hole.
|
|
|
bb3194 |
|
|
|
bb3194 |
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d683d1e6450d74619e6277efeebfc222d9a5cb91
|
|
|
bb3194 |
---
|
|
|
bb3194 |
|
|
|
bb3194 |
diff -up ghostscript-9.07/psi/icontext.c.cve-2019-3835 ghostscript-9.07/psi/icontext.c
|
|
|
79ccdd |
--- ghostscript-9.07/psi/icontext.c.cve-2019-3835 2019-02-28 14:32:31.762961195 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/psi/icontext.c 2019-02-28 14:33:02.960552388 +0100
|
|
|
bb3194 |
@@ -148,7 +148,6 @@ context_state_alloc(gs_context_state_t *
|
|
|
bb3194 |
pcst->rand_state = rand_state_initial;
|
|
|
bb3194 |
pcst->usertime_total = 0;
|
|
|
bb3194 |
pcst->keep_usertime = false;
|
|
|
bb3194 |
- pcst->in_superexec = 0;
|
|
|
bb3194 |
pcst->plugin_list = 0;
|
|
|
bb3194 |
make_t(&pcst->error_object, t__invalid);
|
|
|
bb3194 |
{ /*
|
|
|
bb3194 |
diff -up ghostscript-9.07/psi/icstate.h.cve-2019-3835 ghostscript-9.07/psi/icstate.h
|
|
|
79ccdd |
--- ghostscript-9.07/psi/icstate.h.cve-2019-3835 2019-02-28 14:33:38.288089462 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/psi/icstate.h 2019-02-28 14:33:46.576980845 +0100
|
|
|
bb3194 |
@@ -52,7 +52,6 @@ struct gs_context_state_s {
|
|
|
bb3194 |
long usertime_total; /* total accumulated usertime, */
|
|
|
bb3194 |
/* not counting current time if running */
|
|
|
bb3194 |
bool keep_usertime; /* true if context ever executed usertime */
|
|
|
bb3194 |
- int in_superexec; /* # of levels of superexec */
|
|
|
bb3194 |
/* View clipping is handled in the graphics state. */
|
|
|
bb3194 |
ref error_object; /* t__invalid or error object from operator */
|
|
|
bb3194 |
ref userparams; /* t_dictionary */
|
|
|
bb3194 |
diff -up ghostscript-9.07/psi/zcontrol.c.cve-2019-3835 ghostscript-9.07/psi/zcontrol.c
|
|
|
79ccdd |
--- ghostscript-9.07/psi/zcontrol.c.cve-2019-3835 2019-02-28 14:34:07.694704120 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/psi/zcontrol.c 2019-02-28 14:34:44.573220870 +0100
|
|
|
bb3194 |
@@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p)
|
|
|
bb3194 |
return o_push_estack;
|
|
|
bb3194 |
}
|
|
|
bb3194 |
|
|
|
bb3194 |
-/* <obj> superexec - */
|
|
|
bb3194 |
-static int end_superexec(i_ctx_t *);
|
|
|
bb3194 |
-static int
|
|
|
bb3194 |
-zsuperexec(i_ctx_t *i_ctx_p)
|
|
|
bb3194 |
-{
|
|
|
bb3194 |
- os_ptr op = osp;
|
|
|
bb3194 |
- es_ptr ep;
|
|
|
bb3194 |
-
|
|
|
bb3194 |
- check_op(1);
|
|
|
bb3194 |
- if (!r_has_attr(op, a_executable))
|
|
|
bb3194 |
- return 0; /* literal object just gets pushed back */
|
|
|
bb3194 |
- check_estack(2);
|
|
|
bb3194 |
- ep = esp += 3;
|
|
|
bb3194 |
- make_mark_estack(ep - 2, es_other, end_superexec); /* error case */
|
|
|
bb3194 |
