Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2021-09-13 16:24:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Mon Sep 13 16:24:27 2021 rev:52 rq:917942 version:9.54.0 Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2021-06-01 10:33:53.172447799 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new.1899/ghostscript-mini.changes 2021-09-13 16:25:10.582789466 +0200 @@ -1,0 +2,8 @@ +Fri Sep 10 09:37:46 CEST 2021 - jsm...@suse.de + +- CVE-2021-3781.patch fixes CVE-2021-3781 + Trivial -dSAFER bypass + cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 + (bsc#1190381) + +------------------------------------------------------------------- ghostscript.changes: same change New: ---- CVE-2021-3781.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.Yq2PaE/_old 2021-09-13 16:25:11.354790359 +0200 +++ /var/tmp/diff_new_pack.Yq2PaE/_new 2021-09-13 16:25:11.358790363 +0200 @@ -83,6 +83,12 @@ # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): Patch101: ijs_exec_server_dont_use_sh.patch +# Patch102 CVE-2021-3781.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde +# that fixes CVE-2021-3781 Trivial -dSAFER bypass +# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 +# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 +Patch102: CVE-2021-3781.patch # RPM dependencies: # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any" # so other packages can build with any available Ghostscript implementation, @@ -160,6 +166,12 @@ # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): %patch101 -p1 +# Patch102 CVE-2021-3781.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde +# that fixes CVE-2021-3781 Trivial -dSAFER bypass +# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 +# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 +%patch102 -p1 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.Yq2PaE/_old 2021-09-13 16:25:11.386790396 +0200 +++ /var/tmp/diff_new_pack.Yq2PaE/_new 2021-09-13 16:25:11.390790400 +0200 @@ -112,6 +112,12 @@ # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): Patch101: ijs_exec_server_dont_use_sh.patch +# Patch102 CVE-2021-3781.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde +# that fixes CVE-2021-3781 Trivial -dSAFER bypass +# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 +# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 +Patch102: CVE-2021-3781.patch # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": @@ -301,6 +307,12 @@ # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467): %patch101 -p1 +# Patch102 CVE-2021-3781.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde +# that fixes CVE-2021-3781 Trivial -dSAFER bypass +# cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342 +# and https://bugzilla.suse.com/show_bug.cgi?id=1190381 +%patch102 -p1 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig ++++++ CVE-2021-3781.patch ++++++ >From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 From: Chris Liddell <chris.lidd...@artifex.com> Date: Tue, 7 Sep 2021 20:36:12 +0100 Subject: [PATCH] Bug 704342: Include device specifier strings in access validation for the "%pipe%", %handle%" and %printer% io devices. We previously validated only the part after the "%pipe%" Postscript device specifier, but this proved insufficient. This rebuilds the original file name string, and validates it complete. The slight complication for "%pipe%" is it can be reached implicitly using "|" so we have to check both prefixes. Addresses CVE-2021-3781 --- base/gdevpipe.c | 22 +++++++++++++++- base/gp_mshdl.c | 11 +++++++- base/gp_msprn.c | 10 ++++++- base/gp_os2pr.c | 13 +++++++++- base/gslibctx.c | 69 ++++++++++--------------------------------------- 5 files changed, 65 insertions(+), 60 deletions(-) diff --git a/base/gdevpipe.c b/base/gdevpipe.c index 96d71f5d8..5bdc485be 100644 --- a/base/gdevpipe.c +++ b/base/gdevpipe.c @@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, #else gs_lib_ctx_t *ctx = mem->gs_lib_ctx; gs_fs_list_t *fs = ctx->core->fs; + /* The pipe device can be reached in two ways, explicltly with %pipe% + or implicitly with "|", so we have to check for both + */ + char f[gp_file_name_sizeof]; + const char *pipestr = "|"; + const size_t pipestrlen = strlen(pipestr); + const size_t preflen = strlen(iodev->dname); + const size_t nlen = strlen(fname); + int code1; + + if (preflen + nlen >= gp_file_name_sizeof) + return_error(gs_error_invalidaccess); + + memcpy(f, iodev->dname, preflen); + memcpy(f + preflen, fname, nlen + 1); + + code1 = gp_validate_path(mem, f, access); + + memcpy(f, pipestr, pipestrlen); + memcpy(f + pipestrlen, fname, nlen + 1); - if (gp_validate_path(mem, fname, access) != 0) + if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) return gs_error_invalidfileaccess; /* diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c index 2b964ed74..8d87ceadc 100644 --- a/base/gp_mshdl.c +++ b/base/gp_mshdl.c @@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, long hfile; /* Correct for Win32, may be wrong for Win64 */ gs_lib_ctx_t *ctx = mem->gs_lib_ctx; gs_fs_list_t *fs = ctx->core->fs; + char