diff --git a/SOURCES/ghostscript-cve-2019-10216.patch b/SOURCES/ghostscript-cve-2019-10216.patch new file mode 100644 index 0000000..83fc1f9 --- /dev/null +++ b/SOURCES/ghostscript-cve-2019-10216.patch @@ -0,0 +1,43 @@ +From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Fri, 2 Aug 2019 15:18:26 +0100 +Subject: Bug 701394: protect use of .forceput with executeonly + + +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index 6c7735bc0c..a039ccee35 100644 +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -118,25 +118,25 @@ + ( to be the same as glyph: ) print 1 index //== exec } if + 3 index exch 3 index .forceput + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname +- } ++ }executeonly + {pop} ifelse +- } forall ++ } executeonly forall + pop pop +- } ++ } executeonly + { + pop pop pop + } ifelse +- } ++ } executeonly + { + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname + pop pop + } ifelse +- } forall ++ } executeonly forall + 3 1 roll pop pop +- } if ++ } executeonly if + pop + dup /.AGLprocessed~GS //true .forceput +- } if ++ } executeonly if + + %% We need to excute the C .buildfont1 in a stopped context so that, if there + %% are errors we can put the stack back sanely and exit. Otherwise callers won't diff --git a/SOURCES/ghostscript-cve-2019-14811-14812-14813.patch b/SOURCES/ghostscript-cve-2019-14811-14812-14813.patch new file mode 100644 index 0000000..ec4164b --- /dev/null +++ b/SOURCES/ghostscript-cve-2019-14811-14812-14813.patch @@ -0,0 +1,56 @@ +From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Tue, 20 Aug 2019 10:10:28 +0100 +Subject: make .forceput inaccessible + +Bug #701343, #701344, #701345 + +More defensive programming. We don't want people to access .forecput +even though it is no longer sufficient to bypass SAFER. The exploit +in #701343 didn't work anyway because of earlier work to stop the error +handler being used, but nevertheless, prevent access to .forceput from +.setuserparams2. + +diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps +index 4cc7f820f..0fd416465 100644 +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -158,7 +158,7 @@ end + { + pop pop + } ifelse +- } forall ++ } executeonly forall + % A context switch might have occurred during the above loop, + % causing the interpreter-level parameters to be reset. + % Set them again to the new values. From here on, we are safe, +@@ -229,9 +229,9 @@ end + { pop pop + } + ifelse +- } ++ } executeonly + forall pop +-} .bind odef ++} .bind executeonly odef + + % Initialize the passwords. + % NOTE: the names StartJobPassword and SystemParamsPassword are known to +diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps +index c158a8faf..422e66e1a 100644 +--- a/Resource/Init/gs_pdfwr.ps ++++ b/Resource/Init/gs_pdfwr.ps +@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef + systemdict /.pdf_hooked_DSC_Creator //true .forceput + } executeonly if + pop +- } if ++ } executeonly if + } { + pop + } ifelse +- } ++ } executeonly + { + pop + } ifelse diff --git a/SOURCES/ghostscript-cve-2019-14817.patch b/SOURCES/ghostscript-cve-2019-14817.patch new file mode 100644 index 0000000..0e942d6 --- /dev/null +++ b/SOURCES/ghostscript-cve-2019-14817.patch @@ -0,0 +1,258 @@ +From be86d2ff2f0f0ea0e365707f3be0fa0c9e7315ee Mon Sep 17 00:00:00 2001 +From: Ray Johnston +Date: Mon, 18 Feb 2019 12:11:45 -0800 +Subject: [PATCH 1/2] Bug 700599: Issue an error message if an ExtGstate is not + found. + +Previously, this was silently ignored. Only issue a single warning, +and respect PDFSTOPONERROR to prevent continuing with potentially +incorrect output. + +Note that tests_private/pdf/uploads/bug696410.pdf also now gets this +error message (ExtGState" instead of ExtGState in object 10). +--- + Resource/Init/pdf_draw.ps | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index 1add3f7..6a2773a 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -494,7 +494,16 @@ end + dup { + oforce exch gsparamdict exch .knownget { exec } { pop } ifelse + } forall pop +- } if ++ } { ++ //pdfdict /.gs_warning_issued known not { ++ (\n **** Error 'gs' ignored -- ExtGState missing from Resources.\n) ++ pdfformaterror ++ ( Output may be incorrect.