diff options
author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-12-17 04:11:34 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-01-09 02:21:44 +0300 |
commit | 1a4b7ee28bf7413af6513fb45ad0d0736048f866 (patch) | |
tree | 79f6d8ea698cab8f2eaf4f54b793d2ca7a1451ce /poky/meta/recipes-extended/ghostscript/files | |
parent | 5b9ede0403237c7dace972affa65cf64a1aadd0e (diff) | |
download | openbmc-1a4b7ee28bf7413af6513fb45ad0d0736048f866.tar.xz |
reset upstream subtrees to yocto 2.6
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-extended/ghostscript/files')
9 files changed, 1290 insertions, 5 deletions
diff --git a/poky/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch b/poky/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch new file mode 100644 index 000000000..f175da0ca --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch @@ -0,0 +1,59 @@ +From 274b2cc08b0d10a4cac3fe8b50022889f22580cb Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Thu, 20 Sep 2018 16:35:28 +0100 +Subject: [PATCH 1/5] Bug 699795: add operand checking to + .setnativefontmapbuilt + +.setnativefontmapbuilt .forceputs a value into systemdict - it is intended +to be a boolean, but in this case was being called with a compound object +(a dictionary). Such an object, in local VM, being forced into systemdict +would then confuse the garbager, since it could be restored away with the +reference remaining. + +This adds operand checking, so .setnativefontmapbuilt will simply ignore +anything other than a boolean value, and also removes the definition of +.setnativefontmapbuilt after use, since it is only used in two, closely +related places. + +CVE: CVE-2018-17961 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + Resource/Init/gs_fonts.ps | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 38f0f6c..45b6613 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -372,9 +372,13 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if + % of strings: what the system thinks is the ps name, + % and the access path. + /.setnativefontmapbuilt { % set whether we've been run +- systemdict exch /.nativefontmapbuilt exch .forceput ++ dup type /booleantype eq { ++ systemdict exch /.nativefontmapbuilt exch .forceput ++ } ++ {pop} ++ ifelse + } .bind executeonly def +-systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt ++systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec + /.buildnativefontmap { % - .buildnativefontmap <bool> + systemdict /.nativefontmapbuilt .knownget not + { //false} if +@@ -415,9 +419,10 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt + } forall + } if + % record that we've been run +- //true .setnativefontmapbuilt ++ //true //.setnativefontmapbuilt exec + } ifelse + } bind def ++currentdict /.setnativefontmapbuilt .forceundef + + % Create the dictionary that registers the .buildfont procedure + % (called by definefont) for each FontType. +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch b/poky/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch new file mode 100644 index 000000000..000f9c9ef --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch @@ -0,0 +1,434 @@ +From 0661bf23a5be32973682e17afed4a2f23a8214ba Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Sat, 29 Sep 2018 15:34:55 +0100 +Subject: [PATCH 2/5] Bug 699816: Improve hiding of security critical custom + operators + +Make procedures that use .forceput/.forcedef/.forceundef into operators. + +The result of this is that errors get reported against the "top" operator, +rather than the "called" operator within the procedure. + +For example: +/myproc +{ + myop +} bind def + +If 'myop' throws an error, the error handler will be passed the 'myop' +operator. Promoting 'myproc' to a operator means the error handler will be +passed 'myproc'. + +CVE: CVE-2018-17961 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + Resource/Init/gs_diskn.ps | 2 +- + Resource/Init/gs_dps.ps | 2 +- + Resource/Init/gs_fntem.ps | 2 +- + Resource/Init/gs_fonts.ps | 10 +++++----- + Resource/Init/gs_lev2.ps | 13 +++++++++---- + Resource/Init/gs_pdfwr.ps | 2 +- + Resource/Init/gs_setpd.ps | 25 +++++++++++++++++-------- + Resource/Init/gs_typ32.ps | 14 +++++++++----- + Resource/Init/gs_type1.ps | 2 +- + Resource/Init/pdf_base.ps | 2 +- + Resource/Init/pdf_draw.ps | 10 +++++----- + Resource/Init/pdf_font.ps | 8 ++++---- + Resource/Init/pdf_main.ps | 4 ++-- + Resource/Init/pdf_ops.ps | 8 ++++---- + 14 files changed, 61 insertions(+), 43 deletions(-) + +diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps +index 5540715..26ec0b5 100644 +--- a/Resource/Init/gs_diskn.ps ++++ b/Resource/Init/gs_diskn.ps +@@ -53,7 +53,7 @@ systemdict begin + exch .setglobal + } + if +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Modify .putdevparams to force regeneration of .searchabledevs list + /.putdevparams { +diff --git a/Resource/Init/gs_dps.ps b/Resource/Init/gs_dps.ps +index cad7056..daf7b0f 100644 +--- a/Resource/Init/gs_dps.ps ++++ b/Resource/Init/gs_dps.ps +@@ -70,7 +70,7 @@ + % Save a copy of the initial gstate. + //systemdict /savedinitialgstate gstate readonly .forceput + .setglobal +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Initialize local dictionaries and gstate when creating a new context. + % Note that until this completes, we are in the anomalous situation of +diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps +index 3ceee18..c1f7651 100644 +--- a/Resource/Init/gs_fntem.ps ++++ b/Resource/Init/gs_fntem.ps +@@ -408,7 +408,7 @@ currentdict end def + exit + } loop + exch setglobal +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + currentdict end /ProcSet defineresource pop + +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 45b6613..89c3ab7 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -377,8 +377,8 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if + } + {pop} + ifelse +-} .bind executeonly def +-systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec ++} .bind executeonly odef ++systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt + /.buildnativefontmap { % - .buildnativefontmap <bool> + systemdict /.nativefontmapbuilt .knownget not + { //false} if +@@ -419,7 +419,7 @@ systemdict /NONATIVEFONTMAP known //.setnativefontmapbuilt exec + } forall + } if + % record that we've been run +- //true //.setnativefontmapbuilt exec ++ //true .setnativefontmapbuilt + } ifelse + } bind def + currentdict /.setnativefontmapbuilt .forceundef +@@ -1103,7 +1103,7 @@ $error /SubstituteFont { } put + + % Check to make sure the font was actually loaded. + dup 3 index .fontknownget +- { dup /PathLoad 4 index //.putgstringcopy exec ++ { dup /PathLoad 4 index .putgstringcopy + 4 1 roll pop pop pop //true exit + } if + +@@ -1115,7 +1115,7 @@ $error /SubstituteFont { } put + { % Stack: origfontname fontdirectory path filefontname + 2 index 1 index .fontknownget + { % Yes. Stack: origfontname fontdirectory path filefontname fontdict +- dup 4 -1 roll /PathLoad exch //.putgstringcopy exec ++ dup 4 -1 roll /PathLoad exch .putgstringcopy + % Stack: origfontname fontdirectory filefontname fontdict + 3 -1 roll pop + % Stack: origfontname filefontname fontdict +diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps +index eee0b9f..a8ed892 100644 +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -163,10 +163,11 @@ end + % Set them again to the new values. From here on, we are safe, + % since a context switch will consult userparams. + .setuserparams +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + /setuserparams { % <dict> setuserparams - +- .setuserparams2 ++ {.setuserparams2} stopped ++ {/setuserparams load $error /errorname get signalerror} if + } .bind odef + % Initialize user parameters managed here. + /JobName () .definepsuserparam +@@ -415,7 +416,9 @@ psuserparams /ProcessDSCComment {.checkprocesscomment} put + + % VMReclaim and VMThreshold are user parameters. + /setvmthreshold { % <int> setvmthreshold - +- mark /VMThreshold 2 .argindex .dicttomark .setuserparams2 pop ++ mark /VMThreshold 2 .argindex .dicttomark {.setuserparams2} stopped ++ {pop /setvmthreshold load $error /errorname get signalerror} ++ {pop} ifelse + } odef + /vmreclaim { % <int> vmreclaim - + dup 0 gt { +@@ -427,7 +430,9 @@ psuserparams /ProcessDSCComment {.checkprocesscomment} put + ifelse + } { + % VMReclaim userparam controls enable/disable GC +- mark /VMReclaim 2 index .dicttomark .setuserparams2 pop ++ mark /VMReclaim 2 index .dicttomark {.setuserparams2} stopped ++ {pop /vmreclaim load $error /errorname get signalerror} ++ {pop} ifelse + } ifelse + } odef + -1 setvmthreshold +diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps +index fb1c419..58e75d3 100644 +--- a/Resource/Init/gs_pdfwr.ps ++++ b/Resource/Init/gs_pdfwr.ps +@@ -660,7 +660,7 @@ currentdict /.pdfmarkparams .undef + { + pop + } ifelse +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Use the DSC processing hook to pass DSC comments to the driver. + % We use a pseudo-parameter named DSC whose value is an array: +diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps +index 8fa7c51..afb4ffa 100644 +--- a/Resource/Init/gs_setpd.ps ++++ b/Resource/Init/gs_setpd.ps +@@ -608,6 +608,20 @@ NOMEDIAATTRS { + % in the <failed> dictionary with the policy value, + % and we replace the key in the <merged> dictionary with its prior value + % (or remove it if it had no prior value). ++ ++% Making this an operator means we can properly hide ++% the contents - specifically .forceput ++/1Policy ++{ ++ % Roll back the failed request to its previous status. ++ SETPDDEBUG { (Rolling back.) = pstack flush } if ++ 3 index 2 index 3 -1 roll .forceput ++ 4 index 1 index .knownget ++ { 4 index 3 1 roll .forceput } ++ { 3 index exch .undef } ++ ifelse ++} bind executeonly odef ++ + /.policyprocs mark + % These procedures are called with the following on the stack: + % <orig> <merged> <failed> <Policies> <key> <policy> +@@ -631,14 +645,7 @@ NOMEDIAATTRS { + /setpagedevice .systemvar /configurationerror signalerror + } ifelse + } bind +- 1 { % Roll back the failed request to its previous status. +-SETPDDEBUG { (Rolling back.) = pstack flush } if +- 3 index 2 index 3 -1 roll .forceput +- 4 index 1 index .knownget +- { 4 index 3 1 roll .forceput } +- { 3 index exch .undef } +- ifelse +- } .bind executeonly % must be bound and hidden for .forceput ++ 1 /1Policy load + 7 { % For PageSize only, just impose the request. + 1 index /PageSize eq + { pop pop 1 index /PageSize 7 put } +@@ -646,6 +653,8 @@ SETPDDEBUG { (Rolling back.) = pstack flush } if + ifelse + } bind + .dicttomark readonly def ++currentdict /1Policy undef ++ + /.applypolicies % <orig> <merged> <failed> .applypolicies + % <orig> <merged'> <failed'> + { 1 index /Policies get 1 index +diff --git a/Resource/Init/gs_typ32.ps b/Resource/Init/gs_typ32.ps +index b6600b0..9150f71 100644 +--- a/Resource/Init/gs_typ32.ps ++++ b/Resource/Init/gs_typ32.ps +@@ -79,15 +79,19 @@ systemdict /.removeglyphs .undef + .dicttomark /ProcSet defineresource pop + + /.cidfonttypes where { pop } { /.cidfonttypes 6 dict def } ifelse +-.cidfonttypes begin +- +-4 % CIDFontType 4 = FontType 32 +-{ dup /FontType 32 .forceput ++/CIDFontType4 ++{ ++ dup /FontType 32 .forceput + dup /CharStrings 20 dict .forceput + 1 index exch .buildfont32 exch pop +-} .bind executeonly def % must be bound and hidden for .forceput ++} .bind executeonly odef ++.cidfonttypes begin ++ ++ ++4 /CIDFontType4 load def % CIDFontType 4 = FontType 32 + + end % .cidfonttypes ++currentdict /CIDFontType4 .forceundef + + % Define the BuildGlyph procedure. + % Since Type 32 fonts are indexed by CID, there is no BuildChar procedure. +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index efdae48..2935d9c 