sync by openEuler-22.03-LTS-SP3

Signed-off-by: liweigang <liweiganga@uniontech.com>
This commit is contained in:
liweigang 2024-06-20 14:00:14 +08:00
parent ee08056647
commit 9765c07dfb
4 changed files with 121 additions and 11 deletions

View File

@ -0,0 +1,57 @@
From e59216049cac290fb437a04c4f41ea46826cfba5 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Thu, 24 Aug 2023 15:24:35 +0100
Subject: [PATCH 01/44] IJS device - try and secure the IJS server startup
Bug #707051 ""ijs" device can execute arbitrary commands"
The problem is that the 'IJS' device needs to start the IJS server, and
that is indeed an arbitrary command line. There is (apparently) no way
to validate it. Indeed, this is covered quite clearly in the comments
at the start of the source:
* WARNING: The ijs server can be selected on the gs command line
* which is a security risk, since any program can be run.
Previously this used the awful LockSafetyParams hackery, which we
abandoned some time ago because it simply couldn't be made secure (it
was implemented in PostScript and was therefore vulnerable to PostScript
programs).
This commit prevents PostScript programs switching to the IJS device
after SAFER has been activated, and prevents changes to the IjsServer
parameter after SAFER has been activated.
SAFER is activated, unless explicitly disabled, before any user
PostScript is executed which means that the device and the server
invocation can only be configured on the command line. This does at
least provide minimal security against malicious PostScript programs.
---
devices/gdevijs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/devices/gdevijs.c b/devices/gdevijs.c
index 8cbd84b97..16f5a1752 100644
--- a/devices/gdevijs.c
+++ b/devices/gdevijs.c
@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
static const char rgb[] = "DeviceRGB";
gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
+ return_error(gs_error_invalidaccess);
if (!ijsdev->ColorSpace) {
ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
"gsijs_initialize");
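Review bot: the guard is placed before the ColorSpace allocation, so the invalidaccess return leaves nothing half-initialised, but it fires on every call to gsijs_initialize_device, including the one for a device selected on the command line. The description says SAFER is activated before any user PostScript runs; confirm that the command-line device is initialised before path_control_active is set (or that this path is only re-entered for PostScript-driven device switches), otherwise `-sDEVICE=ijs` without -dNOSAFER would be refused as well. A short comment above the check stating that intent would help the next reader.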
@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
if (code >= 0)
code = gsijs_read_string(plist, "IjsServer",
ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
- dev->LockSafetyParams, is_open);
+ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
if (code >= 0)
code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
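Review bot: the argument being swapped is the read-only flag of gsijs_read_string, and replacing `dev->LockSafetyParams` with `ijsdev->memory->gs_lib_ctx->core->path_control_active` moves the decision from a PostScript-settable device parameter to the library's path-control state, which is the point of the change. Only IjsServer is guarded here, though; the DeviceManufacturer read on the following line goes through gsijs_read_string_malloc with no lock argument in view. If those strings only reach the server as parameters rather than as part of the command line that is fine, but a one-line comment saying why the guard is limited to IjsServer would save the next reviewer the same question.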
--
2.33.0

View File

@ -0,0 +1,43 @@
From 5d2da96e81c7455338302c71a291088a8396245a Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 16 Oct 2023 16:49:40 +0100
Subject: [PATCH] Bug 707264: Fix tiffsep(1) requirement for seekable output
files
In the device initialization redesign, tiffsep and tiffsep1 lost the requirement
for the output files to be seekable.
Fixing that highlighted a problem with the error handling in
gdev_prn_open_printer_seekable() where closing the erroring file would leave a
dangling pointer, and lead to a crash.
---
base/gdevprn.c | 1 +
devices/gdevtsep.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/base/gdevprn.c b/base/gdevprn.c
index 0491a3c6c..033632387 100644
--- a/base/gdevprn.c
+++ b/base/gdevprn.c
@@ -1271,6 +1271,7 @@ gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode,
&& !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
+ ppdev->file = NULL;
if (code < 0)
return code;
}
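Review bot: the new `ppdev->file = NULL;` is unconditional and sits before `if (code < 0) return code;`, which is exactly what the description calls for: when gx_device_close_output_file fails, the function previously returned with ppdev->file still pointing at the closed stream, and the next open or close of the device reused it. Consider a one-line comment stating that the file is released by the close call regardless of its return value, so nobody later moves the assignment into the success path.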
diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
index 7fd3c5518..f7a1b174b 100644
--- a/devices/gdevtsep.c
+++ b/devices/gdevtsep.c
@@ -737,6 +737,7 @@ tiffsep_initialize_device_procs(gx_device *dev)
{
gdev_prn_initialize_device_procs(dev);
+ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
set_dev_proc(dev, open_device, tiffsep_prn_open);
set_dev_proc(dev, close_device, tiffsep_prn_close);
set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
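Review bot: the subject names both tiffsep and tiffsep1, but the diffstat shows a single insertion in devices/gdevtsep.c, inside tiffsep_initialize_device_procs. Confirm that tiffsep1's procs initialiser calls this function and therefore inherits gdev_prn_output_page_seekable; if it sets up its own procs, it needs the same set_dev_proc(dev, output_page, gdev_prn_output_page_seekable) line, or the seekable-output requirement stays missing for tiffsep1.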
--
2.34.1

View File

@ -34,5 +34,5 @@ index 3c47e99..81556ac 100644
* If we're reading a .PFB file, let the filter know about it, * If we're reading a .PFB file, let the filter know about it,
* so it can read recklessly to the end of the binary section. * so it can read recklessly to the end of the binary section.
-- --
2.27.0 2.43.0
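Review bot: the only change to this existing patch file is the git version trailer at the end, `2.27.0` becoming `2.43.0`; the context lines (the .PFB filter comment) are identical in both columns. This is a cosmetic side effect of regenerating the patch with a newer git and is harmless, but if the patch body itself was not regenerated the file could have been left untouched to keep the sync diff minimal.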

View File

@ -9,7 +9,7 @@
Name: ghostscript Name: ghostscript
Version: 9.55.0 Version: 9.55.0
Release: 8 Release: 9
Summary: An interpreter for PostScript and PDF files Summary: An interpreter for PostScript and PDF files
License: AGPLv3+ License: AGPLv3+
URL: https://ghostscript.com/ URL: https://ghostscript.com/
@ -21,11 +21,12 @@ Patch2: backport-CVE-2022-2085.patch
Patch3: CVE-2023-38559.patch Patch3: CVE-2023-38559.patch
Patch4: CVE-2023-28879.patch Patch4: CVE-2023-28879.patch
Patch5: CVE-2023-36664.patch Patch5: CVE-2023-36664.patch
Patch6: CVE-2023-46751.patch Patch6: backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
Patch7: fix-cve-2023-52722.patch Patch7: backport-CVE-2023-46751.patch
Patch8: fix-CVE-2024-29510.patch Patch8: fix-cve-2023-52722.patch
Patch9: fix-CVE-2024-33869.patch Patch9: fix-CVE-2024-29510.patch
Patch10: fix-CVE-2024-33870.patch Patch10: fix-CVE-2024-33869.patch
Patch11: fix-CVE-2024-33870.patch
BuildRequires: automake gcc BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
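Review bot: inserting the CVE-2023-43115 backport as Patch6 renumbers Patch7 through Patch11, and the former Patch6 changes from CVE-2023-46751.patch to backport-CVE-2023-46751.patch. Two things to confirm: first, that %prep applies the patches with %autosetup or otherwise does not reference %patchN numbers, since no %prep hunk mirrors the renumbering; second, that the previously referenced CVE-2023-46751.patch is removed or renamed in the repository, because none of the four files in this commit shows that deletion, and a stale patch file the spec no longer applies is easy to mistake for coverage. Appending the new backport as Patch11 instead of inserting it at Patch6 would have avoided the renumbering entirely.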
@ -186,20 +187,29 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf %{_bindir}/dvipdf
%changelog %changelog
* Sun May 26 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.55.0-8 * Sun May 26 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.55.0-9
- Type:CVE - Type:CVE
- ID:NA - ID:NA
- SUG:NA - SUG:NA
- DECS: fix CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 - DECS: fix CVE-2024-29510 CVE-2024-33869 CVE-2024-33870
* Mon May 6 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.55.0-7 * Mon May 6 2024 xuchenchen <xuchenchen@kylinos.cn> - 9.55.0-8
- Type:CVE - Type:CVE
- ID:NA - ID:NA
- SUG:NA - SUG:NA
- DECS: fix CVE-2023-52722 - DECS: fix CVE-2023-52722
* Mon Dec 25 2023 liningjie <liningjie@xfusion.com> - 9.55.0-6 * Mon Dec 25 2023 liningjie <liningjie@xfusion.com> - 9.55.0-7
- fix CVE-2023-46751 - Type:CVE
- ID:CVE-2023-46751
- SUG:NA
- DESC:fix CVE-2023-46751
* Fri Sep 22 2023 dillon chen <dillon.chen@gmail.com> - 9.55.0-6
- Type:CVE
- ID:CVE-2023-43115
- SUG:NA
- DESC:fix CVE-2023-43115
* Wed Sep 6 2023 liningjie <liningjie@xfusion.com> - 9.55.0-5 * Wed Sep 6 2023 liningjie <liningjie@xfusion.com> - 9.55.0-5
- fix CVE-2023-36664 - fix CVE-2023-36664
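Review bot: this hunk rewrites the changelog instead of appending to it: the existing 9.55.0-8, -7 and -6 entries are relabelled -9, -8 and -7 while keeping their original dates and authors, and two entries (liningjie 2023-12-25 for CVE-2023-46751, dillon chen 2023-09-22 for CVE-2023-43115) are inserted into the middle of the log. The net effect is that Release: 9, built by liweigang on 2024-06-20 according to the commit header, has no changelog entry of its own, and the top entry dated Sun May 26 2024 now claims a release number that did not exist on that date. Add a new top entry for 9.55.0-9 with this commit's author and date describing the CVE-2023-43115 backport, and leave the earlier entries' release numbers as they were. The `DECS:` tag in the two 2024 entries is also a typo for `DESC:` (compare the inserted entries), though it predates this change.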