From: Ken Sharp <ken.sharp@artifex.com>

Date: Thu, 11 May 2017 12:09:29 +0000 (+0100)

Subject: Remove as many non-standard operators as possible

Remove as many non-standard operators as possible

Remove all the Display PostScript operators and all the NeXT extensions

Remove all the operators which do not appear to be used in our code

Remove all the operators which are only used in bound procedures defined

at startup and which can therefore subsequently be removed.

The operators to be undefined are stored in arrays in PostScript and

the C support code is untouched. This means that it is relatively

simple for an end user to restore an operator if required.

Operators which are used in our test suite files are listed in the

arrays but commented out.

Operators which are used (by our own code) in a way which requires them

to be present are also listed in the arrays, but commented out.

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=1497d65039885a52b598b137dd8622bd4672f9be

From: Ken Sharp <ken.sharp@artifex.com>

Date: Sat, 17 Jun 2017 10:17:52 +0000 (+0100)

Subject: Make operator hiding work with DELAYBIND

Make operator hiding work with DELAYBIND

Commit 1497d65039885a52b598b137dd8622bd4672f9be undefines as many operators

as possible once startup is completed, in order to prevent potantially

malicious PostScript or PDF files using them.

However, if DELAYBIND (itself a gaping security hole if used) is

specified, this leads to an endless loop. Instead we must undefine the

operators during .bindnow (after the deferred binding has occured).

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=971472c83a345a16dac9f90f91258bb22dd77f22

---

diff -up a/Resource/Init/gs_init.ps.cve-2018-16585 b/Resource/Init/gs_init.ps

--- a/Resource/Init/gs_init.ps.cve-2018-16585	2018-11-14 07:51:00.933247401 +0100

+++ b/Resource/Init/gs_init.ps	2018-11-14 07:51:27.637826808 +0100

@@ -2068,6 +2068,118 @@ readonly def

 % If we are running in SAFER mode, lock things down

 SAFER { .setsafe } if

+/UndefinePostScriptOperators {

+

+%% This list is of Display PostScript operators. We believe that Display PostScript

+%% was never fully implemented and the only known user, GNUStep, is no longer

+%% using it. So lets remove it.

+[

+/condition /currentcontext /detach /.fork /join /.localfork /lock /monitor /notify

+/wait /yield /.currentscreenphase /.setscreenphase /.image2 /eoviewclip /initviewclip

+/viewclip /viewclippath /defineusername

+%% NeXT DPS extensions

+/currentalpha /setalpha /.alphaimage /composite /compositerect /dissolve /sizeimagebox /.sizeimageparams

+]

+{systemdict exch .forceundef} forall

+

+%% This list is of operators which no longer appear to be used, and which we do not believe

+%% to have any real use. For now we will undefine the operstors so they cannot easily be used

+%% but can be easily restored (just delete the name from the list in the array). In future

+%% we may remove the operator and the code implementation entirely.

+[

+/.bitadd /.charboxpath /.currentblackptcomp /.setblackptcomp /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter

+/.execfile /.filenamesplit /.file_name_parent

+/.setdefaultmatrix /.isprocfilter /.unread /.psstringencode

+/.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength

+/.currentlimitclamp /.dotorientation /.setaccuratecurves /.setcurvejoin /.setdashadapt /.setdotorientation

+/.setlimitclamp /.currentscreenlevels /.dashpath /.pathbbox /.identeq /.identne /.tokenexec /.forgetsave /.pantonecallback

+

+%% Used by our own test suite files

+%%/.setdotlength % Bug687720.ps

+]

+{systemdict exch .forceundef} forall

+

+%% This list of operators are used internally by various parts of the Ghostscript startup code.

+%% Since each operator is a potential security vulnerability, and any operator listed here

+%% is not required once the initislisation is complete and functions are bound, we undefine

+%% the ones that aren't needed at runtime.

