Control: tags 839118 + patch Control: tags 839260 + patch Control: tags 839841 + patch Control: tags 839845 + patch
Dear maintainer, I've prepared now an NMU debdiff for ghostscript as well for the version in unstable. Due to further investigation needed for #840691 I'm not yet uploading. After updating ghostscript the same problems seem visible in unstable for evince and zathura, and I'm not yet sure that the patches just uncovered a bug in libspectre. Help in debugging this would be welcome. Regards, Salvatore
diff -Nru ghostscript-9.19~dfsg/debian/changelog ghostscript-9.19~dfsg/debian/changelog --- ghostscript-9.19~dfsg/debian/changelog 2016-09-22 12:08:56.000000000 +0200 +++ ghostscript-9.19~dfsg/debian/changelog 2016-10-16 20:40:03.000000000 +0200 @@ -1,3 +1,21 @@ +ghostscript (9.19~dfsg-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2013-5653: Information disclosure through getenv, filenameforall + (Closes: #839118) + * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote + shell command execution (Closes: #839260) + * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing + remote file disclosure (Closes: #839841) + * CVE-2016-7978: reference leak in .setdevice allows use-after-free and + remote code execution (Closes: #839845) + * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code + execution (Closes: #839846) + * CVE-2016-8602: check for sufficient params in .sethalftone5 and param + types (Closes: #840451) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 16 Oct 2016 20:40:03 +0200 + ghostscript (9.19~dfsg-3) unstable; urgency=medium * Avoid merging same-licensed sections in copyright_hints. diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2013-5653.patch ghostscript-9.19~dfsg/debian/patches/CVE-2013-5653.patch --- ghostscript-9.19~dfsg/debian/patches/CVE-2013-5653.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.19~dfsg/debian/patches/CVE-2013-5653.patch 2016-10-16 20:40:03.000000000 +0200 @@ -0,0 +1,79 @@ +Description: CVE-2013-5653: Information disclosure through getenv, filenameforall +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8 +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=694724 +Bug-Debian: https://bugs.debian.org/839118 +Forwarded: not-needed +Author: Chris Liddell <chris.lidd...@artifex.com> +Last-Update: 2016-10-16 +--- + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index fa33d88..99888ac 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2021,6 +2021,7 @@ readonly def + + /.locksafe { + .locksafe_userparams ++ systemdict /getenv {pop //false} put + % setpagedevice has the side effect of clearing the page, but + % we will just document that. Using setpagedevice keeps the device + % properties and pagedevice .LockSafetyParams in agreement even +@@ -2039,6 +2040,7 @@ readonly def + %% + /.locksafeglobal { + .locksafe_userparams ++ systemdict /getenv {pop //false} put + % setpagedevice has the side effect of clearing the page, but + % we will just document that. Using setpagedevice keeps the device + % properties and pagedevice .LockSafetyParams in agreement even +diff --git a/psi/zfile.c b/psi/zfile.c +index 320ecd5..0b9f299 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p) + + if (len < devlen) + return_error(gs_error_rangecheck); /* not even room for device len */ +- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen); +- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen, +- len - devlen); +- if (code == ~(uint) 0) { /* all done */ +- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ +- return o_pop_estack; +- } else if (code > len) /* overran string */ +- return_error(gs_error_rangecheck); +- else { +- push(1); +- ref_assign(op, pscratch); +- r_set_size(op, code + devlen); +- push_op_estack(file_continue); /* come again */ +- *++esp = pscratch[2]; /* proc */ +- return o_push_estack; +- } ++ ++ do { ++ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen); ++ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen, ++ len - devlen); ++ if (code == ~(uint) 0) { /* all done */ ++ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ ++ return o_pop_estack; ++ } else if (code > len) /* overran string */ ++ return_error(gs_error_rangecheck); ++ else if (iodev != iodev_default(imemory) ++ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) { ++ push(1); ++ ref_assign(op, pscratch); ++ r_set_size(op, code + devlen); ++ push_op_estack(file_continue); /* come again */ ++ *++esp = pscratch[2]; /* proc */ ++ return o_push_estack; ++ } ++ } while(1); + } + /* Cleanup procedure for enumerating files */ + static int +-- +2.1.4 + diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-7976.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-7976.patch --- ghostscript-9.19~dfsg/debian/patches/CVE-2016-7976.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-7976.patch 2016-10-16 20:40:03.000000000 +0200 @@ -0,0 +1,154 @@ +Description: CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote shell command execution +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697178 +Bug-Debian: https://bugs.debian.org/839260 +Forwarded: not-needed +Author: Chris Liddell <chris.lidd...