100644 +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -283,7 +283,7 @@ currentdict /closesourcedict .undef + } if + 2 copy /WeightVector exch .forceput + .setweightvector +-} .bind executeonly def ++} .bind executeonly odef + end + + % Register the font types for definefont. +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +index a82a2a3..7ccd4cd 100644 +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -218,7 +218,7 @@ currentdict /num-chars-dict .undef + } ifelse + } ifelse + } ifelse +-} bind executeonly def ++} bind executeonly odef + /PDFScanRules_true << /PDFScanRules //true >> def + /PDFScanRules_null << /PDFScanRules //null >> def + /.pdfrun { % <file> <opdict> .pdfrun - +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index d1b6ac9..c239daf 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -1158,7 +1158,7 @@ currentdict end readonly def + Q + PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if + PDFfile exch setfileposition +-} bind executeonly def ++} bind executeonly odef + + /.pdfpaintproc { + %% Get the /m from pdfopdict (must be present) +@@ -1189,7 +1189,7 @@ currentdict end readonly def + { + switch_to_text_marking_ops + } if +-}bind executeonly def ++}bind executeonly odef + + /resolvepattern { % <patternstreamdict> resolvepattern <patterndict> + % Don't do the resolvestream now: just capture the data +@@ -2353,7 +2353,7 @@ currentdict /last-ditch-bpc-csp undef + }{ + pdfdict /AppearanceNumber 0 .forceput + } ifelse +-}bind executeonly def ++}bind executeonly odef + + /MakeAppearanceName { + pdfdict /AppearanceNumber get +@@ -2382,7 +2382,7 @@ currentdict /last-ditch-bpc-csp undef + DoForm + pdfdict /.PreservePDFForm 3 -1 roll .forceput + grestore +-} bind executeonly def ++} bind executeonly odef + + /DoForm { + %% save the current value, if its true we will set it to false later, in order +@@ -2541,7 +2541,7 @@ currentdict /last-ditch-bpc-csp undef + end + } if + pdfdict /.PreservePDFForm 3 -1 roll .forceput +-} bind executeonly def ++} bind executeonly odef + + /_dops_save 1 array def + +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index feaf0d0..535b14a 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -718,7 +718,7 @@ currentdict end readonly def + {pop pop pop} + ifelse + +-} bind executeonly def ++} bind executeonly odef + + currentdict /.DoToUnicode? .forceundef + +@@ -1241,7 +1241,7 @@ currentdict /eexec_pdf_param_dict .undef + } bdef + dup currentdict Encoding .processToUnicode + currentdict end .completefont exch pop +-} bind executeonly def ++} bind executeonly odef + /.adjustcharwidth { % <wx> <wy> .adjustcharwidth <wx'> <wy'> + % Enforce the metrics, in glyph space, to the values found in the PDF Font object + % - force wy == 0 (assumed, and not stored in the PDF font) +@@ -2026,7 +2026,7 @@ currentdict /CMap_read_dict undef + } if + /findresource cvx /undefined signalerror + } loop +-} bind executeonly def ++} bind executeonly odef + + /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font> + dup /BaseFont get findCIDFont exch pop +@@ -2211,7 +2211,7 @@ currentdict /CMap_read_dict undef + /Type0 //buildType0 + /Type1 //buildType1 + /MMType1 //buildType1 +- /Type3 //buildType3 ++ /Type3 /buildType3 load + /TrueType //buildTrueType + /CIDFontType0 //buildCIDType0 + /CIDFontType2 //buildCIDType2 +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index 09f8735..c823e69 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -660,7 +660,7 @@ currentdict /runpdfstring .undef + } forall + pop + } ifelse +-} bind executeonly def ++} bind executeonly odef + + currentdict /pdf_collection_files .undef + +@@ -2715,7 +2715,7 @@ currentdict /PDF2PS_matrix_key undef + .setglobal + /RepairedAnError exch def + /Repaired exch def +-} bind executeonly def ++} bind executeonly odef + + % Display the contents of a page (including annotations). + /showpagecontents { % <pagedict> showpagecontents - +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +index c45fc51..8672d61 100644 +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -193,7 +193,7 @@ currentdict /gput_always_allow .undef + pdfformaterror + } ifelse + } if +-} bind executeonly def ++} bind executeonly odef + + % Save PDF gstate + /qstate { % - qstate <qstate> +@@ -451,7 +451,7 @@ currentdict /gput_always_allow .undef + %% a gsave, so we haven't copied it to /self, if we don't do that here + %% then transparent annotations cause an invalid access error. + currentdict //nodict eq {/self dup load end 5 dict begin def} if +-} bind executeonly def ++} bind executeonly odef + /AIS { .setalphaisshape } bind executeonly def + /BM { + /.setblendmode where { +@@ -1077,7 +1077,7 @@ end readonly def + pdfopdict /v {inside_text_v} bind .forceput + pdfopdict /y {inside_text_y} bind .forceput + pdfopdict /re {inside_text_re} bind .forceput +-} bind executeonly def ++} bind executeonly odef + + /switch_to_normal_marking_ops { + pdfopdict /m {normal_m} bind .forceput +@@ -1086,7 +1086,7 @@ end readonly def + pdfopdict /v {normal_v} bind .forceput + pdfopdict /y {normal_y} bind .forceput + pdfopdict /re {normal_re} bind .forceput +-} bind executeonly def ++} bind executeonly odef + + /BT { + currentdict /TextSaveMatrix known { +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch b/poky/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch new file mode 100644 index 000000000..cd7865958 --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch @@ -0,0 +1,172 @@ +From 1f9a91c86bd56acf57826b9b0e020ebe1953e2ae Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Thu, 4 Oct 2018 10:42:13 +0100 +Subject: [PATCH 3/5] Bug 699832: add control over hiding error handlers. + +With a previous commit changing error handling in SAFER so the handler gets +passed a name object (rather than executable object), it is less critical to +hide the error handlers. + +This introduces