+[

+/.callinstall /.callbeginpage /.callendpage

+/.currentstackprotect /.setstackprotect /.errorexec /.finderrorobject /.installsystemnames /.bosobject /.fontbbox

+/.type1execchar /.type2execchar /.type42execchar /.setweightvector /.getuseciecolor /processcolors /.includecolorspace

+/.execn /.instopped /.stop /.stopped /.setcolorrendering /.setdevicecolorrendering /.buildcolorrendering1 /.builddevicecolorrendering1

+/.TransformPQR_scale_WB0 /.TransformPQR_scale_WB1 /.TransformPQR_scale_WB2 /.currentoverprintmode /.copydevice2

+/.devicename /.doneshowpage /flushpage /.getbitsrect /.getdevice /.getdefaultdevice /.getdeviceparams /.gethardwareparams

+/makewordimagedevice /.outputpage /.putdeviceparams /.setdevice /.currentshowpagecount

+/.setpagedevice /.currentpagedevice /.knownundef /.setmaxlength /.rectappend /.initialize_dsc_parser /.parse_dsc_comments

+/.fillCIDMap /.fillIdentityCIDMap /.buildcmap /.filenamelistseparator /.libfile /.getfilename

+/.file_name_combine /.file_name_is_absolute /.file_name_separator /.file_name_directory_separator /.file_name_current /.filename

+/.peekstring /.writecvp /.subfiledecode /.setupUnicodeDecoder /.jbig2makeglobalctx /.registerfont /.parsecff

+/.getshowoperator /.getnativefonts /.beginform /.endform /.get_form_id /.repeatform /.reusablestream /.rsdparams

+/.buildfunction /.currentfilladjust2 /.setfilladjust2 /.sethpglpathmode /.currenthpglpathmode

+/.currenthalftone /.sethalftone5 /.image1 /.imagemask1 /.image3 /.image4

+/.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize

+/.oserrno /.setoserrno /.oserrorstring /.getCPSImode

+/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep

+/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern

+/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring

+/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile

+/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams

+/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath

+

+% Used by our own test suite files

+%/.fileposition %image-qa.ps

+%/.makeoperator /.setCPSImode % gs_cet.ps

+

+% Either our code uses these in ways which mean they can't be undefined, or they are used directly by

+% test files/utilities, or engineers expressed a desire to keep them visible.

+%

+%/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11

+%/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors

+%/currentdevice  /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget

+%/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9

+%/.tempfile /.numicc_components /.set_outputintent  /.max /.min /.shfill /.vmreclaim /.getpath /.setglobal

+%/.setdebug /.mementolistnewblocks /getenv

+]

+{systemdict exch .forceundef} forall

+

+//systemdict /UndefinePostScriptOperators .forceundef

+} bind def

+

+/UndefinePDFOperators {

+%% This list of operators are used internally by various parts of the Ghostscript PDF interpreter.

+%% Since each operator is a potential security vulnerability, and any operator listed here

+%% is not required once the initislisation is complete and functions are bound, we undefine

+%% the ones that aren't needed at runtime.

+[

+/.pdfawidthshow /.pdfwidthshow

+/.setfillcolor /.setfillcolorspace /.setstrokecolor /.setstrokecolorspace /.currentrenderingintent /.setrenderingintent

+/.currenttextrenderingmode /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading

+/.settextrise /.currenttextrise /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling

+/.settextlinematrix /.currenttextlinematrix /.currenttextmatrix /.settextmatrix /.currentblendmode

+/.currentopacityalpha /.currentshapealpha /.currenttextknockout

+/.pushextendedgstate /.popextendedgstate /.begintransparencytextgroup

+/.endtransparencytextgroup /.begintransparencymaskgroup /.begintransparencymaskimage /.endtransparencymask /.image3x

+/.abortpdf14devicefilter /.pdfinkpath /.pdfFormName /.setstrokeconstantalpha

+/.setfillconstantalpha /.setalphaisshape /.currentalphaisshape

+/.settextspacing /.currenttextspacing /.settextleading /.currenttextleading /.settextrise /.currenttextrise

+/.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling

+

+% Used by our own test suite files

+%/.pushpdf14devicefilter    % transparency-example.ps

+%/.poppdf14devicefilter     % transparency-example.ps

+%/.setopacityalpha          % transparency-example.ps

+%/.setshapealpha            % transparency-example.ps

+%/.endtransparencygroup     % transparency-example.ps

+

+% undefining these causes errors/incorrect output

+%/.settextrenderingmode /.setblendmode /.begintransparencygroup /.settextknockout /check_r6_password /.setstrokeoverprint /.setfilloverprint

+%/.currentstrokeoverprint /.currentfilloverprint /.currentfillconstantalpha /.currentstrokeconstantalpha

+]

+{systemdict exch .forceundef} forall

+//systemdict /UndefinePDFOperators .forceundef

+} bind def

+

 % If we delayed binding, make it possible to do it later.

