[mickledore,03/27] ghostscript: fix CVE-2023-43115

Message ID	80a9b54ca94a9fe5818daa1cd03ae8035043e1e8.1697233866.git.steve@sakoman.com
State	New
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.176, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][mickledore 03/27] ghostscript: fix CVE-2023-43115 Date: Fri, 13 Oct 2023 11:52:27 -1000 Message-Id: <80a9b54ca94a9fe5818daa1cd03ae8035043e1e8.1697233866.git.steve@sakoman.com> In-Reply-To: <cover.1697233866.git.steve@sakoman.com> References: <cover.1697233866.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[mickledore,01/27] tiff: fix CVE-2023-40745 \| expand [mickledore,01/27] tiff: fix CVE-2023-40745 [mickledore,02/27] tiff: fix CVE-2023-41175 [mickledore,03/27] ghostscript: fix CVE-2023-43115 [mickledore,04/27] curl: fix CVE-2023-38545 [mickledore,05/27] curl: fix CVE-2023-38546 [mickledore,06/27] dbus: upgrade 1.14.8 -> 1.14.10 [mickledore,07/27] wireless-regdb: upgrade 2023.05.03 -> 2023.09.01 [mickledore,08/27] gzip: update 1.12 -> 1.13 [mickledore,09/27] screen: update 4.9.0 -> 4.9.1 [mickledore,10/27] vim: Upgrade 9.0.1894 -> 9.0.2009 [mickledore,11/27] nativesdk-intercept: Fix bad intercept chgrp/chown logic [mickledore,12/27] avahi: handle invalid service types gracefully [mickledore,13/27] runqemu: check permissions of available render nodes as well as their presence [mickledore,14/27] build-sysroots: target or native sysroot population need to be selected explicit… [mickledore,15/27] weston-init: remove misleading comment about udev rule [mickledore,16/27] weston-init: fix init code indentation [mickledore,17/27] libc-test: Run as non-root user [mickledore,18/27] oeqa dnf_runtime.py: fix HTTP server IP address and port [mickledore,19/27] oeqa/selftest/context.py: check git command return values [mickledore,20/27] igt-gpu-tools: do not write shortened git commit hash into binaries [mickledore,21/27] ptest: report tests that were killed on timeout [mickledore,22/27] strace: parallelize ptest [mickledore,23/27] openssl: parallelize tests [mickledore,24/27] openssl: ensure all ptest fails are caught [mickledore,25/27] libsoup-2.4: Only specify --cross-file when building for target [mickledore,26/27] oeqa/selftest/wic: Improve assertTrue calls [mickledore,27/27] gdb: fix RDEPENDS for PACKAGECONFIG[tui]

Message ID

80a9b54ca94a9fe5818daa1cd03ae8035043e1e8.1697233866.git.steve@sakoman.com

State

New

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 03/27] ghostscript: fix CVE-2023-43115
Date: Fri, 13 Oct 2023 11:52:27 -1000
Message-Id: 
 <80a9b54ca94a9fe5818daa1cd03ae8035043e1e8.1697233866.git.steve@sakoman.com>
In-Reply-To: <cover.1697233866.git.steve@sakoman.com>
References: <cover.1697233866.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[mickledore,01/27] tiff: fix CVE-2023-40745 | expand

Commit Message

Steve Sakoman Oct. 13, 2023, 9:52 p.m. UTC

From: Joe Slater <joe.slater@windriver.com>

The patch is copied from kirkstone.  master has advanced
to ghostscript 10.02.0 which includes the fix.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2023-43115.patch          | 62 +++++++++++++++++++
 .../ghostscript/ghostscript_10.0.0.bb         |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
new file mode 100644
index 0000000000..979f354ed5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@ 
+From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH] IJS device - try and secure the IJS server startup
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe]
+
+CVE: CVE-2023-43115
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ devices/gdevijs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 8cbd84b97..16f5a1752 100644
+--- a/devices/gdevijs.c
++++ b/devices/gdevijs.c
+@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
+     static const char rgb[] = "DeviceRGB";
+     gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+
++    if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++        return_error(gs_error_invalidaccess);
+     if (!ijsdev->ColorSpace) {
+         ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
+                                        "gsijs_initialize");
+@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+     if (code >= 0)
+         code = gsijs_read_string(plist, "IjsServer",
+             ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+-            dev->LockSafetyParams, is_open);
++            ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+
+     if (code >= 0)
+         code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
index 9e2cd01ff4..5c6be991d9 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
@@ -37,6 +37,7 @@  SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://cve-2023-28879.patch \
                 file://cve-2023-36664.patch \
                 file://CVE-2023-38559.patch \
+                file://CVE-2023-43115.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \

[mickledore,03/27] ghostscript: fix CVE-2023-43115

Commit Message

Patch