diff options
Diffstat (limited to 'app-text/ghostscript-gpl/files/ghostscript-gpl-9.54.0-CVE-2021-3781.patch')
| -rw-r--r-- | app-text/ghostscript-gpl/files/ghostscript-gpl-9.54.0-CVE-2021-3781.patch | 213 |
1 files changed, 0 insertions, 213 deletions
diff --git a/app-text/ghostscript-gpl/files/ghostscript-gpl-9.54.0-CVE-2021-3781.patch b/app-text/ghostscript-gpl/files/ghostscript-gpl-9.54.0-CVE-2021-3781.patch deleted file mode 100644 index 779bedad4bde..000000000000 --- a/app-text/ghostscript-gpl/files/ghostscript-gpl-9.54.0-CVE-2021-3781.patch +++ /dev/null @@ -1,213 +0,0 @@ -https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20 -https://bugs.gentoo.org/812509 - -From: Chris Liddell <chris.liddell@artifex.com> -Date: Tue, 7 Sep 2021 20:36:12 +0100 -Subject: [PATCH 1/1] Bug 704342: Include device specifier strings in access - validation - -for the "%pipe%", %handle%" and %printer% io devices. - -We previously validated only the part after the "%pipe%" Postscript device -specifier, but this proved insufficient. - -This rebuilds the original file name string, and validates it complete. The -slight complication for "%pipe%" is it can be reached implicitly using -"|" so we have to check both prefixes. - -Addresses CVE-2021-3781 ---- a/base/gdevpipe.c -+++ b/base/gdevpipe.c -@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, - #else - gs_lib_ctx_t *ctx = mem->gs_lib_ctx; - gs_fs_list_t *fs = ctx->core->fs; -+ /* The pipe device can be reached in two ways, explicltly with %pipe% -+ or implicitly with "|", so we have to check for both -+ */ -+ char f[gp_file_name_sizeof]; -+ const char *pipestr = "|"; -+ const size_t pipestrlen = strlen(pipestr); -+ const size_t preflen = strlen(iodev->dname); -+ const size_t nlen = strlen(fname); -+ int code1; -+ -+ if (preflen + nlen >= gp_file_name_sizeof) -+ return_error(gs_error_invalidaccess); -+ -+ memcpy(f, iodev->dname, preflen); -+ memcpy(f + preflen, fname, nlen + 1); -+ -+ code1 = gp_validate_path(mem, f, access); -+ -+ memcpy(f, pipestr, pipestrlen); -+ memcpy(f + pipestrlen, fname, nlen + 1); - -- if (gp_validate_path(mem, fname, access) != 0) -+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) - return gs_error_invalidfileaccess; - - /* ---- a/base/gp_mshdl.c -+++ b/base/gp_mshdl.c -@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, - long hfile; /* Correct for Win32, may be wrong for Win64 */ - gs_lib_ctx_t *ctx = mem->gs_lib_ctx; - gs_fs_list_t *fs = ctx->core->fs; -+ char f[gp_file_name_sizeof]; -+ const size_t preflen = strlen(iodev->dname); -+ const size_t nlen = strlen(fname); - -- if (gp_validate_path(mem, fname, access) != 0) -+ if (preflen + nlen >= gp_file_name_sizeof) -+ return_error(gs_error_invalidaccess); -+ -+ memcpy(f, iodev->dname, preflen); -+ memcpy(f + preflen, fname, nlen + 1); -+ -+ if (gp_validate_path(mem, f, access) != 0) - return gs_error_invalidfileaccess; - - /* First we try the open_handle method. */ ---- a/base/gp_msprn.c -+++ b/base/gp_msprn.c -@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, - uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; - gs_lib_ctx_t *ctx = mem->gs_lib_ctx; - gs_fs_list_t *fs = ctx->core->fs; -+ const size_t preflen = strlen(iodev->dname); -+ const size_t nlen = strlen(fname); - -- if (gp_validate_path(mem, fname, access) != 0) -+ if (preflen + nlen >= gp_file_name_sizeof) -+ return_error(gs_error_invalidaccess); -+ -+ memcpy(pname, iodev->dname, preflen); -+ memcpy(pname + preflen, fname, nlen + 1); -+ -+ if (gp_validate_path(mem, pname, access) != 0) - return gs_error_invalidfileaccess; - - /* First we try the open_printer method. */ ---- a/base/gp_os2pr.c -+++ b/base/gp_os2pr.c -@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, - FILE ** pfile, char *rfname, uint