Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2016-10-22 13:01:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2016-10-13 11:23:41.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new/ghostscript-mini.changes 2016-10-22 13:01:57.000000000 +0200 @@ -1,0 +2,31 @@ +Mon Oct 17 13:36:57 CEST 2016 - [email protected] + +- CVE-2013-5653 (getenv and filenameforall ignore -dSAFER) + is fixed in the Ghostscript 9.20 upstream sources + see http://bugs.ghostscript.com/show_bug.cgi?id=694724 + (bsc#1001951). +- CVE-2016-7976.patch fixes that + various userparams allow %pipe% in paths, allowing + remote shell command execution + see http://bugs.ghostscript.com/show_bug.cgi?id=697178 + (bsc#1001951). +- CVE-2016-7977.patch fixes that + .libfile doesn't check PermitFileReading array, allowing + remote file disclosure + see http://bugs.ghostscript.com/show_bug.cgi?id=697169 + (bsc#1001951). +- CVE-2016-7978.patch fixes that + reference leak in .setdevice allows + use-after-free and remote code execution + see http://bugs.ghostscript.com/show_bug.cgi?id=697179 + (bsc#1001951). +- CVE-2016-7979.patch fixes that + type confusion in .initialize_dsc_parser allows + remote code execution + see http://bugs.ghostscript.com/show_bug.cgi?id=697190 + (bsc#1001951). +- CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 + see http://bugs.ghostscript.com/show_bug.cgi?id=697203 + (bsc#1004237). + +------------------------------------------------------------------- ghostscript.changes: same change New: ---- CVE-2016-7976.patch CVE-2016-7977.patch CVE-2016-7978.patch CVE-2016-7979.patch CVE-2016-8602.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.9WqK3X/_old 2016-10-22 13:01:58.000000000 +0200 +++ /var/tmp/diff_new_pack.9WqK3X/_new 2016-10-22 13:01:58.000000000 +0200 @@ -64,6 +64,30 @@ # MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: +# Patch1 CVE-2016-7976.patch fixes that +# various userparams allow %pipe% in paths, allowing remote shell command execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +Patch1: CVE-2016-7976.patch +# Patch2 CVE-2016-7977.patch fixes that +# .libfile doesn't check PermitFileReading array, allowing remote file disclosure +# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +Patch2: CVE-2016-7977.patch +# Patch3 CVE-2016-7978.patch fixes that +# reference leak in .setdevice allows use-after-free and remote code execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +Patch3: CVE-2016-7978.patch +# Patch4 CVE-2016-7979.patch fixes that +# type confusion in .initialize_dsc_parser allows remote code execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +Patch4: CVE-2016-7979.patch +# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 +# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 +# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 +Patch5: CVE-2016-8602.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch11 ppc64le-support.patch is a remainder of the previous patch @@ -145,6 +169,30 @@ # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} +# Patch1 CVE-2016-7976.patch fixes that +# various userparams allow %pipe% in paths, allowing remote shell command execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +%patch1 -p1 -b CVE-2016-7976.orig +# Patch2 CVE-2016-7977.patch fixes that +# .libfile doesn't check PermitFileReading array, allowing remote file disclosure +# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +%patch2 -p1 -b CVE-2016-7977.orig +# Patch3 CVE-2016-7978.patch fixes that +# reference leak in .setdevice allows use-after-free and remote code execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +%patch3 -p1 -b CVE-2016-7978.orig +# Patch4 CVE-2016-7979.patch fixes that +# type confusion in .initialize_dsc_parser allows remote code execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +%patch4 -p1 -b CVE-2016-7979.orig +# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 +# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 +# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 +%patch5 -p1 -b CVE-2016-8602.orig # Patch11 ppc64le-support.patch is a remainder of the previous patch # now the hunk for LCMS (lcms/include/lcms.h) is removed # because LCMS 1.x is removed since Ghostscript 9.16 ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.9WqK3X/_old 2016-10-22 13:01:58.000000000 +0200 +++ /var/tmp/diff_new_pack.9WqK3X/_new 2016-10-22 13:01:58.000000000 +0200 @@ -84,6 +84,30 @@ # MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: +# Patch1 CVE-2016-7976.patch fixes that +# various userparams allow %pipe% in paths, allowing remote shell command execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +Patch1: CVE-2016-7976.patch +# Patch2 CVE-2016-7977.patch fixes that +# .libfile doesn't check PermitFileReading array, allowing remote file disclosure +# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +Patch2: CVE-2016-7977.patch +# Patch3 CVE-2016-7978.patch fixes that +# reference leak in .setdevice allows use-after-free and remote code execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +Patch3: CVE-2016-7978.patch +# Patch4 CVE-2016-7979.patch fixes that +# type confusion in .initialize_dsc_parser allows remote code execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +Patch4: CVE-2016-7979.patch +# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 +# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 +# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 +Patch5: CVE-2016-8602.