ghostscript: upgrade 10.02.1 -> 10.03.1

avoid-host-contamination.patch refreshed for 10.03.1

The patches below are no longer needed, as they are included in this upgrade:

1. CVE-2024-29510.patch
2. CVE-2024-33869-0001.patch
3. CVE-2024-33869-0002.patch
4. CVE-2024-33870.patch
5. CVE-2024-33871.patch
6. configure.ac-add-option-to-explicitly-disable-neon.patch

This patch release also addresses the following security bugs:
CVE-2024-29506
CVE-2024-29507
CVE-2024-29508
CVE-2024-29509
CVE-2024-29511

(From OE-Core rev: 9a424fbcdc0c792ff3b99bf0e8a5e380582f53bc)

(From OE-Core rev: 2a19132aca9d62be0d1e58444b0a8881456311dc)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Hitendra Prajapati
2024-07-08 11:58:40 +05:30
committed by Steve Sakoman
parent ca27724b44
commit 262cb8eb14
8 changed files with 5 additions and 430 deletions


@@ -1,84 +0,0 @@
From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Thu, 21 Mar 2024 09:01:15 +0000
Subject: [PATCH 5/5] Uniprint device - prevent string configuration changes
when SAFER
Bug #707662
We cannot sanitise the string arguments used by the Uniprint device
because they can potentially include anything.
This commit ensures that these strings are locked and cannot be
changed by PostScript once SAFER is activated. Full configuration from
the command line is still possible (see the *.upp files in lib).
This addresses CVE-2024-29510
CVE: CVE-2024-29510
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/devices/gdevupd.c b/devices/gdevupd.c
index 740dae0..a50571a 100644
--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
@@ -1887,6 +1887,16 @@ out on this copies.
if(!upd_strings[i]) continue;
UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (strings[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRINGS;
UPD_MM_DEL_PARAM(udev->memory, strings[i]);
if(!value.size) {
@@ -1904,6 +1914,26 @@ out on this copies.
if(!upd_string_a[i]) continue;
UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory);
if(0 == code) {
+ if (gs_is_path_control_active(udev->memory)) {
+ if (string_a[i].size != value.size)
+ error = gs_error_invalidaccess;
+ else {
+ int loop;
+ for (loop = 0;loop < string_a[i].size;loop++) {
+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]);
+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop];
+
+ if (tmp1->size != tmp2->size)
+ error = gs_error_invalidaccess;
+ else {
+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0)
+ error = gs_error_invalidaccess;
+ }
+ }
+ }
+ if (error < 0)
+ goto exit;
+ }
if(0 <= error) error |= UPD_PUT_STRING_A;
UPD_MM_DEL_APARAM(udev->memory, string_a[i]);
if(!value.size) {
@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may
if(0 > code) error = code;
}
+exit:
if(0 < error) { /* Actually something loaded without error */
if(!(upd = udev->upd)) {
--
2.40.0


@@ -1,39 +0,0 @@
From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Tue, 26 Mar 2024 12:02:57 +0000
Subject: [PATCH 2/5] Bug #707691
Part 1; when stripping a potential Current Working Dirctory specifier
from a path, make certain it really is a CWD, and not simply large
ebough to be a CWD.
Reasons are in the bug thread, this is not (IMO) serious.
This is part of the fix for CVE-2024-33869
CVE: CVE-2024-33869
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
base/gpmisc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index c4a69b0..1d4d5d8 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1164,8 +1164,8 @@ gp_validate_path_len(const gs_memory_t *mem,
continue;
}
- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
- buffer = bufferfull + cdirstrl + dirsepstrl;
+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull
+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) {
continue;
}
break;
--
2.40.0


@@ -1,52 +0,0 @@
From f5336e5b4154f515ac83bc5b9eba94302e6618d4 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Tue, 26 Mar 2024 12:07:18 +0000
Subject: [PATCH 3/5] Bug 707691 part 2
See bug thread for details
This is the second part of the fix for CVE-2024-33869
CVE: CVE-2024-33869
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
base/gpmisc.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 1d4d5d8..b0d5c71 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem,
rlen = len;
}
else {
+ char *test = (char *)path, *test1;
+ uint tlen = len, slen;
+
+ /* Look for any pipe (%pipe% or '|' specifications between path separators
+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start.
+ */
+ while (tlen > 0) {
+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+ test1 = test;
+ slen = search_separator((const char **)&test, path + len, test1, 1);
+ if(slen == 0)
+ break;
+ test += slen;
+ tlen -= test - test1;
+ if (test >= path + len)
+ break;
+ }
+
rlen = len+1;
bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
if (bufferfull == NULL)
--
2.40.0