a -dSAFERERRORS option to force only use of the default error +handlers. + +It also adds a .setsafererrors Postscript call, meaning a caller, without +-dSAFERERRORS, can create their own default error handlers (in errordict, as +normal), and then call .setsafererrors meaning their own handlers are always +called. + +With -dSAFERERRORS or after a call to .setsafererrors, .setsafererrors is +removed. + +CVE: CVE-2018-17961 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + Resource/Init/gs_init.ps | 42 +++++++++++++++++++++++++++++------------ + psi/interp.c | 49 ++++++++++++++++++++++++++++-------------------- + 2 files changed, 59 insertions(+), 32 deletions(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index bec307d..f952f32 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -188,6 +188,16 @@ currentdict /DELAYSAFER known { /DELAYSAFER //true def /NOSAFER //true def } if + currentdict /PARANOIDSAFER known or % PARANOIDSAFER is equivalent + } + ifelse def ++ ++/SAFERERRORS ++currentdict /NOSAFERERRORS known ++{ ++ //false ++} ++{ ++ currentdict /SAFERERRORS known ++} ifelse def ++ + currentdict /SHORTERRORS known /SHORTERRORS exch def + currentdict /TTYPAUSE known /TTYPAUSE exch def + currentdict /WRITESYSTEMDICT known /WRITESYSTEMDICT exch def +@@ -1123,12 +1133,23 @@ errordict begin + } bind def + end % errordict + +-% Put all the default handlers in gserrordict +-gserrordict +-errordict {2 index 3 1 roll put} forall +-noaccess pop +-% remove the non-standard errors from errordict ++gserrordict /unknownerror errordict /unknownerror get put + errordict /unknownerror .undef ++ ++/.SAFERERRORLIST ErrorNames def ++/.setsafererrors ++{ ++% Put all the requested handlers in gserrordict ++ gserrordict ++ //.SAFERERRORLIST ++ {dup errordict exch get 2 index 3 1 roll put} forall ++ noaccess pop ++ systemdict /.setsafeerrors .forceundef ++ systemdict /.SAFERERRORLIST .forceundef ++} bind executeonly odef ++ ++SAFERERRORS {.setsafererrors} if ++ + % Define a stable private copy of handleerror that we will always use under + % JOBSERVER mode. + /.GShandleerror errordict /handleerror get def +@@ -1760,18 +1781,15 @@ currentdict /.runlibfile .undef + + % Bind all the operators defined as procedures. + /.bindoperators % binds operators in currentdict +- { % Temporarily disable the typecheck error. +- errordict /typecheck 2 copy get +- errordict /typecheck { pop } put % pop the command ++ { + currentdict + { dup type /operatortype eq +- { % This might be a real operator, so bind might cause a typecheck, +- % but we've made the error a no-op temporarily. +- .bind ++ { ++ % This might be a real operator, so bind might cause a typecheck ++ {.bind} .internalstopped pop + } + if pop pop + } forall +- put + } def + DELAYBIND not { .bindoperators } if + +diff --git a/psi/interp.c b/psi/interp.c +index 3dd5f7a..cd894f9 100644 +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -662,27 +662,18 @@ again: + if (gs_errorname(i_ctx_p, code, &error_name) < 0) + return code; /* out-of-range error code! */ + +- /* If LockFilePermissions is true, we only refer to gserrordict, which +- * is not accessible to Postcript jobs ++ /* We refer to gserrordict first, which is not accessible to Postcript jobs ++ * If we're running with SAFERERRORS all the handlers are copied to gserrordict ++ * so we'll always find the default one. If not SAFERERRORS, only gs specific ++ * errors are in gserrordict. + */ +- if (i_ctx_p->LockFilePermissions) { +- if (((dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || +- dict_find(perrordict, &error_name, &epref) <= 0)) +- ) +- return code; /* error name not in errordict??? */ +- } +- else { +- /* +- * For greater Adobe compatibility, only the standard PostScript errors +- * are defined in errordict; the rest are in gserrordict. +- */ +- if (dict_find_string(systemdict, "errordict", &perrordict) <= 0 || +- (dict_find(perrordict, &error_name, &epref) <= 0 && +- (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || +- dict_find(perrordict, &error_name, &epref) <= 0)) +- ) +- return code; /* error name not in errordict??? */ +- } ++ if (dict_find_string(systemdict, "gserrordict", &perrordict) <= 0 || ++ (dict_find(perrordict, &error_name, &epref) <= 0 && ++ (dict_find_string(systemdict, "errordict", &perrordict) <= 0 || ++ dict_find(perrordict, &error_name, &epref) <= 0)) ++ ) ++ return code; /* error name not in errordict??? */ ++ + doref = *epref; + epref = &doref; + /* Push the error object on the operand stack if appropriate. */ +@@ -695,6 +686,24 @@ again: + } + *osp = *perror_object; + errorexec_find(i_ctx_p, osp); ++ /* If using SAFER, hand a name object to the error handler, rather than the executable ++ * object/operator itself. ++ */ ++ if (i_ctx_p->LockFilePermissions) { ++ code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr); ++ if (code < 0) { ++ const char *unknownstr = "--unknown--"; ++ rlen = strlen(unknownstr); ++ memcpy(buf, unknownstr, rlen); ++ } ++ else { ++ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; ++ rlen += 4; ++ } ++ code = name_ref(imemory, buf, rlen, osp, 1); ++ if (code < 0) ++ make_null(osp); ++ } + } + goto again; + } +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch b/poky/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch new file mode 100644 index 000000000..6c715ad43 --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch @@ -0,0 +1,105 @@ +From 34a8c5aa987d4db5234172a62218b168371606b1 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Tue, 2 Oct 2018 16:02:58 +0100 +Subject: [PATCH 4/5] For hidden operators, pass a name object to error + handler. + +In normal operation, Postscript error handlers are passed the object which +triggered the error: this is invariably an operator object. + +The issue arises when an error is triggered by an operator which is for internal +use only, and that