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch11 ppc64le-support.patch is a remainder of the previous patch @@ -281,6 +305,30 @@ # Be quiet when unpacking and # use a directory name matching Source0 to make it work also for ghostscript-mini: %setup -q -n ghostscript-%{tarball_version} +# Patch1 CVE-2016-7976.patch fixes that +# various userparams allow %pipe% in paths, allowing remote shell command execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697178 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +%patch1 -p1 -b CVE-2016-7976.orig +# Patch2 CVE-2016-7977.patch fixes that +# .libfile doesn't check PermitFileReading array, allowing remote file disclosure +# see http://bugs.ghostscript.com/show_bug.cgi?id=697169 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +%patch2 -p1 -b CVE-2016-7977.orig +# Patch3 CVE-2016-7978.patch fixes that +# reference leak in .setdevice allows use-after-free and remote code execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697179 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +%patch3 -p1 -b CVE-2016-7978.orig +# Patch4 CVE-2016-7979.patch fixes that +# type confusion in .initialize_dsc_parser allows remote code execution +# see http://bugs.ghostscript.com/show_bug.cgi?id=697190 +# and https://bugzilla.suse.com/show_bug.cgi?id=1001951 +%patch4 -p1 -b CVE-2016-7979.orig +# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5 +# see http://bugs.ghostscript.com/show_bug.cgi?id=697203 +# and https://bugzilla.suse.com/show_bug.cgi?id=1004237 +%patch5 -p1 -b CVE-2016-8602.orig # Patch11 ppc64le-support.patch is a remainder of the previous patch # now the hunk for LCMS (lcms/include/lcms.h) is removed # because LCMS 1.x is removed since Ghostscript 9.16 ++++++ CVE-2016-7976.patch ++++++ From: Chris Liddell <[email protected]> Date: Wed, 5 Oct 2016 08:55:55 +0000 (+0100) Subject: Bug 697178: Add a file permissions callback X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=71ac87493b1e445d6c07554d4246cf7d4f44875c;hp=cf046d2f0fa2c6973c6ca8d582a9b185cc4bd280 Bug 697178: Add a file permissions callback For the rare occasions when the graphics library directly opens a file (currently for reading), this allows us to apply any restrictions on file access normally applied in the interpteter. --- diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c index 931c2a6..e9c09c3 100644 --- a/base/gsicc_manage.c +++ b/base/gsicc_manage.c @@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc, } /* First just try it like it is */ - str = sfopen(pname, "r", mem_gc); - if (str != NULL) { - *strp = str; - return 0; + if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) { + str = sfopen(pname, "r", mem_gc); + if (str != NULL) { + *strp = str; + return 0; + } } /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */ diff --git a/base/gslibctx.c b/base/gslibctx.c index eaa0458..37ce1ca 100644 --- a/base/gslibctx.c +++ b/base/gslibctx.c @@ -189,7 +189,7 @@ Failure: mem->gs_lib_ctx = NULL; return -1; } - + pio->client_check_file_permission = NULL; gp_get_realtime(pio->real_time_0); /* Set scanconverter to 1 (default) */ @@ -343,3 +343,13 @@ void errflush(const gs_memory_t *mem) fflush(mem->gs_lib_ctx->fstderr); /* else nothing to flush */ } + +int +gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission) +{ + int code = 0; + if (mem->gs_lib_ctx->client_check_file_permission != NULL) { + code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission); + } + return code; +} diff --git a/base/gslibctx.h b/base/gslibctx.h index 7a4e110..020e2d9 100644 --- a/base/gslibctx.h +++ b/base/gslibctx.h @@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server; # define gs_font_dir_DEFINED typedef struct gs_font_dir_s gs_font_dir; #endif + +typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission); + typedef struct gs_lib_ctx_s { gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */ @@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s struct gx_io_device_s **io_device_table; int io_device_table_count; int io_device_table_size; + client_check_file_permission_t client_check_file_permission; /* Define the default value of AccurateScreens that affects setscreen and setcolorscreen. */ bool screen_accurate_screens; @@ -133,6 +137,9 @@ int gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str, int *list_str_len); +int +gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission); + #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout) #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr) diff --git a/psi/imain.c b/psi/imain.c index 9a9bb5d..6874128 100644 --- a/psi/imain.c +++ b/psi/imain.c @@ -57,6 +57,7 @@ #include "ivmspace.h" #include "idisp.h" /* for setting display device callback */ #include "iplugin.h" +#include "zfile.h" #ifdef PACIFY_VALGRIND #include "valgrind.h" @@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst) "the_gs_name_table"); if (code < 0) return code; + mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions; } code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */ if (code < 0) diff --git a/psi/int.mak b/psi/int.mak index 4654afc..bb30d51 100644 --- a/psi/int.mak +++ b/psi/int.mak @@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\ $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\ $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\ $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\ - $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\ + $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\ $(INT_MAK) $(MAKEDIRS) $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c diff --git a/psi/zfile.c b/psi/zfile.c index 2c6c958..bc6c70f 100644 --- a/psi/zfile.c +++ b/psi/zfile.c @@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len, return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup); } +/* z_check_file_permissions: see zfile.h for explanation + */ +int +z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission) +{ + i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p; + gs_parsed_file_name_t pname; + char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting"; + int code = gs_parse_file_name(&pname, fname, len, imemory); + if (code < 0) + return code; + + if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0) + return gs_error_invalidfileaccess; + + code = check_file_permissions(i_ctx_p, fname, len, permitgroup); + return code; +} + /* <name_string> <access_string> file <file> */ int /* exported for zsysvm.c */ zfile(i_ctx_t *i_ctx_p) diff --git a/psi/zfile.h b/psi/zfile.h index fdf1373..a9399c7 100644 --- a/psi/zfile.h +++ b/psi/zfile.h @@ -22,4 +22,11 @@ int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn, const char *file_access, stream **ps, gs_memory_t *mem); +/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission) + * to allow applying the above permissions checks when opening file(s) from + * the graphics library + */ +int +z_check_file_permissions(gs_memory_t *mem, const char *fname, + const int len, const char *permission); #endif ++++++ CVE-2016-7977.patch ++++++ From: Chris Liddell <[email protected]> Date: Mon, 3 Oct 2016 00:46:28 +0000 (+0100) Subject: Bug 697169: Be rigorous with SAFER permissions X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=cf046d2f0fa2c6973c6ca8d582a9b185cc4bd280;hp=3826c0c7a4fc781c8222ef458b706360600f1711 Bug 697169: Be rigorous with SAFER permissions Once we've opened our input file from the command line, enforce the SAFER rules. --- diff --git a/psi/zfile.c b/psi/zfile.c index b6caea2..2c6c958 100644 --- a/psi/zfile.c +++ b/psi/zfile.c @@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx gs_main_instance *minst = get_minst_from_memory(mem); int code; + if (i_ctx_p && starting_arg_file) + i_ctx_p->starting_arg_file = false; + /* when starting arg files (@ files) iodev_default is not yet set */ if (iodev == 0) iodev = (gx_io_device *)gx_io_device_table[0]; ++++++ CVE-2016-7978.patch ++++++ From: Chris Liddell <[email protected]> Date: Wed, 5 Oct 2016 08:59:25 +0000 (+0100) Subject: Bug 697179: Reference count device icc profile X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=d5ad1e0298e1c193087c824eb4f79628b182e28b;hp=71ac87493b1e445d6c07554d4246cf7d4f44875c Bug 697179: Reference count device icc profile when copying a device --- diff --git a/base/gsdevice.c b/base/gsdevice.c index 778106f..aea986a 100644 --- a/base/gsdevice.c +++ b/base/gsdevice.c @@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem, dev->memory = mem; dev->retained = !internal; rc_init(dev, mem, (internal ? 0 : 1)); + rc_increment(dev->icc_struct); } void ++++++ CVE-2016-7979.patch ++++++ From: Ken Sharp <[email protected]> Date: Wed, 5 Oct 2016 09:10:58 +0000 (+0100) Subject: DSC parser - validate parameters X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=875a0095f37626a721c7ff57d606a0f95af03913;hp=aef8f6cfbff9080e4b9c54053bc909875c09a2be DSC parser - validate parameters Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it." Regardless of any security implications, its simply wrong for a PostScript operator not to validate its parameter(s). No differences expected. --- diff --git a/psi/zdscpars.c b/psi/zdscpars.c index c05e154..9b4b605 100644 --- a/psi/zdscpars.c +++ b/psi/zdscpars.c @@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p) ref local_ref; int code; os_ptr const op = osp; - dict * const pdict = op->value.pdict; - gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict); - dsc_data_t * const data = - gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); + dict *pdict; + gs_memory_t *mem; + dsc_data_t *data; + check_read_type(*op, t_dictionary); + + pdict = op->value.pdict; + mem = (gs_memory_t *)dict_memory(pdict); + + data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); if (!data) return_error(gs_error_VMerror); data->document_level = 0; ++++++ CVE-2016-8602.patch ++++++ From: Chris Liddell <[email protected]> Date: Sat, 8 Oct 2016 15:10:27 +0000 (+0100) Subject: Bug 697203: check for sufficient params in .sethalftone5 X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78;hp=a5360401495654e89301b2516703c1d2877fc5ba Bug 697203: check for sufficient params in .sethalftone5 and param types --- diff --git a/psi/zht2.c b/psi/zht2.c index fb4a264..dfa27a4 100644 --- a/psi/zht2.c +++ b/psi/zht2.c @@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p) gs_memory_t *mem; uint edepth = ref_stack_count(&e_stack); int npop = 2; - int dict_enum = dict_first(op); + int dict_enum; ref rvalue[2]; int cname, colorant_number; byte * pname; uint name_size; int halftonetype, type = 0; gs_gstate *pgs = igs; - int space_index = r_space_index(op - 1); + int space_index; + + if (ref_stack_count(&o_stack) < 2) + return_error(gs_error_stackunderflow); + check_type(*op, t_dictionary); + check_type(*(op - 1), t_dictionary); + + dict_enum = dict_first(op); + space_index = r_space_index(op - 1); mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