rnamelen) - { - os2_printer_t *pr = (os2_printer_t *)iodev->state; -- char driver_name[256]; -+ char driver_name[gp_file_name_sizeof]; - gs_lib_ctx_t *ctx = mem->gs_lib_ctx; - gs_fs_list_t *fs = ctx->core->fs; -+ const size_t preflen = strlen(iodev->dname); -+ const int size_t = strlen(fname); -+ -+ if (preflen + nlen >= gp_file_name_sizeof) -+ return_error(gs_error_invalidaccess); -+ -+ memcpy(driver_name, iodev->dname, preflen); -+ memcpy(driver_name + preflen, fname, nlen + 1); -+ -+ if (gp_validate_path(mem, driver_name, access) != 0) -+ return gs_error_invalidfileaccess; - - /* First we try the open_printer method. */ - /* Note that the loop condition here ensures we don't ---- a/base/gslibctx.c -+++ b/base/gslibctx.c -@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) - int - gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) - { -- char *fp, f[gp_file_name_sizeof]; -- const int pipe = 124; /* ASCII code for '|' */ -- const int len = strlen(fname); -- int i, code; -+ char f[gp_file_name_sizeof]; -+ int code; - - /* Be sure the string copy will fit */ -- if (len >= gp_file_name_sizeof) -+ if (strlen(fname) >= gp_file_name_sizeof) - return gs_error_rangecheck; - strcpy(f, fname); -- fp = f; - /* Try to rewrite any %d (or similar) in the string */ - rewrite_percent_specifiers(f); -- for (i = 0; i < len; i++) { -- if (f[i] == pipe) { -- fp = &f[i + 1]; -- /* Because we potentially have to check file permissions at two levels -- for the output file (gx_device_open_output_file and the low level -- fopen API, if we're using a pipe, we have to add both the full string, -- (including the '|', and just the command to which we pipe - since at -- the pipe_fopen(), the leading '|' has been stripped. -- */ -- code = gs_add_control_path(mem, gs_permit_file_writing, f); -- if (code < 0) -- return code; -- code = gs_add_control_path(mem, gs_permit_file_control, f); -- if (code < 0) -- return code; -- break; -- } -- if (!IS_WHITESPACE(f[i])) -- break; -- } -- code = gs_add_control_path(mem, gs_permit_file_control, fp); -+ -+ code = gs_add_control_path(mem, gs_permit_file_control, f); - if (code < 0) - return code; -- return gs_add_control_path(mem, gs_permit_file_writing, fp); -+ return gs_add_control_path(mem, gs_permit_file_writing, f); - } - - int - gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) - { -- char *fp, f[gp_file_name_sizeof]; -- const int pipe = 124; /* ASCII code for '|' */ -- const int len = strlen(fname); -- int i, code; -+ char f[gp_file_name_sizeof]; -+ int code; - - /* Be sure the string copy will fit */ -- if (len >= gp_file_name_sizeof) -+ if (strlen(fname) >= gp_file_name_sizeof) - return gs_error_rangecheck; - strcpy(f, fname); -- fp = f; - /* Try to rewrite any %d (or similar) in the string */ -- for (i = 0; i < len; i++) { -- if (f[i] == pipe) { -- fp = &f[i + 1]; -- /* Because we potentially have to check file permissions at two levels -- for the output file (gx_device_open_output_file and the low level -- fopen API, if we're using a pipe, we have to add both the full string, -- (including the '|', and just the command to which we pipe - since at -- the pipe_fopen(), the leading '|' has been stripped. -- */ -- code = gs_remove_control_path(mem, gs_permit_file_writing, f); -- if (code < 0) -- return code; -- code = gs_remove_control_path(mem, gs_permit_file_control, f); -- if (code < 0) -- return code; -- break; -- } -- if (!IS_WHITESPACE(f[i])) -- break; -- } -- code = gs_remove_control_path(mem, gs_permit_file_control, fp); -+ rewrite_percent_specifiers(f); -+ -+ code = gs_remove_control_path(mem, gs_permit_file_control, f); - if (code < 0) - return code; -- return gs_remove_control_path(mem, gs_permit_file_writing, fp); -+ return gs_remove_control_path(mem, gs_permit_file_writing, f); - } - - int |