- make_op_estack(ep - 1, end_superexec); /* normal case */
|
|
|
bb3194 |
- ref_assign(ep, op);
|
|
|
bb3194 |
- esfile_check_cache();
|
|
|
bb3194 |
- pop(1);
|
|
|
bb3194 |
- i_ctx_p->in_superexec++;
|
|
|
bb3194 |
- return o_push_estack;
|
|
|
bb3194 |
-}
|
|
|
bb3194 |
-static int
|
|
|
bb3194 |
-end_superexec(i_ctx_t *i_ctx_p)
|
|
|
bb3194 |
-{
|
|
|
bb3194 |
- i_ctx_p->in_superexec--;
|
|
|
bb3194 |
- return 0;
|
|
|
bb3194 |
-}
|
|
|
bb3194 |
-
|
|
|
bb3194 |
/* <array> <executable> .runandhide <obj> */
|
|
|
bb3194 |
/* before executing <executable>, <array> is been removed from */
|
|
|
bb3194 |
/* the operand stack and placed on the execstack with attributes */
|
|
|
bb3194 |
@@ -969,8 +941,6 @@ const op_def zcontrol3_op_defs[] = {
|
|
|
bb3194 |
{"0%loop_continue", loop_continue},
|
|
|
bb3194 |
{"0%repeat_continue", repeat_continue},
|
|
|
bb3194 |
{"0%stopped_push", stopped_push},
|
|
|
bb3194 |
- {"1superexec", zsuperexec},
|
|
|
bb3194 |
- {"0%end_superexec", end_superexec},
|
|
|
bb3194 |
{"2.runandhide", zrunandhide},
|
|
|
bb3194 |
{"0%end_runandhide", end_runandhide},
|
|
|
bb3194 |
op_def_end(0)
|
|
|
bb3194 |
diff -up ghostscript-9.07/psi/zdict.c.cve-2019-3835 ghostscript-9.07/psi/zdict.c
|
|
|
79ccdd |
--- ghostscript-9.07/psi/zdict.c.cve-2019-3835 2019-02-28 14:35:18.029782463 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/psi/zdict.c 2019-02-28 14:36:27.964866049 +0100
|
|
|
bb3194 |
@@ -211,8 +211,7 @@ zundef(i_ctx_t *i_ctx_p)
|
|
|
bb3194 |
int code;
|
|
|
bb3194 |
|
|
|
bb3194 |
check_type(*op1, t_dictionary);
|
|
|
bb3194 |
- if (i_ctx_p->in_superexec == 0)
|
|
|
bb3194 |
- check_dict_write(*op1);
|
|
|
bb3194 |
+ check_dict_write(*op1);
|
|
|
bb3194 |
code = idict_undef(op1, op);
|
|
|
bb3194 |
if (code < 0 && code != e_undefined) /* ignore undefined error */
|
|
|
bb3194 |
return code;
|
|
|
bb3194 |
@@ -491,8 +490,7 @@ zsetmaxlength(i_ctx_t *i_ctx_p)
|
|
|
bb3194 |
int code;
|
|
|
bb3194 |
|
|
|
bb3194 |
check_type(*op1, t_dictionary);
|
|
|
bb3194 |
- if (i_ctx_p->in_superexec == 0)
|
|
|
bb3194 |
- check_dict_write(*op1);
|
|
|
bb3194 |
+ check_dict_write(*op1);
|
|
|
bb3194 |
check_type(*op, t_integer);
|
|
|
bb3194 |
if (op->value.intval < 0)
|
|
|
bb3194 |
return_error(e_rangecheck);
|
|
|
bb3194 |
diff -up ghostscript-9.07/psi/zgeneric.c.cve-2019-3835 ghostscript-9.07/psi/zgeneric.c
|
|
|
79ccdd |
--- ghostscript-9.07/psi/zgeneric.c.cve-2019-3835 2019-02-28 14:36:54.684515917 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/psi/zgeneric.c 2019-02-28 14:37:44.859858421 +0100
|
|
|
bb3194 |
@@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p)
|
|
|
bb3194 |
|
|
|
bb3194 |
switch (r_type(op2)) {
|
|
|
bb3194 |
case t_dictionary:
|
|
|
bb3194 |
