From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001 From: Ken Sharp Date: Tue, 20 Aug 2019 10:10:28 +0100 Subject: [PATCH] make .forceput inaccessible Bug #701343, #701344, #701345 More defensive programming. We don't want people to access .forecput even though it is no longer sufficient to bypass SAFER. The exploit in #701343 didn't work anyway because of earlier work to stop the error handler being used, but nevertheless, prevent access to .forceput from .setuserparams2. CVE: CVE-2019-14811 Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] Signed-off-by: Stefan Ghinea --- Resource/Init/gs_lev2.ps | 6 +++--- Resource/Init/gs_pdfwr.ps | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps index 98d55fe..f1b771f 100644 --- a/Resource/Init/gs_lev2.ps +++ b/Resource/Init/gs_lev2.ps @@ -158,7 +158,7 @@ end { pop pop } ifelse - } forall + } executeonly forall % A context switch might have occurred during the above loop, % causing the interpreter-level parameters to be reset. % Set them again to the new values. From here on, we are safe, @@ -229,9 +229,9 @@ end { pop pop } ifelse - } + } executeonly forall pop -} .bind odef +} .bind executeonly odef % Initialize the passwords. % NOTE: the names StartJobPassword and SystemParamsPassword are known to diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps index 00c19fa..dfe504d 100644 --- a/Resource/Init/gs_pdfwr.ps +++ b/Resource/Init/gs_pdfwr.ps @@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef systemdict /.pdf_hooked_DSC_Creator //true .forceput } executeonly if pop - } if + } executeonly if } { pop } ifelse - } + } executeonly { pop } ifelse -- 2.20.1
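Review bot: None of the `executeonly` attributes added in Resource/Init/gs_lev2.ps carries a comment saying why it is there, so a later cleanup could drop one without noticing it is a security control. This applies to `} executeonly forall` in the -158 hunk, to `} executeonly` before `forall` and `} .bind executeonly odef` in the -229 hunk, and equally to the two additions in the gs_pdfwr.ps hunk at -652. I would put a line above each, for example `% executeonly: keep this procedure unreadable so .forceput cannot be reached through it (Bug #701343)`. The wording follows the commit message, since the gs_lev2.ps hunks do not themselves show `.forceput`, and the definition that holds both loops begins outside the hunks.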
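Review bot: In the Resource/Init/gs_pdfwr.ps hunk at -652 the hardening appears to rely on every procedure that encloses the `.forceput` call being non-readable, and only three levels are visible here. The innermost block was already closed with `} executeonly if`, and the patch marks the next two (`} executeonly if` and the `} executeonly` ahead of `{ pop } ifelse`). The definition that encloses all of them starts outside the hunk, so whether it is also protected cannot be confirmed from this page and should be checked against the full file before relying on the backport. A regression check that these procedure objects report no read access (for instance via `rcheck`, where the object can be obtained) would stop the attribute from being silently lost in a later edit.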