diff --git a/SOURCES/ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch b/SOURCES/ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch new file mode 100644 index 0000000..90b9859 --- /dev/null +++ b/SOURCES/ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch @@ -0,0 +1,46 @@ +diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c +index c6b95ed5b..f103d598b 100644 +--- a/devices/vector/gdevtxtw.c ++++ b/devices/vector/gdevtxtw.c +@@ -1982,16 +1982,26 @@ textw_text_release(gs_text_enum_t *pte, client_name_t cname) + gx_device_txtwrite_t *const tdev = (gx_device_txtwrite_t *) pte->dev; + + /* Free the working buffer where the Unicode was assembled from the enumerated text */ +- if (penum->TextBuffer) ++ if (penum->TextBuffer) { + gs_free(tdev->memory, penum->TextBuffer, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer"); +- if (penum->Widths) ++ penum->TextBuffer = NULL; ++ } ++ if (penum->Widths) { + gs_free(tdev->memory, penum->Widths, sizeof(float), pte->text.size, "txtwrite free temporary widths array"); +- if (penum->Advs) ++ penum->Widths = NULL; ++ } ++ if (penum->Advs) { + gs_free(tdev->memory, penum->Advs, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer"); +- if (penum->GlyphWidths) ++ penum->Advs = NULL; ++ } ++ if (penum->GlyphWidths) { + gs_free(tdev->memory, penum->GlyphWidths, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer"); +- if (penum->SpanDeltaX) ++ penum->GlyphWidths = NULL; ++ } ++ if (penum->SpanDeltaX) { + gs_free(tdev->memory, penum->SpanDeltaX, 1, penum->TextBufferIndex, "txtwrite free temporary text buffer"); ++ penum->SpanDeltaX = NULL; ++ } + /* If this is copied away when we complete the text enumeration succesfully, then + * we set the pointer to NULL, if we get here with it non-NULL , then there was + * an error. +@@ -2008,6 +2018,7 @@ textw_text_release(gs_text_enum_t *pte, client_name_t cname) + if (penum->text_state->FontName) + gs_free(tdev->memory, penum->text_state->FontName, 1, penum->TextBufferIndex, "txtwrite free temporary font name copy"); + gs_free(tdev->memory, penum->text_state, 1, sizeof(penum->text_state), "txtwrite free text state"); ++ penum->text_state = NULL; + } + } + +-- +2.17.1 diff --git a/SOURCES/ghostscript-9.54.0-include-pipe-handle-in-validation.patch b/SOURCES/ghostscript-9.54.0-include-pipe-handle-in-validation.patch new file mode 100644 index 0000000..39a8bb7 --- /dev/null +++ b/SOURCES/ghostscript-9.54.0-include-pipe-handle-in-validation.patch @@ -0,0 +1,208 @@ +diff --git a/base/gdevpipe.c b/base/gdevpipe.c +index 96d71f5d81..752a2f1d94 100644 +--- a/base/gdevpipe.c ++++ b/base/gdevpipe.c +@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, + #else + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ /* The pipe device can be reached in two ways, explicltly with %pipe% ++ or implicitly with "|", so we have to check for both ++ */ ++ char f[gp_file_name_sizeof]; ++ const char *pipestr = "|"; ++ const size_t pipestrlen = strlen(pipestr); ++ int code1; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ code1 = gp_validate_path(mem, f, access); ++ ++ memcpy(f, pipestr, pipestrlen); ++ memcpy(f + pipestrlen, fname, nlen + 1); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) + return gs_error_invalidfileaccess; + + /* +diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c +index 2b964ed749..8d87ceadc0 100644 +--- a/base/gp_mshdl.c ++++ b/base/gp_mshdl.c +@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, + long hfile; /* Correct for Win32, may be wrong for Win64 */ + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ char f[gp_file_name_sizeof]; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, f, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_handle method. */ +diff --git a/base/gp_msprn.c b/base/gp_msprn.c +index ed48279685..746a974f78 100644 +--- a/base/gp_msprn.c ++++ b/base/gp_msprn.c +@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(pname, iodev->dname, preflen); ++ memcpy(pname + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, pname, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ +diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c +index f852c71fc8..ba54cde66f 100644 +--- a/base/gp_os2pr.c ++++ b/base/gp_os2pr.c +@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + FILE ** pfile, char *rfname, uint rnamelen) + { + os2_printer_t *pr = (os2_printer_t *)iodev->state; +- char driver_name[256]; ++ char driver_name[gp_file_name_sizeof]; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const int size_t = strlen(fname); ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(driver_name, iodev->dname, preflen); ++ memcpy(driver_name + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, driver_name, access) != 0) ++ return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ + /* Note that the loop condition here ensures we don't +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 6dfed6cd5a..318039fad0 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) + int + gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ + rewrite_percent_specifiers(f); +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_add_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_add_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_add_control_path(mem, gs_permit_file_control, fp); ++ ++ code = gs_add_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_add_control_path(mem, gs_permit_file_writing, fp); ++ return gs_add_control_path(mem, gs_permit_file_writing, f); + } + + int + gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_remove_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_remove_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_remove_control_path(mem, gs_permit_file_control, fp); ++ rewrite_percent_specifiers(f); ++ ++ code = gs_remove_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_remove_control_path(mem, gs_permit_file_writing, fp); ++ return gs_remove_control_path(mem, gs_permit_file_writing, f); + } + + int +-- +2.17.1 + diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec index acd5fb5..bc639a1 100644 --- a/SPECS/ghostscript.spec +++ b/SPECS/ghostscript.spec @@ -42,7 +42,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.54.0 -Release: 2%{?dist} +Release: 4%{?dist} License: AGPLv3+ @@ -100,10 +100,11 @@ BuildRequires: make # Upstream patches -- official upstream patches released by upstream since the # ---------------- last rebase that are necessary for any reason: #Patch000: example000.patch +Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch +Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ - # Downstream patches for RHEL -- patches that we keep only in RHEL for various # --------------------------- reasons, but are not enabled in Fedora: %if %{defined rhel} || %{defined centos} @@ -434,6 +435,12 @@ done # ============================================================================= %changelog +* Thu Sep 16 2021 Richard Lescak - 9.54.0-4 +- Added fix for CVE-2021-3781 (#2002625) + +* Thu Sep 16 2021 Richard Lescak - 9.54.0-3 +- Added fix for segfault bug (#1989084) + * Mon Aug 09 2021 Mohan Boddu - 9.54.0-2 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688