me
/
guix
Archived
1
0
Fork 0
Code

gnu: ghostscript: Fix CVE-2023-36664. 

* gnu/packages/ghostscript.scm (ghostscript/fixed): New variable.
(ghostscript)[replacement]: Assign it to new field.
* gnu/packages/patches/ghostscript-CVE-2023-36664.patch,
gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
master
Tobias Geerinckx-Rice 2023-07-09 02:00:01 +02:00
parent b29bd4d35e
commit 67fb8efdf7
No known key found for this signature in database
GPG Key ID: 0DB0FF884F556D79
4 changed files with 207 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gnu/local.mk
View File

@ -1237,6 +1237,8 @@ dist_patch_DATA = \
%D%/packages/patches/ghc-bloomfilter-ghc9.2.patch \ %D%/packages/patches/ghc-bloomfilter-ghc9.2.patch \
%D%/packages/patches/ghc-bytestring-handle-ghc9.patch \ %D%/packages/patches/ghc-bytestring-handle-ghc9.patch \
%D%/packages/patches/ghc-language-haskell-extract-ghc-8.10.patch \ %D%/packages/patches/ghc-language-haskell-extract-ghc-8.10.patch \
%D%/packages/patches/ghostscript-CVE-2023-36664.patch \
%D%/packages/patches/ghostscript-CVE-2023-36664-fixup.patch \
%D%/packages/patches/ghostscript-no-header-id.patch \ %D%/packages/patches/ghostscript-no-header-id.patch \
%D%/packages/patches/ghostscript-no-header-uuid.patch \ %D%/packages/patches/ghostscript-no-header-uuid.patch \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \ %D%/packages/patches/ghostscript-no-header-creationdate.patch \

7
gnu/packages/ghostscript.scm
View File

@ -145,6 +145,7 @@ printing, and psresize, for adjusting page sizes.")
(package (package
(name "ghostscript") (name "ghostscript")
(version "9.56.1") (version "9.56.1")
(replacement ghostscript/fixed)
(source (source
(origin (origin
(method url-fetch) (method url-fetch)
@ -266,6 +267,12 @@ output file formats and printers.")
(home-page "https://www.ghostscript.com/") (home-page "https://www.ghostscript.com/")
(license license:agpl3+))) (license license:agpl3+)))
(define ghostscript/fixed
(package-with-patches
ghostscript
(search-patches "ghostscript-CVE-2023-36664.patch"
"ghostscript-CVE-2023-36664-fixup.patch")))
(define-public ghostscript/x (define-public ghostscript/x
(package/inherit ghostscript (package/inherit ghostscript
(name (string-append (package-name ghostscript) "-with-x")) (name (string-append (package-name ghostscript) "-with-x"))

56
gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch 100644
View File

@ -0,0 +1,56 @@
From 0974e4f2ac0005d3731e0b5c13ebc7e965540f4d Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 14 Jun 2023 09:08:12 +0100
Subject: [PATCH] Bug 706778: 706761 revisit
Two problems with the original commit. The first a silly typo inverting the
logic of a test.
The second was forgetting that we actually actually validate two candidate
strings for pipe devices. One with the expected "%pipe%" prefix, the other
using the pipe character prefix: "|".
This addresses both those.
---
base/gpmisc.c | 2 +-
base/gslibctx.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 58511270e..2b0064bea 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1081,7 +1081,7 @@ gp_validate_path_len(const gs_memory_t *mem,
/* "%pipe%" do not follow the normal rules for path definitions, so we
don't "reduce" them to avoid unexpected results
*/
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
if (buffer == NULL)
return gs_error_VMerror;
diff --git a/base/gslibctx.c b/base/gslibctx.c
index d2a1aa91d..42af99090 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -743,7 +743,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
/* "%pipe%" do not follow the normal rules for path definitions, so we
don't "reduce" them to avoid unexpected results
*/
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
if (buffer == NULL)
return gs_error_VMerror;
@@ -850,7 +850,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
/* "%pipe%" do not follow the normal rules for path definitions, so we
don't "reduce" them to avoid unexpected results
*/
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
if (buffer == NULL)
return gs_error_VMerror;
--
2.34.1

142
gnu/packages/patches/ghostscript-CVE-2023-36664.patch 100644
View File

@ -0,0 +1,142 @@
From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 7 Jun 2023 10:23:06 +0100
Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
validation
For regular file names, we try to simplfy relative paths before we use them.
Because the %pipe% device can, effectively, accept command line calls, we
shouldn't be simplifying that string, because the command line syntax can end
up confusing the path simplifying code. That can result in permitting a pipe
command which does not match what was originally permitted.
Special case "%pipe" in the validation code so we always deal with the entire
string.
---
base/gpmisc.c | 31 +++++++++++++++++++--------
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
2 files changed, 64 insertions(+), 23 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 5f39ebba7..2fb87f769 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
-
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eb566ed06..d2a1aa91d 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {
--
2.34.1