!57 sync patches from openEuler-22.03-LTS-SP2

From: @li_ning_jie Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2023-11-28 09:27:29 +00:00 · 2023-11-28 09:27:29 +00:00 · 9423c803da
commit 9423c803da
parent ad106bba6b 14035441c9
2 changed files with 65 additions and 1 deletions
--- a/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
+++ b/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
@ -0,0 +1,57 @@
 From e59216049cac290fb437a04c4f41ea46826cfba5 Mon Sep 17 00:00:00 2001
 From: Ken Sharp <ken.sharp@artifex.com>
 Date: Thu, 24 Aug 2023 15:24:35 +0100
 Subject: [PATCH 01/44] IJS device - try and secure the IJS server startup
 Bug #707051 ""ijs" device can execute arbitrary commands"
 The problem is that the 'IJS' device needs to start the IJS server, and
 that is indeed an arbitrary command line. There is (apparently) no way
 to validate it. Indeed, this is covered quite clearly in the comments
 at the start of the source:
 * WARNING: The ijs server can be selected on the gs command line
 * which is a security risk, since any program can be run.
 Previously this used the awful LockSafetyParams hackery, which we
 abandoned some time ago because it simply couldn't be made secure (it
 was implemented in PostScript and was therefore vulnerable to PostScript
 programs).
 This commit prevents PostScript programs switching to the IJS device
 after SAFER has been activated, and prevents changes to the IjsServer
 parameter after SAFER has been activated.
 SAFER is activated, unless explicitly disabled, before any user
 PostScript is executed which means that the device and the server
 invocation can only be configured on the command line. This does at
 least provide minimal security against malicious PostScript programs.
 ---
 devices/gdevijs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/devices/gdevijs.c b/devices/gdevijs.c
 index 8cbd84b97..16f5a1752 100644
 --- a/devices/gdevijs.c
 +++ b/devices/gdevijs.c
@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
     static const char rgb[] = "DeviceRGB";
     gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
 +    if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
 +        return_error(gs_error_invalidaccess);
     if (!ijsdev->ColorSpace) {
         ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
                                        "gsijs_initialize");
@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
     if (code >= 0)
         code = gsijs_read_string(plist, "IjsServer",
             ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
 -            dev->LockSafetyParams, is_open);
 +            ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
     if (code >= 0)
         code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
 -- 
 2.33.0
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -9,7 +9,7 @@
 Name:             ghostscript
 Version:          9.55.0
-Release:          5
+Release:          6
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@ -21,6 +21,7 @@ Patch2:  backport-CVE-2022-2085.patch
 Patch3:  CVE-2023-38559.patch
 Patch4:  CVE-2023-28879.patch
 Patch5:  CVE-2023-36664.patch
 Patch6:  backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@ -181,6 +182,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
 * Fri Sep 22 2023 dillon chen <dillon.chen@gmail.com> - 9.55.0-6
 - Type:CVE
 - ID:CVE-2023-43115
 - SUG:NA
 - DESC:fix CVE-2023-43115
 * Wed Sep 6 2023 liningjie <liningjie@xfusion.com> - 9.55.0-5
 - fix CVE-2023-36664