From 2796d4231d6c7bc5d71b5361828c16f2edaea173 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 03 2018 21:14:53 +0000
Subject: import ghostscript-9.07-31.el7_6.3
---
diff --git a/SOURCES/ghostscript-cve-2018-15908.patch b/SOURCES/ghostscript-cve-2018-15908.patch
index 8403f23..1a9849c 100644
--- a/SOURCES/ghostscript-cve-2018-15908.patch
+++ b/SOURCES/ghostscript-cve-2018-15908.patch
@@ -5,22 +5,6 @@ Subject: Bug 699657: properly apply file permissions to .tempfile Bug 699657: properly apply file permissions to .tempfile https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0d3901189f245232f0161addf215d7268c4d05a3 - -From: Chris Liddell -Date: Tue, 21 Aug 2018 19:17:51 +0000 (+0100) -Subject: Bug 699658: Fix handling of pre-SAFER opened files. - -Bug 699658: Fix handling of pre-SAFER opened files. - -Temp files opened for writing before SAFER is engaged are not subject to the -SAFER restrictions - that is handled by recording in a dictionary, and -checking that as part of the permissions checks. - -By adding a custom error handler for invalidaccess, that allowed the filename -to be added to the dictionary (despite the attempted open throwing the error) -thus meaning subsequent accesses were erroneously permitted. - -https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a054156d425b4dbdaaa9fda4b5f1182b27598c2b --- diff -up a/psi/zfile.c.cve-2018-15908 b/psi/zfile.c 
@@ -168,37 +152,4 @@ diff -up a/psi/zfile.c.cve-2018-15908 b/psi/zfile.c return_error(e_invalidfileaccess); return 0; } -diff -up a/Resource/Init/gs_init.ps.cve-2018-15908 b/Resource/Init/gs_init.ps ---- a/Resource/Init/gs_init.ps.cve-2018-15908 2018-11-14 16:34:23.268867657 +0100 -+++ b/Resource/Init/gs_init.ps 2018-11-14 16:36:38.765552576 +0100 -@@ -2015,6 +2015,19 @@ readonly def - concatstrings concatstrings .generate_dir_list_templates - } if - ] -+ /PermitFileWriting [ -+ currentuserparams /PermitFileWriting get aload pop -+ (TMPDIR) getenv not -+ { -+ (TEMP) getenv not -+ { -+ (TMP) getenv not -+ { -+ (/temp) (/tmp) -+ } if -+ } if -+ } if -+ ] - /LockFilePermissions //true - >> setuserparams - } -@@ -2062,7 +2075,9 @@ readonly def - % the file can be deleted later, even if SAFER is set. - /.tempfile { - .tempfile % filename file -- //SAFETY /tempfiles get 2 .argindex //true .forceput -+ //SAFETY /safe get not { % only add the filename if we're not yet safe -+ //SAFETY /tempfiles get 2 .argindex //true .forceput -+ } if - } .bind executeonly odef - - % If we are running in SAFER mode, lock things down + \ No newline at end of file diff --git a/SOURCES/ghostscript-cve-2018-16539.patch b/SOURCES/ghostscript-cve-2018-16539.patch new file mode 100644 index 0000000..72f056f --- /dev/null +++ b/SOURCES/ghostscript-cve-2018-16539.patch 
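Review bot: The rewritten 15908 patch now ends with an added, newline-less whitespace line (the `+ ` immediately before `\ No newline at end of file` at the end of this hunk), which belongs to no hunk of the inner patch and looks like an editing leftover. Dropping it so the file ends at the zfile.c hunk's last context line (`}`) keeps the patch file clean; patch(1) may otherwise warn about the unterminated trailing line when `%patch44` is applied. The rest of the hunk only removes the gs_init.ps part that the new 16539 patch carries.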
@@ -0,0 +1,51 @@ +From: Chris Liddell +Date: Tue, 21 Aug 2018 19:17:51 +0000 (+0100) +Subject: Bug 699658: Fix handling of pre-SAFER opened files. + +Bug 699658: Fix handling of pre-SAFER opened files. + +Temp files opened for writing before SAFER is engaged are not subject to the +SAFER restrictions - that is handled by recording in a dictionary, and +checking that as part of the permissions checks. + +By adding a custom error handler for invalidaccess, that allowed the filename +to be added to the dictionary (despite the attempted open throwing the error) +thus meaning subsequent accesses were erroneously permitted. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a054156d425b4dbdaaa9fda4b5f1182b27598c2b +--- + +diff -up a/Resource/Init/gs_init.ps.cve-2018-16539 b/Resource/Init/gs_init.ps +--- a/Resource/Init/gs_init.ps.cve-2018-16539 2018-11-14 16:34:23.268867657 +0100 ++++ b/Resource/Init/gs_init.ps 2018-11-14 16:36:38.765552576 +0100 +@@ -2015,6 +2015,19 @@ readonly def + concatstrings concatstrings .generate_dir_list_templates + } if + ] ++ /PermitFileWriting [ ++ currentuserparams /PermitFileWriting get aload pop ++ (TMPDIR) getenv not ++ { ++ (TEMP) getenv not ++ { ++ (TMP) getenv not ++ { ++ (/temp) (/tmp) ++ } if ++ } if ++ } if ++ ] + /LockFilePermissions //true + >> setuserparams + } +@@ -2062,7 +2075,9 @@ readonly def + % the file can be deleted later, even if SAFER is set. + /.tempfile { + .tempfile % filename file +- //SAFETY /tempfiles get 2 .argindex //true .forceput ++ //SAFETY /safe get not { % only add the filename if we're not yet safe ++ //SAFETY /tempfiles get 2 .argindex //true .forceput ++ } if + } .bind executeonly odef + + % If we are running in SAFER mode, lock things down diff --git a/SOURCES/ghostscript-cve-2018-16863.patch b/SOURCES/ghostscript-cve-2018-16863.patch new file mode 100644 index 0000000..0704fd4 --- /dev/null +++ b/SOURCES/ghostscript-cve-2018-16863.patch 
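Review bot: The temp-directory entries added to `/PermitFileWriting` are pushed as bare strings (the value of TMPDIR, TEMP or TMP, else the `(/temp) (/tmp)` fallback), while the entries just above them in the same array are run through `.generate_dir_list_templates` (first context line of the hunk). Whether a bare directory name permits writes to files inside that directory depends on the matching done by the permission check in psi/zfile.c, which is outside this hunk; if it needs the wildcard templates these entries should get the same treatment, and a comment such as `% temp dir for .tempfile; bare names - confirm the zfile.c permission check treats them as directories` would record the intent either way. Note also that the environment values are used unvalidated, so whatever the invoking environment names becomes a permitted write location under SAFER; that is presumably intended for .tempfile and is worth saying in the comment. The `.tempfile` change is self-contained, but the `.setsafe`-style block enclosing the first hunk starts outside it.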
@@ -0,0 +1,169 @@ +From: Chris Liddell +Date: Sat, 25 Aug 2018 06:45:45 +0000 (+0100) +Subject: Bug 699654(2): preserve LockSafetyParams in the nulldevice + +Bug 699654(2): preserve LockSafetyParams in the nulldevice + +The nulldevice does not necessarily use the normal setpagedevice machinery, +but can be set using the nulldevice operator. In which case, we don't preserve +the settings from the original device (in the way setpagedevice does). + +Since nulldevice does nothing, this is not generally a problem, but in the case +of LockSafetyParams it *is* important when we restore back to the original +device, when LockSafetyParams not being set is "preserved" into the post- +restore configuration. + +We have to initialise the value to false because the nulldevice is used during +initialisation (before any other device exists), and *must* be writable for +that. + +http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=79cccf641486a6595c43f1de1cd7ade696020a31 + +From: Ken Sharp +Date: Tue, 28 Aug 2018 15:27:53 +0000 (+0100) +Subject: Bug #699654 (again) and Bug #699677 Improve operator removal for SAFER + +Bug #699654 (again) and Bug #699677 Improve operator removal for SAFER + +Take inspiration from the code to remove unused/dangerous operators +and, when SAFER is true, remove a bunch more non-standard operators +or routines. + +In particular remove the .bindnow operator, which should have been +removed previously for Bug #699677 and remove the +.pushpdf14devicefilter for Bug #699654. Only the PDF interpreter +needs to use that, and the device in question only expects to be used +carefully and in the correct sequence. Make sure nobody can meddle with +it. + +In addition I removed a number of other operators which are not needed +in normal operation. Some of them, however, are useful so these +(with the exception of .bindnow which is always removed) are only +undefined if SAFER is true. 
+ +This allows our QA procedure to continue to use them, which is +particularly important in the case of .makeoperator and .setCPSImode. + +At a later date we may choose to move some of these into the regular +undefinition code, ie not dependent on SAFER. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=520bb0ea7519aa3e79db78aaf0589dae02103764 +--- + +diff -up ghostscript-9.07/base/gsdevice.c.cve-2018-16863 ghostscript-9.07/base/gsdevice.c +--- ghostscript-9.07/base/gsdevice.c.cve-2018-16863 2018-11-26 10:45:38.685308279 +0100 ++++ ghostscript-9.07/base/gsdevice.c 2018-11-26 11:42:31.405515105 +0100 +@@ -599,13 +599,17 @@ gx_device_retain(gx_device *dev, bool re + int + gs_nulldevice(gs_state * pgs) + { ++ int code = 0; ++ bool saveLockSafety = false; + if (pgs->device == 0 || !gx_device_is_null(pgs->device)) { + gx_device *ndev; +- int code = gs_copydevice(&ndev, (const gx_device *)&gs_null_device, ++ code = gs_copydevice(&ndev, (const gx_device *)&gs_null_device, + pgs->memory); + + if (code < 0) + return code; ++ if (gs_currentdevice_inline(pgs) != NULL) ++ saveLockSafety = gs_currentdevice_inline(pgs)->LockSafetyParams; + /* + * Internal devices have a reference count of 0, not 1, + * aside from references from graphics states. +@@ -623,9 +627,11 @@ gs_nulldevice(gs_state * pgs) + set_dev_proc(ndev, get_profile, gx_default_get_profile); + } + +- return gs_setdevice_no_erase(pgs, ndev); ++ if ((code = gs_setdevice_no_erase(pgs, ndev)) < 0) ++ gs_free_object(pgs->memory, ndev, "gs_copydevice(device)"); ++ gs_currentdevice_inline(pgs)->LockSafetyParams = saveLockSafety; + } +- return 0; ++ return code; + } + + /* Close a device. 
The client is responsible for ensuring that */ +diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-16863 ghostscript-9.07/Resource/Init/gs_init.ps +--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2018-16863 2018-11-26 10:51:31.658358967 +0100 ++++ ghostscript-9.07/Resource/Init/gs_init.ps 2018-11-26 11:39:03.566039786 +0100 +@@ -2083,6 +2083,26 @@ readonly def + % If we are running in SAFER mode, lock things down + SAFER { .setsafe } if + ++/SAFERUndefinePostScriptOperators { ++[ ++% Used by our own test suite files ++/.pushpdf14devicefilter % transparency-example.ps ++/.poppdf14devicefilter % transparency-example.ps ++/.setopacityalpha % transparency-example.ps ++/.setshapealpha % transparency-example.ps ++/.endtransparencygroup % transparency-example.ps ++/.setdotlength % Bug687720.ps ++/.sort /.setdebug /.mementolistnewblocks /getenv ++ ++/.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER ++ ++/unread ++] ++{systemdict exch .forceundef} forall ++ ++//systemdict /SAFERUndefinePostScriptOperators .forceundef ++}bind def ++ + /UndefinePostScriptOperators { + + %% This list is of Display PostScript operators. 
We believe that Display PostScript +@@ -2153,7 +2173,7 @@ SAFER { .setsafe } if + %/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors + %/currentdevice /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget + %/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9 +-%/.tempfile /.numicc_components /.set_outputintent /.max /.min /.shfill /.vmreclaim /.getpath /.setglobal ++%/.tempfile /.numicc_components /.set_outputintent /.max /.min /.vmreclaim /.getpath /.setglobal + %/.setdebug /.mementolistnewblocks /getenv + ] + {systemdict exch .forceundef} forall +@@ -2180,13 +2200,6 @@ SAFER { .setsafe } if + /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading /.settextrise /.currenttextrise + /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling + +-% Used by our own test suite files +-%/.pushpdf14devicefilter % transparency-example.ps +-%/.poppdf14devicefilter % transparency-example.ps +-%/.setopacityalpha % transparency-example.ps +-%/.setshapealpha % transparency-example.ps +-%/.endtransparencygroup % transparency-example.ps +- + % undefining these causes errors/incorrect output + %/.settextrenderingmode /.setblendmode /.begintransparencygroup /.settextknockout /check_r6_password /.setstrokeoverprint /.setfilloverprint + %/.currentstrokeoverprint /.currentfilloverprint /.currentfillconstantalpha /.currentstrokeconstantalpha +@@ -2208,6 +2221,9 @@ SAFER { .setsafe } if + //systemdict /.delaybind {} .forceput % reclaim the space + //systemdict /.bindnow .forceundef % ditto + put ++ SAFER { ++ //systemdict /SAFERUndefinePostScriptOperators get exec ++ } if + % //systemdict /UndefinePostScriptOperators get exec + % //systemdict /UndefinePDFOperators get exec + //systemdict /.forcecopynew .forceundef % remove temptation +@@ -2313,6 +2329,9 @@ currentdict /.renderingintentdict .undef + %% If we are using DELAYBIND we have to 
defer the undefinition + %% until .bindnow. + DELAYBIND not { ++ SAFER { ++ //systemdict /SAFERUndefinePostScriptOperators get exec ++ } if + //systemdict /UndefinePostScriptOperators get exec + //systemdict /UndefinePDFOperators .forceundef + } if +@@ -2323,6 +2342,7 @@ end + { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if + } if + DELAYBIND not { ++ systemdict /.bindnow .undef % We only need this for DELAYBIND + systemdict /.forcecopynew .undef % remove temptation + systemdict /.forcedef .undef % ditto + systemdict /.forceput .undef % ditto diff --git a/SOURCES/ghostscript-restore-flushpage.patch b/SOURCES/ghostscript-restore-flushpage.patch new file mode 100644 index 0000000..5e1d966 --- /dev/null +++ b/SOURCES/ghostscript-restore-flushpage.patch 
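Review bot: In `gs_nulldevice` the restore of `LockSafetyParams` runs even when `gs_setdevice_no_erase` fails: after `ndev` has been freed, the assignment dereferences `gs_currentdevice_inline(pgs)`, which the new guard a few lines earlier acknowledges can be NULL (the enclosing `if` also admits `pgs->device == 0`). Moving the restore into the success path, `else gs_currentdevice_inline(pgs)->LockSafetyParams = saveLockSafety;`, avoids that NULL dereference and the redundant write-back to the old device on failure. Whether `gs_setdevice_no_erase` already releases `ndev` on error is outside the hunk, so the added `gs_free_object` call should be checked against it to rule out a double free. The function is complete within the hunk; the gs_init.ps hunks that follow are separate.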
@@ -0,0 +1,54 @@ +From: Ken Sharp +Date: Tue, 21 Nov 2017 16:46:18 +0000 (+0000) +Subject: PS interpreter - restore the flushpage operator + +PS interpreter - restore the flushpage operator + +Michael Katzmann, working at the Library of Congress, is using +Ghostscript in a custom application, which also involves a barcode +reader and an SQL database. + +Currently this resides in an RPM at: + +http://engineering.nlsbph.org/repo/fedora/fedora/updates/27/SRPMS/AddressCard-3.17-LoC.fc27.src.rpm + +but its not usable without the barcode reader and SQL database.... +For reasons which are not completely clear to me, he wants to use +flushpage to update the display part way through the operation. + +We suspect that it would be possible to avoid this, but it would +probably require some programming effort on the users part, and since +flushpage doesn't look like a likely candidate for abuse, we've decided +just to restore it. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=19ebb5f1f497b6f2d50fe13d17d3e627dfb6c868 +--- + +diff -up ghostscript-9.07/Resource/Init/gs_init.ps.restore_flushpage ghostscript-9.07/Resource/Init/gs_init.ps +--- ghostscript-9.07/Resource/Init/gs_init.ps.restore_flushpage 2018-11-28 14:07:09.976249454 +0100 ++++ ghostscript-9.07/Resource/Init/gs_init.ps 2018-11-28 14:08:41.225078430 +0100 +@@ -2144,7 +2144,7 @@ SAFER { .setsafe } if + /.type1execchar /.type2execchar /.type42execchar /.setweightvector /.getuseciecolor /processcolors /.includecolorspace + /.execn /.instopped /.stop /.stopped /.setcolorrendering /.setdevicecolorrendering /.buildcolorrendering1 /.builddevicecolorrendering1 + /.TransformPQR_scale_WB0 /.TransformPQR_scale_WB1 /.TransformPQR_scale_WB2 /.currentoverprintmode /.copydevice2 +-/.devicename /.doneshowpage /flushpage /.getbitsrect /.getdevice /.getdefaultdevice /.getdeviceparams /.gethardwareparams ++/.devicename /.doneshowpage /.getbitsrect /.getdevice /.getdefaultdevice /.getdeviceparams /.gethardwareparams + 
/makewordimagedevice /.outputpage /.putdeviceparams /.setdevice /.currentshowpagecount + /.setpagedevice /.currentpagedevice /.knownundef /.setmaxlength /.rectappend /.initialize_dsc_parser /.parse_dsc_comments + /.fillCIDMap /.fillIdentityCIDMap /.buildcmap /.filenamelistseparator /.libfile /.getfilename +@@ -2162,6 +2162,15 @@ SAFER { .setsafe } if + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath + ++% Used by a free user in the Library of Congress. Apparently this is used to ++% draw a partial page, which is then filled in by the results of a barcode ++% scanner and SQL database lookup. Its not clear to us exactly why this needs to be ++% done as a partial page, but its easiest to restore the operator, and it seems like ++% its a reasonably safe operator to restore, for the *very* few devices on which ++% it will have any effect. Currently this uses the 'sync_outptu' device method ++% to transfer the partial page, in future we may use a spec_op instead. ++%/flushpage ++ + % Used by our own test suite files + %/.fileposition %image-qa.ps + %/.makeoperator /.setCPSImode % gs_cet.ps diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec index 528d6d0..8f76361 100644 --- a/SPECS/ghostscript.spec +++ b/SPECS/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 31%{?dist}.1 +Release: 31%{?dist}.3 # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 
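Review bot: The new comment block in the `UndefinePostScriptOperators` list misspells the device method it refers to, `sync_outptu` should read `sync_output`, and its three `its` are contractions (`it's`). Since this comment is the only record of why `/flushpage` is left defined under SAFER, it is worth getting right; the functional change is the single-token removal of `/flushpage` from the list above it. The C implementation of flushpage that the comment describes is outside this patch, so what it actually touches on the device cannot be checked here.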
@@ -51,6 +51,7 @@ Patch34: ghostscript-raise-VMThreshold-limit.patch Patch35: ghostscript-fix-pxl-devices-printing.patch Patch36: ghostscript-more-than-11-elements-in-array.patch Patch41: ghostscript-remove-as-many-non-standard-operators-as-possible.patch +Patch47: ghostscript-restore-flushpage.patch # Security patches: # ----------------- @@ -66,8 +67,10 @@ Patch38: ghostscript-cve-2018-16509.patch Patch39: ghostscript-cve-2018-15910.patch Patch40: ghostscript-cve-2018-16542.patch Patch42: ghostscript-cve-2018-16511.patch -Patch43: ghostscript-cve-2018-15908.patch -Patch44: ghostscript-cve-2018-15909.patch +Patch43: ghostscript-cve-2018-16539.patch +Patch44: ghostscript-cve-2018-15908.patch +Patch45: ghostscript-cve-2018-15909.patch +Patch46: ghostscript-cve-2018-16863.patch # Upstream is not versioning the SONAME correctly, thus the rpmbuild is unable # to recognize we need a newer version of lcms2. This 'hackish' workaround @@ -283,12 +286,21 @@ rm -rf expat freetype icclib jasper jpeg lcms lcms2 libpng openjpeg zlib cups/li # CVE-2018-16511 (bug #1621383): %patch42 -p1 -# CVE-2018-15908 (bug #1621159): +# CVE-2018-16539 (bug #1649721): %patch43 -p1 -# CVE-2018-15909 (bug #1621381): +# CVE-2018-15908 (bug #1621159): %patch44 -p1 +# CVE-2018-15909 (bug #1621381): +%patch45 -p1 + +# CVE-2018-16863 (bug #1652901): +%patch46 -p1 + +# ghostscript update breaks xdvi (gs: Error: /undefined in flushpage) (bug #1654290): +%patch47 -p1 + # Remove pdfopt man pages which were mistakenly left in (bug #963882). rm man/{de/,}pdfopt.1 
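Review bot: Existing patch tags are renumbered (`Patch43` changes from the 15908 patch to the 16539 patch, `Patch44` from 15909 to 15908), which makes the tag names unstable across releases and harder to cross-reference with earlier changelog entries and bug reports; appending new tags instead, for example `Patch45: ghostscript-cve-2018-16539.patch` and `Patch46: ghostscript-cve-2018-16863.patch` with Patch43/44 left as they were, gives the same tree. The only ordering dependency visible here is that the 16863 patch's gs_init.ps hunks (`@@ -2083` onward) appear to have been generated with the 16539 patch already applied, since their numbers include the lines 16539 inserts at line 2015; the `%patch` lines in %prep should keep 16539 before 16863 whatever the numbering. The same renumbering appears in the %prep hunk later on this line.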
@@ -488,11 +500,20 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Wed Nov 28 2018 Martin Osvald - 9.07-31.el7_6.3 +- Resolves: #1654290 ghostscript update breaks xdvi (gs: Error: /undefined in flushpage) + +* Mon Nov 26 2018 Martin Osvald - 9.07-31.el7_6.2 +- Resolves: #1652901 - CVE-2018-16863 ghostscript: incomplete fix for + CVE-2018-16509 + * Wed Nov 14 2018 Martin Osvald - 9.07-31.el7_6.1 - Remove as many non-standard operators as possible to make the codebase closer to upstream for later CVEs - Resolves: #1621383 - CVE-2018-16511 ghostscript: missing type check in type checker (699659) +- Resolves: #1649721 - CVE-2018-16539 ghostscript: incorrect access checking + in temp file handling to disclose contents of files (699658) - Resolves: #1621159 - CVE-2018-15908 ghostscript: .tempfile file permission issues (699657) - Resolves: #1621381 - CVE-2018-15909 ghostscript: shading_param incomplete