From f1e96c1cee7e93cad229144be63606eef2b5e7f1 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 07 2019 15:57:22 +0000 Subject: import ghostscript-9.07-31.el7_6.11 --- diff --git a/SOURCES/ghostscript-cve-2019-3835.patch b/SOURCES/ghostscript-cve-2019-3835.patch index e09c605..873d762 100644 --- a/SOURCES/ghostscript-cve-2019-3835.patch +++ b/SOURCES/ghostscript-cve-2019-3835.patch @@ -30,8 +30,8 @@ https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d683d1e6450d74619e6277efe --- diff -up ghostscript-9.07/psi/icontext.c.cve-2019-3835 ghostscript-9.07/psi/icontext.c ---- ghostscript-9.07/psi/icontext.c.cve-2019-3835 2019-03-14 08:06:24.215719498 +0100 -+++ ghostscript-9.07/psi/icontext.c 2019-03-14 08:06:40.692519949 +0100 +--- ghostscript-9.07/psi/icontext.c.cve-2019-3835 2019-02-28 14:32:31.762961195 +0100 ++++ ghostscript-9.07/psi/icontext.c 2019-02-28 14:33:02.960552388 +0100 @@ -148,7 +148,6 @@ context_state_alloc(gs_context_state_t * pcst->rand_state = rand_state_initial; pcst->usertime_total = 0; @@ -41,8 +41,8 @@ diff -up ghostscript-9.07/psi/icontext.c.cve-2019-3835 ghostscript-9.07/psi/icon make_t(&pcst->error_object, t__invalid); { /* diff -up ghostscript-9.07/psi/icstate.h.cve-2019-3835 ghostscript-9.07/psi/icstate.h ---- ghostscript-9.07/psi/icstate.h.cve-2019-3835 2019-03-14 08:07:26.329967229 +0100 -+++ ghostscript-9.07/psi/icstate.h 2019-03-14 08:07:47.537710381 +0100 +--- ghostscript-9.07/psi/icstate.h.cve-2019-3835 2019-02-28 14:33:38.288089462 +0100 ++++ ghostscript-9.07/psi/icstate.h 2019-02-28 14:33:46.576980845 +0100 @@ -52,7 +52,6 @@ struct gs_context_state_s { long usertime_total; /* total accumulated usertime, */ /* not counting current time if running */ 
@@ -52,8 +52,8 @@ diff -up ghostscript-9.07/psi/icstate.h.cve-2019-3835 ghostscript-9.07/psi/icsta ref error_object; /* t__invalid or error object from operator */ ref userparams; /* t_dictionary */ diff -up ghostscript-9.07/psi/zcontrol.c.cve-2019-3835 ghostscript-9.07/psi/zcontrol.c ---- ghostscript-9.07/psi/zcontrol.c.cve-2019-3835 2019-03-14 08:08:02.356530913 +0100 -+++ ghostscript-9.07/psi/zcontrol.c 2019-03-14 08:08:51.888931020 +0100 +--- ghostscript-9.07/psi/zcontrol.c.cve-2019-3835 2019-02-28 14:34:07.694704120 +0100 ++++ ghostscript-9.07/psi/zcontrol.c 2019-02-28 14:34:44.573220870 +0100 @@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p) return o_push_estack; } @@ -99,8 +99,8 @@ diff -up ghostscript-9.07/psi/zcontrol.c.cve-2019-3835 ghostscript-9.07/psi/zcon {"0%end_runandhide", end_runandhide}, op_def_end(0) diff -up ghostscript-9.07/psi/zdict.c.cve-2019-3835 ghostscript-9.07/psi/zdict.c ---- ghostscript-9.07/psi/zdict.c.cve-2019-3835 2019-03-14 08:09:12.708678873 +0100 -+++ ghostscript-9.07/psi/zdict.c 2019-03-14 08:11:28.575033391 +0100 +--- ghostscript-9.07/psi/zdict.c.cve-2019-3835 2019-02-28 14:35:18.029782463 +0100 ++++ ghostscript-9.07/psi/zdict.c 2019-02-28 14:36:27.964866049 +0100 @@ -211,8 +211,7 @@ zundef(i_ctx_t *i_ctx_p) int code; @@ -122,8 +122,8 @@ diff -up ghostscript-9.07/psi/zdict.c.cve-2019-3835 ghostscript-9.07/psi/zdict.c if (op->value.intval < 0) return_error(e_rangecheck); diff -up ghostscript-9.07/psi/zgeneric.c.cve-2019-3835 ghostscript-9.07/psi/zgeneric.c ---- ghostscript-9.07/psi/zgeneric.c.cve-2019-3835 2019-03-14 08:11:52.593742496 +0100 -+++ ghostscript-9.07/psi/zgeneric.c 2019-03-14 08:12:24.319358265 +0100 +--- ghostscript-9.07/psi/zgeneric.c.cve-2019-3835 2019-02-28 14:36:54.684515917 +0100 ++++ ghostscript-9.07/psi/zgeneric.c 2019-02-28 14:37:44.859858421 +0100 @@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p) switch (r_type(op2)) { 
@@ -135,8 +135,8 @@ diff -up ghostscript-9.07/psi/zgeneric.c.cve-2019-3835 ghostscript-9.07/psi/zgen int code = idict_put(op2, op1, op); diff -up ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_cet.ps ---- ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835 2019-03-14 08:12:40.178166195 +0100 -+++ ghostscript-9.07/Resource/Init/gs_cet.ps 2019-03-14 08:16:26.875420666 +0100 +--- ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835 2019-02-28 14:24:02.885629428 +0100 ++++ ghostscript-9.07/Resource/Init/gs_cet.ps 2019-02-28 14:24:02.908629127 +0100 @@ -1,27 +1,22 @@ -%!PS % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET @@ -171,7 +171,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835 ghostscript-9.07 - /revision 0 put % match CPSI 3017.103 Tek shows revision 5 - /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461 - systemdict /deviceinfo undef % for CET 20-23-1 --} superexec +-} 1183615869 internaldict /superexec get exec - { } bind dup setblackgeneration @@ -183,30 +183,30 @@ diff -up ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3835 ghostscript-9.07 -//false 0 startjob pop % re-enter encapsulated mode +systemdict /.odef .undef diff -up ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_dps1.ps ---- ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3835 2019-03-14 08:16:53.023103986 +0100 -+++ ghostscript-9.07/Resource/Init/gs_dps1.ps 2019-03-14 08:17:53.611370192 +0100 +--- ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3835 2019-02-28 14:24:02.892629336 +0100 ++++ ghostscript-9.07/Resource/Init/gs_dps1.ps 2019-02-28 14:24:02.908629127 +0100 
@@ -86,7 +86,7 @@ level2dict begin % definition, copy it into the local directory. //systemdict /SharedFontDirectory .knownget { 1 index .knownget -- { //.FontDirectory 2 index 3 -1 roll { put } //superexec } % readonly +- { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly + { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly if } if diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_fonts.ps ---- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835 2019-03-14 08:18:37.485838827 +0100 -+++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2019-03-14 08:20:45.465288857 +0100 +--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835 2019-02-28 14:24:02.898629257 +0100 ++++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2019-02-28 14:24:02.908629127 +0100 @@ -501,11 +501,11 @@ buildfontdict 3 /.buildfont3 cvx put % the font in LocalFontDirectory. .currentglobal { //systemdict /LocalFontDirectory .knownget -- { 2 index 2 index { .growput } //superexec } % readonly +- { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly + { 2 index 2 index .forceput } % readonly if } if -- dup //.FontDirectory 4 -2 roll { .growput } //superexec % readonly +- dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly + dup //.FontDirectory 4 -2 roll .forceput % readonly % If the font originated as a resource, register it. currentfile .currentresourcefile eq { dup .registerfont } if 
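Review bot: The replacement lines for gs_dps1.ps and gs_fonts.ps place `.forceput` in procedure bodies that carry only a `% readonly` comment and no visible `executeonly`; the same holds for the two `.forceput` lines in the gs_type1.ps section further down. The description of ghostscript-cve-2019-3839-part1.patch, added by this same commit, says `.forceput` is meant to sit in procedures that cannot be read, so these would be expected to look like `{ //.FontDirectory 2 index 3 -1 roll .forceput } executeonly`. The enclosing procedures start and end outside the hunk, so confirm whether an outer `executeonly` already covers them. These lines also use the bare name, while the later gs_fonts.ps line uses `//.forceput exec`. The bare form only resolves if the procedure is bound before gs_init.ps reaches `systemdict /.forceput .undef` under `DELAYBIND not`.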
@@ -215,7 +215,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835 ghostscript-9. //.FontDirectory 1 index known not { 2 dict dup /FontName 3 index put dup /FontType 1 put -- //.FontDirectory 3 1 roll { put } //superexec % readonly +- //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly + //.FontDirectory 3 1 roll //.forceput exec % readonly } { pop @@ -227,27 +227,27 @@ diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3835 ghostscript-9. % Install initial fonts from Fontmap. diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_init.ps ---- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3835 2019-03-14 08:21:08.923004756 +0100 -+++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-03-14 08:23:18.726432696 +0100 +--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3835 2019-02-28 14:24:02.906629153 +0100 ++++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-02-28 14:29:40.355207303 +0100 @@ -2125,9 +2125,6 @@ SAFER { .setsafe } if - /.endtransparencygroup % transparency-example.ps - /.setdotlength % Bug687720.ps - /.sort /.setdebug /.mementolistnewblocks /getenv + /.endtransparencygroup % transparency-example.ps + /.setdotlength % Bug687720.ps + /.sort /.setdebug /.mementolistnewblocks /getenv - --/.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER +- /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER - - /unread - ] - {systemdict exch .forceundef} forall + /unread + ] + {systemdict exch .forceundef} forall 
@@ -2206,7 +2203,6 @@ SAFER { .setsafe } if - % Used by our own test suite files - %/.fileposition %image-qa.ps --%/.makeoperator /.setCPSImode % gs_cet.ps + % Used by our own test suite files + %/.fileposition %image-qa.ps +- %/.makeoperator /.setCPSImode % gs_cet.ps - % Either our code uses these in ways which mean they can't be undefined, or they are used directly by - % test files/utilities, or engineers expressed a desire to keep them visible. -@@ -2383,6 +2379,16 @@ end + % Either our code uses these in ways which mean they can't be undefined, or they are used directly by + % test files/utilities, or engineers expressed a desire to keep them visible. +@@ -2400,6 +2396,16 @@ end /vmreclaim where { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if } if @@ -264,31 +264,31 @@ diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3835 ghostscript-9.0 DELAYBIND not { systemdict /.bindnow .undef % We only need this for DELAYBIND systemdict /.forcecopynew .undef % remove temptation -@@ -2390,11 +2396,6 @@ DELAYBIND not { +@@ -2407,11 +2413,6 @@ DELAYBIND not { systemdict /.forceput .undef % ditto systemdict /.forceundef .undef % ditto } if -% Move superexec to internaldict if superexec is defined. --currentdict /superexec .knownget { +-systemdict /superexec .knownget { - 1183615869 internaldict /superexec 3 -1 roll put -- currentdict /superexec .undef +- systemdict /superexec .undef -} if % Can't remove this one until the last minute :-) systemdict /.undef .undef diff -up ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3835 ghostscript-9.07/Resource/Init/gs_type1.ps ---- ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3835 2019-03-14 08:23:35.960223978 +0100 -+++ ghostscript-9.07/Resource/Init/gs_type1.ps 2019-03-14 08:25:47.363632945 +0100 +--- ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3835 2019-02-28 14:24:02.886629415 +0100 ++++ ghostscript-9.07/Resource/Init/gs_type1.ps 2019-02-28 14:24:02.909629113 +0100 
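Review bot: Removing `/.makeoperator /.setCPSImode` from the undefine list in the gs_init.ps section leaves both names defined under -dSAFER unless something else removes them. The part1 patch text on this page shows that list to be SAFERUndefinePostScriptOperators. The inner hunk `@@ -2400,6 +2396,16 @@` adds ten lines that are not shown here, so it cannot be confirmed from this hunk that they undefine the two operators once gs_cet.ps has run. A comment at the list would make that dependency checkable, for example `% .makeoperator and .setCPSImode are undefined later, before the DELAYBIND block`. If the added lines do not cover both names, they should go back into the list.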
@@ -66,11 +66,11 @@ 2 index 1 index known { pop pop } { -- 3 1 roll get //.growput superexec dup dup +- 3 1 roll get //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse dup dup + 3 1 roll get .forceput dup dup } ifelse } { 2 index 1 index known { -- exch 3 1 roll get //.growput superexec dup dup +- exch 3 1 roll get //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse dup dup + exch 3 1 roll get .forceput dup dup } { pop pop diff --git a/SOURCES/ghostscript-cve-2019-3839-part1.patch b/SOURCES/ghostscript-cve-2019-3839-part1.patch new file mode 100644 index 0000000..73f2e01 --- /dev/null +++ b/SOURCES/ghostscript-cve-2019-3839-part1.patch 
@@ -0,0 +1,564 @@ +From: Ken Sharp +Date: Tue, 25 Apr 2017 16:08:26 +0000 (+0100) +Subject: PS interpreter - remove superexec from systemdict + +PS interpreter - remove superexec from systemdict + +This looks like bit rot, superexec was meant to have been undefined from +systemdict, and moved to internaldict, but the code only executed if +superexec was defined in the current dictionary. It seems that at some +time in the past the order of execution was changed in such a way that +the current dictionary at that point was no longer systemdict. + +So instead of checking currentdict, explicitly check systemdict. + +This means changing our gs_cet.ps file which we use for the Quality +Logic CET (Command Emulation Test) suite so that it can find superexec +and use it to set up our environment in a specific fashion, to prevent +spurious differences when running the tests. + +If sueperexec isn't available when we run the CET tests we'll get an +error, which sounds like a good idea, hopefully we'll notice that. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8556b698892e4706aa0b9d996bec82fed645eaa5 + +From: Ken Sharp +Date: Sat, 17 Jun 2017 13:27:06 +0000 (+0100) +Subject: PS interpreter - fix use of superexec with DELAYBIND + +PS interpreter - fix use of superexec with DELAYBIND + +Commit 8556b698892e4706aa0b9d996bec82fed645eaa5 removed superexec from +systemdict, leaving it in internaldict, where it should be. However, +if we run with DELAYBIND then by the time we come to bind the procedures +which use superexec the definition in systemdict is gone. + +Technically this shouldn't be a problem, as we should be using the version +in internaldict. But if we do that, without DELAYBIND the internaldict +definition isn't present, because we haven't copied it yet.... + +So now we look for the presence of superexec in systemdict and use that +one if its present, otherwise we assume its in internaldict and use +that instead. 
+ +Unfortunately the use of DELAYBIND interferes with the cluster testing +causing thousands of files to fail. I've run a random selection of them +locally in a normal setup and they work, I guess we'll just have to +hope for the best and fix any problems as they are reported. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c294b131ea270cea5d66c9b0a6ea61d3a69a20a0 + +From: Ray Johnston +Date: Wed, 29 Aug 2018 16:30:19 +0000 (-0700) +Subject: Fix for security issues found during internal security audit + +Fix for security issues found during internal security audit + +While most of the invocations of .forceput and related operators were +"protected" by being within "executeonly" procedures, several had crept +in that did not make sure that the operator was hidden in a procedure +that could not be read. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c98cb5237c983e363fe05757b2639eab550499e8 + +From: Nancy Durgin +Date: Tue, 13 Nov 2018 22:23:41 +0000 (-0800) +Subject: Undefine some level2-related operators + +Undefine some level2-related operators + +These are only a partial set. Undefine them in both the level2dict and +systemdict. They are undef'd in gs_init.ps because they are used outside +the scope of just gs_lev2.ps + + /.execform1 + /.getdevparams + /.setuserparams2 + /.startjob + /.checkFilePermitparams + /.checksetparams + /.copyparam + /.setpagesize + +Rename .dict1 to .pair2dict and use immediate reference. 
+ +Undef these at end of gs_lev2.ps (should never make it into systemdict): + /.pair2dict + /.checkprocesscomment + +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fe4c47d8e25d6366ecbb5ff487348148b908a89e +--- + +diff -up ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3839-part1 ghostscript-9.07/Resource/Init/gs_cet.ps +--- ghostscript-9.07/Resource/Init/gs_cet.ps.cve-2019-3839-part1 2019-02-27 07:32:54.469246630 +0100 ++++ ghostscript-9.07/Resource/Init/gs_cet.ps 2019-02-27 07:35:20.114364074 +0100 +@@ -20,7 +20,7 @@ currentglobal //true setglobal + /revision 0 put % match CPSI 3017.103 Tek shows revision 5 + /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461 + systemdict /deviceinfo undef % for CET 20-23-1 +-} superexec ++} 1183615869 internaldict /superexec get exec + + { } bind dup + setblackgeneration +diff -up ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3839-part1 ghostscript-9.07/Resource/Init/gs_dps1.ps +--- ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-3839-part1 2019-02-27 07:44:11.371487238 +0100 ++++ ghostscript-9.07/Resource/Init/gs_dps1.ps 2019-02-27 07:44:56.922883917 +0100 +@@ -86,7 +86,7 @@ level2dict begin + % definition, copy it into the local directory. + //systemdict /SharedFontDirectory .knownget + { 1 index .knownget +- { .FontDirectory 2 index 3 -1 roll { put } //superexec } % readonly ++ { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly + if + } + if +diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3839-part1 ghostscript-9.07/Resource/Init/gs_fonts.ps +--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-3839-part1 2019-02-27 07:45:31.420426999 +0100 ++++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2019-02-27 07:47:16.440036018 +0100 +@@ -501,11 +501,11 @@ buildfontdict 3 /.buildfont3 cvx put + % the font in LocalFontDirectory. 
+ .currentglobal + { //systemdict /LocalFontDirectory .knownget +- { 2 index 2 index { .growput } //superexec } % readonly ++ { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly + if + } + if +- dup .FontDirectory 4 -2 roll { .growput } //superexec % readonly ++ dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly + % If the font originated as a resource, register it. + currentfile .currentresourcefile eq { dup .registerfont } if + readonly +@@ -1149,7 +1149,7 @@ currentdict /.putgstringcopy .forceundef + .FontDirectory 1 index known not { + 2 dict dup /FontName 3 index put + dup /FontType 1 put +- .FontDirectory 3 1 roll { put } //superexec % readonly ++ .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly + } { + pop + } ifelse +diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3839-part1 ghostscript-9.07/Resource/Init/gs_init.ps +--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3839-part1 2019-02-27 07:36:30.132459049 +0100 ++++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-02-27 12:11:55.798721262 +0100 +@@ -2111,139 +2111,157 @@ currentdict /tempfilepaths undef + SAFER { .setsafe } if + + /SAFERUndefinePostScriptOperators { +-[ +-% Used by our own test suite files +-/.pushpdf14devicefilter % transparency-example.ps +-/.poppdf14devicefilter % transparency-example.ps +-/.setopacityalpha % transparency-example.ps +-/.setshapealpha % transparency-example.ps +-/.endtransparencygroup % transparency-example.ps +-/.setdotlength % Bug687720.ps +-/.sort /.setdebug /.mementolistnewblocks /getenv +- +-/.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER +- +-/unread +-] +-{systemdict exch .forceundef} forall ++ [ ++ % Used by our own test suite files ++ 
/.pushpdf14devicefilter % transparency-example.ps ++ /.poppdf14devicefilter % transparency-example.ps ++ /.setopacityalpha % transparency-example.ps ++ /.setshapealpha % transparency-example.ps ++ /.endtransparencygroup % transparency-example.ps ++ /.setdotlength % Bug687720.ps ++ /.sort /.setdebug /.mementolistnewblocks /getenv ++ ++ /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER ++ ++ /unread ++ ] ++ {systemdict exch .forceundef} forall + +-//systemdict /SAFERUndefinePostScriptOperators .forceundef +-}bind def ++ //systemdict /SAFERUndefinePostScriptOperators .forceundef ++} .bind executeonly def % must be bound and hidden for .forceundef + + /UndefinePostScriptOperators { + +-%% This list is of Display PostScript operators. We believe that Display PostScript +-%% was never fully implemented and the only known user, GNUStep, is no longer +-%% using it. So lets remove it. +-[ +-/condition /currentcontext /detach /.fork /join /.localfork /lock /monitor /notify +-/wait /yield /.currentscreenphase /.setscreenphase /.image2 /eoviewclip /initviewclip +-/viewclip /viewclippath /defineusername +-%% NeXT DPS extensions +-/currentalpha /setalpha /.alphaimage /composite /compositerect /dissolve /sizeimagebox /.sizeimageparams +-] +-{systemdict exch .forceundef} forall +- +-%% This list is of operators which no longer appear to be used, and which we do not believe +-%% to have any real use. For now we will undefine the operstors so they cannot easily be used +-%% but can be easily restored (just delete the name from the list in the array). In future +-%% we may remove the operator and the code implementation entirely. 
+-[ +-/.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter +-/.execfile /.filenamesplit /.file_name_parent +-/.setdefaultmatrix /.isprocfilter /.unread /.psstringencode +-/.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength +-/.currentlimitclamp /.dotorientation /.setaccuratecurves /.setcurvejoin /.setdashadapt /.setdotorientation +-/.setlimitclamp /.currentscreenlevels /.dashpath /.pathbbox /.identeq /.identne /.tokenexec /.forgetsave /.pantonecallback +- +-%% Used by our own test suite files +-%%/.setdotlength % Bug687720.ps +-] +-{systemdict exch .forceundef} forall +- +-%% This list of operators are used internally by various parts of the Ghostscript startup code. +-%% Since each operator is a potential security vulnerability, and any operator listed here +-%% is not required once the initislisation is complete and functions are bound, we undefine +-%% the ones that aren't needed at runtime. +-[ +-/.callinstall /.callbeginpage /.callendpage +-/.currentstackprotect /.setstackprotect /.errorexec /.finderrorobject /.installsystemnames /.bosobject /.fontbbox +-/.type1execchar /.type2execchar /.type42execchar /.setweightvector /.getuseciecolor /processcolors /.includecolorspace +-/.execn /.instopped /.stop /.stopped /.setcolorrendering /.setdevicecolorrendering /.buildcolorrendering1 /.builddevicecolorrendering1 +-/.TransformPQR_scale_WB0 /.TransformPQR_scale_WB1 /.TransformPQR_scale_WB2 /.currentoverprintmode /.copydevice2 +-/.devicename /.doneshowpage /.getbitsrect /.getdevice /.getdefaultdevice /.getdeviceparams /.gethardwareparams +-/makewordimagedevice /.outputpage /.putdeviceparams /.setdevice /.currentshowpagecount +-/.setpagedevice /.currentpagedevice /.knownundef /.setmaxlength /.rectappend /.initialize_dsc_parser /.parse_dsc_comments +-/.fillCIDMap /.fillIdentityCIDMap /.buildcmap /.filenamelistseparator /.libfile /.getfilename +-/.file_name_combine /.file_name_is_absolute 
/.file_name_separator /.file_name_directory_separator /.file_name_current /.filename +-/.peekstring /.writecvp /.subfiledecode /.setupUnicodeDecoder /.jbig2makeglobalctx /.registerfont /.parsecff +-/.getshowoperator /.getnativefonts /.beginform /.endform /.get_form_id /.repeatform /.reusablestream /.rsdparams +-/.buildfunction /.currentfilladjust2 /.setfilladjust2 /.sethpglpathmode /.currenthpglpathmode +-/.currenthalftone /.sethalftone5 /.image1 /.imagemask1 /.image3 /.image4 +-/.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize +-/.oserrno /.setoserrno /.oserrorstring /.getCPSImode +-/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep +-/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern +-/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring +-/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile +-/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams +-/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice +-/.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack /.applypolicies +- +-% Used by a free user in the Library of Congress. Apparently this is used to +-% draw a partial page, which is then filled in by the results of a barcode +-% scanner and SQL database lookup. 
Its not clear to us exactly why this needs to be +-% done as a partial page, but its easiest to restore the operator, and it seems like +-% its a reasonably safe operator to restore, for the *very* few devices on which +-% it will have any effect. Currently this uses the 'sync_outptu' device method +-% to transfer the partial page, in future we may use a spec_op instead. +-%/flushpage +- +-% Used by our own test suite files +-%/.fileposition %image-qa.ps +-%/.makeoperator /.setCPSImode % gs_cet.ps +- +-% Either our code uses these in ways which mean they can't be undefined, or they are used directly by +-% test files/utilities, or engineers expressed a desire to keep them visible. +-% +-%/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11 +-%/.buildfont32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors +-%/currentdevice /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget +-%/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9 +-%/.tempfile /.numicc_components /.set_outputintent /.max /.min /.vmreclaim /.getpath /.setglobal +-%/.setdebug /.mementolistnewblocks /getenv +-] +-{systemdict exch .forceundef} forall ++ %% This list is of Display PostScript operators. We believe that Display PostScript ++ %% was never fully implemented and the only known user, GNUStep, is no longer ++ %% using it. So lets remove it. 
++ [ ++ /condition /currentcontext /detach /.fork /join /.localfork /lock /monitor /notify ++ /wait /yield /.currentscreenphase /.setscreenphase /.image2 /eoviewclip /initviewclip ++ /viewclip /viewclippath /defineusername ++ %% NeXT DPS extensions ++ /currentalpha /setalpha /.alphaimage /composite /compositerect /dissolve /sizeimagebox /.sizeimageparams ++ ] ++ {systemdict exch .forceundef} forall ++ ++ %% This list is of operators which no longer appear to be used, and which we do not believe ++ %% to have any real use. For now we will undefine the operstors so they cannot easily be used ++ %% but can be easily restored (just delete the name from the list in the array). In future ++ %% we may remove the operator and the code implementation entirely. ++ [ ++ /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter ++ /.execfile /.filenamesplit /.file_name_parent ++ /.setdefaultmatrix /.isprocfilter /.unread /.psstringencode ++ /.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength ++ /.currentlimitclamp /.dotorientation /.setaccuratecurves /.setcurvejoin /.setdashadapt /.setdotorientation ++ /.setlimitclamp /.currentscreenlevels /.dashpath /.pathbbox /.identeq /.identne /.tokenexec /.forgetsave /.pantonecallback ++ ++ %% Used by our own test suite files ++ %%/.setdotlength % Bug687720.ps ++ ] ++ {systemdict exch .forceundef} forall ++ ++ %% This list of operators are used internally by various parts of the Ghostscript startup code. ++ %% Since each operator is a potential security vulnerability, and any operator listed here ++ %% is not required once the initislisation is complete and functions are bound, we undefine ++ %% the ones that aren't needed at runtime. 
++ [ ++ /.callinstall /.callbeginpage /.callendpage ++ /.currentstackprotect /.setstackprotect /.errorexec /.finderrorobject /.installsystemnames /.bosobject /.fontbbox ++ /.type1execchar /.type2execchar /.type42execchar /.setweightvector /.getuseciecolor /processcolors /.includecolorspace ++ /.execn /.instopped /.stop /.stopped /.setcolorrendering /.setdevicecolorrendering /.buildcolorrendering1 /.builddevicecolorrendering1 ++ /.TransformPQR_scale_WB0 /.TransformPQR_scale_WB1 /.TransformPQR_scale_WB2 /.currentoverprintmode /.copydevice2 ++ /.devicename /.doneshowpage /.getbitsrect /.getdevice /.getdefaultdevice /.getdeviceparams /.gethardwareparams ++ /makewordimagedevice /.outputpage /.putdeviceparams /.setdevice /.currentshowpagecount ++ /.setpagedevice /.currentpagedevice /.knownundef /.setmaxlength /.rectappend /.initialize_dsc_parser /.parse_dsc_comments ++ /.fillCIDMap /.fillIdentityCIDMap /.buildcmap /.filenamelistseparator /.libfile /.getfilename ++ /.file_name_combine /.file_name_is_absolute /.file_name_separator /.file_name_directory_separator /.file_name_current /.filename ++ /.peekstring /.writecvp /.subfiledecode /.setupUnicodeDecoder /.jbig2makeglobalctx /.registerfont /.parsecff ++ /.getshowoperator /.getnativefonts /.beginform /.endform /.get_form_id /.repeatform /.reusablestream /.rsdparams ++ /.buildfunction /.currentfilladjust2 /.setfilladjust2 /.sethpglpathmode /.currenthpglpathmode ++ /.currenthalftone /.sethalftone5 /.image1 /.imagemask1 /.image3 /.image4 ++ /.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize ++ /.oserrno /.setoserrno /.oserrorstring /.getCPSImode ++ /.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep ++ /.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern ++ /.shfill /.argindex /.bytestring 
/.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring ++ /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile ++ /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams ++ /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice ++ /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack /.applypolicies ++ ++ % Used by a free user in the Library of Congress. Apparently this is used to ++ % draw a partial page, which is then filled in by the results of a barcode ++ % scanner and SQL database lookup. Its not clear to us exactly why this needs to be ++ % done as a partial page, but its easiest to restore the operator, and it seems like ++ % its a reasonably safe operator to restore, for the *very* few devices on which ++ % it will have any effect. Currently this uses the 'sync_outptu' device method ++ % to transfer the partial page, in future we may use a spec_op instead. ++ %/flushpage ++ ++ % Used by our own test suite files ++ %/.fileposition %image-qa.ps ++ %/.makeoperator /.setCPSImode % gs_cet.ps ++ ++ % Either our code uses these in ways which mean they can't be undefined, or they are used directly by ++ % test files/utilities, or engineers expressed a desire to keep them visible. 
++ % ++ %/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11 ++ %/.buildfont32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors ++ %/currentdevice /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget ++ %/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9 ++ %/.tempfile /.numicc_components /.set_outputintent /.max /.min /.vmreclaim /.getpath /.setglobal ++ %/.setdebug /.mementolistnewblocks /getenv ++ ] ++ {systemdict exch .forceundef} forall ++ ++ % level 2 operators, undefine from both systemdict and level2dict ++ [ ++ /.execform1 ++ /.getdevparams ++ /.setuserparams2 ++ /.startjob ++ /.checkFilePermitparams ++ /.checksetparams ++ /.copyparam ++ /.setpagesize ++ ++% Couldn't figure out how to do these yet ++% /.checkparamtype ++% /.startnewjob ++ ] ++ dup {level2dict exch .forceundef} forall ++ {systemdict exch .forceundef} forall + +-//systemdict /UndefinePostScriptOperators .forceundef +-} bind def ++ //systemdict /UndefinePostScriptOperators .forceundef ++} .bind executeonly def % must be bound and hidden for .forceundef + + /UndefinePDFOperators { +-%% This list of operators are used internally by various parts of the Ghostscript PDF interpreter. +-%% Since each operator is a potential security vulnerability, and any operator listed here +-%% is not required once the initislisation is complete and functions are bound, we undefine +-%% the ones that aren't needed at runtime. 
+-[ +-/.pdfawidthshow /.pdfwidthshow +-/.setfillcolor /.setfillcolorspace /.setstrokecolor /.setstrokecolorspace /.currentrenderingintent /.setrenderingintent +-/.currenttextrenderingmode /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading +-/.settextrise /.currenttextrise /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling +-/.settextlinematrix /.currenttextlinematrix /.currenttextmatrix /.settextmatrix /.currentblendmode +-/.currentopacityalpha /.currentshapealpha /.currenttextknockout +-/.pushextendedgstate /.popextendedgstate /.begintransparencytextgroup +-/.endtransparencytextgroup /.begintransparencymaskgroup /.begintransparencymaskimage /.endtransparencymask /.image3x +-/.abortpdf14devicefilter /.pdfinkpath /.pdfFormName /.setstrokeconstantalpha +-/.setfillconstantalpha /.setalphaisshape /.currentalphaisshape +-/.settextspacing /.currenttextspacing /.settextleading /.currenttextleading /.settextrise /.currenttextrise +-/.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling +- +-% undefining these causes errors/incorrect output +-%/.settextrenderingmode /.setblendmode /.begintransparencygroup /.settextknockout /check_r6_password /.setstrokeoverprint /.setfilloverprint +-%/.currentstrokeoverprint /.currentfilloverprint /.currentfillconstantalpha /.currentstrokeconstantalpha +-] +-{systemdict exch .forceundef} forall +-//systemdict /UndefinePDFOperators .forceundef +-} bind def ++ %% This list of operators are used internally by various parts of the Ghostscript PDF interpreter. ++ %% Since each operator is a potential security vulnerability, and any operator listed here ++ %% is not required once the initislisation is complete and functions are bound, we undefine ++ %% the ones that aren't needed at runtime. 
++ [ ++ /.pdfawidthshow /.pdfwidthshow ++ /.setfillcolor /.setfillcolorspace /.setstrokecolor /.setstrokecolorspace /.currentrenderingintent /.setrenderingintent ++ /.currenttextrenderingmode /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading ++ /.settextrise /.currenttextrise /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling ++ /.settextlinematrix /.currenttextlinematrix /.currenttextmatrix /.settextmatrix /.currentblendmode ++ /.currentopacityalpha /.currentshapealpha /.currenttextknockout ++ /.pushextendedgstate /.popextendedgstate /.begintransparencytextgroup ++ /.endtransparencytextgroup /.begintransparencymaskgroup /.begintransparencymaskimage /.endtransparencymask /.image3x ++ /.abortpdf14devicefilter /.pdfinkpath /.pdfFormName /.setstrokeconstantalpha ++ /.setfillconstantalpha /.setalphaisshape /.currentalphaisshape ++ /.settextspacing /.currenttextspacing /.settextleading /.currenttextleading /.settextrise /.currenttextrise ++ /.setwordspacing /.currentwordspacing /.settexthscaling /.currenttexthscaling ++ ++ % undefining these causes errors/incorrect output ++ %/.settextrenderingmode /.setblendmode /.begintransparencygroup /.settextknockout /check_r6_password /.setstrokeoverprint /.setfilloverprint ++ %/.currentstrokeoverprint /.currentfilloverprint /.currentfillconstantalpha /.currentstrokeconstantalpha ++ ] ++ {systemdict exch .forceundef} forall ++ //systemdict /UndefinePDFOperators .forceundef ++} .bind executeonly def % must be bound and hidden for .forceundef + + % If we delayed binding, make it possible to do it later. + /.bindnow { +@@ -2386,9 +2404,9 @@ DELAYBIND not { + systemdict /.forceundef .undef % ditto + } if + % Move superexec to internaldict if superexec is defined. 
+-currentdict /superexec .knownget { ++systemdict /superexec .knownget { + 1183615869 internaldict /superexec 3 -1 roll put +- currentdict /superexec .undef ++ systemdict /superexec .undef + } if + + %% Can't remove this one until the last minute :-) +diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-3839-part1 ghostscript-9.07/Resource/Init/gs_lev2.ps +--- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-3839-part1 2019-02-27 12:14:12.442926989 +0100 ++++ ghostscript-9.07/Resource/Init/gs_lev2.ps 2019-02-27 12:54:04.228526320 +0100 +@@ -64,7 +64,7 @@ level2dict begin + pop + } ifelse pop pop + } forall pop pop +-} .bind def % not odef, shouldn't reset stacks ++} .bind odef + + % currentuser/systemparams creates and returns a dictionary in the + % current VM. The easiest way to make this work is to copy any composite +@@ -101,7 +101,7 @@ level2dict begin + 1 index length string exch .setglobal + copy exch not { readonly } if + } if +-} .bind def ++} .bind odef + + % Some user parameters are managed entirely at the PostScript level. + % We take care of that here. +@@ -343,13 +343,13 @@ end + } ifelse + } .bind def + /ProcessComment //null .definepsuserparam +-psuserparams /ProcessComment {.checkprocesscomment} put ++psuserparams /ProcessComment {//.checkprocesscomment exec} put + (%ProcessComment) cvn { + /ProcessComment getuserparam + dup //null eq { pop pop pop } { exec } ifelse + } bind def + /ProcessDSCComment //null .definepsuserparam +-psuserparams /ProcessDSCComment {.checkprocesscomment} put ++psuserparams /ProcessDSCComment {//.checkprocesscomment exec} put + /.loadingfont //false def + (%ProcessDSCComment) cvn { + /ProcessDSCComment getuserparam +@@ -554,7 +554,8 @@ end % serverdict + % Note that statusdict must be allocated in local VM. + % We don't bother with many of these yet. 
+ +-/.dict1 { exch mark 3 1 roll .dicttomark } bind def ++% convenience function to make a dictionary from an object and a key ++/.pair2dict { exch mark 3 1 roll .dicttomark } bind def + + currentglobal //false setglobal 25 dict exch setglobal begin + currentsystemparams +@@ -567,11 +568,11 @@ systemdict /buildtime dup load put + /checkpassword { .checkpassword 0 gt } bind def + dup /DoStartPage known + { /dostartpage { /DoStartPage getsystemparam } bind def +- /setdostartpage { /DoStartPage .dict1 setsystemparams } bind def ++ /setdostartpage { /DoStartPage //.pair2dict exec setsystemparams } bind def + } if + dup /StartupMode known + { /dosysstart { /StartupMode getsystemparam 0 ne } bind def +- /setdosysstart { { 1 } { 0 } ifelse /StartupMode .dict1 setsystemparams } bind def ++ /setdosysstart { { 1 } { 0 } ifelse /StartupMode //.pair2dict exec setsystemparams } bind def + } if + %****** Setting jobname is supposed to set userparams.JobName, too. + /jobname { /JobName getuserparam } bind def +@@ -579,7 +580,7 @@ dup /StartupMode known + /ramsize { /RamSize getsystemparam } bind def + /realformat 1 index /RealFormat get def + dup /PrinterName known +- { /setprintername { /PrinterName .dict1 setsystemparams } bind def ++ { /setprintername { /PrinterName //.pair2dict exec setsystemparams } bind def + } if + /printername + { currentsystemparams /PrinterName .knownget not { () } if exch copy +@@ -614,12 +615,12 @@ currentuserparams /WaitTimeout known + .dicttomark setpagedevice + /WaitTimeout exch mark /JobTimeout 5 2 roll .dicttomark setsystemparams + } bind def +-/.setpagesize { 2 array astore /PageSize .dict1 setpagedevice } bind def +-/setduplexmode { /Duplex .dict1 setpagedevice } bind def ++/.setpagesize { 2 array astore /PageSize //.pair2dict exec setpagedevice } bind def ++/setduplexmode { /Duplex //.pair2dict exec setpagedevice } bind def + /setmargins +- { exch 2 array astore /Margins .dict1 setpagedevice ++ { exch 2 array astore /Margins //.pair2dict exec 
setpagedevice + } bind def +-/setpagemargin { 0 2 array astore /PageOffset .dict1 setpagedevice } bind def ++/setpagemargin { 0 2 array astore /PageOffset //.pair2dict exec setpagedevice } bind def + /setpageparams + { mark /PageSize 6 -2 roll + 4 index 1 and ORIENT1 { 1 } { 0 } ifelse ne { exch } if 2 array astore +@@ -628,7 +629,7 @@ currentuserparams /WaitTimeout known + .dicttomark setpagedevice + } bind def + /setresolution +- { dup 2 array astore /HWResolution .dict1 setpagedevice ++ { dup 2 array astore /HWResolution //.pair2dict exec setpagedevice + } bind def + %END PAGEDEVICE + +@@ -1076,3 +1077,10 @@ def + %END TN 5044 psuedo-ops + + end % level2dict ++ ++% undefine things defined in this file and not referenced elsewhere ++[ ++ /.checkprocesscomment ++ /.pair2dict ++] ++{level2dict exch .forceundef} forall +diff -up ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3839-part1 ghostscript-9.07/Resource/Init/gs_type1.ps +--- ghostscript-9.07/Resource/Init/gs_type1.ps.cve-2019-3839-part1 2019-02-27 09:28:21.973106203 +0100 ++++ ghostscript-9.07/Resource/Init/gs_type1.ps 2019-02-27 10:30:47.260979260 +0100 +@@ -66,11 +66,11 @@ + 2 index 1 index known { + pop pop + } { +- 3 1 roll get //.growput superexec dup dup ++ 3 1 roll get //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse dup dup + } ifelse + } { + 2 index 1 index known { +- exch 3 1 roll get //.growput superexec dup dup ++ exch 3 1 roll get //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse dup dup + } { + pop pop + } ifelse diff --git a/SOURCES/ghostscript-cve-2019-3839-part2.patch b/SOURCES/ghostscript-cve-2019-3839-part2.patch new file mode 100644 index 0000000..893d466 --- /dev/null +++ b/SOURCES/ghostscript-cve-2019-3839-part2.patch 
@@ -0,0 +1,248 @@ +From: Nancy Durgin +Date: Wed, 23 Jan 2019 20:00:30 +0000 (-0800) +Subject: Fixed bug caused by the way .checksetparams was undef'd + +Fixed bug caused by the way .checksetparams was undef'd + +Previously, had undef'd it by making it an operator. +Now just use an immediate reference and undef it in the gs_lev2.ps file. + +This fixes bug introduced in commit fe4c47d8e25d6366ecbb5ff487348148b908a89e. + +Undef'ing .checksetparams by making it an operator doesn't work right because +errors report .checksetparams as the offending function instead of +the operator that uses it (setsystemparams in this case). + +This caused an error in file /tests_private/ps/ps3cet/27-09.PS on page 3, +where it reports the offending function of some error-handling tests. +Reporting function should be 'setsystemparams', not '.checksetparams' on +this page. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e7ff64cf9b756278f19c87d295ee0fd95c955c05 + +From: Ray Johnston +Date: Thu, 31 Jan 2019 19:31:30 +0000 (-0800) +Subject: Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp). + +Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp). + +We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict +where needed so we can undef it after the last PDF interp file has +run (pdf_sec.ps). 
+ +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9 +--- + +diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/gs_init.ps +--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-3839-part2 2019-02-28 08:33:56.995374504 +0100 ++++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-02-28 08:34:35.073879701 +0100 +@@ -2222,7 +2222,6 @@ SAFER { .setsafe } if + /.setuserparams2 + /.startjob + /.checkFilePermitparams +- /.checksetparams + /.copyparam + /.setpagesize + +diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/gs_lev2.ps +--- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-3839-part2 2019-02-28 08:35:01.038542311 +0100 ++++ ghostscript-9.07/Resource/Init/gs_lev2.ps 2019-02-28 08:38:44.266647686 +0100 +@@ -64,7 +64,7 @@ level2dict begin + pop + } ifelse pop pop + } forall pop pop +-} .bind odef ++} .bind def + + % currentuser/systemparams creates and returns a dictionary in the + % current VM. The easiest way to make this work is to copy any composite +@@ -129,7 +129,7 @@ end + /.setuserparams2 { + % Check that we will be able to set the PostScript-level + % user parameters. +- /setuserparams /psuserparams .systemvar .checksetparams ++ /setuserparams /psuserparams .systemvar //.checksetparams exec + % Set the C-level user params. If this succeeds, we know that + % the password check succeeded. + dup .setuserparams +@@ -211,7 +211,7 @@ end + } if + /setsystemparams //pssystemparams mark exch { + type cvlit /.checkparamtype cvx 2 packedarray cvx +- } forall .dicttomark .checksetparams ++ } forall .dicttomark //.checksetparams exec + % Set the C-level system params. If this succeeds, we know that + % the password check succeeded. 
+ dup .setsystemparams +@@ -1083,5 +1083,6 @@ end % level2dict + [ + /.checkprocesscomment + /.pair2dict ++ /.checksetparams + ] + {level2dict exch .forceundef} forall +diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_base.ps +--- ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-3839-part2 2019-02-28 08:51:17.876974739 +0100 ++++ ghostscript-9.07/Resource/Init/pdf_base.ps 2019-02-28 08:53:47.343056275 +0100 +@@ -23,7 +23,6 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse + pdfdict begin + + % Define the name interpretation dictionary for reading values. +@@ -125,11 +124,11 @@ currentdict /num-chars-dict .undef + + /.pdfexectoken { % .pdfexectoken ? + PDFDEBUG { +- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if ++ //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if + PDFSTEP { +- pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput ++ //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput + PDFSTEPcount 1 gt { +- pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput ++ //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput + } executeonly + { + dup ==only +@@ -137,10 +136,10 @@ currentdict /num-chars-dict .undef + ( ? 
) print flush 1 //false .outputpage + (%stdin) (r) file 255 string readline { + token { +- exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput ++ exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput + } executeonly + { +- pdfdict /PDFSTEPcount 1 .forceput ++ //pdfdict /PDFSTEPcount 1 .forceput + } executeonly ifelse % token + } { + pop /PDFSTEP //false def % EOF on stdin +diff -up ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_draw.ps +--- ghostscript-9.07/Resource/Init/pdf_draw.ps.cve-2019-3839-part2 2019-02-28 08:54:17.090674446 +0100 ++++ ghostscript-9.07/Resource/Init/pdf_draw.ps 2019-02-28 09:06:50.804906849 +0100 +@@ -18,8 +18,7 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse +-GS_PDF_ProcSet begin ++/GS_PDF_ProcSet load begin + pdfdict begin + + % For simplicity, we use a single interpretation dictionary for all +@@ -141,7 +140,7 @@ pdfdict begin + + /resolvefunction { % resolvefunction + .resolvefn +- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if ++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if + } bdef + + /resolvefnproc { % resolvefnproc +@@ -907,7 +906,7 @@ currentdict end readonly def + } bdef + + /.pdfpaintproc { % .pdfpaintproc - +- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if ++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if + PDFfile fileposition 3 1 roll + q + 1 index /PaintType oget 1 eq { +@@ -946,7 +945,7 @@ currentdict end readonly def + /pdfemptycount exch def + + Q +- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if ++ PDFDEBUG { 
//pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if + PDFfile exch setfileposition + }bind executeonly odef + +@@ -986,7 +985,7 @@ currentdict end readonly def + ] cvx put + dup /BBox 2 copy knownoget { normrect put } { pop pop } ifelse + dup /.pattern_uses_transparency 1 index patternusestransparency put +- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if ++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if + } bdef + + /ignore_color_op ( **** Warning: Ignoring a color operation in a cached context.\n) readonly def +diff -up ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_font.ps +--- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-3839-part2 2019-02-28 09:55:34.701833501 +0100 ++++ ghostscript-9.07/Resource/Init/pdf_font.ps 2019-02-28 09:56:27.116147620 +0100 +@@ -37,8 +37,7 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse +-GS_PDF_ProcSet begin ++/GS_PDF_ProcSet load begin % from userdict at this point + pdfdict begin + + % We cache the PostScript font in an additional element of the +diff -up ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_main.ps +--- ghostscript-9.07/Resource/Init/pdf_main.ps.cve-2019-3839-part2 2019-02-28 10:02:48.872152118 +0100 ++++ ghostscript-9.07/Resource/Init/pdf_main.ps 2019-02-28 10:12:44.687353440 +0100 +@@ -18,8 +18,9 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse + pdfdict begin ++/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it ++userdict /GS_PDF_ProcSet undef + + % Patch in an obsolete variable used by some third-party 
software. + /#? //false def +@@ -177,8 +178,8 @@ currentdict /runpdfstring .undef + /Page //null def + /DSCPageCount 0 def + /PDFSave //null def +- GS_PDF_ProcSet begin +- pdfdict begin ++ //pdfdict /GS_PDF_ProcSet get begin ++ //pdfdict begin + pdfopen begin + } bind def + +@@ -888,7 +889,7 @@ currentdict /xref-char-dict undef + } bind def + + /pdfopenfile { % pdfopenfile +- pdfdict readonly pop % can't do it any earlier than this ++ //pdfdict readonly pop % can't do it any earlier than this + 32 dict begin + /LocalResources 0 dict def + /DefaultQstate //null def % establish binding +diff -up ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_ops.ps +--- ghostscript-9.07/Resource/Init/pdf_ops.ps.cve-2019-3839-part2 2019-02-28 10:16:15.196597921 +0100 ++++ ghostscript-9.07/Resource/Init/pdf_ops.ps 2019-02-28 10:17:01.082997269 +0100 +@@ -24,6 +24,7 @@ + systemdict /pdfmark known not + { userdict /pdfmark { cleartomark } bind put } if + ++systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse + userdict /GS_PDF_ProcSet 127 dict dup begin + + % ---------------- Abbreviations ---------------- % +diff -up ghostscript-9.07/Resource/Init/pdf_sec.ps.cve-2019-3839-part2 ghostscript-9.07/Resource/Init/pdf_sec.ps +--- ghostscript-9.07/Resource/Init/pdf_sec.ps.cve-2019-3839-part2 2019-02-28 10:21:16.760650506 +0100 ++++ ghostscript-9.07/Resource/Init/pdf_sec.ps 2019-02-28 10:22:46.213473549 +0100 +@@ -39,7 +39,6 @@ + + /.setlanguagelevel where { pop 2 .setlanguagelevel } if + .currentglobal //true .setglobal +-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse + pdfdict begin + + % Older ghostscript versions do not have .pdftoken, so we use 'token' instead. +@@ -719,4 +718,7 @@ currentdict /PDFScanRules_null undef + } bind def + + end % pdfdict ++ ++systemdict /pdfdict .forceundef % hide pdfdict ++ + .setglobal 
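Review bot: In the pdf_ops.ps hunk, `systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse` is not stack-neutral: when `where` finds the key, `{ pop }` discards only the dictionary that `where` returned, and the `systemdict` operand pushed first stays on the operand stack. `where` also searches the whole dictionary stack, so a `pdfdict` found outside systemdict would be accepted here, and the `systemdict /pdfdict .forceundef` added at the end of pdf_sec.ps would presumably not remove that one. Testing systemdict directly avoids both: `systemdict /pdfdict known not { systemdict /pdfdict 100 dict put } if`. Whether the found branch is ever taken during normal initialisation is not visible from this hunk, so this may be latent rather than live.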
diff --git a/SOURCES/ghostscript-cve-2019-6116-downstream.patch b/SOURCES/ghostscript-cve-2019-6116-downstream.patch
new file mode 100644
index 0000000..ac9af97
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2019-6116-downstream.patch
@@ -0,0 +1,45 @@
+diff -up ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2019-6116-downstream ghostscript-9.07/Resource/Init/gs_dps.ps
+--- ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2019-6116-downstream 2019-02-27 16:40:45.235290444 +0100
++++ ghostscript-9.07/Resource/Init/gs_dps.ps 2019-02-27 16:41:27.054739624 +0100
+@@ -118,7 +118,7 @@
+ .dicttomark readonly /localdicts exch put
+ % localdicts is now defined in userdict.
+ % Copy the definitions into systemdict.
+- localdicts { .forcedef } forall
++ localdicts { .forcedef } executeonly forall
+ % Set the user parameters.
+ userparams readonly .setuserparams
+ % Establish the initial gstate(s).
+diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116-downstream ghostscript-9.07/Resource/Init/gs_fonts.ps
+--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116-downstream 2019-02-27 16:43:10.993370606 +0100
++++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2019-02-27 16:44:44.174143288 +0100
+@@ -1110,7 +1110,7 @@ $error /SubstituteFont { } put
+ % Stack: fontdict
+ } executeonly
+ if pop % Stack: origfontname fontdirectory path
+- }
++ } executeonly
+ if pop pop % Stack: origfontname
+
+ % The font definitely did not load correctly.
+diff -up ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-6116-downstream ghostscript-9.07/Resource/Init/pdf_font.ps
+--- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-6116-downstream 2019-02-27 16:45:45.838331086 +0100
++++ ghostscript-9.07/Resource/Init/pdf_font.ps 2019-02-27 16:47:02.411322516 +0100
+@@ -614,7 +614,7 @@ currentdict end readonly def
+ currentglobal 2 index dup gcheck setglobal
+ /FontInfo 5 dict dup 5 1 roll .forceput
+ setglobal
+- } if
++ } executeonly if
+ dup /GlyphNames2Unicode .knownget not {
+ //true % No existing G2U, make one
+ } {
+@@ -628,7 +628,7 @@ currentdict end readonly def
+ currentglobal exch dup gcheck setglobal
+ dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput
+ 3 2 roll setglobal
+- } if % font-res font-dict encoding|null font-info g2u
++ } executeonly if % font-res font-dict encoding|null font-info g2u
+ exch pop exch % font-res font-dict g2u encoding|null
+ userdict /.lastToUnicode get % font-res font-dict g2u Encoding|null CMap
+ .convert_ToUnicode-into-g2u % font-res font-dict
diff --git a/SOURCES/ghostscript-cve-2019-6116.patch b/SOURCES/ghostscript-cve-2019-6116.patch
index c026749..b322ad1 100644
--- a/SOURCES/ghostscript-cve-2019-6116.patch
+++ b/SOURCES/ghostscript-cve-2019-6116.patch
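Review bot: ghostscript-cve-2019-6116-downstream.patch starts directly at its first `diff -up` line, with no header explaining why these `executeonly` additions in gs_dps.ps, gs_fonts.ps and pdf_font.ps are carried as a separate downstream patch. The sibling patches in this commit open with From/Date/Subject and the upstream commit URL, so this file is the one a later rebase cannot audit from its own text. A short preamble would fix that, for example `Downstream-only: make transient procedures that call .forcedef/.forceput executeonly (CVE-2019-6116)`, with the exact wording to be confirmed by the packager. The same commit removes the gs_dps.ps hunk carrying the identical `localdicts { .forcedef } executeonly forall` change from ghostscript-cve-2019-6116.patch, so the preamble should state that the change moved here rather than being dropped.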
@@ -1,43 +1,43 @@ -commit 30cd347f37bfb293ffdc407397d1023628400b81 -Author: Ken Sharp -Date: Mon Oct 15 13:35:15 2018 +0100 +From: Ken Sharp +Date: Mon, 15 Oct 2018 12:35:15 +0000 (+0100) +Subject: font parsing - prevent SEGV in .cffparse - font parsing - prevent SEGV in .cffparse - - Bug #699961 "currentcolortransfer procs crash .parsecff" - - zparsecff checked the operand for being an array (and not a packed - array) but the returned procedures from the default currentcolortransfer - are arrays, not packed arrays. This led to the code trying to - dereference a NULL pointer. - - Add a specific check for the 'refs' pointer being NULL before we try - to use it. - - Additionally, make the StartData procedure in the CFF Font Resource - executeonly to prevent pulling the hidden .parsecff operator out and - using it. Finally, extend this to other resource types. +font parsing - prevent SEGV in .cffparse -commit 8e18fcdaa2e2247363c4cc8f851f3096cc5756fa -Author: Chris Liddell -Date: Fri Oct 19 13:14:24 2018 +0100 +Bug #699961 "currentcolortransfer procs crash .parsecff" - "Hide" a final use of a .force* operator - - There was one use of .forceput remaining that was in a regular procedure - rather than being "hidden" behind an operator. - - In this case, it's buried in the resource machinery, and hard to access (I - would not be confident in claiming it was impossible). This ensures it's - not accessible. +zparsecff checked the operand for being an array (and not a packed +array) but the returned procedures from the default currentcolortransfer +are arrays, not packed arrays. This led to the code trying to +dereference a NULL pointer. + +Add a specific check for the 'refs' pointer being NULL before we try +to use it. + +Additionally, make the StartData procedure in the CFF Font Resource +executeonly to prevent pulling the hidden .parsecff operator out and +using it. Finally, extend this to other resource types. 
+ +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=30cd347f37bfb293ffdc407397d1023628400b81 -From d3537a54740d78c5895ec83694a07b3e4f616f61 Mon Sep 17 00:00:00 2001 From: Chris Liddell -Date: Wed, 5 Dec 2018 12:22:13 +0000 -Subject: [PATCH] Bug700317: Address .force* operators exposure +Date: Fri, 19 Oct 2018 12:14:24 +0000 (+0100) +Subject: "Hide" a final use of a .force* operator -Fix logic for an older change: unlike almost every other function in gs, dict_find_string() returns 1 on -success 0 or <0 on failure. The logic for this case was wrong. +"Hide" a final use of a .force* operator + +There was one use of .forceput remaining that was in a regular procedure +rather than being "hidden" behind an operator. + +In this case, it's buried in the resource machinery, and hard to access (I +would not be confident in claiming it was impossible). This ensures it's +not accessible. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8e18fcdaa2e2247363c4cc8f851f3096cc5756fa + +From: Chris Liddell +Date: Wed, 5 Dec 2018 12:22:13 +0000 (+0000) +Subject: Sanitize op stack for error conditions Sanitize op stack for error conditions 
@@ -49,20 +49,43 @@ we make these copies, we check for operators that do *not* exist in systemdict, when we find one, we replace the operator with a name object (of the form "/--opname--"). +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=13b0a36f8181db66a91bcc8cea139998b53a8996 + +From: Chris Liddell +Date: Thu, 13 Dec 2018 15:28:34 +0000 (+0000) +Subject: Any transient procedures that call .force* operators + Any transient procedures that call .force* operators (i.e. for conditionals or loops) make them executeonly. +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2db98f9c66135601efb103d8db7d020a672308db + +From: Chris Liddell +Date: Sat, 15 Dec 2018 09:08:32 +0000 (+0000) +Subject: Bug700317: Fix logic for an older change + +Bug700317: Fix logic for an older change + +Unlike almost every other function in gs, dict_find_string() returns 1 on +success 0 or <0 on failure. The logic for this case was wrong. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=99f13091a3f309bdc95d275ea9fec10bb9f42d9a + +From: Chris Liddell +Date: Tue, 18 Dec 2018 10:42:10 +0000 (+0000) +Subject: Harden some uses of .force* operators + Harden some uses of .force* operators by adding a few immediate evalutions -CVE-2019-6116 +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=59d8f4deef90c1598ff50616519d5576756b4495 --- diff -up ghostscript-9.07/psi/interp.c.cve-2019-6116 ghostscript-9.07/psi/interp.c ---- ghostscript-9.07/psi/interp.c.cve-2019-6116 2019-01-24 12:20:06.802913354 +0100 -+++ ghostscript-9.07/psi/interp.c 2019-01-24 12:20:06.843912826 +0100 +--- ghostscript-9.07/psi/interp.c.cve-2019-6116 2019-03-05 11:28:18.238244540 +0100 ++++ ghostscript-9.07/psi/interp.c 2019-03-05 11:28:18.295243766 +0100 @@ -692,7 +692,7 @@ again: * i.e. it's an internal operator we have hidden */ 
@@ -95,8 +118,8 @@ diff -up ghostscript-9.07/psi/interp.c.cve-2019-6116 ghostscript-9.07/psi/interp return code; } diff -up ghostscript-9.07/psi/int.mak.cve-2019-6116 ghostscript-9.07/psi/int.mak ---- ghostscript-9.07/psi/int.mak.cve-2019-6116 2019-01-24 12:20:06.824913071 +0100 -+++ ghostscript-9.07/psi/int.mak 2019-01-24 12:20:06.843912826 +0100 +--- ghostscript-9.07/psi/int.mak.cve-2019-6116 2019-03-05 11:28:18.265244173 +0100 ++++ ghostscript-9.07/psi/int.mak 2019-03-05 11:28:18.296243753 +0100 @@ -199,7 +199,7 @@ $(PSOBJ)iparam.$(OBJ) : $(PSSRC)iparam.c $(PSOBJ)istack.$(OBJ) : $(PSSRC)istack.c $(GH) $(memory__h)\ $(ierrors_h) $(gsstruct_h) $(gsutil_h)\ @@ -108,7 +131,7 @@ diff -up ghostscript-9.07/psi/int.mak.cve-2019-6116 ghostscript-9.07/psi/int.mak $(PSOBJ)iutil.$(OBJ) : $(PSSRC)iutil.c $(GH) $(math__h) $(memory__h) $(string__h)\ diff -up ghostscript-9.07/psi/istack.c.cve-2019-6116 ghostscript-9.07/psi/istack.c --- ghostscript-9.07/psi/istack.c.cve-2019-6116 2013-02-14 08:58:13.000000000 +0100 -+++ ghostscript-9.07/psi/istack.c 2019-01-24 12:20:06.844912813 +0100 ++++ ghostscript-9.07/psi/istack.c 2019-03-05 11:28:18.297243739 +0100 @@ -27,6 +27,10 @@ #include "iutil.h" #include "ivmspace.h" /* for local/global test */ @@ -203,7 +226,7 @@ diff -up ghostscript-9.07/psi/istack.c.cve-2019-6116 ghostscript-9.07/psi/istack * the top, into an array, with or without store/undo checking. age=-1 for diff -up ghostscript-9.07/psi/istack.h.cve-2019-6116 ghostscript-9.07/psi/istack.h --- ghostscript-9.07/psi/istack.h.cve-2019-6116 2013-02-14 08:58:13.000000000 +0100 -+++ ghostscript-9.07/psi/istack.h 2019-01-24 12:20:06.844912813 +0100 ++++ ghostscript-9.07/psi/istack.h 2019-03-05 11:28:18.297243739 +0100 @@ -129,6 +129,9 @@ int ref_stack_store(const ref_stack_t *p uint skip, int age, bool check, gs_dual_memory_t *idmem, client_name_t cname); 
@@ -215,8 +238,8 @@ diff -up ghostscript-9.07/psi/istack.h.cve-2019-6116 ghostscript-9.07/psi/istack * Pop the top N elements off a stack. * The number must not exceed the number of elements in use. diff -up ghostscript-9.07/psi/zfont2.c.cve-2019-6116 ghostscript-9.07/psi/zfont2.c ---- ghostscript-9.07/psi/zfont2.c.cve-2019-6116 2019-01-24 12:20:06.601915943 +0100 -+++ ghostscript-9.07/psi/zfont2.c 2019-01-24 12:20:06.844912813 +0100 +--- ghostscript-9.07/psi/zfont2.c.cve-2019-6116 2019-03-05 11:28:18.063246914 +0100 ++++ ghostscript-9.07/psi/zfont2.c 2019-03-05 11:28:18.297243739 +0100 @@ -2718,9 +2718,13 @@ zparsecff(i_ctx_t *i_ctx_p) ref blk_wrap[1]; @@ -233,7 +256,7 @@ diff -up ghostscript-9.07/psi/zfont2.c.cve-2019-6116 ghostscript-9.07/psi/zfont2 blk_sz = r_size(data.blk_ref); diff -up ghostscript-9.07/Resource/Init/gs_cff.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_cff.ps --- ghostscript-9.07/Resource/Init/gs_cff.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100 -+++ ghostscript-9.07/Resource/Init/gs_cff.ps 2019-01-24 12:20:06.845912801 +0100 ++++ ghostscript-9.07/Resource/Init/gs_cff.ps 2019-03-05 11:28:18.299243712 +0100 @@ -719,7 +719,7 @@ dup % Format 2 % ordinary CFF font. /StartData { % StartData - @@ -254,7 +277,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_cff.ps.cve-2019-6116 ghostscript-9.07 diff -up ghostscript-9.07/Resource/Init/gs_cidcm.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_cidcm.ps --- ghostscript-9.07/Resource/Init/gs_cidcm.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100 -+++ ghostscript-9.07/Resource/Init/gs_cidcm.ps 2019-01-24 12:20:06.845912801 +0100 ++++ ghostscript-9.07/Resource/Init/gs_cidcm.ps 2019-03-05 11:28:18.299243712 +0100 @@ -327,7 +327,7 @@ currentdict end def //FindResource exec } ifelse 
@@ -284,7 +307,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_cidcm.ps.cve-2019-6116 ghostscript-9. end diff -up ghostscript-9.07/Resource/Init/gs_ciddc.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_ciddc.ps --- ghostscript-9.07/Resource/Init/gs_ciddc.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100 -+++ ghostscript-9.07/Resource/Init/gs_ciddc.ps 2019-01-24 12:20:06.845912801 +0100 ++++ ghostscript-9.07/Resource/Init/gs_ciddc.ps 2019-03-05 11:28:18.299243712 +0100 @@ -202,7 +202,7 @@ begin exch pop begin % .GetCIDDecoding @@ -305,7 +328,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_ciddc.ps.cve-2019-6116 ghostscript-9. /CIDDecoding exch /Category defineresource pop diff -up ghostscript-9.07/Resource/Init/gs_cmap.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_cmap.ps --- ghostscript-9.07/Resource/Init/gs_cmap.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100 -+++ ghostscript-9.07/Resource/Init/gs_cmap.ps 2019-01-24 12:20:06.845912801 +0100 ++++ ghostscript-9.07/Resource/Init/gs_cmap.ps 2019-03-05 11:28:18.299243712 +0100 @@ -535,7 +535,7 @@ dup /DefineResource { } if dup /CodeMap .knownget { //null eq { .buildcmap } if } if @@ -316,8 +339,8 @@ diff -up ghostscript-9.07/Resource/Init/gs_cmap.ps.cve-2019-6116 ghostscript-9.0 % We might have loaded CID font support already. /CIDInit /ProcSet 2 copy { findresource } .internalstopped diff -up ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_diskn.ps ---- ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2019-6116 2019-01-24 12:20:06.813913213 +0100 -+++ ghostscript-9.07/Resource/Init/gs_diskn.ps 2019-01-24 12:20:06.845912801 +0100 +--- ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2019-6116 2019-03-05 11:28:18.255244309 +0100 ++++ ghostscript-9.07/Resource/Init/gs_diskn.ps 2019-03-05 11:28:18.299243712 +0100 @@ -51,7 +51,7 @@ systemdict begin mark 5 1 roll ] mark exch { { } forall } forall ] //systemdict /.searchabledevs 2 index .forceput 
@@ -328,27 +351,27 @@ diff -up ghostscript-9.07/Resource/Init/gs_diskn.ps.cve-2019-6116 ghostscript-9. } .bind executeonly odef % must be bound and hidden for .forceput diff -up ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_dps1.ps ---- ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-6116 2019-01-24 12:20:06.798913406 +0100 -+++ ghostscript-9.07/Resource/Init/gs_dps1.ps 2019-01-24 12:20:06.846912788 +0100 +--- ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-6116 2019-03-05 11:28:18.288243861 +0100 ++++ ghostscript-9.07/Resource/Init/gs_dps1.ps 2019-03-05 11:28:18.299243712 +0100 @@ -75,18 +75,18 @@ level2dict begin } odef % undefinefont has to take local/global VM into account. /undefinefont % undefinefont - - { .FontDirectory 1 .argindex .forceundef % FontDirectory is readonly -+ { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly ++ { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly .currentglobal { % Current mode is global; delete from local directory too. //systemdict /LocalFontDirectory .knownget - { 1 index .forceundef } % LocalFontDirectory is readonly -+ { 1 index .forceundef } executeonly % LocalFontDirectory is readonly ++ { 1 index .forceundef } executeonly % LocalFontDirectory is readonly if } { % Current mode is local; if there was a shadowed global % definition, copy it into the local directory. //systemdict /SharedFontDirectory .knownget { 1 index .knownget -- { .FontDirectory 2 index 3 -1 roll { put } //superexec } % readonly -+ { //.FontDirectory 2 index 3 -1 roll { put } //superexec } % readonly +- { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly ++ { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly if } if 
@@ -357,25 +380,13 @@ diff -up ghostscript-9.07/Resource/Init/gs_dps1.ps.cve-2019-6116 ghostscript-9.0 ifelse } forall - pop counttomark 2 idiv { .forceundef } repeat pop % readonly -+ pop counttomark 2 idiv { .forceundef } executeonly repeat pop % readonly ++ pop counttomark 2 idiv { .forceundef } executeonly repeat pop % readonly } if //SharedFontDirectory exch .forcecopynew pop -diff -up ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_dps.ps ---- ghostscript-9.07/Resource/Init/gs_dps.ps.cve-2019-6116 2019-01-24 12:20:06.813913213 +0100 -+++ ghostscript-9.07/Resource/Init/gs_dps.ps 2019-01-24 12:20:06.846912788 +0100 -@@ -118,7 +118,7 @@ - .dicttomark readonly /localdicts exch put - % localdicts is now defined in userdict. - % Copy the definitions into systemdict. -- localdicts { .forcedef } forall -+ localdicts { .forcedef } executeonly forall - % Set the user parameters. - userparams readonly .setuserparams - % Establish the initial gstate(s). diff -up ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_fntem.ps ---- ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2019-6116 2019-01-24 12:20:06.807913290 +0100 -+++ ghostscript-9.07/Resource/Init/gs_fntem.ps 2019-01-24 12:20:06.846912788 +0100 +--- ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2019-6116 2019-03-05 11:28:18.246244431 +0100 ++++ ghostscript-9.07/Resource/Init/gs_fntem.ps 2019-03-05 11:28:18.299243712 +0100 @@ -425,12 +425,12 @@ currentdict end def .forceput % FontInfo can be read-only. pop % bool 
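Review bot: This hunk drops the whole gs_dps.ps section from ghostscript-cve-2019-6116.patch, so this patch no longer applies `localdicts { .forcedef } executeonly forall`. The same loss affects one `} executeonly` in the gs_fonts.ps hunk re-headed `@@ -1108,7 +1108,7 @@` and both `} executeonly if` hunks for pdf_font.ps further down. The patch's own comments describe `executeonly` as what prevents access to `.forcedef`/`.forceput`, so each of these four sites should still be covered by one of the patches the spec now adds (`ghostscript-cve-2019-3839-part1.patch`, `ghostscript-cve-2019-6116-downstream.patch`, `ghostscript-cve-2019-3839-part2.patch`), none of which is visible in this part of the page. I would confirm that by grepping the tree after `%prep` for the four procedures, and name in the commit description which patch each marker moved to.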
@@ -392,14 +403,14 @@ diff -up ghostscript-9.07/Resource/Init/gs_fntem.ps.cve-2019-6116 ghostscript-9. } .bind executeonly odef % must be bound and hidden for .forceput diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_fonts.ps ---- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116 2019-01-24 12:20:06.814913200 +0100 -+++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2019-01-24 12:20:06.846912788 +0100 +--- ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116 2019-03-05 11:28:18.288243861 +0100 ++++ ghostscript-9.07/Resource/Init/gs_fonts.ps 2019-03-05 11:28:18.299243712 +0100 @@ -505,7 +505,7 @@ buildfontdict 3 /.buildfont3 cvx put if } if -- dup .FontDirectory 4 -2 roll { .growput } //superexec % readonly -+ dup //.FontDirectory 4 -2 roll { .growput } //superexec % readonly +- dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly ++ dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly % If the font originated as a resource, register it. currentfile .currentresourcefile eq { dup .registerfont } if readonly @@ -441,7 +452,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116 ghostscript-9. % Remove the fake definition, if any. - .FontDirectory 3 index .forceundef % readonly - 1 index (r) file .loadfont .FontDirectory exch -+ //.FontDirectory 3 index .forceundef % readonly ++ //.FontDirectory 3 index .forceundef % readonly + 1 index (r) file .loadfont //.FontDirectory exch /.setglobal .systemvar exec - } 
@@ -460,18 +471,15 @@ diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116 ghostscript-9. % Maybe the file had a different FontName. % See if we can get a FontName from the file, and if so, -@@ -1108,9 +1108,9 @@ $error /SubstituteFont { } put +@@ -1108,7 +1108,7 @@ $error /SubstituteFont { } put ifelse % Stack: origfontname fontdict exch pop //true exit % Stack: fontdict - } + } executeonly if pop % Stack: origfontname fontdirectory path -- } -+ } executeonly + } if pop pop % Stack: origfontname - - % The font definitely did not load correctly. @@ -1146,10 +1146,10 @@ currentdict /.putgstringcopy .forceundef (gs_fonts FAKEFONTS) VMDEBUG Fontmap { @@ -480,14 +488,14 @@ diff -up ghostscript-9.07/Resource/Init/gs_fonts.ps.cve-2019-6116 ghostscript-9. + //.FontDirectory 1 index known not { 2 dict dup /FontName 3 index put dup /FontType 1 put -- .FontDirectory 3 1 roll { put } //superexec % readonly -+ //.FontDirectory 3 1 roll { put } //superexec % readonly +- .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly ++ //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly } { pop } ifelse diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_init.ps ---- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-6116 2019-01-24 12:20:06.826913045 +0100 -+++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-01-24 12:20:06.846912788 +0100 +--- ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-6116 2019-03-05 11:28:18.289243848 +0100 ++++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-03-05 11:28:18.300243698 +0100 @@ -1157,8 +1157,8 @@ errordict /unknownerror .undef //.SAFERERRORLIST {dup errordict exch get 2 index 3 1 roll put} forall 
@@ -508,7 +516,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-6116 ghostscript-9.0 if % setpagedevice has the side effect of clearing the page, but % we will just document that. Using setpagedevice keeps the device -@@ -2287,7 +2287,7 @@ SAFER { .setsafe } if +@@ -2305,7 +2305,7 @@ SAFER { .setsafe } if % Update the copy of the user parameters. mark .currentuserparams counttomark 2 idiv { userparams 3 1 roll .forceput % userparams is read-only @@ -517,7 +525,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-6116 ghostscript-9.0 % Turn on idiom recognition, if available. currentuserparams /IdiomRecognition known { /IdiomRecognition //true .definepsuserparam -@@ -2306,7 +2306,7 @@ SAFER { .setsafe } if +@@ -2324,7 +2324,7 @@ SAFER { .setsafe } if % Remove real system params from pssystemparams. mark .currentsystemparams counttomark 2 idiv { pop pssystemparams exch .forceundef @@ -527,8 +535,8 @@ diff -up ghostscript-9.07/Resource/Init/gs_init.ps.cve-2019-6116 ghostscript-9.0 % Set up AlignToPixels : diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_lev2.ps ---- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-6116 2019-01-24 12:20:06.808913277 +0100 -+++ ghostscript-9.07/Resource/Init/gs_lev2.ps 2019-01-24 12:20:06.854912684 +0100 +--- ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-6116 2019-03-05 11:28:18.291243820 +0100 ++++ ghostscript-9.07/Resource/Init/gs_lev2.ps 2019-03-05 11:28:18.300243698 +0100 @@ -154,7 +154,8 @@ end % protect top level of parameters that we copied dup type dup /arraytype eq exch /stringtype eq or { readonly } if @@ -548,7 +556,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-6116 ghostscript-9.0 { pop pop } ifelse -@@ -911,7 +912,7 @@ mark +@@ -912,7 +913,7 @@ mark dup /PaintProc get 1 index /Implementation known not { 1 index dup /Implementation //null .forceput readonly pop 
@@ -558,8 +566,8 @@ diff -up ghostscript-9.07/Resource/Init/gs_lev2.ps.cve-2019-6116 ghostscript-9.0 } .bind odef % must bind .forceput diff -up ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_pdfwr.ps ---- ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2019-6116 2019-01-24 12:20:06.808913277 +0100 -+++ ghostscript-9.07/Resource/Init/gs_pdfwr.ps 2019-01-24 12:20:06.855912672 +0100 +--- ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2019-6116 2019-03-05 11:28:18.248244404 +0100 ++++ ghostscript-9.07/Resource/Init/gs_pdfwr.ps 2019-03-05 11:28:18.300243698 +0100 @@ -541,7 +541,7 @@ currentdict /.pdfmarkparams .undef resourcestatus } ifelse @@ -571,7 +579,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_pdfwr.ps.cve-2019-6116 ghostscript-9. } { diff -up ghostscript-9.07/Resource/Init/gs_res.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_res.ps --- ghostscript-9.07/Resource/Init/gs_res.ps.cve-2019-6116 2013-02-14 08:58:16.000000000 +0100 -+++ ghostscript-9.07/Resource/Init/gs_res.ps 2019-01-24 12:20:06.857912646 +0100 ++++ ghostscript-9.07/Resource/Init/gs_res.ps 2019-03-05 11:29:42.852096773 +0100 @@ -155,10 +155,10 @@ setglobal } { /defineresource cvx /typecheck signaloperror @@ -657,7 +665,7 @@ diff -up ghostscript-9.07/Resource/Init/gs_res.ps.cve-2019-6116 ghostscript-9.07 } ifelse -} .bind executeonly % executeonly to prevent access to .forcedef -+} .bind executeonly .makeoperator % executeonly to prevent access to .forcedef ++} .bind executeonly .makeoperator % executeonly to prevent access to .forcedef /UndefineResource { { dup 2 index .knownget { dup 1 get 1 ge 
@@ -812,13 +820,13 @@ diff -up ghostscript-9.07/Resource/Init/gs_res.ps.cve-2019-6116 ghostscript-9.07 /findfont { .findfontop -} bind def % Must be a procedure, not an operator -+} bind executeonly def % Must be a procedure, not an operator ++} bind executeonly def % Must be a procedure, not an operator % Remove initialization utilities. currentdict /.definecategory .undef diff -up ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/gs_setpd.ps ---- ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2019-6116 2019-01-24 12:20:06.815913187 +0100 -+++ ghostscript-9.07/Resource/Init/gs_setpd.ps 2019-01-24 12:20:06.856912659 +0100 +--- ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2019-6116 2019-03-05 11:28:18.256244295 +0100 ++++ ghostscript-9.07/Resource/Init/gs_setpd.ps 2019-03-05 11:28:18.301243685 +0100 @@ -570,7 +570,7 @@ NOMEDIAATTRS { SETPDDEBUG { (Rolling back.) = pstack flush } if 3 index 2 index 3 -1 roll .forceput @@ -829,9 +837,9 @@ diff -up ghostscript-9.07/Resource/Init/gs_setpd.ps.cve-2019-6116 ghostscript-9. ifelse } bind executeonly odef diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/pdf_base.ps ---- ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-6116 2019-01-24 12:20:06.809913264 +0100 -+++ ghostscript-9.07/Resource/Init/pdf_base.ps 2019-01-24 12:20:06.856912659 +0100 -@@ -125,26 +125,26 @@ currentdict /num-chars-dict .undef +--- ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-6116 2019-03-05 11:28:18.251244363 +0100 ++++ ghostscript-9.07/Resource/Init/pdf_base.ps 2019-03-05 11:28:18.301243685 +0100 +@@ -125,26 +125,29 @@ currentdict /num-chars-dict .undef /.pdfexectoken { % .pdfexectoken ? PDFDEBUG { 
@@ -842,7 +850,8 @@ diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-6116 ghostscript-9. PDFSTEPcount 1 gt { pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput - } { -+ } executeonly { ++ } executeonly ++ { dup ==only ( step # ) print PDFtokencount =only ( ? ) print flush 1 //false .outputpage @@ -850,7 +859,8 @@ diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-6116 ghostscript-9. token { exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput - } { -+ } executeonly { ++ } executeonly ++ { pdfdict /PDFSTEPcount 1 .forceput - } ifelse % token + } executeonly ifelse % token 
@@ -859,31 +869,14 @@ diff -up ghostscript-9.07/Resource/Init/pdf_base.ps.cve-2019-6116 ghostscript-9. } ifelse % readline } ifelse % PDFSTEPcount > 1 - } { -+ } executeonly { ++ } executeonly ++ { dup ==only () = flush } ifelse % PDFSTEP } if % PDFDEBUG diff -up ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-6116 ghostscript-9.07/Resource/Init/pdf_font.ps ---- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-6116 2019-01-24 12:20:06.810913251 +0100 -+++ ghostscript-9.07/Resource/Init/pdf_font.ps 2019-01-24 12:20:06.857912646 +0100 -@@ -614,7 +614,7 @@ currentdict end readonly def - currentglobal 2 index dup gcheck setglobal - /FontInfo 5 dict dup 5 1 roll .forceput - setglobal -- } if -+ } executeonly if - dup /GlyphNames2Unicode .knownget not { - //true % No existing G2U, make one - } { -@@ -628,7 +628,7 @@ currentdict end readonly def - currentglobal exch dup gcheck setglobal - dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput - 3 2 roll setglobal -- } if % font-res font-dict encoding|null font-info g2u -+ } executeonly if % font-res font-dict encoding|null font-info g2u - exch pop exch % font-res font-dict g2u encoding|null - userdict /.lastToUnicode get % font-res font-dict g2u Encoding|null CMap - .convert_ToUnicode-into-g2u % font-res font-dict +--- ghostscript-9.07/Resource/Init/pdf_font.ps.cve-2019-6116 2019-03-05 11:28:18.252244350 +0100 ++++ ghostscript-9.07/Resource/Init/pdf_font.ps 2019-03-05 11:28:18.302243671 +0100 @@ -1757,7 +1757,7 @@ currentdict /CMap_read_dict undef /CIDFallBack /CIDFont findresource } if diff --git a/SOURCES/ghostscript-fix-DSC-comment-parsing.patch b/SOURCES/ghostscript-fix-DSC-comment-parsing.patch index e090658..6a65969 100644 --- a/SOURCES/ghostscript-fix-DSC-comment-parsing.patch +++ b/SOURCES/ghostscript-fix-DSC-comment-parsing.patch 
@@ -20,8 +20,8 @@ https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f31702b38fba21153e26c3417 --- diff -up ghostscript-9.07/Resource/Init/gs_init.ps.comment_fix ghostscript-9.07/Resource/Init/gs_init.ps ---- ghostscript-9.07/Resource/Init/gs_init.ps.comment_fix 2019-01-29 16:14:32.480751012 +0100 -+++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-01-29 16:18:17.998840535 +0100 +--- ghostscript-9.07/Resource/Init/gs_init.ps.comment_fix 2019-02-28 11:02:59.540694185 +0100 ++++ ghostscript-9.07/Resource/Init/gs_init.ps 2019-02-28 11:05:31.182710227 +0100 @@ -20,6 +20,11 @@ % %% Replace % indicate places where the next lines should be replaced by 
@@ -38,71 +38,71 @@ diff -up ghostscript-9.07/Resource/Init/gs_init.ps.comment_fix ghostscript-9.07/ /UndefinePostScriptOperators { --%% This list is of Display PostScript operators. We believe that Display PostScript --%% was never fully implemented and the only known user, GNUStep, is no longer --%% using it. So lets remove it. -+% This list is of Display PostScript operators. We believe that Display PostScript -+% was never fully implemented and the only known user, GNUStep, is no longer -+% using it. So lets remove it. - [ - /condition /currentcontext /detach /.fork /join /.localfork /lock /monitor /notify - /wait /yield /.currentscreenphase /.setscreenphase /.image2 /eoviewclip /initviewclip - /viewclip /viewclippath /defineusername --%% NeXT DPS extensions -+% NeXT DPS extensions - /currentalpha /setalpha /.alphaimage /composite /compositerect /dissolve /sizeimagebox /.sizeimageparams - ] - {systemdict exch .forceundef} forall +- %% This list is of Display PostScript operators. We believe that Display PostScript +- %% was never fully implemented and the only known user, GNUStep, is no longer +- %% using it. So lets remove it. ++ % This list is of Display PostScript operators. We believe that Display PostScript ++ % was never fully implemented and the only known user, GNUStep, is no longer ++ % using it. So lets remove it. + [ + /condition /currentcontext /detach /.fork /join /.localfork /lock /monitor /notify + /wait /yield /.currentscreenphase /.setscreenphase /.image2 /eoviewclip /initviewclip + /viewclip /viewclippath /defineusername +- %% NeXT DPS extensions ++ % NeXT DPS extensions + /currentalpha /setalpha /.alphaimage /composite /compositerect /dissolve /sizeimagebox /.sizeimageparams + ] + {systemdict exch .forceundef} forall --%% This list is of operators which no longer appear to be used, and which we do not believe --%% to have any real use. 
For now we will undefine the operstors so they cannot easily be used --%% but can be easily restored (just delete the name from the list in the array). In future --%% we may remove the operator and the code implementation entirely. -+% This list is of operators which no longer appear to be used, and which we do not believe -+% to have any real use. For now we will undefine the operstors so they cannot easily be used -+% but can be easily restored (just delete the name from the list in the array). In future -+% we may remove the operator and the code implementation entirely. - [ - /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter - /.execfile /.filenamesplit /.file_name_parent +- %% This list is of operators which no longer appear to be used, and which we do not believe +- %% to have any real use. For now we will undefine the operstors so they cannot easily be used +- %% but can be easily restored (just delete the name from the list in the array). In future +- %% we may remove the operator and the code implementation entirely. ++ % This list is of operators which no longer appear to be used, and which we do not believe ++ % to have any real use. For now we will undefine the operstors so they cannot easily be used ++ % but can be easily restored (just delete the name from the list in the array). In future ++ % we may remove the operator and the code implementation entirely. + [ + /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter + /.execfile /.filenamesplit /.file_name_parent 
@@ -2156,15 +2161,15 @@ SAFER { .setsafe } if - /.currentlimitclamp /.dotorientation /.setaccuratecurves /.setcurvejoin /.setdashadapt /.setdotorientation - /.setlimitclamp /.currentscreenlevels /.dashpath /.pathbbox /.identeq /.identne /.tokenexec /.forgetsave /.pantonecallback + /.currentlimitclamp /.dotorientation /.setaccuratecurves /.setcurvejoin /.setdashadapt /.setdotorientation + /.setlimitclamp /.currentscreenlevels /.dashpath /.pathbbox /.identeq /.identne /.tokenexec /.forgetsave /.pantonecallback --%% Used by our own test suite files --%%/.setdotlength % Bug687720.ps -+% Used by our own test suite files -+%/.setdotlength % Bug687720.ps - ] - {systemdict exch .forceundef} forall +- %% Used by our own test suite files +- %%/.setdotlength % Bug687720.ps ++ % Used by our own test suite files ++ %/.setdotlength % Bug687720.ps + ] + {systemdict exch .forceundef} forall --%% This list of operators are used internally by various parts of the Ghostscript startup code. --%% Since each operator is a potential security vulnerability, and any operator listed here --%% is not required once the initislisation is complete and functions are bound, we undefine --%% the ones that aren't needed at runtime. -+% This list of operators are used internally by various parts of the Ghostscript startup code. -+% Since each operator is a potential security vulnerability, and any operator listed here -+% is not required once the initislisation is complete and functions are bound, we undefine -+% the ones that aren't needed at runtime. - [ - /.callinstall /.callbeginpage /.callendpage - /.currentstackprotect /.setstackprotect /.errorexec /.finderrorobject /.installsystemnames /.bosobject /.fontbbox -@@ -2219,10 +2224,10 @@ SAFER { .setsafe } if - } bind def +- %% This list of operators are used internally by various parts of the Ghostscript startup code. 
+- %% Since each operator is a potential security vulnerability, and any operator listed here +- %% is not required once the initislisation is complete and functions are bound, we undefine +- %% the ones that aren't needed at runtime. ++ % This list of operators are used internally by various parts of the Ghostscript startup code. ++ % Since each operator is a potential security vulnerability, and any operator listed here ++ % is not required once the initislisation is complete and functions are bound, we undefine ++ % the ones that aren't needed at runtime. + [ + /.callinstall /.callbeginpage /.callendpage + /.currentstackprotect /.setstackprotect /.errorexec /.finderrorobject /.installsystemnames /.bosobject /.fontbbox +@@ -2236,10 +2241,10 @@ SAFER { .setsafe } if + } .bind executeonly def % must be bound and hidden for .forceundef /UndefinePDFOperators { --%% This list of operators are used internally by various parts of the Ghostscript PDF interpreter. --%% Since each operator is a potential security vulnerability, and any operator listed here --%% is not required once the initislisation is complete and functions are bound, we undefine --%% the ones that aren't needed at runtime. -+% This list of operators are used internally by various parts of the Ghostscript PDF interpreter. -+% Since each operator is a potential security vulnerability, and any operator listed here -+% is not required once the initislisation is complete and functions are bound, we undefine -+% the ones that aren't needed at runtime. - [ - /.pdfawidthshow /.pdfwidthshow - /.setfillcolor /.setfillcolorspace /.setstrokecolor /.setstrokecolorspace /.currentrenderingintent /.setrenderingintent -@@ -2363,8 +2368,8 @@ currentdict /.shadingtypes .undef +- %% This list of operators are used internally by various parts of the Ghostscript PDF interpreter. 
+- %% Since each operator is a potential security vulnerability, and any operator listed here +- %% is not required once the initislisation is complete and functions are bound, we undefine +- %% the ones that aren't needed at runtime. ++ % This list of operators are used internally by various parts of the Ghostscript PDF interpreter. ++ % Since each operator is a potential security vulnerability, and any operator listed here ++ % is not required once the initislisation is complete and functions are bound, we undefine ++ % the ones that aren't needed at runtime. + [ + /.pdfawidthshow /.pdfwidthshow + /.setfillcolor /.setfillcolorspace /.setstrokecolor /.setstrokecolorspace /.currentrenderingintent /.setrenderingintent +@@ -2380,8 +2385,8 @@ currentdict /.shadingtypes .undef currentdict /.wheredict .undef currentdict /.renderingintentdict .undef @@ -113,8 +113,8 @@ diff -up ghostscript-9.07/Resource/Init/gs_init.ps.comment_fix ghostscript-9.07/ DELAYBIND not { SAFER { //systemdict /SAFERUndefinePostScriptOperators get exec -@@ -2391,7 +2396,7 @@ currentdict /superexec .knownget { - currentdict /superexec .undef +@@ -2408,7 +2413,7 @@ systemdict /superexec .knownget { + systemdict /superexec .undef } if -%% Can't remove this one until the last minute :-) diff --git a/SOURCES/ghostscript-pdf2dsc-regression.patch b/SOURCES/ghostscript-pdf2dsc-regression.patch new file mode 100644 index 0000000..907f3e4 --- /dev/null +++ b/SOURCES/ghostscript-pdf2dsc-regression.patch 
@@ -0,0 +1,59 @@ +From: Ray Johnston +Date: Tue, 19 Mar 2019 16:25:48 +0000 (-0700) +Subject: Fix lib/pdf2dsc.ps to use documented Ghostscript pdf procedures. + +Fix lib/pdf2dsc.ps to use documented Ghostscript pdf procedures. + +We eliminated GS_PDF_ProcSet and pdfdict, but runpdfbegin, dopdfpages, +and runpdfend are still available. + +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=db24f253409d5d085c2760c814c3e1d3fa2dac59 +--- + +diff -up ghostscript-9.07/lib/pdf2dsc.ps.pdf2dsc-fix ghostscript-9.07/lib/pdf2dsc.ps +--- ghostscript-9.07/lib/pdf2dsc.ps.pdf2dsc-fix 2013-02-14 08:58:16.000000000 +0100 ++++ ghostscript-9.07/lib/pdf2dsc.ps 2019-03-21 15:57:27.006345954 +0100 +@@ -52,10 +52,7 @@ systemdict /.setsafe known { .setsafe } + /DSCstring 255 string def + /MediaTypes 10 dict def + +- GS_PDF_ProcSet begin +- pdfdict begin +- PDFfile +- pdfopen begin ++ PDFfile runpdfbegin + /FirstPage where { pop } { /FirstPage 1 def } ifelse + /LastPage where { pop } { /LastPage pdfpagecount def } ifelse + +@@ -108,13 +105,12 @@ systemdict /.setsafe known { .setsafe } + (%%BeginProlog\n) puts + (/Page null def\n/Page# 0 def\n/PDFSave null def\n) puts + (/DSCPageCount 0 def\n) puts +- (/DoPDFPage {dup /Page# exch store pdfgetpage pdfshowpage } def\n) puts +- (GS_PDF_ProcSet begin\npdfdict begin\n) puts ++ (/DoPDFPage {dup /Page# exch store dup dopdfpages } def\n) puts + (%%EndProlog\n) puts + (%%BeginSetup\n) puts + DSCfile PDFname write==only + ( \(r\) file { DELAYSAFER { .setsafe } if } stopped pop\n) puts +- ( pdfopen begin\n) puts ++ ( runpdfbegin\n) puts + ( process_trailer_attrs\n) puts + (%%EndSetup\n) puts + +@@ -239,13 +235,10 @@ systemdict /.setsafe known { .setsafe } + DSCfile exch DSCstring cvs writestring + ( DoPDFPage\n) puts + } for +- currentdict pdfclose +- end +- end +- end ++ runpdfend + % write trailer + (%%Trailer\n) puts +-(currentdict pdfclose\nend\nend\nend\n) puts ++(runpdfend\n) puts + (%%EOF\n) puts + % close output file and exit + DSCfile 
closefile diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec index 3db2a9c..2d282ec 100644 --- a/SPECS/ghostscript.spec +++ b/SPECS/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 31%{?dist}.10 +Release: 31%{?dist}.11 # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 @@ -53,7 +53,8 @@ Patch36: ghostscript-more-than-11-elements-in-array.patch Patch41: ghostscript-remove-as-many-non-standard-operators-as-possible.patch Patch47: ghostscript-restore-flushpage.patch Patch57: ghostscript-pdf2ps-reports-error-when-reading-stdin.patch -Patch63: ghostscript-fix-DSC-comment-parsing.patch +Patch66: ghostscript-fix-DSC-comment-parsing.patch +Patch69: ghostscript-pdf2dsc-regression.patch # Security patches: # ----------------- @@ -86,9 +87,12 @@ Patch58: ghostscript-cve-2018-16540.patch Patch59: ghostscript-cve-2018-19475.patch Patch60: ghostscript-cve-2018-19476.patch Patch61: ghostscript-cve-2018-19477.patch -Patch62: ghostscript-cve-2019-6116.patch -Patch64: ghostscript-cve-2019-3835.patch -Patch65: ghostscript-cve-2019-3838.patch +Patch62: ghostscript-cve-2019-3839-part1.patch +Patch63: ghostscript-cve-2019-6116.patch +Patch64: ghostscript-cve-2019-6116-downstream.patch +Patch65: ghostscript-cve-2019-3839-part2.patch +Patch67: ghostscript-cve-2019-3835.patch +Patch68: ghostscript-cve-2019-3838.patch # Upstream is not versioning the SONAME correctly, thus the rpmbuild is unable # to recognize we need a newer version of lcms2. This 'hackish' workaround 
@@ -361,18 +365,31 @@ rm -rf expat freetype icclib jasper jpeg lcms lcms2 libpng openjpeg zlib cups/li # CVE-2018-19477 (bug #1661278): %patch61 -p1 -# CVE-2019-6116 (bug 1667442): +# CVE-2019-3839 part1 (bug #1673398): %patch62 -p1 +# CVE-2019-6116 (bug #1667442): +%patch63 -p1 + +# CVE-2019-6116 downstream changes (bug #1667442): +%patch64 -p1 + +# CVE-2019-3839 part2 (bug #1673398): +%patch65 -p1 + # ghostscript: Regression: double comment chars '%%' in gs_init.ps # leading to missing metadata (bug #1673915): -%patch63 -p1 +%patch66 -p1 # CVE-2019-3835 (bug #1678171): -%patch64 -p1 +%patch67 -p1 # CVE-2019-3838 (bug #1680025): -%patch65 -p1 +%patch68 -p1 + +# fix for pdf2dsc regression to allow fix for CVE-2019-3839 +# https://bugs.ghostscript.com/show_bug.cgi?id=700704 +%patch69 -p1 # Remove pdfopt man pages which were mistakenly left in (bug #963882). rm man/{de/,}pdfopt.1 @@ -573,6 +590,11 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Thu Mar 21 2019 Martin Osvald - 9.07-31.el7_6.11 +- Resolves: #1673398 - CVE-2019-3839 ghostscript: missing attack vector + protections for CVE-2019-6116 +- fix for pdf2dsc regression added + * Tue Jan 29 2019 Martin Osvald - 9.07-31.el7_6.10 - Resolves: #1673915 - ghostscript: Regression: double comment chars '%%' in gs_init.ps leading to missing metadata
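Review bot: The comment above `%patch69 -p1` in the `%prep` hunk says the pdf2dsc fix is there "to allow fix for CVE-2019-3839" but does not say what the dependency is. Going by the patch's own message ("We eliminated GS_PDF_ProcSet and pdfdict"), a more useful comment would be something like `# lib/pdf2dsc.ps relied on GS_PDF_ProcSet/pdfdict, which the CVE-2019-3839 hardening no longer exposes; use runpdfbegin/dopdfpages/runpdfend instead`, assuming that is indeed the reason. The matching changelog line "fix for pdf2dsc regression added" could carry the upstream bug reference the `%prep` comment already has, so the regression can be traced from the package changelog alone.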