@artifex.com> +Last-Update: 2016-10-16 +--- + +--- a/base/gsicc_manage.c ++++ b/base/gsicc_manage.c +@@ -1104,10 +1104,12 @@ gsicc_open_search(const char* pname, int + } + + /* First just try it like it is */ +- str = sfopen(pname, "r", mem_gc); +- if (str != NULL) { +- *strp = str; +- return 0; ++ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) { ++ str = sfopen(pname, "r", mem_gc); ++ if (str != NULL) { ++ *strp = str; ++ return 0; ++ } + } + + /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */ +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -183,7 +183,7 @@ int gs_lib_ctx_init( gs_memory_t *mem ) + mem->gs_lib_ctx = NULL; + return -1; + } +- ++ pio->client_check_file_permission = NULL; + gp_get_realtime(pio->real_time_0); + + return 0; +@@ -333,3 +333,13 @@ void errflush(const gs_memory_t *mem) + fflush(mem->gs_lib_ctx->fstderr); + /* else nothing to flush */ + } ++ ++int ++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission) ++{ ++ int code = 0; ++ if (mem->gs_lib_ctx->client_check_file_permission != NULL) { ++ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission); ++ } ++ return code; ++} +--- a/base/gslibctx.h ++++ b/base/gslibctx.h +@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_ + # define gs_font_dir_DEFINED + typedef struct gs_font_dir_s gs_font_dir; + #endif ++ ++typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission); ++ + typedef struct gs_lib_ctx_s + { + gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */ +@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s + struct gx_io_device_s **io_device_table; + int io_device_table_count; + int io_device_table_size; ++ client_check_file_permission_t client_check_file_permission; + /* Define the default value of AccurateScreens that affects setscreen + and setcolorscreen. */ + bool screen_accurate_screens; +@@ -124,6 +128,9 @@ int + gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str, + int *list_str_len); + ++int ++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission); ++ + #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout) + #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr) + +--- a/psi/imain.c ++++ b/psi/imain.c +@@ -57,6 +57,7 @@ + #include "ivmspace.h" + #include "idisp.h" /* for setting display device callback */ + #include "iplugin.h" ++#include "zfile.h" + + #ifdef PACIFY_VALGRIND + #include "valgrind.h" +@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst) + "the_gs_name_table"); + if (code < 0) + return code; ++ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions; + } + code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */ + if (code < 0) +--- a/psi/int.mak ++++ b/psi/int.mak +@@ -2023,7 +2023,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $ + $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\ + $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\ + $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\ +- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\ ++ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\ + $(INT_MAK) $(MAKEDIRS) + $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c + +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, + return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup); + } + ++/* z_check_file_permissions: see zfile.h for explanation ++ */ ++int ++z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission) ++{ ++ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p; ++ gs_parsed_file_name_t pname; ++ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting"; ++ int code = gs_parse_file_name(&pname, fname, len, imemory); ++ if (code < 0) ++ return code; ++ ++ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0) ++ return gs_error_invalidfileaccess; ++ ++ code = check_file_permissions(i_ctx_p, fname, len, permitgroup); ++ return code; ++} ++ + /* <name_string> <access_string> file <file> */ + int /* exported for zsysvm.c */ + zfile(i_ctx_t *i_ctx_p) +--- a/psi/zfile.h ++++ b/psi/zfile.h +@@ -22,4 +22,11 @@ + int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn, + const char *file_access, stream **ps, gs_memory_t *mem); + ++/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission) ++ * to allow applying the above permissions checks when opening file(s) from ++ * the graphics library ++ */ ++int ++z_check_file_permissions(gs_memory_t *mem, const char *fname, ++ const int len, const char *permission); + #endif diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-7977.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-7977.patch --- ghostscript-9.19~dfsg/debian/patches/CVE-2016-7977.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-7977.patch 2016-10-16 20:40:03.000000000 +0200 @@ -0,0 +1,27 @@ +Description: CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing remote file disclosure +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70 +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697169 +Bug-Debian: https://bugs.debian.org/839841 +Forwarded: not-needed +Author: Chris Liddell <chris.lidd...