[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
11/11: gnu: ghostscript: Fix CVE-2023-36664.
|
From: |
guix-commits |
|
Subject: |
11/11: gnu: ghostscript: Fix CVE-2023-36664. |
|
Date: |
Fri, 14 Jul 2023 08:19:21 -0400 (EDT) |
nckx pushed a commit to branch master
in repository guix.
commit 67fb8efdf782592c133726a1ab7bc6692259e385
Author: Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Sun Jul 9 02:00:01 2023 +0200
gnu: ghostscript: Fix CVE-2023-36664.
* gnu/packages/ghostscript.scm (ghostscript/fixed): New variable.
(ghostscript)[replacement]: Assign it to new field.
* gnu/packages/patches/ghostscript-CVE-2023-36664.patch,
gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 2 +
gnu/packages/ghostscript.scm | 7 +
.../patches/ghostscript-CVE-2023-36664-fixup.patch | 56 ++++++++
.../patches/ghostscript-CVE-2023-36664.patch | 142 +++++++++++++++++++++
4 files changed, 207 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index b5c28dafac..06a376a99a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1237,6 +1237,8 @@ dist_patch_DATA =
\
%D%/packages/patches/ghc-bloomfilter-ghc9.2.patch \
%D%/packages/patches/ghc-bytestring-handle-ghc9.patch \
%D%/packages/patches/ghc-language-haskell-extract-ghc-8.10.patch \
+ %D%/packages/patches/ghostscript-CVE-2023-36664.patch \
+ %D%/packages/patches/ghostscript-CVE-2023-36664-fixup.patch \
%D%/packages/patches/ghostscript-no-header-id.patch \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 1813cc367e..8d35f1195c 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -145,6 +145,7 @@ printing, and psresize, for adjusting page sizes.")
(package
(name "ghostscript")
(version "9.56.1")
+ (replacement ghostscript/fixed)
(source
(origin
(method url-fetch)
@@ -266,6 +267,12 @@ output file formats and printers.")
(home-page "https://www.ghostscript.com/";)
(license license:agpl3+)))
+(define ghostscript/fixed
+ (package-with-patches
+ ghostscript
+ (search-patches "ghostscript-CVE-2023-36664.patch"
+ "ghostscript-CVE-2023-36664-fixup.patch")))
+
(define-public ghostscript/x
(package/inherit ghostscript
(name (string-append (package-name ghostscript) "-with-x"))
diff --git a/gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch
b/gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch
new file mode 100644
index 0000000000..c2a222701f
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2023-36664-fixup.patch
@@ -0,0 +1,56 @@
+From 0974e4f2ac0005d3731e0b5c13ebc7e965540f4d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+---
+ base/gpmisc.c | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 58511270e..2b0064bea 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1081,7 +1081,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory,
len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index d2a1aa91d..42af99090 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -743,7 +743,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem,
gs_path_control_t type, co
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1,
"gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+@@ -850,7 +850,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem,
gs_path_control_t type,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1,
"gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+--
+2.34.1
+
diff --git a/gnu/packages/patches/ghostscript-CVE-2023-36664.patch
b/gnu/packages/patches/ghostscript-CVE-2023-36664.patch
new file mode 100644
index 0000000000..e9c53c1f87
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2023-36664.patch
@@ -0,0 +1,142 @@
+From 505eab7782b429017eb434b2b95120855f2b0e3c Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission
+ validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+---
+ base/gpmisc.c | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 5f39ebba7..2fb87f769 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+ && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+ prefix_len = 0;
+ }
+- rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen +
prefix_len, "gp_validate_path");
+- if (bufferfull == NULL)
+- return gs_error_VMerror;
+-
+- buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) !=
gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
+
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory,
len + 1, "gp_validate_path");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen +
prefix_len, "gp_validate_path");
++ if (bufferfull == NULL)
++ return gs_error_VMerror;
++
++ buffer = bufferfull + prefix_len;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) !=
gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+ while (1) {
+ switch (mode[0])
+ {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index eb566ed06..d2a1aa91d 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem,
gs_path_control_t type, co
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1,
"gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len + 1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) !=
gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen,
"gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) !=
gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++)
+@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem,
gs_path_control_t type,
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1,
"gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) !=
gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen,
"gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) !=
gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++) {
+--
+2.34.1
+
- branch master updated (5f7c714c63 -> 67fb8efdf7), guix-commits, 2023/07/14
- 01/11: gnu: borg: Update to 1.2.4., guix-commits, 2023/07/14
- 02/11: gnu: aiger: Use HTTPS source & home page., guix-commits, 2023/07/14
- 05/11: gnu: altermime: Download over HTTPS., guix-commits, 2023/07/14
- 10/11: gnu: antiword: Use Web Archive URLs., guix-commits, 2023/07/14
- 04/11: gnu: alpine: Download over HTTPS., guix-commits, 2023/07/14
- 06/11: gnu: altermime: Use G-expressions., guix-commits, 2023/07/14
- 11/11: gnu: ghostscript: Fix CVE-2023-36664.,
guix-commits <=
- 03/11: download: Remove obsolete Savannah subdirectory., guix-commits, 2023/07/14
- 07/11: gnu: altermime: Cross-compile., guix-commits, 2023/07/14
- 09/11: gnu: anthy: Mark up description., guix-commits, 2023/07/14
- 08/11: gnu: anthy: Add source mirror URL., guix-commits, 2023/07/14