Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2023-07-05 15:30:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new.23466 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Wed Jul 5 15:30:24 2023 rev:59 rq:1096685 version:9.56.1 Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript.changes 2023-04-28 16:22:42.661780032 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new.23466/ghostscript.changes 2023-07-05 15:30:29.242540434 +0200 @@ -1,0 +2,12 @@ +Tue Jul 4 06:16:33 UTC 2023 - Johannes Meixner <jsm...@suse.com> + +- CVE-2023-36664.patch fixes CVE-2023-36664 + see https://bugs.ghostscript.com/show_bug.cgi?id=706761 + "OS command injection in %pipe% access" + and https://bugs.ghostscript.com/show_bug.cgi?id=706778 + "%pipe% allowed_path bypass" + and bsc#1212711 + "permission validation mishandling for pipe devices + (with the %pipe% prefix or the | pipe character prefix)" + +------------------------------------------------------------------- 
@@ -18,9 +30,13 @@ - * New PDF Interpreter: This is an entirely new implementation written in C - (rather than PostScript, as before) - * Calling Ghostscript via the GS API is now thread safe. The one limitation - is that the X11 devices for Unix-like systems (x11, x11alpha, x11cmyk, - x11cmyk2, x11cmyk4, x11cmyk8, x11gray2, x11gray4 and x11mono) cannot be - made thread safe, due to their interaction with the X11 server, those - devices have been modified to only allow one instance in an executable. - * The PSD output device now writes ICC profiles to their output files, for - improved color fidelity. + Highlights in this release include + (excerpts from the Ghostscript upstream release summary + in https://ghostscript.com/docs/9.56.1/News.htm): + * New PDF Interpreter: This is an entirely new implementation + written in C (rather than PostScript, as before) + * Calling Ghostscript via the GS API is now thread safe. The one + limitation is that the X11 devices for Unix-like systems (x11, + x11alpha, x11cmyk, x11cmyk2, x11cmyk4, x11cmyk8, x11gray2, + x11gray4 and x11mono) cannot be made thread safe, due to their + interaction with the X11 server, those devices have been + modified to only allow one instance in an executable. + * The PSD output device now writes ICC profiles to their output + files, for improved color fidelity. @@ -28,2 +44,2 @@ - * The usual round of bug fixes, compatibility changes, and incremental - improvements. + * The usual round of bug fixes, compatibility changes, and + incremental improvements. 
@@ -31,6 +47,17 @@ - engine. In such a build, new devices are available (pdfocr8/pdfocr24/ - pdfocr32) which render the output file to an image, OCR that image, and - output the image "wrapped" up as a PDF file, with the OCR generated text - information included as "invisible" text (in PDF terms, text rendering mode - 3). -- drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream + engine. In such a build, new devices are available + (pdfocr8/pdfocr24/pdfocr32) which render the output file to an + image, OCR that image, and output the image "wrapped" up as a + PDF file, with the OCR generated text information included + as "invisible" text (in PDF terms, text rendering mode 3). + Mainly due to time constraints, we only support including + Tesseract from source included in our release packages, + and not linking to Tesseract/Leptonica shared libraries. + Whether we add this capability will be largely dependent + on community demand for the feature. See Enabling OCR + at https://www.ghostscript.com/ocr.html for more details. + For a release summary see: + https://www.ghostscript.com/doc/9.54.0/News.htm + For details see the News.htm and History9.htm files. +- Configure --without-tesseract because this requires C++ (it + might be added if Tesseract support in Ghostscript is needed). +- Drop CVE-2021-3781.patch, CVE-2021-45949.patch: upstream @@ -41 +68 @@ -- use _multibuild +- Use _multibuild @@ -46 +73 @@ -- use system zlib (bsc#1198449) +- Use system zlib (bsc#1198449) New: ---- CVE-2023-36664.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.K14BhK/_old 2023-07-05 15:30:30.318546818 +0200 +++ /var/tmp/diff_new_pack.K14BhK/_new 2023-07-05 15:30:30.322546842 +0200 
@@ -53,6 +53,18 @@ # cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494 # and https://bugzilla.suse.com/show_bug.cgi?id=1210062 Patch102: CVE-2023-28879.patch +# Patch103 CVE-2023-36664.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c +# and +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d +# that fixes CVE-2023-36664 +# see https://bugs.ghostscript.com/show_bug.cgi?id=706761 +# "OS command injection in %pipe% access" +# and https://bugs.ghostscript.com/show_bug.cgi?id=706778 +# "%pipe% allowed_path bypass" +# and https://bugzilla.suse.com/show_bug.cgi?id=1212711 +# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)" +Patch103: CVE-2023-36664.patch BuildRequires: freetype2-devel BuildRequires: libjpeg-devel BuildRequires: liblcms2-devel @@ -257,6 +269,18 @@ # cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494 # and https://bugzilla.suse.com/show_bug.cgi?id=1210062 %patch102 +# Patch103 CVE-2023-36664.patch is +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=505eab7782b429017eb434b2b95120855f2b0e3c +# and +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d +# that fixes CVE-2023-36664 +# see https://bugs.ghostscript.com/show_bug.cgi?id=706761 +# "OS command injection in %pipe% access" +# and https://bugs.ghostscript.com/show_bug.cgi?id=706778 +# "%pipe% allowed_path bypass" +# and https://bugzilla.suse.com/show_bug.cgi?id=1212711 +# "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)" +%patch103 # Remove patch backup files to avoid packaging # cf. https://build.opensuse.org/request/show/581052 rm -f Resource/Init/*.ps.orig 
@@ -325,15 +349,27 @@ # (replacing JasPer - although JasPer is still included for this release) # Performance, reliability and memory use whilst decoding JPX streams are all improved. # see also http://bugs.ghostscript.com/show_bug.cgi?id=691430 -# --without-ufst and --without-luratech because those are relevant to commercial releases only +# --without-ufst because this is relevant to commercial releases only # which would require a commercial license. # --disable-compile-inits to disable compiling of resources (Fonts, init postscript files, ...) # into the library, which is the upstream recommendation for distributions. This also allows # unbundling the 35 Postscript Standard fonts, provided by the URW font package # --without-libpaper disables libpaper support because SUSE does not have libpaper. +# --without-tesseract because this requires C++ (it might be added if Tesseract support in Ghostscript is needed). %define gs_font_path %{_datadir}/fonts/truetype:%{_datadir}/fonts/Type1:%{_datadir}/fonts/CID:%{_datadir}/fonts/URW # See http://bugs.ghostscript.com/show_bug.cgi?id=693100 export SUSE_ASNEEDED=0 +# The RPM configure macro results in the build log e.g. 
on Tumbleweed x86_64 (very long line shown wrapped here) +# ./configure --host=x86_64-suse-linux-gnu --build=x86_64-suse-linux-gnu --program-prefix= --disable-dependency-tracking +# --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share +# --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib +# --mandir=/usr/share/man --infodir=/usr/share/info +# --with-fontpath=/usr/share/fonts/truetype:/usr/share/fonts/Type1:/usr/share/fonts/CID:/usr/share/fonts/URW +# --with-libiconv=maybe --enable-freetype --with-jbig2dec --enable-openjpeg --enable-dynamic --disable-compile-inits +# --without-local-zlib --with-ijs --enable-cups --with-drivers=ALL --with-x +# --disable-gtk --without-ufst --without-libpaper --without-tesseract +# configure: WARNING: unrecognized options: --disable-dependency-tracking +# so the "unrecognized options: --disable-dependency-tracking" warning comes from the RPM configure macro. %configure \ --with-fontpath=%{gs_font_path} \ --with-libiconv=maybe \ @@ -358,8 +394,8 @@ %endif --disable-gtk \ --without-ufst \ - --without-luratech \ - --without-libpaper + --without-libpaper \ + --without-tesseract # Make libgs.so and two programs which use it, gsx and gsc: # With --disable-gtk, gsx and gsc are identical. It provides a command line ++++++ CVE-2023-36664.patch ++++++ --- base/gpmisc.c.orig 2022-04-04 15:48:49.000000000 +0200 +++ base/gpmisc.c 2023-07-04 08:13:02.173325373 +0200 
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t * && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { prefix_len = 0; } - rlen = len+1; - bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); - if (bufferfull == NULL) - return gs_error_VMerror; - buffer = bufferfull + prefix_len; - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) - return gs_error_invalidfileaccess; - buffer[rlen] = 0; + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ + if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); + if (buffer == NULL) + return gs_error_VMerror; + memcpy(buffer, path, len); + buffer[len] = 0; + rlen = len; + } + else { + rlen = len+1; + bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); + if (bufferfull == NULL) + return gs_error_VMerror; + buffer = bufferfull + prefix_len; + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) + return gs_error_invalidfileaccess; + buffer[rlen] = 0; + } while (1) { switch (mode[0]) { --- base/gslibctx.c.orig 2022-04-04 15:48:49.000000000 +0200 +++ base/gslibctx.c 2023-07-04 08:09:47.834639430 +0200 
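Review bot: The `else` branch keeps the pre-existing leak on the reduce failure path: `if (gp_file_name_reduce(...) != gp_combine_success) return gs_error_invalidfileaccess;` returns with `bufferfull` still allocated, so a rejected path costs an allocation each time; the release belongs before the return, e.g. `gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");` (the same pattern is retained in both gslibctx.c hunks below, where `buffer` is leaked). The pipe-detection predicate `path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)` is now copied verbatim here and in gs_add_control_path_len_flags and gs_remove_control_path_len_flags, so a single helper such as `static int gp_path_is_pipe(const char *path, size_t len)` (len typed as in the callers) would keep the three checks from drifting if the prefix test is ever tightened. In the pipe branch `bufferfull = buffer` silently drops the `prefix_len` headroom; that appears intentional because a pipe command is not joined to a working-directory prefix, and deserves a comment such as `/* pipe specs are taken verbatim, never prefixed with the cwd, so no prefix_len headroom */`. gp_validate_path_len starts before this hunk and the `while (1)` permission loop that consumes `buffer` and `rlen` continues after it.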
@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_m return gs_error_rangecheck; } - rlen = len+1; - buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); - if (buffer == NULL) - return gs_error_VMerror; - - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) - return gs_error_invalidfileaccess; - buffer[rlen] = 0; + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ + if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; + memcpy(buffer, path, len); + buffer[len] = 0; + rlen = len; + } + else { + rlen = len + 1; + + buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; + + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) + return gs_error_invalidfileaccess; + buffer[rlen] = 0; + } n = control->num; for (i = 0; i < n; i++) 
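Review bot: The whole copy-or-reduce block added here is duplicated almost line for line in gs_remove_control_path_len_flags (next hunk), differing only in the allocation tag string and in `len + 1` versus `len+1`; two copies of a security-relevant path normalisation decision invite divergence, so it should live in one static helper that both functions call and that owns the buffer on the failure path. A sketch follows; the parameter types for `len` and `rlen` must match the existing declarations in these functions (only `(uint)len` and `&rlen` are visible in the hunk), and the enclosing function starts outside the hunk.
```c
/* Produce the NUL-terminated control-path buffer for `path`: pipe specs
 * ("|..." or "%pipe...") are copied verbatim, anything else goes through
 * gp_file_name_reduce(). On success *buffer is owned by the caller; on
 * failure nothing is left allocated. `cname` is the allocation tag. */
static int
control_path_buffer(gs_memory_t *mem, const char *path, size_t len,
                    const char *cname, char **buffer, uint *rlen)
{
    if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
        *buffer = (char *)gs_alloc_bytes(mem, len + 1, cname);
        if (*buffer == NULL)
            return gs_error_VMerror;
        memcpy(*buffer, path, len);
        (*buffer)[len] = 0;
        *rlen = len;
        return 0;
    }
    *rlen = len + 1;
    *buffer = (char *)gs_alloc_bytes(mem, *rlen, cname);
    if (*buffer == NULL)
        return gs_error_VMerror;
    if (gp_file_name_reduce(path, (uint)len, *buffer, rlen) != gp_combine_success) {
        gs_free_object(mem, *buffer, cname);   /* do not leak on rejected paths */
        *buffer = NULL;
        return gs_error_invalidfileaccess;
    }
    (*buffer)[*rlen] = 0;
    return 0;
}

/* … unchanged: rangecheck guard at the top of gs_add_control_path_len_flags … */
    code = control_path_buffer(core->memory, path, len,
                               "gs_add_control_path_len", &buffer, &rlen);
    if (code < 0)
        return code;
/* … unchanged: loop over control->num entries … */
```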
@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const g return gs_error_rangecheck; } - rlen = len+1; - buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); - if (buffer == NULL) - return gs_error_VMerror; - - if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) - return gs_error_invalidfileaccess; - buffer[rlen] = 0; + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ + if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; + memcpy(buffer, path, len); + buffer[len] = 0; + rlen = len; + } + else { + rlen = len+1; + + buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; + + if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) + return gs_error_invalidfileaccess; + buffer[rlen] = 0; + } n = control->num; for (i = 0; i < n; i++) {