- if (i_ctx_p->in_superexec == 0)
|
|
|
bb3194 |
- check_dict_write(*op2);
|
|
|
bb3194 |
+ check_dict_write(*op2);
|
|
|
bb3194 |
{
|
|
|
bb3194 |
int code = idict_put(op2, op1, op);
|
|
|
bb3194 |
|
|
|
bb3194 |
diff -up ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_cet.ps
|
|
|
79ccdd |
--- ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835 2019-02-28 14:24:02.885629428 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/Resource/Init/gs_cet.ps 2019-02-28 14:24:02.908629127 +0100
|
|
|
bb3194 |
@@ -1,27 +1,22 @@
|
|
|
bb3194 |
-%!PS
|
|
|
bb3194 |
% Set defaults for Ghostscript to match Adobe CPSI behaviour for CET
|
|
|
bb3194 |
|
|
|
bb3194 |
-% do this in the server level so it is persistent across jobs
|
|
|
bb3194 |
-//true 0 startjob not {
|
|
|
bb3194 |
- (*** Warning: CET startup is not in server default) = flush
|
|
|
bb3194 |
-} if
|
|
|
bb3194 |
+% Note: this must be run at save level 0 and when systemdict is writeable
|
|
|
bb3194 |
+currentglobal //true setglobal
|
|
|
bb3194 |
+systemdict dup dup dup
|
|
|
bb3194 |
+/version (3017.102) readonly .forceput % match CPSI 3017.102
|
|
|
bb3194 |
+/product (PhotoPRINT SE 5.0v2) readonly .forceput % match CPSI 3017.102
|
|
|
bb3194 |
+/revision 0 put % match CPSI 3017.103 Tek shows revision 5
|
|
|
bb3194 |
+/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI 3017.102 Tek shows serialnumber 1401788461
|
|
|
bb3194 |
+
|
|
|
bb3194 |
+systemdict /.odef { % <name> <proc> odef -
|
|
|
bb3194 |
+ 1 index exch //.makeoperator def
|
|
|
bb3194 |
+} .bind .forceput % this will be undefined at the end
|
|
|
bb3194 |
|
|
|
bb3194 |
300 .sethiresscreen % needed for language switch build since it
|
|
|
bb3194 |
% processes gs_init.ps BEFORE setting the resolution
|
|
|
bb3194 |
|
|
|
bb3194 |
0 array 0 setdash % CET 09-08 wants local setdash
|
|
|
bb3194 |
|
|
|
bb3194 |
-currentglobal //true setglobal
|
|
|
bb3194 |
-
|
|
|
bb3194 |
-{
|
|
|
bb3194 |
- systemdict dup dup dup
|
|
|
bb3194 |
- /version (3017.102) readonly put % match CPSI 3017.102
|
|
|
bb3194 |
- /product (PhotoPRINT SE 5.0v2) readonly put % match CPSI 3017.102
|
|
|
bb3194 |
- /revision 0 put % match CPSI 3017.103 Tek shows revision 5
|
|
|
bb3194 |
- /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461
|
|
|
bb3194 |
- systemdict /deviceinfo undef % for CET 20-23-1
|
|
|
79ccdd |
-} 1183615869 internaldict /superexec get exec
|
|
|
bb3194 |
-
|
|
|
bb3194 |
{ } bind dup
|
|
|
bb3194 |
setblackgeneration
|
|
|
bb3194 |
setundercolorremoval
|
|
|
bb3194 |
@@ -69,4 +64,4 @@ userdict /.smoothness currentsmoothness
|
|
|
bb3194 |
} bind odef
|
|
|
bb3194 |
/currentsmoothness { userdict /.smoothness get } bind odef % for 09-55.PS, 09-57.PS .
