path: root/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch
blob: d4ef0996ecf2ad867330d382fe2dae3866e84e16 (plain)
From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Tue, 20 Aug 2019 10:10:28 +0100
Subject: [PATCH] make .forceput inaccessible

Bug #701343, #701344, #701345

More defensive programming. We don't want people to access .forceput
even though it is no longer sufficient to bypass SAFER. The exploit
in #701343 didn't work anyway because of earlier work to stop the error
handler being used, but nevertheless, prevent access to .forceput from
.setuserparams2.

CVE: CVE-2019-14811
CVE: CVE-2019-14813
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]

Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
---
 Resource/Init/gs_lev2.ps  | 6 +++---
 Resource/Init/gs_pdfwr.ps | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
index 98d55fe..f1b771f 100644
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
     {
       pop pop
     } ifelse
-  } forall
+  } executeonly forall
         % A context switch might have occurred during the above loop,
         % causing the interpreter-level parameters to be reset.
         % Set them again to the new values.  From here on, we are safe,
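Review bot: The `executeonly` added at `} executeonly forall` carries no comment saying why this loop body must be unreadable, and the body starts above the hunk, so the reason cannot be seen here. The attribute is the whole hardening (per the commit message it keeps .forceput out of reach via .setuserparams2), so a later cleanup could drop it as redundant without anyone noticing. I would put a line above it such as `% executeonly: this procedure references .forceput and must not be readable by user code`. The same applies to `} executeonly` and `} .bind executeonly odef` in the second gs_lev2.ps hunk and to both additions in gs_pdfwr.ps. Presumably each marked body does contain .forceput; confirm that against the full files.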
@@ -229,9 +229,9 @@ end
        { pop pop
        }
       ifelse
-    }
+    } executeonly
    forall pop
-} .bind odef
+} .bind executeonly odef
 
 % Initialize the passwords.
 % NOTE: the names StartJobPassword and SystemParamsPassword are known to
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
index 00c19fa..dfe504d 100644
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
           systemdict /.pdf_hooked_DSC_Creator //true .forceput
         } executeonly if
         pop
-      } if
+      } executeonly if
     } {
       pop
     } ifelse
-  }
+  } executeonly
   {
     pop
   } ifelse
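Review bot: The procedure that encloses the `} executeonly` / `{ pop } ifelse` pair opens and closes outside this hunk, so whether that outermost level is also execute-only cannot be confirmed here. The hunk marks two more nesting levels around `systemdict /.pdf_hooked_DSC_Creator //true .forceput`. If the intent is that every procedure on the path to .forceput is unreadable, check the enclosing definition in gs_pdfwr.ps and mark it the same way where it is not already. A short comment next to the `.forceput` line, e.g. `% every enclosing procedure must stay executeonly`, would make that invariant explicit for later edits.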
-- 
2.20.1