operator is then passed to the error handler, meaning it +becomes visible to the error handler code. + +By converting to a name object, the error message is still valid, but we no +longer expose internal use only operators. + +The change in gs_dps1.ps is related to the above: previously an error in +scheck would throw an error against .gcheck, but as .gcheck is now a hidden +operator, it resulted in a name object being passed to the error handler. As +scheck is a 'real' operator, it's better to use the real operator, rather than +the name of an internal, hidden one. + +CVE: CVE-2018-17961 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + Resource/Init/gs_dps1.ps | 2 +- + psi/interp.c | 33 ++++++++++++++++++++++++--------- + 2 files changed, 25 insertions(+), 10 deletions(-) + +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps +index 1182f53..ec5db61 100644 +--- a/Resource/Init/gs_dps1.ps ++++ b/Resource/Init/gs_dps1.ps +@@ -21,7 +21,7 @@ level2dict begin + % ------ Virtual memory ------ % + + /currentshared /.currentglobal load def +-/scheck /.gcheck load def ++/scheck {.gcheck} bind odef + %****** FOLLOWING IS WRONG ****** + /shareddict currentdict /globaldict .knownget not { 20 dict } if def + +diff --git a/psi/interp.c b/psi/interp.c +index cd894f9..b70769d 100644 +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -678,6 +678,8 @@ again: + epref = &doref; + /* Push the error object on the operand stack if appropriate. */ + if (!GS_ERROR_IS_INTERRUPT(code)) { ++ byte buf[260], *bufptr; ++ uint rlen; + /* Replace the error object if within an oparray or .errorexec. */ + osp++; + if (osp >= ostop) { +@@ -686,23 +688,36 @@ again: + } + *osp = *perror_object; + errorexec_find(i_ctx_p, osp); +- /* If using SAFER, hand a name object to the error handler, rather than the executable +- * object/operator itself. +- */ +- if (i_ctx_p->LockFilePermissions) { ++ ++ if (!r_has_type(osp, t_string) && !r_has_type(osp, t_name)) { + code = obj_cvs(imemory, osp, buf + 2, 256, &rlen, (const byte **)&bufptr); + if (code < 0) { + const char *unknownstr = "--unknown--"; + rlen = strlen(unknownstr); + memcpy(buf, unknownstr, rlen); ++ bufptr = buf; + } + else { +- buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; +- rlen += 4; ++ ref *tobj; ++ bufptr[rlen] = '\0'; ++ /* Only pass a name object if the operator doesn't exist in systemdict ++ * i.e. it's an internal operator we have hidden ++ */ ++ code = dict_find_string(systemdict, (const char *)bufptr, &tobj); ++ if (code < 0) { ++ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-'; ++ rlen += 4; ++ bufptr = buf; ++ } ++ else { ++ bufptr = NULL; ++ } ++ } ++ if (bufptr) { ++ code = name_ref(imemory, buf, rlen, osp, 1); ++ if (code < 0) ++ make_null(osp); + } +- code = name_ref(imemory, buf, rlen, osp, 1); +- if (code < 0) +- make_null(osp); + } + } + goto again; +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch b/poky/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch new file mode 100644 index 000000000..4924b3cac --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch @@ -0,0 +1,31 @@ +From f0a61679d28bc1561640403d92492e199bc1c0f3 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Wed, 10 Oct 2018 23:25:51 +0100 +Subject: [PATCH 5/5] Bug 699938: .loadfontloop must be an operator + +In the fix for Bug 699816, I omitted to make .loadfontloop into an operator, to +better hide .forceundef and .putgstringcopy. + +CVE: CVE-2018-17961 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + Resource/Init/gs_fonts.ps | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 89c3ab7..72feff2 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -1148,7 +1148,7 @@ $error /SubstituteFont { } put + + } loop % end of loop + +- } bind executeonly def % must be bound and hidden for .putgstringcopy ++ } bind executeonly odef % must be bound and hidden for .putgstringcopy + + currentdict /.putgstringcopy .undef + +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/ghostscript/files/0006-Undefine-some-additional-internal-operators.patch b/poky/meta/recipes-extended/ghostscript/files/0006-Undefine-some-additional-internal-operators.patch new file mode 100644 index 000000000..19cf7cc8c --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/files/0006-Undefine-some-additional-internal-operators.patch @@ -0,0 +1,42 @@ +From 37d7c9117b70e75ebed21c6c8192251f127c0fb0 Mon Sep 17 00:00:00 2001 +From: Nancy Durgin <nancy.durgin@artifex.com> +Date: Mon, 5 Nov 2018 15:36:27 +0800 +Subject: [PATCH 1/2] Undefine some additional internal operators. + +.type, .writecvs, .setSMask, .currentSMask + +These don't seem to be referenced anywhere outside of the initialization code, +which binds their usages. Passes cluster if they are removed. + +CVE: CVE-2018-18073 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + Resource/Init/gs_init.ps | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index f952f32..7c71d18 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2230,6 +2230,7 @@ SAFER { .setsafeglobal } if + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath ++ /.type /.writecvs /.setSMask /.currentSMask + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode +@@ -2248,7 +2249,7 @@ SAFER { .setsafeglobal } if + % test files/utilities, or engineers expressed a desire to keep them visible. + % + %/currentdevice /.sort /.buildfont0 /.buildfont1 /.buildfont2 /.buildfont3 /.buildfont4 /.buildfont9 /.buildfont10 /.buildfont11 +- %/.buildfotn32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors ++ %/.buildfont32 /.buildfont42 /.type9mapcid /.type11mapcid /.swapcolors + %/currentdevice /.quit /.setuseciecolor /.needinput /.setoverprintmode /.special_op /.dicttomark /.knownget + %/.FAPIavailable /.FAPIpassfont /.FAPIrebuildfont /.FAPIBuildGlyph /.FAPIBuildChar /.FAPIBuildGlyph9 + %/.tempfile /.numicc_components /.set_outputintent /.max /.min /.vmreclaim /.getpath /.setglobal +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/ghostscript/files/0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch b/poky/meta/recipes-extended/ghostscript/files/0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch new file mode 100644 index 000000000..ad66fc3d6 --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/files/0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch @@ -0,0 +1,197 @@ +From 430f39144244ba4fd7b720cf87031e415e0fabce Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Mon, 5 Nov 2018 15:42:52 +0800 +Subject: [PATCH 2/2] Bug 699927: don't include operator arrays in execstack + output + +When we transfer the contents of the execution stack into the array, take the +extra step of replacing any operator arrays on the stack with the operator +that reference them. + +This prevents the contents of Postscript defined, internal only operators (those +created with .makeoperator) being exposed via execstack (and thus, via error +handling). + +This necessitates a change in the resource remapping 'resource', which contains +a procedure which relies on the contents of the operators arrays being present. +As we already had internal-only variants of countexecstack and execstack +(.countexecstack and .execstack) - using those, and leaving thier operation +including the operator arrays means the procedure continues to work correctly. + +Both .countexecstack and .execstack are undefined after initialization. + +Also, when we store the execstack (or part thereof) for an execstackoverflow +error, make the same oparray/operator substitution as above for execstack. + +CVE: CVE-2018-18073 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + Resource/Init/gs_init.ps | 4 ++-- + Resource/Init/gs_resmp.ps | 2 +- + psi/int.mak | 2 +- + psi/interp.c | 14 +++++++++++--- + psi/interp.h | 2 ++ + psi/zcontrol.c | 13 ++++++++++--- + 6 files changed, 27 insertions(+), 10 deletions(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index 7c71d18..f4c1053 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2191,7 +2191,7 @@ SAFER { .setsafeglobal } if + %% but can be easily restored (just delete the name from the list in the array). In future + %% we may remove the operator and the code implementation entirely. + [ +- /.bitadd /.charboxpath /.cond /.countexecstack /.execstack /.runandhide /.popdevicefilter ++ /.bitadd /.charboxpath /.cond /.runandhide /.popdevicefilter + /.execfile /.filenamesplit /.file_name_parent + /.setdefaultmatrix /.isprocfilter /.unread /.psstringencode + /.buildsampledfunction /.isencapfunction /.currentaccuratecurves /.currentcurvejoin /.currentdashadapt /.currentdotlength +@@ -2230,7 +2230,7 @@ SAFER { .setsafeglobal } if + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath +- /.type /.writecvs /.setSMask /.currentSMask ++ /.type /.writecvs /.setSMask /.currentSMask /.countexecstack /.execstack + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode +diff --git a/Resource/Init/gs_resmp.ps b/Resource/Init/gs_resmp.ps +index 7cacaf8..9bb4263 100644 +--- a/Resource/Init/gs_resmp.ps ++++ b/Resource/Init/gs_resmp.ps +@@ -183,7 +183,7 @@ setpacking + % We don't check them. + + currentglobal //false setglobal % <object> bGlobal +- countexecstack array execstack % <object> bGlobal [execstack] ++ //false .countexecstack array //false .execstack % <object> bGlobal [execstack] + dup //null exch % <object> bGlobal [execstack] null [execstack] + length 3 sub -1 0 { % <object> bGlobal [execstack] null i + 2 index exch get % <object> bGlobal [execstack] null proc +diff --git a/psi/int.mak b/psi/int.mak +index 5d9b3d5..6ab5bf0 100644 +--- a/psi/int.mak ++++ b/psi/int.mak +@@ -323,7 +323,7 @@ $(PSOBJ)zarray.$(OBJ) : $(PSSRC)zarray.c $(OP) $(memory__h)\ + + $(PSOBJ)zcontrol.$(OBJ) : $(PSSRC)zcontrol.c $(OP) $(string__h)\ + $(estack_h) $(files_h) $(ipacked_h) $(iutil_h) $(store_h) $(stream_h)\ +- $(INT_MAK) $(MAKEDIRS) ++ $(interp_h) $(INT_MAK) $(MAKEDIRS) + $(PSCC) $(PSO_)zcontrol.$(OBJ) $(C_) $(PSSRC)zcontrol.c + + $(PSOBJ)zdict.$(OBJ) : $(PSSRC)zdict.c $(OP)\ +diff --git a/psi/interp.c b/psi/interp.c +index b70769d..6dc0dda 100644 +--- a/psi/interp.c ++++ b/psi/interp.c +@@ -142,7 +142,6 @@ static int oparray_pop(i_ctx_t *); + static int oparray_cleanup(i_ctx_t *); + static int zerrorexec(i_ctx_t *); + static int zfinderrorobject(i_ctx_t *); +-static int errorexec_find(i_ctx_t *, ref *); + static int errorexec_pop(i_ctx_t *); + static int errorexec_cleanup(i_ctx_t *); + static int zsetstackprotect(i_ctx_t *); +@@ -761,7 +760,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr) + { + uint size = ref_stack_count(pstack) - skip; + uint save_space = ialloc_space(idmemory); +- int code; ++ int code, i; + + if (size > 65535) + size = 65535; +@@ -770,6 +769,15 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr) + if (code >= 0) + code = ref_stack_store(pstack, arr, size, 0, 1, true, idmemory, + "copy_stack"); ++ /* If we are copying the exec stack, try to replace any oparrays with ++ * with the operator than references them ++ */ ++ if (pstack == &e_stack) { ++ for (i = 0; i < size; i++) { ++ if (errorexec_find(i_ctx_p, &arr->value.refs[i]) < 0) ++ make_null(&arr->value.refs[i]); ++ } ++ } + ialloc_set_space(idmemory, save_space); + return code; + } +@@ -1934,7 +1942,7 @@ zfinderrorobject(i_ctx_t *i_ctx_p) + * .errorexec with errobj != null, store it in *perror_object and return 1, + * otherwise return 0; + */ +-static int ++int + errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object) + { + long i; +diff --git a/psi/interp.h b/psi/interp.h +index e9275b9..4f551d1 100644 +--- a/psi/interp.h ++++ b/psi/interp.h +@@ -91,5 +91,7 @@ void gs_interp_reset(i_ctx_t *i_ctx_p); + /* Define the top-level interface to the interpreter. */ + int gs_interpret(i_ctx_t **pi_ctx_p, ref * pref, int