|
|
|
bb3194 |
|
|
|
bb3194 |
-//false 0 startjob pop % re-enter encapsulated mode
|
|
|
bb3194 |
+systemdict /.odef .undef
|
|
|
bb3194 |
diff -up ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_dps1.ps
|
|
|
79ccdd |
--- ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3835 2019-02-28 14:24:02.892629336 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/Resource/Init/gs_dps1.ps 2019-02-28 14:24:02.908629127 +0100
|
|
|
bb3194 |
@@ -86,7 +86,7 @@ level2dict begin
|
|
|
bb3194 |
% definition, copy it into the local directory.
|
|
|
bb3194 |
//systemdict /SharedFontDirectory .knownget
|
|
|
bb3194 |
{ 1 index .knownget
|
|
|
79ccdd |
- { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
|
|
|
bb3194 |
+ { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly
|
|
|
bb3194 |
if
|
|
|
bb3194 |
}
|
|
|
bb3194 |
if
|
|
|
bb3194 |
diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_fonts.ps
|
|
|
79ccdd |
--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835 2019-02-28 14:24:02.898629257 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2019-02-28 14:24:02.908629127 +0100
|
|
|
bb3194 |
@@ -501,11 +501,11 @@ buildfontdict 3 /.buildfont3 cvx put
|
|
|
bb3194 |
% the font in LocalFontDirectory.
|
|
|
bb3194 |
.currentglobal
|
|
|
bb3194 |
{ //systemdict /LocalFontDirectory .knownget
|
|
|
79ccdd |
- { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
|
|
|
bb3194 |
+ { 2 index 2 index .forceput } % readonly
|
|
|
bb3194 |
if
|
|
|
bb3194 |
}
|
|
|
bb3194 |
if
|
|
|
79ccdd |
- dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
|
|
|
bb3194 |
+ dup //.FontDirectory 4 -2 roll .forceput % readonly
|
|
|
bb3194 |
% If the font originated as a resource, register it.
|
|
|
bb3194 |
currentfile .currentresourcefile eq { dup .registerfont } if
|
|
|
bb3194 |
readonly
|
|
|
bb3194 |
@@ -1149,12 +1149,12 @@ currentdict /.putgstringcopy .forceundef
|
|
|
bb3194 |
//.FontDirectory 1 index known not {
|
|
|
bb3194 |
2 dict dup /FontName 3 index put
|
|
|
bb3194 |
dup /FontType 1 put
|
|
|
79ccdd |
- //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
|
|
|
bb3194 |
+ //.FontDirectory 3 1 roll //.forceput exec % readonly
|
|
|
bb3194 |
} {
|
|
|
bb3194 |
pop
|
|
|
bb3194 |
} ifelse
|
|
|
bb3194 |
} forall
|
|
|
bb3194 |
- }
|
|
|
bb3194 |
+ } executeonly % hide .forceput
|
|
|
bb3194 |
FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
|
|
|
bb3194 |
|
|
|
bb3194 |
% Install initial fonts from Fontmap.
|
|
|
bb3194 |
diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_init.ps
|
|
|
79ccdd |
--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3835 2019-02-28 14:24:02.906629153 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-02-28 14:29:40.355207303 +0100
|
|
|
bb3194 |
@@ -2125,9 +2125,6 @@ SAFER { .setsafe } if
|
|
|
79ccdd |
/.endtransparencygroup % transparency-example.ps
|
|
|
79ccdd |
/.setdotlength % Bug687720.ps
|
|
|
79ccdd |
/.sort /.setdebug /.mementolistnewblocks /getenv
|
|
|
bb3194 |
-
|
|
|
79ccdd |
- /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER
|
|
|
bb3194 |
-
|
|
|
79ccdd |
/unread
|
|
|
79ccdd |
]
|
|
|
79ccdd |
{systemdict exch .forceundef} forall
|
|
|
bb3194 |
@@ -2206,7 +2203,6 @@ SAFER { .setsafe } if
|
|
|
bb3194 |
|
|
|
79ccdd |
% Used by our own test suite files
|
|
|
79ccdd |
%/.fileposition %image-qa.ps
|
|
|
79ccdd |
- %/.makeoperator /.setCPSImode % gs_cet.ps
|
|
|
bb3194 |
|
|
|
79ccdd |
% Either our code uses these in ways which mean they can't be undefined, or they are used directly by
|
|
|
79ccdd |
% test files/utilities, or engineers expressed a desire to keep them visible.
