packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-36664

Browse Source 
(cherry picked from commit b9c502be405874ffbfda421e35d4ac53954418cf)
This commit is contained in:
liningjie 2023-09-06 14:41:43 +08:00 committed by openeuler-sync-bot
parent 43178ca521
commit d1301e74c6
2 changed files with 146 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

141
CVE-2023-36664.patch Normal file
View File

@ -0,0 +1,141 @@
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 7 Jun 2023 10:23:06 +0100
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
validation
For regular file names, we try to simplfy relative paths before we use them.
Because the %pipe% device can, effectively, accept command line calls, we
shouldn't be simplifying that string, because the command line syntax can end
up confusing the path simplifying code. That can result in permitting a pipe
command which does not match what was originally permitted.
Special case "%pipe" in the validation code so we always deal with the entire
string.
---
base/gpmisc.c | 31 +++++++++++++++++++--------
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
2 files changed, 64 insertions(+), 23 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 5f39ebba7..2fb87f769 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
-
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eb566ed06..d2a1aa91d 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {
--
2.34.1

6
ghostscript.spec
View File

@ -9,7 +9,7 @@
Name: ghostscript
Version: 9.55.0
Release: 4
Release: 5
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
@ -20,6 +20,7 @@ Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch
Patch2: backport-CVE-2022-2085.patch
Patch3: CVE-2023-38559.patch
Patch4: CVE-2023-28879.patch
Patch5: CVE-2023-36664.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -180,6 +181,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
%{_bindir}/dvipdf
%changelog
* Wed Sep 6 2023 liningjie <liningjie@xfusion.com> - 9.55.0-5
- fix CVE-2023-36664
* Thu Aug 24 2023 liningjie <liningjie@xfusion.com> - 9.55.0-4
- fix CVE-2023-28879