user_errors, + int *pexit_code, ref * perror_object); ++int ++errorexec_find(i_ctx_t *i_ctx_p, ref *perror_object); + + #endif /* interp_INCLUDED */ +diff --git a/psi/zcontrol.c b/psi/zcontrol.c +index 36da22c..0362cf4 100644 +--- a/psi/zcontrol.c ++++ b/psi/zcontrol.c +@@ -24,6 +24,7 @@ + #include "ipacked.h" + #include "iutil.h" + #include "store.h" ++#include "interp.h" + + /* Forward references */ + static int check_for_exec(const_os_ptr); +@@ -787,7 +788,7 @@ zexecstack2(i_ctx_t *i_ctx_p) + /* Continuation operator to do the actual transfer. */ + /* r_size(op1) was set just above. */ + static int +-do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1) ++do_execstack(i_ctx_t *i_ctx_p, bool include_marks, bool include_oparrays, os_ptr op1) + { + os_ptr op = osp; + ref *arefs = op1->value.refs; +@@ -829,6 +830,12 @@ do_execstack(i_ctx_t *i_ctx_p, bool include_marks, os_ptr op1) + strlen(tname), (const byte *)tname); + break; + } ++ case t_array: ++ case t_shortarray: ++ case t_mixedarray: ++ if (!include_oparrays && errorexec_find(i_ctx_p, rq) < 0) ++ make_null(rq); ++ break; + default: + ; + } +@@ -841,14 +848,14 @@ execstack_continue(i_ctx_t *i_ctx_p) + { + os_ptr op = osp; + +- return do_execstack(i_ctx_p, false, op); ++ return do_execstack(i_ctx_p, false, false, op); + } + static int + execstack2_continue(i_ctx_t *i_ctx_p) + { + os_ptr op = osp; + +- return do_execstack(i_ctx_p, op->value.boolval, op - 1); ++ return do_execstack(i_ctx_p, op->value.boolval, true, op - 1); + } + + /* - .needinput - */ +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/ghostscript/files/0008-Make-.forceput-unavailable-from-.policyprocs-helper-.patch b/poky/meta/recipes-extended/ghostscript/files/0008-Make-.forceput-unavailable-from-.policyprocs-helper-.patch new file mode 100644 index 000000000..7cc51629e --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/files/0008-Make-.forceput-unavailable-from-.policyprocs-helper-.patch @@ -0,0 +1,245 @@ +From 9096beaa4451c12dd2a2caf000658fbac4a5bcdf Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Mon, 5 Nov 2018 15:51:32 +0800 +Subject: [PATCH] Make .forceput unavailable from '.policyprocs' helper + dictionary + +Bug #69963 "1Policy is a dangerous operator, any callers should be odef" + +Leaving the .policyprocs dictionary with a procedure which is a simple +wrapper for .forceput effectively leaves .forceput available. + +It seems that the only reason to have .policyprocs is to minimise the +code in .applypolicies, so we can remove the dictionary and put the +code straight into .applypolicies, which we can then bind and make +executeonly, which hides the .forceput. Also, since we don't need +.applypolicies after startup, we can undefine that from systemdict too. + +While we're here, review all the uses of .force* to make certain that +there are no other similar cases. This showed a few places where we +hadn't made a function executeonly, so do that too. Its probably not +required, since I'm reasonably sure its impossible to load those +functions as packed arrays (they are all defined as operators), but lets +have a belt and braces approach, the additional time cost is negligible. + +CVE: CVE-2018-18284 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + Resource/Init/gs_diskn.ps | 2 +- + Resource/Init/gs_dps.ps | 2 +- + Resource/Init/gs_epsf.ps | 2 +- + Resource/Init/gs_fonts.ps | 4 +- + Resource/Init/gs_init.ps | 2 +- + Resource/Init/gs_setpd.ps | 100 ++++++++++++++++++++++++---------------------- + 6 files changed, 58 insertions(+), 54 deletions(-) + +diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps +index 26ec0b5..fd694bc 100644 +--- a/Resource/Init/gs_diskn.ps ++++ b/Resource/Init/gs_diskn.ps +@@ -61,7 +61,7 @@ systemdict begin + % doesn't get run enough to justify the complication + //.putdevparams + //systemdict /.searchabledevs .forceundef +-} .bind odef % must be bound and hidden for .forceundef ++} .bind executeonly odef % must be bound and hidden for .forceundef + + % ------ extend filenameforall to handle wildcards in %dev% part of pattern -------% + /filenameforall { +diff --git a/Resource/Init/gs_dps.ps b/Resource/Init/gs_dps.ps +index daf7b0f..00c14d5 100644 +--- a/Resource/Init/gs_dps.ps ++++ b/Resource/Init/gs_dps.ps +@@ -124,7 +124,7 @@ + /savedinitialgstate .systemvar setgstate gsave + % Wrap up. + end .setglobal +-} odef ++} bind executeonly odef + + % Check whether an object is a procedure. + /.proccheck { % <obj> .proccheck <bool> +diff --git a/Resource/Init/gs_epsf.ps b/Resource/Init/gs_epsf.ps +index e4037d9..2d0f677 100644 +--- a/Resource/Init/gs_epsf.ps ++++ b/Resource/Init/gs_epsf.ps +@@ -31,7 +31,7 @@ + /EPSBoundingBoxState 5 def + /EPSBoundingBoxSetState { + //systemdict /EPSBoundingBoxState 3 -1 roll .forceput +-} .bind odef % .forceput must be bound and hidden ++} .bind executeonly odef % .forceput must be bound and hidden + + % Parse 4 numbers for a bounding box + /EPSBoundingBoxParse { % (llx lly urx ury) -- llx lly urx ury true OR false +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 72feff2..803faca 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -583,7 +583,7 @@ buildfontdict 3 /.buildfont3 cvx put + } bind def + /.setloadingfont { + //systemdict /.loadingfont 3 -1 roll .forceput +-} .bind odef % .forceput must be bound and hidden ++} .bind executeonly odef % .forceput must be bound and hidden + /.loadfont + { % Some buggy fonts leave extra junk on the stack, + % so we have to make a closure that records the stack depth +@@ -1012,7 +1012,7 @@ $error /SubstituteFont { } put + dup length string copy + .forceput setglobal + } ifelse +-} .bind odef % must be bound and hidden for .forceput ++} .bind executeonly odef % must be bound and hidden for .forceput + + % Attempt to load a font from a file. + /.tryloadfont { % <fontname> .tryloadfont <font> true +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index f4c1053..07ee968 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2230,7 +2230,7 @@ SAFER { .setsafeglobal } if + /.