 /.bindnow {

   currentuserparams /IdiomRecognition .knownget {

@@ -2081,6 +2193,8 @@ SAFER { .setsafe } if

   //systemdict /.delaybind {} .forceput	% reclaim the space

   //systemdict /.bindnow .forceundef	% ditto

   put

+%  //systemdict /UndefinePostScriptOperators get exec

+%  //systemdict /UndefinePDFOperators get exec

   //systemdict /.forcecopynew .forceundef	% remove temptation

   //systemdict /.forcedef .forceundef		% ditto

   //systemdict /.forceput .forceundef		% ditto

@@ -2180,6 +2294,13 @@ currentdict /.patterntypes .undef

 currentdict /.shadingtypes .undef

 currentdict /.wheredict .undef

 currentdict /.renderingintentdict .undef

+

+%% If we are using DELAYBIND we have to defer the undefinition

+%% until .bindnow.

+DELAYBIND not {

+  //systemdict /UndefinePostScriptOperators get exec

+  //systemdict /UndefinePDFOperators .forceundef

+} if

 end

 % Clean up VM, and enable GC. Use .vmreclaim to force the GC.

@@ -2197,6 +2318,10 @@ currentdict /superexec .knownget {

   1183615869 internaldict /superexec 3 -1 roll put

   currentdict /superexec .undef

 } if

+

+%% Can't remove this one until the last minute :-)

+systemdict /.undef .undef

+

 WRITESYSTEMDICT not { systemdict readonly pop } if

 (END GC) VMDEBUG

diff -up a/Resource/Init/pdf_main.ps.cve-2018-16585 b/Resource/Init/pdf_main.ps

--- a/Resource/Init/pdf_main.ps.cve-2018-16585	2018-11-14 07:50:45.158495856 +0100

+++ b/Resource/Init/pdf_main.ps	2018-11-14 07:51:16.245006245 +0100

@@ -2347,3 +2347,32 @@ currentdict /PDF2PS_matrix_key undef

 end			% pdfdict

 .setglobal

+

+DELAYBIND not {

+%% This list of operators are used internally by various parts of the Ghostscript PDF interpreter.

+%% Since each operator is a potential security vulnerability, and any operator listed here

+%% is not required once the initislisation is complete and functions are bound, we undefine

+%% the ones that aren't needed at runtime.

+[

+/.pdfawidthshow /.pdfwidthshow

+/.setfillcolor /.setfillcolorspace /.setstrokecolor /.setstrokecolorspace /.currentrenderingintent /.setrenderingintent

+/.currentstrokeoverprint /.setstrokeoverprint /.currentfilloverprint /.setfilloverprint

+/.currenttextrenderingmode /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading

+/.settextrise /.currenttextrise /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling

+/.setTextLineMatrix /.currentTextLineMatrix /.currentTextMatrix /.setTextMatrix /.currentblendmode

+/.currentopacityalpha /.currentshapealpha /.currenttextknockout

+/.pushextendedgstate /.popextendedgstate /.begintransparencytextgroup

+/.endtransparencytextgroup /.begintransparencymaskgroup /.begintransparencymaskimage /.endtransparencymask /.image3x

+/.abortpdf14devicefilter /.pdfinkpath /.pdfFormName

+

+% Used by our own test suite files

+%/.pushpdf14devicefilter    % transparency-example.ps

+%/.poppdf14devicefilter     % transparency-example.ps

+%/.setopacityalpha          % transparency-example.ps

+%/.setshapealpha            % transparency-example.ps

+%/.endtransparencygroup     % transparency-example.ps

+

+%/.settextrenderingmode /.setblendmode /.begintransparencygroup /.settextknockout /check_r6_password

+]

+{systemdict exch .undef} forall

+} if