Have all of these been resolved in master?

Ross
On Wed, 3 Apr 2019 at 13:39, Ovidiu Panait <ovidiu.pan...@windriver.com> wrote:
>
> It was found that the superexec operator was available in the internal
> dictionary in ghostscript before 9.27. A specially crafted PostScript
> file could use this flaw in order to, for example, have access to the
> file system outside of the constraints imposed by -dSAFER.
>
> It was found that the forceput operator could be extracted from the
> DefineResource method in ghostscript before 9.27. A specially crafted
> PostScript file could use this flaw in order to, for example, have
> access to the file system outside of the constraints imposed by -dSAFER.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2019-3835
> https://nvd.nist.gov/vuln/detail/CVE-2019-3838
>
> Upstream patches:
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e
> > Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > --- > .../ghostscript/CVE-2019-3835-0001.patch | 99 ++++++ > .../ghostscript/CVE-2019-3835-0002.patch | 71 +++++ > .../ghostscript/CVE-2019-3835-0003.patch | 295 ++++++++++++++++++ > .../ghostscript/CVE-2019-3835-0004.patch | 167 ++++++++++ > .../ghostscript/CVE-2019-3838-0001.patch | 34 ++ > .../ghostscript/CVE-2019-3838-0002.patch | 30 ++ > .../ghostscript/ghostscript_9.26.bb | 6 + > 7 files changed, 702 insertions(+) > create mode 100644 > meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch > create mode 100644 > meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch > create mode 100644 > meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch > create mode 100644 > meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch > create mode 100644 > meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch > create mode 100644 > meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch > > diff --git > a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch > b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch > new file mode 100644 > index 0000000000..30ce04a7b1 > --- /dev/null > +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch 
> @@ -0,0 +1,99 @@ > +From ad3ad6b389653722507e588c5cb34d8731e49e89 Mon Sep 17 00:00:00 2001 > +From: Chris Liddell <chris.lidd...@artifex.com> > +Date: Mon, 26 Nov 2018 18:01:25 +0000 > +Subject: [PATCH] Have gs_cet.ps run from gs_init.ps > + > +Previously gs_cet.ps was run on the command line, to set up the interpreter > +state so our output more closely matches the example output for the QL CET > +tests. > + > +Allow a -dCETMODE command line switch, which will cause gs_init.ps to run the > +file directly. > + > +This works better for gpdl as it means the changes are made in the intial > +interpreter state, rather than after initialisation is complete. > + > +This also means adding a definition of the default procedure for black > +generation and under color removal (rather it being defined in-line in > +.setdefaultbgucr > + > +Also, add a check so gs_cet.ps only runs once - if we try to run it a second > +time, we'll just skip over the file, flushing through to the end. > + > +CVE: CVE-2019-3835 > +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] > + > +Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > +--- > + Resource/Init/gs_cet.ps | 11 ++++++++++- > + Resource/Init/gs_init.ps | 13 ++++++++++++- > + 2 files changed, 22 insertions(+), 2 deletions(-) > + > +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps > +index d3e1686..75534bb 100644 > +--- a/Resource/Init/gs_cet.ps > ++++ b/Resource/Init/gs_cet.ps > +@@ -1,6 +1,11 @@ > + %!PS > + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET > + > ++systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq > ++{ > ++ (%END GS_CET) .skipeof > ++} if > ++ > + % do this in the server level so it is persistent across jobs > + //true 0 startjob not { > + (*** Warning: CET startup is not in server default) = flush > +@@ -25,7 +30,9 @@ currentglobal //true setglobal > + > + /UNROLLFORMS true def > + > +-{ } bind dup > ++(%.defaultbgrucrproc) cvn { } bind def > ++ > 
++(%.defaultbgrucrproc) cvn load dup > + setblackgeneration > + setundercolorremoval > + 0 array cvx readonly dup dup dup setcolortransfer > +@@ -109,3 +116,5 @@ userdict /.smoothness currentsmoothness put > + % end of slightly nasty hack to give consistent cluster results > + > + //false 0 startjob pop % re-enter encapsulated mode > ++ > ++%END GS_CET > +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps > +index 45bebf4..e6b9cd2 100644 > +--- a/Resource/Init/gs_init.ps > ++++ b/Resource/Init/gs_init.ps > +@@ -1538,10 +1538,18 @@ setpacking > + % any-part-of-pixel rule. > + 0.5 .setfilladjust > + } bind def > ++ > + % Set the default screen and BG/UCR. > ++% We define the proc here, rather than inline in .setdefaultbgucr > ++% for the benefit of gs_cet.ps so jobs that do anything that causes > ++% .setdefaultbgucr to be called will still get the redefined proc > ++% in gs_cet.ps > ++(%.defaultbgrucrproc) cvn { pop 0 } def > ++ > + /.setdefaultbgucr { > + systemdict /setblackgeneration known { > +- { pop 0 } dup setblackgeneration setundercolorremoval > ++ (%.defaultbgrucrproc) cvn load dup > ++ setblackgeneration setundercolorremoval > + } if > + } bind def > + /.useloresscreen { % - .useloresscreen <bool> > +@@ -2491,4 +2499,7 @@ WRITESYSTEMDICT { > + % be 'true' in some cases. > + userdict /AGM_preserve_spots //false put > + > ++systemdict /CETMODE .knownget > ++{ { (gs_cet.ps) runlibfile } if } if > ++ > + % The interpreter will run the initial procedure (start). > +-- > +2.18.1 > + > diff --git > a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch > b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch > new file mode 100644 > index 0000000000..590b92e186 > --- /dev/null > +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch 
> @@ -0,0 +1,71 @@ > +From ba6dbd6e61dbb3cc6ee6db9dd3a4f70cc18f706e Mon Sep 17 00:00:00 2001 > +From: Nancy Durgin <nancy.dur...@artifex.com> > +Date: Thu, 14 Feb 2019 10:09:00 -0800 > +Subject: [PATCH] Undef /odef in gs_init.ps > + > +Made a new temporary utility function in gs_cet.ps (.odef) to use instead > +of /odef. This makes it fine to undef odef with all the other operators in > +gs_init.ps > + > +This punts the bigger question of what to do with .makeoperator, but it > +doesn't make the situation any worse than it already was. > + > +CVE: CVE-2019-3835 > +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] > + > +Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > +--- > + Resource/Init/gs_cet.ps | 10 ++++++++-- > + Resource/Init/gs_init.ps | 1 + > + 2 files changed, 9 insertions(+), 2 deletions(-) > + > +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps > +index 75534bb..dbc5c4e 100644 > +--- a/Resource/Init/gs_cet.ps > ++++ b/Resource/Init/gs_cet.ps > +@@ -1,6 +1,10 @@ > + %!PS > + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET > + > ++/.odef { % <name> <proc> odef - > ++ 1 index exch .makeoperator def > ++} bind def > ++ > + systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq > + { > + (%END GS_CET) .skipeof > +@@ -93,8 +97,8 @@ userdict /.smoothness currentsmoothness put > + } { > + /setsmoothness .systemvar /typecheck signalerror > + } ifelse > +-} bind odef > +-/currentsmoothness { userdict /.smoothness get } bind odef % for 09-55.PS, > 09-57.PS . > ++} bind //.odef exec > ++/currentsmoothness { userdict /.smoothness get } bind //.odef exec % for > 09-55.PS, 09-57.PS . 
> + > + % slightly nasty hack to give consistent cluster results > + /ofnfa systemdict /filenameforall get def > +@@ -113,6 +117,8 @@ userdict /.smoothness currentsmoothness put > + } ifelse > + ofnfa > + } bind def > ++ > ++currentdict /.odef undef > + % end of slightly nasty hack to give consistent cluster results > + > + //false 0 startjob pop % re-enter encapsulated mode > +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps > +index e6b9cd2..80d9585 100644 > +--- a/Resource/Init/gs_init.ps > ++++ b/Resource/Init/gs_init.ps > +@@ -2257,6 +2257,7 @@ SAFER { .setsafeglobal } if > + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams > /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams > + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath > /.currentoutputdevice > + /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack > /.execstack /.applypolicies > ++ /odef > + > + % Used by a free user in the Library of Congress. Apparently this is used > to > + % draw a partial page, which is then filled in by the results of a barcode > +-- > +2.18.1 > + > diff --git > a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch > b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch > new file mode 100644 > index 0000000000..a339fa2f33 > --- /dev/null > +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch 
> @@ -0,0 +1,295 @@ > +From 4203e04ef9e6ca22ed68a1ab10a878aa9ceaeedc Mon Sep 17 00:00:00 2001 > +From: Ray Johnston <ray.johns...@artifex.com> > +Date: Thu, 14 Feb 2019 10:20:03 -0800 > +Subject: [PATCH] Fix bug 700585: Restrict superexec and remove it from > + internals and gs_cet.ps > + > +Also while changing things, restructure the CETMODE so that it will > +work with -dSAFER. The gs_cet.ps is now run when we are still at save > +level 0 with systemdict writeable. Allows us to undefine .makeoperator > +and .setCPSImode internal operators after CETMODE is handled. > + > +Change previous uses of superexec to using .forceput (with the usual > +.bind executeonly to hide it). > + > +CVE: CVE-2019-3835 > +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] > + > +Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > +--- > + Resource/Init/gs_cet.ps | 38 ++++++++++++++------------------------ > + Resource/Init/gs_dps1.ps | 2 +- > + Resource/Init/gs_fonts.ps | 8 ++++---- > + Resource/Init/gs_init.ps | 38 +++++++++++++++++++++++++++----------- > + Resource/Init/gs_ttf.ps | 8 ++++---- > + Resource/Init/gs_type1.ps | 6 +++--- > + 6 files changed, 53 insertions(+), 47 deletions(-) > + > +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps > +index dbc5c4e..3cc6883 100644 > +--- a/Resource/Init/gs_cet.ps > ++++ b/Resource/Init/gs_cet.ps > +@@ -1,37 +1,29 @@ > + %!PS > + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET > + > +-/.odef { % <name> <proc> odef - > +- 1 index exch .makeoperator def > +-} bind def > +- > ++% skip if we've already run this -- based on fake "product" > + systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq > + { > + (%END GS_CET) .skipeof > + } if > + > +-% do this in the server level so it is persistent across jobs > +-//true 0 startjob not { > +- (*** Warning: CET startup is not in server default) = flush > +-} if > ++% Note: this must be run at save level 0 and when systemdict is writeable 
> ++currentglobal //true setglobal > ++systemdict dup dup dup > ++/version (3017.102) readonly .forceput % match CPSI 3017.102 > ++/product (PhotoPRINT SE 5.0v2) readonly .forceput % match CPSI 3017.102 > ++/revision 0 put % match CPSI 3017.103 Tek shows > revision 5 > ++/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI > 3017.102 Tek shows serialnumber 1401788461 > ++ > ++systemdict /.odef { % <name> <proc> odef - > ++ 1 index exch //.makeoperator def > ++} .bind .forceput % this will be undefined at the end > + > + 300 .sethiresscreen % needed for language switch build since it > + % processes gs_init.ps BEFORE setting the resolution > + > + 0 array 0 setdash % CET 09-08 wants local setdash > + > +-currentglobal //true setglobal > +- > +-{ > +- systemdict dup dup dup > +- /version (3017.102) readonly put % match CPSI 3017.102 > +- /product (PhotoPRINT SE 5.0v2) readonly put % match CPSI 3017.102 > +- /revision 0 put % match CPSI 3017.103 Tek shows > revision 5 > +- /serialnumber dup {233640} readonly .makeoperator put % match CPSI > 3017.102 Tek shows serialnumber 1401788461 > +- systemdict /deviceinfo undef % for CET 20-23-1 > +-% /UNROLLFORMS true put % CET files do unreasonable things > inside forms > +-} 1183615869 internaldict /superexec get exec > +- > + /UNROLLFORMS true def > + > + (%.defaultbgrucrproc) cvn { } bind def > +@@ -118,9 +110,7 @@ userdict /.smoothness currentsmoothness put > + ofnfa > + } bind def > + > +-currentdict /.odef undef > +-% end of slightly nasty hack to give consistent cluster results > +- > +-//false 0 startjob pop % re-enter encapsulated mode > ++systemdict /.odef .undef > + > ++% end of slightly nasty hack to give consistent cluster results > + %END GS_CET > +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps > +index 3d2cf7a..c4fd839 100644 > +--- a/Resource/Init/gs_dps1.ps > ++++ b/Resource/Init/gs_dps1.ps > +@@ -89,7 +89,7 @@ level2dict begin > + % definition, copy it into the local 
directory. > + //systemdict /SharedFontDirectory .knownget > + { 1 index .knownget > +- { //.FontDirectory 2 index 3 -1 roll { put } systemdict > /superexec known {//superexec}{1183615869 internaldict /superexec get exec} > ifelse } % readonly > ++ { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly > + if > + } > + if > +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps > +index 0562235..f2b4e19 100644 > +--- a/Resource/Init/gs_fonts.ps > ++++ b/Resource/Init/gs_fonts.ps > +@@ -519,11 +519,11 @@ buildfontdict 3 /.buildfont3 cvx put > + % the font in LocalFontDirectory. > + .currentglobal > + { //systemdict /LocalFontDirectory .knownget > +- { 2 index 2 index { .growput } systemdict /superexec known > {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly > ++ { 2 index 2 index .forceput } % readonly > + if > + } > + if > +- dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known > {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly > ++ dup //.FontDirectory 4 -2 roll .forceput % readonly > + % If the font originated as a resource, register it. > + currentfile .currentresourcefile eq { dup .registerfont } if > + readonly > +@@ -1191,13 +1191,13 @@ $error /SubstituteFont { } put > + //.FontDirectory 1 index known not { > + 2 dict dup /FontName 3 index put > + dup /FontType 1 put > +- //.FontDirectory 3 1 roll { put } systemdict /superexec known > {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly > ++ //.FontDirectory 3 1 roll //.forceput exec % readonly > + } { > + pop > + } ifelse > + } forall > + } forall > +- } > ++ } executeonly % hide .forceput > + FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get > redefined > + > + % Install initial fonts from Fontmap. 
> +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps > +index 80d9585..0d5c4f7 100644 > +--- a/Resource/Init/gs_init.ps > ++++ b/Resource/Init/gs_init.ps > +@@ -2188,9 +2188,6 @@ SAFER { .setsafeglobal } if > + /.endtransparencygroup % transparency-example.ps > + /.setdotlength % Bug687720.ps > + /.sort /.setdebug /.mementolistnewblocks /getenv > +- > +- /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on > cluster with -dSAFER > +- > + /unread > + ] > + {systemdict exch .forceundef} forall > +@@ -2270,7 +2267,6 @@ SAFER { .setsafeglobal } if > + > + % Used by our own test suite files > + %/.fileposition %image-qa.ps > +- %/.makeoperator /.setCPSImode % gs_cet.ps > + > + % Either our code uses these in ways which mean they can't be undefined, > or they are used directly by > + % test files/utilities, or engineers expressed a desire to keep them > visible. > +@@ -2457,6 +2453,16 @@ end > + /vmreclaim where > + { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if > + } if > ++ > ++% Do this before systemdict is locked (see below for additional CETMODE > setup using gs_cet.ps) > ++systemdict /CETMODE .knownget { > ++ { > ++ (gs_cet.ps) runlibfile > ++ } if > ++} if > ++systemdict /.makeoperator .undef % must be after gs_cet.ps > ++systemdict /.setCPSImode .undef % must be after gs_cet.ps > ++ > + DELAYBIND not { > + systemdict /.bindnow .undef % We only need this for DELAYBIND > + systemdict /.forcecopynew .undef % remove temptation > +@@ -2464,16 +2470,29 @@ DELAYBIND not { > + systemdict /.forceundef .undef % ditto > + } if > + > +-% Move superexec to internaldict if superexec is defined. > +-systemdict /superexec .knownget { > +- 1183615869 internaldict /superexec 3 -1 roll put > +- systemdict /superexec .undef > ++% Move superexec to internaldict if superexec is defined. 
(Level 2 or later) > ++systemdict /superexec known { > ++ % restrict superexec to single known use by PScript5.dll > ++ % We could do this only for SAFER mode, but internaldict and superexec are > ++ % not very well documented, and we don't want them to be used. > ++ 1183615869 internaldict /superexec { > ++ 2 index /Private eq % first check for typical use in > PScript5.dll > ++ 1 index length 1 eq and % expected usage is: dict /Private <value> > {put} superexec > ++ 1 index 0 get systemdict /put get eq and > ++ { > ++ //superexec exec % the only usage we allow > ++ } { > ++ /superexec load /invalidaccess signalerror > ++ } ifelse > ++ } bind cvx executeonly put > ++ systemdict /superexec .undef % get rid of the dangerous > (unrestricted) operator > + } if > + > + % Can't remove this one until the last minute :-) > + DELAYBIND not { > + systemdict /.undef .undef > + } if > ++ > + WRITESYSTEMDICT { > + SAFER { > + (\n *** WARNING - you have selected SAFER, indicating you want > Ghostscript\n) print > +@@ -2500,7 +2519,4 @@ WRITESYSTEMDICT { > + % be 'true' in some cases. > + userdict /AGM_preserve_spots //false put > + > +-systemdict /CETMODE .knownget > +-{ { (gs_cet.ps) runlibfile } if } if > +- > + % The interpreter will run the initial procedure (start). 
> +diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps > +index 05943c5..da97afa 100644 > +--- a/Resource/Init/gs_ttf.ps > ++++ b/Resource/Init/gs_ttf.ps > +@@ -1421,7 +1421,7 @@ mark > + TTFDEBUG { (\n1 setting alias: ) print dup ==only > + ( to be the same as ) print 2 index //== exec } if > + > +- 7 index 2 index 3 -1 roll exch //.growput systemdict /superexec > known {//superexec}{1183615869 internaldict /superexec get exec} ifelse > ++ 7 index 2 index 3 -1 roll exch .forceput > + } forall > + pop pop pop > + } > +@@ -1439,7 +1439,7 @@ mark > + exch pop > + TTFDEBUG { (\n2 setting alias: ) print 1 index ==only > + ( to use glyph index: ) print dup //== exec } if > +- 5 index 3 1 roll //.growput systemdict /superexec known > {//superexec}{1183615869 internaldict /superexec get exec} ifelse > ++ 5 index 3 1 roll .forceput > + //false > + } > + { > +@@ -1456,7 +1456,7 @@ mark > + { % CharStrings(dict) > isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) > gindex(integer) > + TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only > + ( to be index: ) print dup //== exec } if > +- exch pop 5 index 3 1 roll //.growput systemdict /superexec known > {//superexec}{1183615869 internaldict /superexec get exec} ifelse > ++ exch pop 5 index 3 1 roll .forceput > + } > + { > + pop pop > +@@ -1486,7 +1486,7 @@ mark > + } ifelse > + ] > + TTFDEBUG { (Encoding: ) print dup === flush } if > +-} bind def > ++} .bind executeonly odef % hides .forceput > + > + % to be removed 9.09...... 
> + currentdict /postalias undef > +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps > +index 96e1ced..61f5269 100644 > +--- a/Resource/Init/gs_type1.ps > ++++ b/Resource/Init/gs_type1.ps > +@@ -116,7 +116,7 @@ > + { % > scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname aglname > + CFFDEBUG { (\nsetting alias: ) print dup ==only > + ( to be the same as glyph: ) print 1 index //== > exec } if > +- 3 index exch 3 index //.growput systemdict /superexec > known {//superexec}{1183615869 internaldict /superexec get exec} ifelse > ++ 3 index exch 3 index .forceput > + % > scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname > + } > + {pop} ifelse > +@@ -135,7 +135,7 @@ > + 3 1 roll pop pop > + } if > + pop > +- dup /.AGLprocessed~GS //true //.growput systemdict /superexec known > {//superexec}{1183615869 internaldict /superexec get exec} ifelse > ++ dup /.AGLprocessed~GS //true .forceput > + } if > + > + %% We need to excute the C .buildfont1 in a stopped context so that, if > there > +@@ -148,7 +148,7 @@ > + {//.buildfont1} stopped > + 4 3 roll .setglobal > + {//.buildfont1 $error /errorname get signalerror} if > +- } bind def > ++ } .bind executeonly def % hide .forceput > + > + % If the diskfont feature isn't included, define a dummy .loadfontdict. > + /.loadfontdict where > +-- > +2.20.1 > + > diff --git > a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch > b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch > new file mode 100644 > index 0000000000..5228cace24 > --- /dev/null > +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch 
> @@ -0,0 +1,167 @@ > +From 5845e667dda3c945ee793fbe6af021533cb4fbec Mon Sep 17 00:00:00 2001 > +From: Ray Johnston <ray.johns...@artifex.com> > +Date: Sun, 24 Feb 2019 22:01:04 -0800 > +Subject: [PATCH] Bug 700585: Obliterate "superexec". We don't need it, nor > + do any known apps. > + > +We were under the impression that the Windows driver 'PScript5.dll' used > +superexec, but after testing with our extensive suite of PostScript file, > +and analysis of the PScript5 "Adobe CoolType ProcSet, it does not appear > +that this operator is needed anymore. Get rid of superexec and all of the > +references to it, since it is a potential security hole. > + > +CVE: CVE-2019-3835 > +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] > + > +Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > +--- > + Resource/Init/gs_init.ps | 18 ------------------ > + psi/icontext.c | 1 - > + psi/icstate.h | 1 - > + psi/zcontrol.c | 30 ------------------------------ > + psi/zdict.c | 6 ++---- > + psi/zgeneric.c | 3 +-- > + 6 files changed, 3 insertions(+), 56 deletions(-) > + > +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps > +index 0d5c4f7..c5ac82a 100644 > +--- a/Resource/Init/gs_init.ps > ++++ b/Resource/Init/gs_init.ps > +@@ -2470,24 +2470,6 @@ DELAYBIND not { > + systemdict /.forceundef .undef % ditto > + } if > + > +-% Move superexec to internaldict if superexec is defined. (Level 2 or later) > +-systemdict /superexec known { > +- % restrict superexec to single known use by PScript5.dll > +- % We could do this only for SAFER mode, but internaldict and superexec are > +- % not very well documented, and we don't want them to be used. 
> +- 1183615869 internaldict /superexec { > +- 2 index /Private eq % first check for typical use in > PScript5.dll > +- 1 index length 1 eq and % expected usage is: dict /Private <value> > {put} superexec > +- 1 index 0 get systemdict /put get eq and > +- { > +- //superexec exec % the only usage we allow > +- } { > +- /superexec load /invalidaccess signalerror > +- } ifelse > +- } bind cvx executeonly put > +- systemdict /superexec .undef % get rid of the dangerous > (unrestricted) operator > +-} if > +- > + % Can't remove this one until the last minute :-) > + DELAYBIND not { > + systemdict /.undef .undef > +diff --git a/psi/icontext.c b/psi/icontext.c > +index 1fbe486..7462ea3 100644 > +--- a/psi/icontext.c > ++++ b/psi/icontext.c > +@@ -151,7 +151,6 @@ context_state_alloc(gs_context_state_t ** ppcst, > + pcst->rand_state = rand_state_initial; > + pcst->usertime_total = 0; > + pcst->keep_usertime = false; > +- pcst->in_superexec = 0; > + pcst->plugin_list = 0; > + make_t(&pcst->error_object, t__invalid); > + { /* > +diff --git a/psi/icstate.h b/psi/icstate.h > +index 4c6a14d..1009d85 100644 > +--- a/psi/icstate.h > ++++ b/psi/icstate.h > +@@ -54,7 +54,6 @@ struct gs_context_state_s { > + long usertime_total; /* total accumulated usertime, */ > + /* not counting current time if running */ > + bool keep_usertime; /* true if context ever executed > usertime */ > +- int in_superexec; /* # of levels of superexec */ > + /* View clipping is handled in the graphics state. 
*/ > + ref error_object; /* t__invalid or error object from operator */ > + ref userparams; /* t_dictionary */ > +diff --git a/psi/zcontrol.c b/psi/zcontrol.c > +index 0362cf4..dc813e8 100644 > +--- a/psi/zcontrol.c > ++++ b/psi/zcontrol.c > +@@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p) > + return o_push_estack; > + } > + > +-/* <obj> superexec - */ > +-static int end_superexec(i_ctx_t *); > +-static int > +-zsuperexec(i_ctx_t *i_ctx_p) > +-{ > +- os_ptr op = osp; > +- es_ptr ep; > +- > +- check_op(1); > +- if (!r_has_attr(op, a_executable)) > +- return 0; /* literal object just gets pushed back */ > +- check_estack(2); > +- ep = esp += 3; > +- make_mark_estack(ep - 2, es_other, end_superexec); /* error case */ > +- make_op_estack(ep - 1, end_superexec); /* normal case */ > +- ref_assign(ep, op); > +- esfile_check_cache(); > +- pop(1); > +- i_ctx_p->in_superexec++; > +- return o_push_estack; > +-} > +-static int > +-end_superexec(i_ctx_t *i_ctx_p) > +-{ > +- i_ctx_p->in_superexec--; > +- return 0; > +-} > +- > + /* <array> <executable> .runandhide <obj> */ > + /* before executing <executable>, <array> is been removed from */ > + /* the operand stack and placed on the execstack with attributes */ > +@@ -971,8 +943,6 @@ const op_def zcontrol3_op_defs[] = { > + {"0%loop_continue", loop_continue}, > + {"0%repeat_continue", repeat_continue}, > + {"0%stopped_push", stopped_push}, > +- {"1superexec", zsuperexec}, > +- {"0%end_superexec", end_superexec}, > + {"2.runandhide", zrunandhide}, > + {"0%end_runandhide", end_runandhide}, > + op_def_end(0) > +diff --git a/psi/zdict.c b/psi/zdict.c > +index b0deaaa..e2e525d 100644 > +--- a/psi/zdict.c > ++++ b/psi/zdict.c > +@@ -212,8 +212,7 @@ zundef(i_ctx_t *i_ctx_p) > + int code; > + > + check_type(*op1, t_dictionary); > +- if (i_ctx_p->in_superexec == 0) > +- check_dict_write(*op1); > ++ check_dict_write(*op1); > + code = idict_undef(op1, op); > + if (code < 0 && code != gs_error_undefined) /* ignore undefined error */ > + 
return code; > +@@ -504,8 +503,7 @@ zsetmaxlength(i_ctx_t *i_ctx_p) > + int code; > + > + check_type(*op1, t_dictionary); > +- if (i_ctx_p->in_superexec == 0) > +- check_dict_write(*op1); > ++ check_dict_write(*op1); > + check_type(*op, t_integer); > + if (op->value.intval < 0) > + return_error(gs_error_rangecheck); > +diff --git a/psi/zgeneric.c b/psi/zgeneric.c > +index 8048e28..d4edddb 100644 > +--- a/psi/zgeneric.c > ++++ b/psi/zgeneric.c > +@@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p) > + > + switch (r_type(op2)) { > + case t_dictionary: > +- if (i_ctx_p->in_superexec == 0) > +- check_dict_write(*op2); > ++ check_dict_write(*op2); > + { > + int code = idict_put(op2, op1, op); > + > +-- > +2.18.1 > + > diff --git > a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch > b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch > new file mode 100644 > index 0000000000..593109fb9f > --- /dev/null > +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch 
> @@ -0,0 +1,34 @@ > +From 53f0cb4c54ac951697704cb87d24154ae08aecce Mon Sep 17 00:00:00 2001 > +From: Chris Liddell <chris.lidd...@artifex.com> > +Date: Wed, 20 Feb 2019 09:54:28 +0000 > +Subject: [PATCH] Bug 700576: Make a transient proc executeonly (in > + DefineResource). > + > +This prevents access to .forceput > + > +Solution originally suggested by cbuis...@redhat.com. > + > +CVE: CVE-2019-3838 > +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] > + > +Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > +--- > + Resource/Init/gs_res.ps | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps > +index 89c0ed6..a163541 100644 > +--- a/Resource/Init/gs_res.ps > ++++ b/Resource/Init/gs_res.ps > +@@ -426,7 +426,7 @@ status { > + % so we have to use .forceput here. > + currentdict /.Instances 2 index .forceput % Category > dict is read-only > + } executeonly if > +- } > ++ } executeonly > + { .LocalInstances dup //.emptydict eq > + { pop 3 dict localinstancedict Category 2 index put > + } > +-- > +2.18.1 > + > diff --git > a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch > b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch > new file mode 100644 > index 0000000000..921e5b6876 > --- /dev/null > +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch 
> @@ -0,0 +1,30 @@ > +From 0cb5e967c0200559f946291b5b54f8da30c32cd6 Mon Sep 17 00:00:00 2001 > +From: Chris Liddell <chris.lidd...@artifex.com> > +Date: Fri, 22 Feb 2019 12:28:23 +0000 > +Subject: [PATCH] Bug 700576(redux): an extra transient proc needs > + executeonly'ed. > + > +CVE: CVE-2019-3838 > +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] > + > +Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com> > +--- > + Resource/Init/gs_res.ps | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps > +index a163541..8ce4ae3 100644 > +--- a/Resource/Init/gs_res.ps > ++++ b/Resource/Init/gs_res.ps > +@@ -438,7 +438,7 @@ status { > + % Now make the resource value read-only. > + 0 2 copy get { readonly } .internalstopped pop > + dup 4 1 roll put exch pop exch pop > +- } > ++ } executeonly > + { /defineresource cvx /typecheck signaloperror > + } > + ifelse > +-- > +2.18.1 > + > diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb > b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb > index ad4c5e17d2..bb32347880 100644 > --- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb > +++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb 
> @@ -39,6 +39,12 @@ SRC_URI = "${SRC_URI_BASE} \ > file://CVE-2019-6116-0005.patch \ > file://CVE-2019-6116-0006.patch \ > file://CVE-2019-6116-0007.patch \ > + file://CVE-2019-3835-0001.patch \ > + file://CVE-2019-3835-0002.patch \ > + file://CVE-2019-3835-0003.patch \ > + file://CVE-2019-3835-0004.patch \ > + file://CVE-2019-3838-0001.patch \ > + file://CVE-2019-3838-0002.patch \ > " > > SRC_URI_class-native = "${SRC_URI_BASE} \ > -- > 2.20.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
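Review bot: the upstream commit ids given under "Upstream patches" in the cover letter (779664d, e8acf6d, 2055917, d683d1e, ed9fcd9, a82601e) do not match the From: lines of the six patch files (ad3ad6b3..., ba6dbd6e..., 4203e04e..., 5845e667..., 53f0cb4c..., 0cb5e967...), so the cover letter and the patches appear to reference commits from different branches. Please cite the same commits in both places, and put the commit URL inside the `Upstream-Status: Backport [...]` tag of each patch instead of only the repository URL, so the origin of each backport can be checked directly.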
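Review bot: CVE-2019-3835-0001.patch (run gs_cet.ps from gs_init.ps) and CVE-2019-3835-0002.patch (undef /odef) are preparatory changes that the superexec work in 0003 and 0004 builds on, not fixes on their own; the `CVE: CVE-2019-3835` tag is what cve-check needs, but a sentence in each header saying it is a prerequisite for the later patches in this series would help whoever rebases the recipe next and wonders why a CETMODE refactor carries a CVE tag.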
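Review bot: in the gs_cet.ps hunk of CVE-2019-3835-0003.patch (@@ -1,37 +1,29 @@) the removed superexec block contained `systemdict /deviceinfo undef % for CET 20-23-1`, and the replacement block that uses `.forceput` does not carry that line over. If that is what the upstream commit does it is fine, but please confirm against the upstream change that the dropped line is not a backport artifact, since the rest of the block was transcribed entry by entry.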
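Review bot: the gs_init.ps hunk at @@ -2464,16 +2470,29 @@ in CVE-2019-3835-0003.patch installs a restricted `superexec` wrapper in internaldict that CVE-2019-3835-0004.patch deletes again in full (its first gs_init.ps hunk removes exactly those lines), so the wrapper never exists in the built tree. Keeping the two as separate patches that mirror upstream is the right call, but the recipe commit message should say that 0004 supersedes the interim restriction, and the SRC_URI order 0003 before 0004 must be preserved since 0004's hunk only applies on top of 0003.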
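Review bot: CVE-2019-3835-0004.patch removes the `in_superexec` member from `gs_context_state_s` (psi/icstate.h hunk) and drops the `if (i_ctx_p->in_superexec == 0)` guards in zdict.c and zgeneric.c, so `check_dict_write` is now unconditional in `zundef`, `zsetmaxlength` and `zput`. Any other reader of `in_superexec` left in the 9.26 sources would fail to compile, and the hunks were generated against a later tree, so please state in the cover letter that the series applies cleanly and builds on 9.26 (a `bitbake ghostscript` for target and native is enough).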
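Review bot: CVE-2019-3838-0001.patch and CVE-2019-3838-0002.patch each change a single `}` to `} executeonly` in the DefineResource code of gs_res.ps, the second one because the first left another transient procedure in the same block unprotected (hunk @@ -438,7 +438,7 @@). Both are required for the fix to be complete, so please make sure -0002 is not dropped as a duplicate in a later rebase; a short note to that effect in the -0002 header would help.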