From b6d32d43fd2b016e932b7dc81fb943eb936b73bb Mon Sep 17 00:00:00 2001
From: Hongxu Jia
Date: Mon, 10 Sep 2018 03:21:01 -0400
Subject: ghostscript: fix CVE-2018-15908 & CVE-2018-15909 & CVE-2018-15910 & CVE-2018-15911

Signed-off-by: Hongxu Jia
Signed-off-by: Ross Burton
---
 ...Bug-699665-memory-corruption-in-aesdecode.patch | 56 +++++++++++++
 ...Handle-LockDistillerParams-not-being-a-bo.patch | 53 +++++++++++++
 ...660-shading_param-incomplete-type-checkin.patch | 91 ++++++++++++++++++++++
 .../0004-Hide-the-.shfill-operator.patch | 35 +++++++++
 ...properly-apply-file-permissions-to-.tempf.patch | 54 +++++++++++++
 .../ghostscript/ghostscript_9.23.bb | 5 ++
 6 files changed, 294 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
(limited to 'meta')
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
new file mode 100644
index 0000000000..df654f721d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
@@ -0,0 +1,56 @@ +From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 23 Aug 2018 15:42:02 +0100 +Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode" + +The specimen file calls aesdecode without specifying the key to be +used, though it does manage to do enough work with the PDF interpreter +routines to get access to aesdecode (which isn't normally available). + +This causes us to read uninitialised memory, which can (and often does) +lead to a segmentation fault. + +In this commit we set the key to NULL explicitly during intialisation +and then check it before we read it. If its NULL we just return. + +It seems bizarre that we don't return error codes, we should probably +look into that at some point, but this prevents the code trying to +read uninitialised memory. + +CVE: CVE-2018-15911 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] +Signed-off-by: Hongxu Jia +--- + base/aes.c | 3 +++ + base/saes.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/base/aes.c b/base/aes.c +index a6bce93..e86f000 100644 +--- a/base/aes.c ++++ b/base/aes.c +@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx, + } + #endif + ++ if (ctx == NULL || ctx->rk == NULL) ++ return; ++ + RK = ctx->rk; + + GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++; +diff --git a/base/saes.c b/base/saes.c +index 6db0e8b..307ed74 100644 +--- a/base/saes.c ++++ b/base/saes.c +@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr, + gs_throw(gs_error_VMerror, "could not allocate aes context"); + return ERRC; + } ++ memset(state->ctx, 0x00, sizeof(aes_context)); + if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) { + gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)", + state->keylength); +-- +2.8.1 + 
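Review bot: The new NULL guard in aes_crypt_ecb sits after the `#endif` that closes a preceding block, so whatever that block does with `ctx` (only `}` and `#endif` are visible here, so this is inferred) runs before the check; making `if (ctx == NULL || ctx->rk == NULL) return;` the first statement of the function would let the guard cover the whole body. The early return also leaves `output` unwritten, and because aes_crypt_ecb is void the caller in s_aes_process has no way to learn that nothing was decrypted — the commit message acknowledges this — so a comment at the guard such as `/* no key schedule: output is left untouched and the void API cannot report it */` would stop the next reader from treating the buffer as decrypted data. In saes.c the added `memset(state->ctx, 0x00, sizeof(aes_context))` is what makes `ctx->rk` NULL for that guard; `sizeof *state->ctx` would keep the size tied to the pointee type. Both aes_crypt_ecb and s_aes_process begin outside the hunk.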
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
new file mode 100644
index 0000000000..a16f215bd3
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
@@ -0,0 +1,53 @@ +From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Tue, 21 Aug 2018 16:42:45 +0100 +Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a + boolean + +This caused a function call commented as "Can't fail" to fail, and resulted +in memory correuption and a segfault. + +CVE: CVE-2018-15910 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Hongxu Jia +--- + devices/vector/gdevpdfp.c | 2 +- + psi/iparam.c | 7 ++++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c +index 522db7a..f2816b9 100644 +--- a/devices/vector/gdevpdfp.c ++++ b/devices/vector/gdevpdfp.c +@@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par + * LockDistillerParams is read again, and reset if necessary, in + * psdf_put_params. + */ +- ecode = param_read_bool(plist, "LockDistillerParams", &locked); ++ ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked); + if (ecode < 0) + param_signal_error(plist, param_name, ecode); + +diff --git a/psi/iparam.c b/psi/iparam.c +index 68c20d4..0279455 100644 +--- a/psi/iparam.c ++++ b/psi/iparam.c +@@ -822,10 +822,11 @@ static int + ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code) + { + iparam_list *const iplist = (iparam_list *) plist; +- iparam_loc loc; ++ iparam_loc loc = {0}; + +- ref_param_read(iplist, pkey, &loc, -1); /* can't fail */ +- *loc.presult = code; ++ ref_param_read(iplist, pkey, &loc, -1); ++ if (loc.presult) ++ *loc.presult = code; + switch (ref_param_read_get_policy(plist, pkey)) { + case gs_param_policy_ignore: + return 0; +-- +2.8.1 + 
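Review bot: The return value of `ref_param_read(iplist, pkey, &loc, -1)` in ref_param_read_signal_error is still discarded; the fix now rests only on the zero-initialised `loc.presult` staying NULL whenever the lookup fails, which is an implicit contract on how ref_param_read leaves `loc` on every failure path and is not visible in this hunk. If the function reports failure through its return, checking it directly, e.g. `if (ref_param_read(iplist, pkey, &loc, -1) >= 0 && loc.presult)`, states the intent without depending on a partially filled struct. In gdevpdfp.c the inline assignment `(param_name = "LockDistillerParams")` is what keeps `param_signal_error` reporting the right key; a short comment, `/* param_name must name the failing key for param_signal_error below */`, would explain the otherwise odd-looking form. Both enclosing functions begin outside the hunk.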
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
new file mode 100644
index 0000000000..174f79e42a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
@@ -0,0 +1,91 @@ +From 759238fd904aab1706dc1007826a13a670cda320 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 23 Aug 2018 14:12:48 +0100 +Subject: [PATCH 3/5] Fix Bug 699660 "shading_param incomplete type checking" + +Its possible to pass a t_struct parameter to .shfill which is not a +shading function built by .buildshading. This could then lead to memory +corruption or a segmentation fault by treating the object passed in +as if it were a shading. + +Its non-trivial to check the t_struct, because this function can take +7 different kinds of structures as a parameter. Checking these is +possible, of course, but would add a performance penalty. + +However, we can note that we never call .shfill without first calling +.buildshading, and we never call .buildshading without immediately +calling .shfill. So we can treat these as an atomic operation. The +.buildshading function takes all its parameters as PostScript objects +and validates them, so that should be safe. + +This allows us to 'hide' the .shfill operator preventing the possibility +of passing an invalid parameter. 
+ +CVE: CVE-2018-15909 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Hongxu Jia +--- + Resource/Init/gs_init.ps | 4 ++-- + Resource/Init/gs_ll3.ps | 7 ++++++- + Resource/Init/pdf_draw.ps | 3 +-- + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index 6c8da53..1956ed5 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2181,8 +2181,8 @@ SAFER { .setsafeglobal } if + /.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize + /.oserrno /.setoserrno /.oserrorstring /.getCPSImode + /.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep +-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern +-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring ++/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern ++%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath +diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps +index 5aa56a3..1d37e53 100644 +--- a/Resource/Init/gs_ll3.ps ++++ b/Resource/Init/gs_ll3.ps +@@ -440,6 +440,11 @@ systemdict /.reuseparamdict mark + /shfill .systemvar /undefined 
signalerror + } ifelse + } bind def ++ ++/.buildshading_and_shfill { ++ .buildshading .shfill ++} bind def ++ + systemdict /.reuseparamdict undef + + /.buildpattern2 { %