\n) pdfformaterror ++ //pdfdict /.gs_warning_issued //true .forceput ++ PDFSTOPONERROR { /gs /undefined signalerror } if ++ } if ++ } ++ ifelse + } bind executeonly def + + % ------ Transparency support ------ % +-- +2.20.1 + + +From cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Wed, 21 Aug 2019 10:10:51 +0100 +Subject: [PATCH 2/2] PDF interpreter - review .forceput security + +Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken" + +By abusing the error handler it was possible to get the PDFDEBUG portion +of .pdfexectoken, which uses .forceput left readable. + +Add an executeonly appropriately to make sure that clause isn't readable +no mstter what. + +Review all the uses of .forceput searching for similar cases, add +executeonly as required to secure those. All cases in the PostScript +support files seem to be covered already. +--- + Resource/Init/pdf_base.ps | 2 +- + Resource/Init/pdf_draw.ps | 14 +++++++------- + Resource/Init/pdf_font.ps | 23 ++++++++++++----------- + Resource/Init/pdf_main.ps | 6 +++--- + Resource/Init/pdf_ops.ps | 11 ++++++----- + 5 files changed, 29 insertions(+), 27 deletions(-) + +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +index d3c3a5f..5dabe4d 100644 +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -154,7 +154,7 @@ currentdict /num-chars-dict .undef + { + dup ==only () = flush + } ifelse % PDFSTEP +- } if % PDFDEBUG ++ } executeonly if % PDFDEBUG + 2 copy .knownget { + exch pop exch pop exch pop exec + } { +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index 6a2773a..068ba7c 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -501,8 +501,8 @@ end + ( Output may be incorrect.\n) pdfformaterror + //pdfdict /.gs_warning_issued //true .forceput + PDFSTOPONERROR { /gs /undefined signalerror } if +- } if +- } ++ } executeonly if ++ } executeonly + ifelse + } bind executeonly def + +@@ -1127,7 +1127,7 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput +@@ -1135,8 +1135,8 @@ currentdict end readonly def + pdfformaterror + } executeonly ifelse + end +- } ifelse +- } loop ++ } executeonly ifelse ++ } executeonly loop + { + (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) + //pdfdict /.Qqwarning_issued .knownget +@@ -1150,14 +1150,14 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + pop + + % restore pdfemptycount +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index 8b8fef8..86b1870 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -677,7 +677,7 @@ currentdict end readonly def + currentglobal 2 index dup gcheck setglobal + /FontInfo 5 dict dup 5 1 roll .forceput + setglobal +- } if ++ } executeonly if + dup /GlyphNames2Unicode .knownget not { + //true % No existing G2U, make one + } { +@@ -701,9 +701,9 @@ currentdict end readonly def + } if + PDFDEBUG { + (.processToUnicode end) = +- } if +- } if +- } stopped ++ } executeonly if ++ } executeonly if ++ } executeonly stopped + { + .dstackdepth 1 countdictstack 1 sub + {pop end} for +@@ -1225,19 +1225,20 @@ currentdict /eexec_pdf_param_dict .undef + //pdfdict /.Qqwarning_issued //true .forceput + } executeonly if + Q +- } repeat ++ } executeonly repeat + Q +- } PDFfile fileposition 2 .execn % Keep pdfcount valid. ++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid. + PDFfile exch setfileposition +- } ifelse +- } { ++ } executeonly ifelse ++ } executeonly ++ { + % PDF Type 3 fonts don't use .notdef + % d1 implementation adjusts the width as needed + 0 0 0 0 0 0 + pdfopdict /d1 get exec + } ifelse + end end +- } bdef ++ } executeonly bdef + dup currentdict Encoding .processToUnicode + currentdict end .completefont exch pop + } bind executeonly odef +@@ -2022,9 +2023,9 @@ currentdict /CMap_read_dict undef + (Will continue, but content may be missing.) = flush + } ifelse + } if +- } if ++ } executeonly if + /findresource cvx /undefined signalerror +- } loop ++ } executeonly loop + } bind executeonly odef + + /buildCIDType0 { % buildCIDType0 +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index e44288e..ecde3d4 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -2696,15 +2696,15 @@ currentdict /PDF2PS_matrix_key undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if +- } if ++ } executeonly if ++ } executeonly if + pop + count PDFexecstackcount sub { pop } repeat + (after exec) VMDEBUG +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +index c2e7461..12d5a66 100644 +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + } bind executeonly odef + + % Save PDF gstate +@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef + dup type /booleantype eq { + .currentSMask type /dicttype eq { + .currentSMask /Processed 2 index .forceput ++ } executeonly ++ { ++ .setSMask ++ }ifelse + } executeonly + { +- .setSMask +- }ifelse +- }{ + .setSMask + }ifelse + +-- +2.20.1 + diff --git a/SOURCES/ghostscript-cve-2019-14869.patch b/SOURCES/ghostscript-cve-2019-14869.patch new file mode 100644 index 0000000..e23eb19 --- /dev/null +++ b/SOURCES/ghostscript-cve-2019-14869.patch @@ -0,0 +1,40 @@ +diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps +index 064b6c8..600907e 100644 +--- a/Resource/Init/gs_ttf.ps ++++ b/Resource/Init/gs_ttf.ps +@@ -1421,7 +1421,7 @@ mark + TTFDEBUG { (\n1 setting alias: ) print dup ==only + ( to be the same as ) print 2 index //== exec } if + +- 7 index 2 index 3 -1 roll exch .forceput ++ 7 index 2 index 3 -1 roll exch put + } forall + pop pop pop + } +@@ -1439,7 +1439,7 @@ mark + exch pop + TTFDEBUG { (\n2 setting alias: ) print 1 index ==only + ( to use glyph index: ) print dup //== exec } if +- 5 index 3 1 roll .forceput ++ 5 index 3 1 roll put + //false + } + { +@@ -1456,7 +1456,7 @@ mark + { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer) + TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only + ( to be index: ) print dup //== exec } if +- exch pop 5 index 3 1 roll .forceput ++ exch pop 5 index 3 1 roll put + } + { + pop pop +@@ -1486,7 +1486,7 @@ mark + } ifelse + ] + TTFDEBUG { (Encoding: ) print dup === flush } if +-} .bind executeonly odef % hides .forceput ++} .bind odef + + % to be removed 9.09...... + currentdict /postalias undef diff --git a/SOURCES/ghostscript-cve-2019-6116-downstream.patch b/SOURCES/ghostscript-cve-2019-6116-downstream.patch index 0b5f15f..bc6c742 100644 --- a/SOURCES/ghostscript-cve-2019-6116-downstream.patch +++ b/SOURCES/ghostscript-cve-2019-6116-downstream.patch @@ -28,15 +28,6 @@ diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps index f1d1728..46408f9 100644 --- a/Resource/Init/pdf_font.ps +++ b/Resource/Init/pdf_font.ps -@@ -678,7 +678,7 @@ currentdict end readonly def - currentglobal 2 index dup gcheck setglobal - /FontInfo 5 dict dup 5 1 roll .forceput - setglobal -- } if -+ } executeonly if - dup /GlyphNames2Unicode .knownget not { - //true % No existing G2U, make one - } { @@ -692,7 +692,7 @@ currentdict end readonly def currentglobal exch dup gcheck setglobal dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec index 78be840..f2cc420 100644 --- a/SPECS/ghostscript.spec +++ b/SPECS/ghostscript.spec @@ -37,7 +37,7 @@ Name: ghostscript Summary: Interpreter for PostScript language & PDF Version: 9.25 -Release: 3%{?dist} +Release: 5%{?dist}.1 License: AGPLv3+ @@ -102,6 +102,10 @@ Patch011: ghostscript-cve-2019-3835.patch Patch012: ghostscript-cve-2019-3838.patch Patch013: ghostscript-fix-DSC-comment-parsing.patch Patch014: ghostscript-pdf2dsc-regression.patch +Patch015: ghostscript-cve-2019-10216.patch +Patch016: ghostscript-cve-2019-14811-14812-14813.patch +Patch017: ghostscript-cve-2019-14817.patch +Patch018: ghostscript-cve-2019-14869.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ @@ -441,6 +445,18 @@ done # ============================================================================= %changelog +* Fri Nov 08 2019 Zdenek Dohnal - 9.25-5.1 +- 1769342 - CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys + +* Thu Aug 22 2019 Martin Osvald - 9.25-5 +- Resolves: #1744011 - CVE-2019-14811 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445) +- Resolves: #1744015 - CVE-2019-14812 ghostscript: Safer Mode Bypass by .forceput Exposure in setuserparams (701444) +- Resolves: #1744006 - CVE-2019-14813 ghostscript: Safer Mode Bypass by .forceput Exposure in setsystemparams (701443) +- Resolves: #1744231 - CVE-2019-14817 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450) + +* Mon Aug 05 2019 Martin Osvald - 9.25-4 +- Resolves: #1737337 - CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394) + * Thu Mar 28 2019 Martin Osvald - 9.25-3 - Resolves: #1692798 - CVE-2019-3839 ghostscript: missing attack vector protections for CVE-2019-6116