f[gp_file_name_sizeof]; + const size_t preflen = strlen(iodev->dname); + const size_t nlen = strlen(fname); - if (gp_validate_path(mem, fname, access) != 0) + if (preflen + nlen >= gp_file_name_sizeof) + return_error(gs_error_invalidaccess); + + memcpy(f, iodev->dname, preflen); + memcpy(f + preflen, fname, nlen + 1); + + if (gp_validate_path(mem, f, access) != 0) return gs_error_invalidfileaccess; /* First we try the open_handle method. */ diff --git a/base/gp_msprn.c b/base/gp_msprn.c index ed4827968..746a974f7 100644 --- a/base/gp_msprn.c +++ b/base/gp_msprn.c @@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; gs_lib_ctx_t *ctx = mem->gs_lib_ctx; gs_fs_list_t *fs = ctx->core->fs; + const size_t preflen = strlen(iodev->dname); + const size_t nlen = strlen(fname); - if (gp_validate_path(mem, fname, access) != 0) + if (preflen + nlen >= gp_file_name_sizeof) + return_error(gs_error_invalidaccess); + + memcpy(pname, iodev->dname, preflen); + memcpy(pname + preflen, fname, nlen + 1); + + if (gp_validate_path(mem, pname, access) != 0) return gs_error_invalidfileaccess; /* First we try the open_printer method. */ diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c index f852c71fc..ba54cde66 100644 --- a/base/gp_os2pr.c +++ b/base/gp_os2pr.c @@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, FILE ** pfile, char *rfname, uint rnamelen) { os2_printer_t *pr = (os2_printer_t *)iodev->state; - char driver_name[256]; + char driver_name[gp_file_name_sizeof]; gs_lib_ctx_t *ctx = mem->gs_lib_ctx; gs_fs_list_t *fs = ctx->core->fs; + const size_t preflen = strlen(iodev->dname); + const int size_t = strlen(fname); + + if (preflen + nlen >= gp_file_name_sizeof) + return_error(gs_error_invalidaccess); + + memcpy(driver_name, iodev->dname, preflen); + memcpy(driver_name + preflen, fname, nlen + 1); + + if (gp_validate_path(mem, driver_name, access) != 0) + return gs_error_invalidfileaccess; /* First we try the open_printer method. */ /* Note that the loop condition here ensures we don't diff --git a/base/gslibctx.c b/base/gslibctx.c index 6dfed6cd5..318039fad 100644 --- a/base/gslibctx.c +++ b/base/gslibctx.c @@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) int gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) { - char *fp, f[gp_file_name_sizeof]; - const int pipe = 124; /* ASCII code for '|' */ - const int len = strlen(fname); - int i, code; + char f[gp_file_name_sizeof]; + int code; /* Be sure the string copy will fit */ - if (len >= gp_file_name_sizeof) + if (strlen(fname) >= gp_file_name_sizeof) return gs_error_rangecheck; strcpy(f, fname); - fp = f; /* Try to rewrite any %d (or similar) in the string */ rewrite_percent_specifiers(f); - for (i = 0; i < len; i++) { - if (f[i] == pipe) { - fp = &f[i + 1]; - /* Because we potentially have to check file permissions at two levels - for the output file (gx_device_open_output_file and the low level - fopen API, if we're using a pipe, we have to add both the full string, - (including the '|', and just the command to which we pipe - since at - the pipe_fopen(), the leading '|' has been stripped. - */ - code = gs_add_control_path(mem, gs_permit_file_writing, f); - if (code < 0) - return code; - code = gs_add_control_path(mem, gs_permit_file_control, f); - if (code < 0) - return code; - break; - } - if (!IS_WHITESPACE(f[i])) - break; - } - code = gs_add_control_path(mem, gs_permit_file_control, fp); + + code = gs_add_control_path(mem, gs_permit_file_control, f); if (code < 0) return code; - return gs_add_control_path(mem, gs_permit_file_writing, fp); + return gs_add_control_path(mem, gs_permit_file_writing, f); } int gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) { - char *fp, f[gp_file_name_sizeof]; - const int pipe = 124; /* ASCII code for '|' */ - const int len = strlen(fname); - int i, code; + char f[gp_file_name_sizeof]; + int code; /* Be sure the string copy will fit */ - if (len >= gp_file_name_sizeof) + if (strlen(fname) >= gp_file_name_sizeof) return gs_error_rangecheck; strcpy(f, fname); - fp = f; /* Try to rewrite any %d (or similar) in the string */ - for (i = 0; i < len; i++) { - if (f[i] == pipe) { - fp = &f[i + 1]; - /* Because we potentially have to check file permissions at two levels - for the output file (gx_device_open_output_file and the low level - fopen API, if we're using a pipe, we have to add both the full string, - (including the '|', and just the command to which we pipe - since at - the pipe_fopen(), the leading '|' has been stripped. - */ - code = gs_remove_control_path(mem, gs_permit_file_writing, f); - if (code < 0) - return code; - code = gs_remove_control_path(mem, gs_permit_file_control, f); - if (code < 0) - return code; - break; - } - if (!IS_WHITESPACE(f[i])) - break; - } - code = gs_remove_control_path(mem, gs_permit_file_control, fp); + rewrite_percent_specifiers(f); + + code = gs_remove_control_path(mem, gs_permit_file_control, f); if (code < 0) return code; - return gs_remove_control_path(mem, gs_permit_file_writing, fp); + return gs_remove_control_path(mem, gs_permit_file_writing, f); } int -- 2.17.1