@@ -1,99 +0,0 @@
From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001
From: Ken Sharp <Ken.Sharp@artifex.com>
Date: Tue, 26 Mar 2024 12:00:14 +0000
Subject: [PATCH 1/5] Bug #707686
See bug thread for details
In addition to the noted bug; an error path (return from
gp_file_name_reduce not successful) could elad to a memory leak as we
did not free 'bufferfull'. Fix that too.
This addresses CVE-2024-33870
CVE: CVE-2024-33870
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 2b0064b..c4a69b0 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2023 Artifex Software, Inc.
+/* Copyright (C) 2001-2024 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem,
const uint len,
const char *mode)
{
- char *buffer, *bufferfull;
+ char *buffer, *bufferfull = NULL;
uint rlen;
int code = 0;
const char *cdirstr = gp_file_name_current();
@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem,
return gs_error_VMerror;
buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
buffer[rlen] = 0;
}
while (1) {
@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem,
code = gs_note_error(gs_error_invalidfileaccess);
}
if (code < 0 && prefix_len > 0 && buffer > bufferfull) {
+ uint newlen = rlen + cdirstrl + dirsepstrl;
+ char *newbuffer;
+ int code;
+
buffer = bufferfull;
memcpy(buffer, cdirstr, cdirstrl);
memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl);
+
+ /* We've prepended a './' or similar for the current working directory. We need
+ * to execute file_name_reduce on that, to eliminate any '../' or similar from
+ * the (new) full path.
+ */
+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path");
+ if (newbuffer == NULL) {
+ code = gs_note_error(gs_error_VMerror);
+ goto exit;
+ }
+
+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl);
+ newbuffer[newlen] = 0x00;
+
+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen);
+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path");
+ if (code != gp_combine_success) {
+ code = gs_note_error(gs_error_invalidfileaccess);
+ goto exit;
+ }
+
continue;
}
else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) {
@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem,
gs_path_control_flag_is_scratch_file);
}
+exit:
gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
#ifdef EACCES
if (code == gs_error_invalidfileaccess)
--
2.40.0


@@ -1,43 +0,0 @@
From 7145885041bb52cc23964f0aa2aec1b1c82b5908 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Mon, 22 Apr 2024 13:33:47 +0100
Subject: [PATCH 4/5] OPVP device - prevent unsafe parameter change with SAFER
Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library"
The "Driver" parameter for the "opvp"/"oprp" device specifies the name
of a dynamic library and allows any library to be loaded.
The patch does not allow changing this parameter after activating path
control.
This addresses CVE-2024-33871
CVE: CVE-2024-33871
Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc2396]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
contrib/opvp/gdevopvp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c
index 74200cf..80eb23b 100644
--- a/contrib/opvp/gdevopvp.c
+++ b/contrib/opvp/gdevopvp.c
@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist)
code = param_read_string(plist, pname, &vdps);
switch (code) {
case 0:
+ if (gs_is_path_control_active(dev->memory)
+ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size
+ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) {
+ param_signal_error(plist, pname, gs_error_invalidaccess);
+ return_error(gs_error_invalidaccess);
+ }
buff = realloc(buff, vdps.size + 1);
memcpy(buff, vdps.data, vdps.size);
buff[vdps.size] = 0;
--
2.40.0