|
|
|
79ccdd |
@@ -2400,6 +2396,16 @@ end
|
|
|
bb3194 |
/vmreclaim where
|
|
|
bb3194 |
{ pop NOGC not { 2 .vmreclaim 0 vmreclaim } if
|
|
|
bb3194 |
} if
|
|
|
bb3194 |
+
|
|
|
bb3194 |
+% Do this before systemdict is locked (see below for additional CETMODE setup using gs_cet.ps)
|
|
|
bb3194 |
+systemdict /CETMODE .knownget {
|
|
|
bb3194 |
+ {
|
|
|
bb3194 |
+ (gs_cet.ps) runlibfile
|
|
|
bb3194 |
+ } if
|
|
|
bb3194 |
+} if
|
|
|
bb3194 |
+systemdict /.makeoperator .undef % must be after gs_cet.ps
|
|
|
bb3194 |
+systemdict /.setCPSImode .undef % must be after gs_cet.ps
|
|
|
bb3194 |
+
|
|
|
bb3194 |
DELAYBIND not {
|
|
|
bb3194 |
systemdict /.bindnow .undef % We only need this for DELAYBIND
|
|
|
bb3194 |
systemdict /.forcecopynew .undef % remove temptation
|
|
|
79ccdd |
@@ -2407,11 +2413,6 @@ DELAYBIND not {
|
|
|
bb3194 |
systemdict /.forceput .undef % ditto
|
|
|
bb3194 |
systemdict /.forceundef .undef % ditto
|
|
|
bb3194 |
} if
|
|
|
bb3194 |
-% Move superexec to internaldict if superexec is defined.
|
|
|
79ccdd |
-systemdict /superexec .knownget {
|
|
|
bb3194 |
- 1183615869 internaldict /superexec 3 -1 roll put
|
|
|
79ccdd |
- systemdict /superexec .undef
|
|
|
bb3194 |
-} if
|
|
|
bb3194 |
|
|
|
bb3194 |
% Can't remove this one until the last minute :-)
|
|
|
bb3194 |
systemdict /.undef .undef
|
|
|
bb3194 |
diff -up ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_type1.ps
|
|
|
79ccdd |
--- ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3835 2019-02-28 14:24:02.886629415 +0100
|
|
|
79ccdd |
+++ ghostscript-9.07/Resource/Init/gs_type1.ps 2019-02-28 14:24:02.909629113 +0100
|
|
|
bb3194 |
@@ -66,11 +66,11 @@
|
|
|
bb3194 |
2 index 1 index known {
|
|
|
bb3194 |
pop pop
|
|
|
bb3194 |
} {
|
|
|
79ccdd |
- 3 1 roll get //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse dup dup
|
|
|
bb3194 |
+ 3 1 roll get .forceput dup dup
|
|
|
bb3194 |
} ifelse
|
|
|
bb3194 |
} {
|
|
|
bb3194 |
2 index 1 index known {
|
|
|
79ccdd |
- exch 3 1 roll get //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse dup dup
|
|
|
bb3194 |
+ exch 3 1 roll get .forceput dup dup
|
|
|
bb3194 |
} {
|
|
|
bb3194 |
pop pop
|
|
|
bb3194 |
} ifelse
|
|
|
bb3194 |
@@ -80,7 +80,7 @@
|
|
|
bb3194 |
|
|
|
bb3194 |
//.buildfont1
|
|
|
bb3194 |
3 2 roll .setglobal
|
|
|
bb3194 |
- } bind def
|
|
|
bb3194 |
+ } .bind executeonly def % hide .forceput
|
|
|
bb3194 |
|
|
|
bb3194 |
% If the diskfont feature isn't included, define a dummy .loadfontdict.
|
|
|
bb3194 |
/.loadfontdict where
|