Date: Friday, September 10, 2021 @ 14:33:57 Author: andyrtr Revision: 423717
archrelease: copy trunk to testing-x86_64 Added: ghostscript/repos/testing-x86_64/ ghostscript/repos/testing-x86_64/CVE-2021-3781.patch (from rev 423716, ghostscript/trunk/CVE-2021-3781.patch) ghostscript/repos/testing-x86_64/PKGBUILD (from rev 423716, ghostscript/trunk/PKGBUILD) ---------------------+ CVE-2021-3781.patch | 232 ++++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 120 +++++++++++++++++++++++++ 2 files changed, 352 insertions(+) Copied: ghostscript/repos/testing-x86_64/CVE-2021-3781.patch (from rev 423716, ghostscript/trunk/CVE-2021-3781.patch) =================================================================== --- testing-x86_64/CVE-2021-3781.patch (rev 0) +++ testing-x86_64/CVE-2021-3781.patch 2021-09-10 14:33:57 UTC (rev 423717) @@ -0,0 +1,232 @@ +From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.lidd...@artifex.com> +Date: Tue, 7 Sep 2021 20:36:12 +0100 +Subject: [PATCH] Bug 704342: Include device specifier strings in access + validation + +for the "%pipe%", %handle%" and %printer% io devices. + +We previously validated only the part after the "%pipe%" Postscript device +specifier, but this proved insufficient. + +This rebuilds the original file name string, and validates it complete. The +slight complication for "%pipe%" is it can be reached implicitly using +"|" so we have to check both prefixes. + +Addresses CVE-2021-3781 +--- + base/gdevpipe.c | 22 +++++++++++++++- + base/gp_mshdl.c | 11 +++++++- + base/gp_msprn.c | 10 ++++++- + base/gp_os2pr.c | 13 +++++++++- + base/gslibctx.c | 69 ++++++++++--------------------------------------- + 5 files changed, 65 insertions(+), 60 deletions(-) + +diff --git a/base/gdevpipe.c b/base/gdevpipe.c +index 96d71f5d8..5bdc485be 100644 +--- a/base/gdevpipe.c ++++ b/base/gdevpipe.c +@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, + #else + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ /* The pipe device can be reached in two ways, explicltly with %pipe% ++ or implicitly with "|", so we have to check for both ++ */ ++ char f[gp_file_name_sizeof]; ++ const char *pipestr = "|"; ++ const size_t pipestrlen = strlen(pipestr); ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); ++ int code1; ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ code1 = gp_validate_path(mem, f, access); ++ ++ memcpy(f, pipestr, pipestrlen); ++ memcpy(f + pipestrlen, fname, nlen + 1); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) + return gs_error_invalidfileaccess; + + /* +diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c +index 2b964ed74..8d87ceadc 100644 +--- a/base/gp_mshdl.c ++++ b/base/gp_mshdl.c +@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, + long hfile; /* Correct for Win32, may be wrong for Win64 */ + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ char f[gp_file_name_sizeof]; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, f, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_handle method. */ +diff --git a/base/gp_msprn.c b/base/gp_msprn.c +index ed4827968..746a974f7 100644 +--- a/base/gp_msprn.c ++++ b/base/gp_msprn.c +@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(pname, iodev->dname, preflen); ++ memcpy(pname + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, pname, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ +diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c +index f852c71fc..ba54cde66 100644 +--- a/base/gp_os2pr.c ++++ b/base/gp_os2pr.c +@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + FILE ** pfile, char *rfname, uint rnamelen) + { + os2_printer_t *pr = (os2_printer_t *)iodev->state; +- char driver_name[256]; ++ char driver_name[gp_file_name_sizeof]; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const int size_t = strlen(fname); ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(driver_name, iodev->dname, preflen); ++ memcpy(driver_name + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, driver_name, access) != 0) ++ return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ + /* Note that the loop condition here ensures we don't +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 6dfed6cd5..318039fad 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) + int + gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ + rewrite_percent_specifiers(f); +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_add_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_add_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_add_control_path(mem, gs_permit_file_control, fp); ++ ++ code = gs_add_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_add_control_path(mem, gs_permit_file_writing, fp); ++ return gs_add_control_path(mem, gs_permit_file_writing, f); + } + + int + gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_remove_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_remove_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_remove_control_path(mem, gs_permit_file_control, fp); ++ rewrite_percent_specifiers(f); ++ ++ code = gs_remove_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_remove_control_path(mem, gs_permit_file_writing, fp); ++ return gs_remove_control_path(mem, gs_permit_file_writing, f); + } + + int +-- +2.17.1 + Copied: ghostscript/repos/testing-x86_64/PKGBUILD (from rev 423716, ghostscript/trunk/PKGBUILD) =================================================================== --- testing-x86_64/PKGBUILD (rev 0) +++ testing-x86_64/PKGBUILD 2021-09-10 14:33:57 UTC (rev 423717) @@ -0,0 +1,120 @@ +# Maintainer: AndyRTR <andy...