* [Buildroot] [PATCH] ghostscript: add upstream security fixes for CVE-2017-8291
@ 2017-04-28 7:49 Peter Korsgaard
2017-04-28 12:15 ` Peter Korsgaard
2017-05-01 7:17 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-04-28 7:49 UTC (permalink / raw)
To: buildroot
CVE-2017-8291 - Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass
and remote command execution via a "/OutputFile (%pipe%" substring in a
crafted .eps document that is an input to the gs program, as exploited in
the wild in April 2017.
For more details, see https://bugzilla.suse.com/show_bug.cgi?id=1036453
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...-697799-have-.eqproc-check-its-parameters.patch | 33 ++++++++++++
...7799-have-.rsdparams-check-its-parameters.patch | 62 ++++++++++++++++++++++
2 files changed, 95 insertions(+)
create mode 100644 package/ghostscript/0003-Bug-697799-have-.eqproc-check-its-parameters.patch
create mode 100644 package/ghostscript/0004-Bug-697799-have-.rsdparams-check-its-parameters.patch
diff --git a/package/ghostscript/0003-Bug-697799-have-.eqproc-check-its-parameters.patch b/package/ghostscript/0003-Bug-697799-have-.eqproc-check-its-parameters.patch
new file mode 100644
index 000000000..becdc6605
--- /dev/null
+++ b/package/ghostscript/0003-Bug-697799-have-.eqproc-check-its-parameters.patch
@@ -0,0 +1,33 @@
+From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 27 Apr 2017 13:03:33 +0100
+Subject: [PATCH] Bug 697799: have .eqproc check its parameters
+
+The Ghostscript custom operator .eqproc was not check the number or type of
+the parameters it was given.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ psi/zmisc3.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zmisc3.c b/psi/zmisc3.c
+index 54b304246..37293ff4b 100644
+--- a/psi/zmisc3.c
++++ b/psi/zmisc3.c
+@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
+ ref2_t stack[MAX_DEPTH + 1];
+ ref2_t *top = stack;
+
++ if (ref_stack_count(&o_stack) < 2)
++ return_error(gs_error_stackunderflow);
++ if (!r_is_array(op - 1) || !r_is_array(op)) {
++ return_error(gs_error_typecheck);
++ }
++
+ make_array(&stack[0].proc1, 0, 1, op - 1);
+ make_array(&stack[0].proc2, 0, 1, op);
+ for (;;) {
+--
+2.11.0
+
diff --git a/package/ghostscript/0004-Bug-697799-have-.rsdparams-check-its-parameters.patch b/package/ghostscript/0004-Bug-697799-have-.rsdparams-check-its-parameters.patch
new file mode 100644
index 000000000..9ba170b31
--- /dev/null
+++ b/package/ghostscript/0004-Bug-697799-have-.rsdparams-check-its-parameters.patch
@@ -0,0 +1,62 @@
+From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 27 Apr 2017 13:21:31 +0100
+Subject: [PATCH] Bug 697799: have .rsdparams check its parameters
+
+The Ghostscript internal operator .rsdparams wasn't checking the number or
+type of the operands it was being passed. Do so.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ psi/zfrsd.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/psi/zfrsd.c b/psi/zfrsd.c
+index 191107d8a..950588d69 100644
+--- a/psi/zfrsd.c
++++ b/psi/zfrsd.c
+@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ ref *pFilter;
+ ref *pDecodeParms;
+ int Intent = 0;
+- bool AsyncRead;
++ bool AsyncRead = false;
+ ref empty_array, filter1_array, parms1_array;
+ uint i;
+- int code;
++ int code = 0;
++
++ if (ref_stack_count(&o_stack) < 1)
++ return_error(gs_error_stackunderflow);
++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++ return_error(gs_error_typecheck);
++ }
+
+ make_empty_array(&empty_array, a_readonly);
+- if (dict_find_string(op, "Filter", &pFilter) > 0) {
++ if (r_has_type(op, t_dictionary)
++ && dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (!r_is_array(pFilter)) {
+ if (!r_has_type(pFilter, t_name))
+ return_error(gs_error_typecheck);
+@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ return_error(gs_error_typecheck);
+ }
+ }
+- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++ if (r_has_type(op, t_dictionary))
++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+ if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
+ return code;
+- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+- )
+- return code;
++ if (r_has_type(op, t_dictionary))
++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++ return code;
+ push(1);
+ op[-1] = *pFilter;
+ if (pDecodeParms)
+--
+2.11.0
+
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* [Buildroot] [PATCH] ghostscript: add upstream security fixes for CVE-2017-8291
2017-04-28 7:49 [Buildroot] [PATCH] ghostscript: add upstream security fixes for CVE-2017-8291 Peter Korsgaard
@ 2017-04-28 12:15 ` Peter Korsgaard
2017-05-01 7:17 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-04-28 12:15 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> CVE-2017-8291 - Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass
> and remote command execution via a "/OutputFile (%pipe%" substring in a
> crafted .eps document that is an input to the gs program, as exploited in
> the wild in April 2017.
> For more details, see https://bugzilla.suse.com/show_bug.cgi?id=1036453
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] ghostscript: add upstream security fixes for CVE-2017-8291
2017-04-28 7:49 [Buildroot] [PATCH] ghostscript: add upstream security fixes for CVE-2017-8291 Peter Korsgaard
2017-04-28 12:15 ` Peter Korsgaard
@ 2017-05-01 7:17 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-05-01 7:17 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> CVE-2017-8291 - Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass
> and remote command execution via a "/OutputFile (%pipe%" substring in a
> crafted .eps document that is an input to the gs program, as exploited in
> the wild in April 2017.
> For more details, see https://bugzilla.suse.com/show_bug.cgi?id=1036453
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-05-01 7:17 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-04-28 7:49 [Buildroot] [PATCH] ghostscript: add upstream security fixes for CVE-2017-8291 Peter Korsgaard
2017-04-28 12:15 ` Peter Korsgaard
2017-05-01 7:17 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox