
From: Ray Johnston <ray.johnston@artifex.com>
Date: Thu, 14 Feb 2019 18:20:03 +0000 (-0800)
Subject: Fix bug 700585: Restrict superexec and remove it from internals and gs_cet.ps
Fix bug 700585: Restrict superexec and remove it from internals and gs_cet.ps
Also while changing things, restructure the CETMODE so that it will
work with -dSAFER. The gs_cet.ps is now run when we are still at save
level 0 with systemdict writeable. Allows us to undefine .makeoperator
and .setCPSImode internal operators after CETMODE is handled.
Change previous uses of superexec to using .forceput (with the usual
.bind executeonly to hide it).
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=205591753126802da850ada6511a0ff8411aa287
From: Ray Johnston <ray.johnston@artifex.com>
Date: Mon, 25 Feb 2019 06:01:04 +0000 (-0800)
Subject: Bug 700585: Obliterate "superexec". We don't need it, nor do any known apps.
Bug 700585: Obliterate "superexec". We don't need it, nor do any known apps.
We were under the impression that the Windows driver 'PScript5.dll' used
superexec, but after testing with our extensive suite of PostScript files,
and analysis of the PScript5 "Adobe CoolType ProcSet", it does not appear
that this operator is needed anymore. Get rid of superexec and all of the
references to it, since it is a potential security hole.
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d683d1e6450d74619e6277efeebfc222d9a5cb91
---
diff -up ghostscript-9.07/psi/icontext.c.cve-2019-3835 ghostscript-9.07/psi/icontext.c
--- ghostscript-9.07/psi/icontext.c.cve-2019-3835	2019-02-28 14:32:31.762961195 +0100
+++ ghostscript-9.07/psi/icontext.c	2019-02-28 14:33:02.960552388 +0100
@@ -148,7 +148,6 @@ context_state_alloc(gs_context_state_t *
     pcst->rand_state = rand_state_initial;
     pcst->usertime_total = 0;
     pcst->keep_usertime = false;
-    pcst->in_superexec = 0;
     pcst->plugin_list = 0;
     make_t(&pcst->error_object, t__invalid);
     {	/*
diff -up ghostscript-9.07/psi/icstate.h.cve-2019-3835 ghostscript-9.07/psi/icstate.h
--- ghostscript-9.07/psi/icstate.h.cve-2019-3835	2019-02-28 14:33:38.288089462 +0100
+++ ghostscript-9.07/psi/icstate.h	2019-02-28 14:33:46.576980845 +0100
@@ -52,7 +52,6 @@ struct gs_context_state_s {
     long usertime_total;	/* total accumulated usertime, */
                                 /* not counting current time if running */
     bool keep_usertime;		/* true if context ever executed usertime */
-    int in_superexec;		/* # of levels of superexec */
     /* View clipping is handled in the graphics state. */
     ref error_object;		/* t__invalid or error object from operator */
     ref userparams;		/* t_dictionary */
diff -up ghostscript-9.07/psi/zcontrol.c.cve-2019-3835 ghostscript-9.07/psi/zcontrol.c
--- ghostscript-9.07/psi/zcontrol.c.cve-2019-3835	2019-02-28 14:34:07.694704120 +0100
+++ ghostscript-9.07/psi/zcontrol.c	2019-02-28 14:34:44.573220870 +0100
@@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p)
     return o_push_estack;
 }
 
-/* <obj> superexec - */
-static int end_superexec(i_ctx_t *);
-static int
-zsuperexec(i_ctx_t *i_ctx_p)
-{
-    os_ptr op = osp;
-    es_ptr ep;
-
-    check_op(1);
-    if (!r_has_attr(op, a_executable))
-        return 0;		/* literal object just gets pushed back */
-    check_estack(2);
-    ep = esp += 3;
-    make_mark_estack(ep - 2, es_other, end_superexec); /* error case */
-    make_op_estack(ep - 1,  end_superexec); /* normal case */
-    ref_assign(ep, op);
-    esfile_check_cache();
-    pop(1);
-    i_ctx_p->in_superexec++;
-    return o_push_estack;
-}
-static int
-end_superexec(i_ctx_t *i_ctx_p)
-{
-    i_ctx_p->in_superexec--;
-    return 0;
-}
-
 /* <array> <executable> .runandhide <obj>				*/
 /* 	before executing  <executable>, <array> is been removed from	*/
 /*	the operand stack and placed on the execstack with attributes	*/
@@ -969,8 +941,6 @@ const op_def zcontrol3_op_defs[] = {
     {"0%loop_continue", loop_continue},
     {"0%repeat_continue", repeat_continue},
     {"0%stopped_push", stopped_push},
-    {"1superexec", zsuperexec},
-    {"0%end_superexec", end_superexec},
     {"2.runandhide", zrunandhide},
     {"0%end_runandhide", end_runandhide},
     op_def_end(0)
diff -up ghostscript-9.07/psi/zdict.c.cve-2019-3835 ghostscript-9.07/psi/zdict.c
--- ghostscript-9.07/psi/zdict.c.cve-2019-3835	2019-02-28 14:35:18.029782463 +0100
+++ ghostscript-9.07/psi/zdict.c	2019-02-28 14:36:27.964866049 +0100
@@ -211,8 +211,7 @@ zundef(i_ctx_t *i_ctx_p)
     int code;
 
     check_type(*op1, t_dictionary);
-    if (i_ctx_p->in_superexec == 0)
-        check_dict_write(*op1);
+    check_dict_write(*op1);
     code = idict_undef(op1, op);
     if (code < 0 && code != e_undefined) /* ignore undefined error */
         return code;
@@ -491,8 +490,7 @@ zsetmaxlength(i_ctx_t *i_ctx_p)
     int code;
 
     check_type(*op1, t_dictionary);
-    if (i_ctx_p->in_superexec == 0)
-        check_dict_write(*op1);
+    check_dict_write(*op1);
     check_type(*op, t_integer);
     if (op->value.intval < 0)
         return_error(e_rangecheck);
diff -up ghostscript-9.07/psi/zgeneric.c.cve-2019-3835 ghostscript-9.07/psi/zgeneric.c
--- ghostscript-9.07/psi/zgeneric.c.cve-2019-3835	2019-02-28 14:36:54.684515917 +0100
+++ ghostscript-9.07/psi/zgeneric.c	2019-02-28 14:37:44.859858421 +0100
@@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p)
 
     switch (r_type(op2)) {
         case t_dictionary:
-            if (i_ctx_p->in_superexec == 0)
-                check_dict_write(*op2);
+            check_dict_write(*op2);
             {
                 int code = idict_put(op2, op1, op);
 
diff -up ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_cet.ps
--- ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835	2019-02-28 14:24:02.885629428 +0100
+++ ghostscript-9.07/Resource/Init/gs_cet.ps	2019-02-28 14:24:02.908629127 +0100
@@ -1,27 +1,22 @@
-%!PS
 % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET
 
-% do this in the server level so it is persistent across jobs
-//true 0 startjob not {
-  (*** Warning: CET startup is not in server default) = flush
-} if
+% Note: this must be run at save level 0 and when systemdict is writeable
+currentglobal //true setglobal
+systemdict dup dup dup
+/version (3017.102) readonly .forceput         % match CPSI 3017.102
+/product (PhotoPRINT SE 5.0v2) readonly .forceput      % match CPSI 3017.102
+/revision 0 put                        % match CPSI 3017.103 Tek shows revision 5
+/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI 3017.102 Tek shows serialnumber 1401788461
+
+systemdict /.odef {           % <name> <proc> odef -
+  1 index exch //.makeoperator def
+} .bind .forceput          % this will be undefined at the end
 
 300 .sethiresscreen	% needed for language switch build since it
                         % processes gs_init.ps BEFORE setting the resolution
 
 0 array 0 setdash % CET 09-08 wants local setdash
 
-currentglobal //true setglobal
-
-{
-  systemdict dup dup dup
-  /version (3017.102) readonly put		% match CPSI 3017.102
-  /product (PhotoPRINT SE 5.0v2) readonly put	% match CPSI 3017.102
-  /revision 0 put			% match CPSI 3017.103 Tek shows revision 5
-  /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461
-  systemdict /deviceinfo undef                  % for CET 20-23-1
-} 1183615869 internaldict /superexec get exec
-
 { } bind dup
 setblackgeneration
 setundercolorremoval
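Review bot: The rewritten block drops `systemdict /deviceinfo undef % for CET 20-23-1` without a replacement — the old side's only other effect besides the four `put`s has no counterpart after the `/serialnumber ... .forceput` line, and neither commit message mentions removing it. If that is unintended, add `systemdict /deviceinfo .undef % for CET 20-23-1` after the serialnumber line; `.undef` is still available at this point, as the second hunk of this file (`systemdict /.odef .undef`) relies on. Separately, `/revision 0 put` mixes plain `put` with the `.forceput` used for the neighbouring keys; given the header comment's precondition that systemdict is writeable both work, but one form throughout, or a short comment on why `put` suffices here, would make the intent clear. The `currentglobal //true setglobal` at the top of the block is restored outside this hunk.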
@@ -69,4 +64,4 @@ userdict /.smoothness currentsmoothness
 } bind odef
 /currentsmoothness { userdict /.smoothness get } bind odef % for 09-55.PS, 09-57.PS .
 
-//false 0 startjob pop		% re-enter encapsulated mode
+systemdict /.odef .undef
diff -up ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_dps1.ps
--- ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3835	2019-02-28 14:24:02.892629336 +0100
+++ ghostscript-9.07/Resource/Init/gs_dps1.ps	2019-02-28 14:24:02.908629127 +0100
@@ -86,7 +86,7 @@ level2dict begin
                 % definition, copy it into the local directory.
       //systemdict /SharedFontDirectory .knownget
        { 1 index .knownget
-          { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
+          { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly
          if
        }
       if
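Review bot: The new `{ //.FontDirectory 2 index 3 -1 roll .forceput }` references `.forceput` by name inside a procedure whose definition ends outside this hunk, so it is not visible here whether that name is resolved at definition time. The commit description calls for `.bind executeonly` on such procedures: without `.bind`, the lookup happens when the procedure runs, which is after gs_init.ps has executed `systemdict /.forceput .undef` (the gs_init.ps hunk at @@ -2407, when DELAYBIND is not set) and would raise `/undefined`; without `executeonly`, the bound operator stays readable from the procedure body, which is what the hiding convention is meant to avoid. The same applies to the two new `.forceput` uses in the gs_fonts.ps hunk at @@ -501 (`2 index 2 index .forceput` and `dup //.FontDirectory 4 -2 roll .forceput`), whose enclosing procedure is likewise closed outside the hunk. The gs_type1.ps hunk shows the intended closing form, `} .bind executeonly def % hide .forceput`.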
diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_fonts.ps
--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835	2019-02-28 14:24:02.898629257 +0100
+++ ghostscript-9.07/Resource/Init/gs_fonts.ps	2019-02-28 14:24:02.908629127 +0100
@@ -501,11 +501,11 @@ buildfontdict 3 /.buildfont3 cvx put
                 % the font in LocalFontDirectory.
    .currentglobal
     { //systemdict /LocalFontDirectory .knownget
-       { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse }  % readonly
+       { 2 index 2 index .forceput }   % readonly
       if
     }
    if
-   dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse   % readonly
+   dup //.FontDirectory 4 -2 roll .forceput % readonly
                 % If the font originated as a resource, register it.
    currentfile .currentresourcefile eq { dup .registerfont } if
    readonly
@@ -1149,12 +1149,12 @@ currentdict /.putgstringcopy .forceundef
         //.FontDirectory 1 index known not {
           2 dict dup /FontName 3 index put
           dup /FontType 1 put
-          //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse   % readonly
+          //.FontDirectory 3 1 roll //.forceput exec % readonly
         } {
           pop
         } ifelse
       } forall
-    }
+    } executeonly      % hide .forceput
 FAKEFONTS { exch } if pop def   % don't bind, .current/setglobal get redefined
 
 % Install initial fonts from Fontmap.
diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_init.ps
--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3835	2019-02-28 14:24:02.906629153 +0100
+++ ghostscript-9.07/Resource/Init/gs_init.ps	2019-02-28 14:29:40.355207303 +0100
@@ -2125,9 +2125,6 @@ SAFER { .setsafe } if
   /.endtransparencygroup     % transparency-example.ps
   /.setdotlength             % Bug687720.ps
   /.sort /.setdebug /.mementolistnewblocks /getenv
-
-  /.makeoperator /.setCPSImode              % gs_cet.ps, this won't work on cluster with -dSAFER
-
   /unread
   ]
   {systemdict exch .forceundef} forall
@@ -2206,7 +2203,6 @@ SAFER { .setsafe } if
 
   % Used by our own test suite files
   %/.fileposition %image-qa.ps
-  %/.makeoperator /.setCPSImode % gs_cet.ps
 
   % Either our code uses these in ways which mean they can't be undefined, or they are used directly by
   % test files/utilities, or engineers expressed a desire to keep them visible.
@@ -2400,6 +2396,16 @@ end
 /vmreclaim where
  { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if
  } if
+
+% Do this before systemdict is locked (see below for additional CETMODE setup using gs_cet.ps)
+systemdict /CETMODE .knownget {
+  {
+    (gs_cet.ps) runlibfile
+  } if
+} if
+systemdict /.makeoperator .undef       % must be after gs_cet.ps
+systemdict /.setCPSImode .undef                % must be after gs_cet.ps
+
 DELAYBIND not {
   systemdict /.bindnow .undef       % We only need this for DELAYBIND
   systemdict /.forcecopynew .undef	% remove temptation
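Review bot: The inner `if` of the new CETMODE block assumes the value left by `systemdict /CETMODE .knownget` is a boolean; `-dCETMODE` does yield `true`, but a definition with a value (an integer, say) would make `if` raise `/typecheck` during startup rather than simply skipping gs_cet.ps. If only the plain switch is meant to be supported, a comment such as `% CETMODE is expected to be a boolean, as set by -dCETMODE` would document that; otherwise test the value explicitly before the `if`. The comment `(see below for additional CETMODE setup using gs_cet.ps)` also deserves a check against the code further down, outside this hunk: since `.makeoperator` and `.setCPSImode` are undefined immediately after the block, a later CETMODE section cannot run gs_cet.ps (which uses `.makeoperator`) or call those operators without failing, so if such a section still exists it should now be reduced to whatever does not depend on them.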
@@ -2407,11 +2413,6 @@ DELAYBIND not {
   systemdict /.forceput .undef		% ditto
   systemdict /.forceundef .undef	% ditto
 } if
-% Move superexec to internaldict if superexec is defined.
-systemdict /superexec .knownget {
-  1183615869 internaldict /superexec 3 -1 roll put
-  systemdict /superexec .undef
-} if
 
 % Can't remove this one until the last minute :-)
 systemdict /.undef .undef
diff -up ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_type1.ps
--- ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3835	2019-02-28 14:24:02.886629415 +0100
+++ ghostscript-9.07/Resource/Init/gs_type1.ps	2019-02-28 14:24:02.909629113 +0100
@@ -66,11 +66,11 @@
        2 index 1 index known {
          pop pop
        } {
-         3 1 roll get //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse dup dup
+         3 1 roll get .forceput dup dup
        } ifelse
      } {
        2 index 1 index known {
-         exch 3 1 roll get //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse dup dup
+         exch 3 1 roll get .forceput dup dup
        } {
          pop pop
        } ifelse
@@ -80,7 +80,7 @@
 
    //.buildfont1
    3 2 roll .setglobal
- } bind def
+ } .bind executeonly def       % hide .forceput
 
 % If the diskfont feature isn't included, define a dummy .loadfontdict.
 /.loadfontdict where