@archlinux.org> + +pkgbase=ghostscript +pkgname=(ghostscript ghostxps ghostpcl) +pkgver=9.54.0 +pkgrel=3 +pkgdesc="An interpreter for the PostScript language" +url="https://www.ghostscript.com/" +arch=('x86_64') +license=('AGPL3' 'custom') +depends=('libxt' 'libcups' 'fontconfig' 'zlib' 'libpng' 'libjpeg' 'jbig2dec' + 'libtiff' 'lcms2' 'dbus' 'libpaper' 'ijs' 'openjpeg2' 'libidn') +makedepends=('gtk3' 'gnutls' 'glu' 'freeglut') +# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases +source=(https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver//./}/ghostpdl-${pkgver}.tar.xz + CVE-2021-3781.patch) +sha512sums=('fed500f5f267f0eeecc4ab44c2785ddaa9ad6965b689e9792021e2348296ee19150f10decb264a4689464088449be44fe8e6c30566a26e6e4e978c8b2d4654ec' + '26a625518b18433309ccf404cbe90e2240a75091ae8c38d197d5dce5e1ac7e3df73be83683b64de2d38f429ffa45cb3eda9ecf9388e40094a1ca84328457a8f4') + +### update jbig2dec first! ### + +### make sure to rebuild core/groff on version updates - https://bugs.archlinux.org/task/67751 ### + +prepare() { + cd ghostpdl-${pkgver} + + # *** remove after final decision *** + # new in 9.54.0: + # https://www.ghostscript.com/doc/9.54.0/News.htm + + # 1) inclusion of the tesseract/leptonica sources for OCR capabilities + # at the moment we do not support linking with tesseract/leptonica shared libraries. + # As is normal with such included libraries, deleting those directories and (re)running + # configure (on Unix like systems) will automatically build without the OCR functionality. + # increases package size ghostpcl 2.7->4.9MB | ghostscript 18->23MB | ghostxps 2,7->4.9MB + # https://www.ghostscript.com/doc/9.54.0/VectorDevices.htm#UseOCR - + # this doesn't seem to be worth to keep enabled until linking with shared libs is supported + rm -r tesseract leptonica + + # 2) new directory addition in the source tree: "extract/". + # It contains the implementation for the writing of docx format files used by the + # new "docxwrite" device. This is *not* a "thirdparty library". + # For distribution package maintainers, if you want your packaged Ghostscript to include + # the "docxwrite" device, do not delete this directory. + # ^ this one doesn't affect package size - so let's keep it + + # force it to use system-libs + rm -r cups/libs expat ijs jbig2dec jpeg lcms2mt libpng openjpeg tiff zlib + # using tree freetype because of https://bugs.archlinux.org/task/56849 + # lcms2mt is the new lcms2 fork aimed to replace lcms2 in a thread safe way + + # http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=40dc5b409c6262b18b4bf5386b5482ead4c511e3 + # libs link unwanted to libgpdl that isn't installed + rm -rf gpdl + + + # CVE-2021-3781 / CVE-2021-3781.patch + patch -Np1 -i ../CVE-2021-3781.patch +} + +build() { + cd ghostpdl-${pkgver} + ./configure --prefix=/usr \ + --enable-dynamic \ + --with-ijs \ + --with-jbig2dec \ + --with-x \ + --with-drivers=ALL \ + --with-openprinting \ + --with-fontpath=/usr/share/fonts/gsfonts \ + --enable-fontconfig \ + --enable-freetype \ + --enable-openjpeg \ + --without-luratech \ + --with-system-libtiff \ + --with-libpaper \ + --disable-compile-inits #--help # needed for linking with system-zlib + make +} + +package_ghostscript() { + optdepends=('texlive-core: needed for dvipdf' + 'gtk3: needed for gsx') + + cd ghostpdl-${pkgver} + make DESTDIR="${pkgdir}" install-gs install-so-gs + # replace statically linked gs binary with symlink to dynamically linked gsc + rm -v "${pkgdir}"/usr/bin/gs + ln -s gsc "${pkgdir}"/usr/bin/gs + + # remove unwanted localized manpages + rm -rv "${pkgdir}"/usr/share/man/de + + install -Dt "${pkgdir}"/usr/share/licenses/${pkgname} -m644 LICENSE +} + +package_ghostxps() { + pkgdesc="${pkgdesc/PostScript/XPS document}" + depends=("ghostscript=${pkgver}-${pkgrel}") + + cd ghostpdl-${pkgver} + make DESTDIR="${pkgdir}" install-gxps install-so-gxps + rm -r "${pkgdir}"/usr/include + + install -Dt "${pkgdir}"/usr/share/licenses/${pkgname} -m644 LICENSE + + # fix file conflict - FS#70238 + rm -r "${pkgdir}"/usr/lib/libgxps.so +} + +package_ghostpcl() { + pkgdesc="${pkgdesc/PostScript/PCL 6}" + depends=("ghostscript=${pkgver}-${pkgrel}") + + cd ghostpdl-${pkgver} + make DESTDIR="${pkgdir}" install-gpcl6 install-so-gpcl6 + rm -r "${pkgdir}"/usr/include + + install -Dt "${pkgdir}"/usr/share/licenses/${pkgname} -m644 LICENSE +}