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath +- /.type /.writecvs /.setSMask /.currentSMask /.countexecstack /.execstack ++ /.type /.writecvs /.setSMask /.currentSMask /.countexecstack /.execstack /.applypolicies + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode +diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps +index afb4ffa..7c076ad 100644 +--- a/Resource/Init/gs_setpd.ps ++++ b/Resource/Init/gs_setpd.ps +@@ -609,6 +609,23 @@ NOMEDIAATTRS { + % and we replace the key in the <merged> dictionary with its prior value + % (or remove it if it had no prior value). + ++% These procedures are called with the following on the stack: ++% <orig> <merged> <failed> <Policies> <key> <policy> ++% They are expected to consume the top 2 operands. ++% NOTE: we currently treat all values other than 0, 1, or 7 (for PageSize) ++% the same as 0, i.e., we signal an error. ++/0Policy { % Set errorinfo and signal a configurationerror. ++ NOMEDIAATTRS { ++ % NOMEDIAATTRS means that the default policy is 7... ++ pop 2 index exch 7 put ++ } { ++ pop dup 4 index exch get 2 array astore ++ $error /errorinfo 3 -1 roll put ++ cleartomark ++ /setpagedevice .systemvar /configurationerror signalerror ++ } ifelse ++} bind executeonly odef ++ + % Making this an operator means we can properly hide + % the contents - specifically .forceput + /1Policy +@@ -617,59 +634,46 @@ NOMEDIAATTRS { + SETPDDEBUG { (Rolling back.) = pstack flush } if + 3 index 2 index 3 -1 roll .forceput + 4 index 1 index .knownget +- { 4 index 3 1 roll .forceput } +- { 3 index exch .undef } ++ { 4 index 3 1 roll .forceput } ++ { 3 index exch .undef } + ifelse + } bind executeonly odef + +-/.policyprocs mark +-% These procedures are called with the following on the stack: +-% <orig> <merged> <failed> <Policies> <key> <policy> +-% They are expected to consume the top 2 operands. +-% NOTE: we currently treat all values other than 0, 1, or 7 (for PageSize) +-% the same as 0, i.e., we signal an error. +-% +-% M. Sweet, Easy Software Products: +-% +-% Define NOMEDIAATTRS to turn off the default (but unimplementable) media +-% selection policies for setpagedevice. This is used by CUPS to support +-% the standard Adobe media attributes. +- 0 { % Set errorinfo and signal a configurationerror. +- NOMEDIAATTRS { +- % NOMEDIAATTRS means that the default policy is 7... +- pop 2 index exch 7 put +- } { +- pop dup 4 index exch get 2 array astore +- $error /errorinfo 3 -1 roll put +- cleartomark +- /setpagedevice .systemvar /configurationerror signalerror +- } ifelse +- } bind +- 1 /1Policy load +- 7 { % For PageSize only, just impose the request. +- 1 index /PageSize eq +- { pop pop 1 index /PageSize 7 put } +- { .policyprocs 0 get exec } +- ifelse +- } bind +-.dicttomark readonly def +-currentdict /1Policy undef ++/7Policy { % For PageSize only, just impose the request. ++ 1 index /PageSize eq ++ { pop pop 1 index /PageSize 7 put } ++ { .policyprocs 0 get exec } ++ ifelse ++} bind executeonly odef + + /.applypolicies % <orig> <merged> <failed> .applypolicies + % <orig> <merged'> <failed'> +- { 1 index /Policies get 1 index +- { type /integertype eq +- { pop % already processed +- } +- { 2 copy .knownget not { 1 index /PolicyNotFound get } if +- % Stack: <orig> <merged> <failed> <Policies> <key> +- % <policy> +- .policyprocs 1 index .knownget not { .policyprocs 0 get } if exec +- } +- ifelse +- } +- forall pop +- } bind def ++{ ++ 1 index /Policies get 1 index ++ { type /integertype eq ++ { ++ pop % already processed ++ }{ ++ 2 copy .knownget not { 1 index /PolicyNotFound get } if ++ % Stack: <orig> <merged> <failed> <Policies> <key> ++ % <policy> ++ dup 1 eq { ++ 1Policy ++ }{ ++ dup 7 eq { ++ 7Policy ++ }{ ++ 0Policy ++ } ifelse ++ } ifelse ++ } ifelse ++ } ++ forall pop ++} bind executeonly odef ++ ++currentdict /0Policy undef ++currentdict /1Policy undef ++currentdict /7Policy undef + + % Prepare to present parameters to the device, by spreading them onto the + % operand stack and removing any that shouldn't be presented. +@@ -1006,7 +1010,7 @@ SETPDDEBUG { (Installing.) = pstack flush } if + .postinstall + } ifelse + setglobal % return to original VM allocation mode +-} odef ++} bind executeonly odef + + % We break out the code after calling the Install procedure into a + % separate procedure, since it is executed even if Install causes an error. +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/ghostscript/files/do-not-check-local-libpng-source.patch b/poky/meta/recipes-extended/ghostscript/files/do-not-check-local-libpng-source.patch index c3e44fe86..5834ffaf9 100644 --- a/poky/meta/recipes-extended/ghostscript/files/do-not-check-local-libpng-source.patch +++ b/poky/meta/recipes-extended/ghostscript/files/do-not-check-local-libpng-source.patch @@ -1,7 +1,7 @@ -From 5ef8b85bc98f3bd9a15d5f47e24d3e23ae27c265 Mon Sep 17 00:00:00 2001 +From a954bf29a5f906b3151dffbecb5856e02e1565da Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu.jia@windriver.com> Date: Mon, 18 Jan 2016 01:00:30 -0500 -Subject: [PATCH] configure.ac: do not check local png source +Subject: [PATCH 03/10] configure.ac: do not check local png source In oe-core, it did not need to compile local libpng source in ghostscript, so do not check local png @@ -16,10 +16,10 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac -index bf6d3f5..01df03f 100644 +index 9341930..80a60b1 100644 --- a/configure.ac +++ b/configure.ac -@@ -930,11 +930,11 @@ AC_SUBST(ZLIBDIR) +@@ -1114,11 +1114,11 @@ AC_SUBST(ZLIBDIR) AC_SUBST(FT_SYS_ZLIB) dnl png for the png output device; it also requires zlib @@ -34,5 +34,5 @@ index bf6d3f5..01df03f 100644 SHARE_LIBPNG=0 LIBPNGDIR=$srcdir/libpng -- -2.8.1 +1.8.3.1 |