@artifex.com> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-10-16 +--- + +diff --git a/psi/zfile.c b/psi/zfile.c +index b6caea2..2c6c958 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx + gs_main_instance *minst = get_minst_from_memory(mem); + int code; + ++ if (i_ctx_p && starting_arg_file) ++ i_ctx_p->starting_arg_file = false; ++ + /* when starting arg files (@ files) iodev_default is not yet set */ + if (iodev == 0) + iodev = (gx_io_device *)gx_io_device_table[0]; +-- +2.9.3 + diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-7978.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-7978.patch --- ghostscript-9.19~dfsg/debian/patches/CVE-2016-7978.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-7978.patch 2016-10-16 20:40:03.000000000 +0200 @@ -0,0 +1,27 @@ +Description: CVE-2016-7978: reference leak in .setdevice allows use-after-free and remote code execution +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697179 +Bug-Debian: https://bugs.debian.org/839845 +Forwarded: not-needed +Author: Chris Liddell <chris.lidd...@artifex.com> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-10-16 +--- + base/gsdevice.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/gsdevice.c b/base/gsdevice.c +index 778106f..aea986a 100644 +--- a/base/gsdevice.c ++++ b/base/gsdevice.c +@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem, + dev->memory = mem; + dev->retained = !internal; + rc_init(dev, mem, (internal ? 0 : 1)); ++ rc_increment(dev->icc_struct); + } + + void +-- +2.1.4 + diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-7979.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-7979.patch --- ghostscript-9.19~dfsg/debian/patches/CVE-2016-7979.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-7979.patch 2016-10-16 20:40:03.000000000 +0200 @@ -0,0 +1,40 @@ +Description: CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code execution +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913 +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697190 +Bug-Debian: https://bugs.debian.org/839846 +Forwarded: not-needed +Author: Ken Sharp <ken.sh...@artifex.com> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-10-16 +--- + psi/zdscpars.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/psi/zdscpars.c b/psi/zdscpars.c +index c05e154..9b4b605 100644 +--- a/psi/zdscpars.c ++++ b/psi/zdscpars.c +@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p) + ref local_ref; + int code; + os_ptr const op = osp; +- dict * const pdict = op->value.pdict; +- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict); +- dsc_data_t * const data = +- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); ++ dict *pdict; ++ gs_memory_t *mem; ++ dsc_data_t *data; + ++ check_read_type(*op, t_dictionary); ++ ++ pdict = op->value.pdict; ++ mem = (gs_memory_t *)dict_memory(pdict); ++ ++ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); + if (!data) + return_error(gs_error_VMerror); + data->document_level = 0; +-- +2.1.4 + diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-8602.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-8602.patch --- ghostscript-9.19~dfsg/debian/patches/CVE-2016-8602.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-8602.patch 2016-10-16 20:40:03.000000000 +0200 @@ -0,0 +1,38 @@ +Description: CVE-2016-8602: check for sufficient params in .sethalftone5 and param types +Origin: backport, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697203 +Bug-Debian: https://bugs.debian.org/840451 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-10-16 +--- + psi/zht2.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/psi/zht2.c ++++ b/psi/zht2.c +@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p) + gs_memory_t *mem; + uint edepth = ref_stack_count(&e_stack); + int npop = 2; +- int dict_enum = dict_first(op); ++ int dict_enum; + ref rvalue[2]; + int cname, colorant_number; + byte * pname; + uint name_size; + int halftonetype, type = 0; + gs_state *pgs = igs; +- int space_index = r_space_index(op - 1); ++ int space_index; ++ ++ if (ref_stack_count(&o_stack) < 2) ++ return_error(gs_error_stackunderflow); ++ check_type(*op, t_dictionary); ++ check_type(*(op - 1), t_dictionary); ++ ++ dict_enum = dict_first(op); ++ space_index = r_space_index(op - 1); + + mem = (gs_memory_t *) idmemory->spaces_indexed[space_index]; + diff -Nru ghostscript-9.19~dfsg/debian/patches/series ghostscript-9.19~dfsg/debian/patches/series --- ghostscript-9.19~dfsg/debian/patches/series 2016-08-11 13:20:32.000000000 +0200 +++ ghostscript-9.19~dfsg/debian/patches/series 2016-10-16 20:40:03.000000000 +0200 @@ -9,3 +9,9 @@ 2007_suggest_install_ghostscript-doc_in_code.patch 2008_mention_ghostscript-x_in_docs.patch 2010_add_build_timestamp_setting.patch +CVE-2013-5653.patch +CVE-2016-7976.patch +CVE-2016-7977.patch +CVE-2016-7978.patch +CVE-2016-7979.patch +CVE-2016-8602.patch