@@ -1,7 +1,7 @@
From 0ccbaa134093bf6afc79f2d20d061bca5a8754ed Mon Sep 17 00:00:00 2001
From b36713c8f1ba0e5755b78845a433354a63663b1a Mon Sep 17 00:00:00 2001
From: Kai Kang <kai.kang@windriver.com>
Date: Thu, 29 Mar 2018 16:02:05 +0800
Subject: [PATCH 04/10] avoid host contamination
Subject: [PATCH] avoid host contamination
Remove hardcode path refer to host to avoid host contamination.
@@ -15,10 +15,10 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/devices/devs.mak b/devices/devs.mak
index 846aa50..9570182 100644
index 186f704..88ab8c9 100644
--- a/devices/devs.mak
+++ b/devices/devs.mak
@@ -393,7 +393,7 @@ $(DEVOBJ)gdevxalt.$(OBJ) : $(DEVSRC)gdevxalt.c $(GDEVX) $(math__h) $(memory__h)\
@@ -397,7 +397,7 @@ $(DEVOBJ)gdevxalt.$(OBJ) : $(DEVSRC)gdevxalt.c $(GDEVX) $(math__h) $(memory__h)\
### NON PORTABLE, ONLY UNIX WITH GCC SUPPORT
$(DEVOBJ)X11.so : $(x11alt_) $(x11_) $(DEVS_MAK) $(MAKEDIRS)
@@ -27,6 +27,3 @@ index 846aa50..9570182 100644
###### --------------- Memory-buffered printer devices --------------- ######
--
1.8.3.1


@@ -1,99 +0,0 @@
From fd37229a17822c5ad21a369f670b8a6f6cc6b95b Mon Sep 17 00:00:00 2001
From: Benjamin Bara <benjamin.bara@skidata.com>
Date: Mon, 4 Sep 2023 12:16:39 +0200
Subject: [PATCH] configure.ac: add option to explicitly disable neon
Uncomment an already existing possibility to explicitly disable neon and
use it on both implemented neon checks.
Upstream-Status: Submitted [https://bugs.ghostscript.com/show_bug.cgi?id=707097]
Signed-off-by: Benjamin Bara <benjamin.bara@skidata.com>
---
configure.ac | 52 +++++++++++++++++++++++++++++-----------------------
1 file changed, 29 insertions(+), 23 deletions(-)
diff --git a/configure.ac b/configure.ac
index 09d881dd1..62718e15e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -749,6 +749,33 @@ SUBCONFIG_OPTS="--build=$build --host=$host"
# SUBCONFIG_OPTS="$SUBCONFIG_OPTS --host=$host_alias"
#fi
+dnl --------------------------------------------------
+dnl Check for NEON support
+dnl --------------------------------------------------
+save_cflags=$CFLAGS
+AC_MSG_CHECKING([neon support])
+CFLAGS="$save_cflags $OPT_CFLAGS -mfpu=neon -mcpu=cortex-a53"
+HAVE_NEON=""
+AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([#include "arm_neon.h"], [
+ int32x4_t round = vdupq_n_s32(10);
+ return(0);
+ ])],
+ [HAVE_NEON="-DHAVE_NEON"], [HAVE_NEON=""])
+
+AC_ARG_ENABLE([neon], AS_HELP_STRING([--disable-neon],
+ [Do not use neon instrinsics]), [
+ if test "x$enable_neon" = xno; then
+ HAVE_NEON=""
+ fi])
+
+if test "x$HAVE_NEON" != x; then
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+CFLAGS=$save_cflags
+
dnl --------------------------------------------------
dnl Check for libraries
dnl --------------------------------------------------
@@ -971,11 +998,12 @@ if test x$with_tesseract != xno; then
[TESS_NEON="-mfpu=neon -mcpu=cortex-a53 -D__ARM_NEON__"],
[TESS_NEON=""])
- if test "x$TESS_NEON" != x; then
+ if test "x$TESS_NEON" != x && test "x$enable_neon" != xno; then
AC_MSG_RESULT(yes)
TESS_CXXFLAGS="$TESS_CXXFLAGS -DHAVE_NEON"
else
AC_MSG_RESULT(no)
+ TESS_NEON=""
fi
CXXFLAGS="$save_cxxflags"
@@ -2387,28 +2415,6 @@ if test x$WITH_CAL != x0; then
AC_MSG_RESULT(no)
fi
- AC_MSG_CHECKING([neon support])
- CFLAGS="$save_cflags $OPT_CFLAGS -mfpu=neon -mcpu=cortex-a53"
- HAVE_NEON=""
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([#include "arm_neon.h"], [
- int32x4_t round = vdupq_n_s32(10);
- return(0);
- ])],
- [HAVE_NEON="-DHAVE_NEON"], [HAVE_NEON=""])
-
- #AC_ARG_ENABLE([neon], AS_HELP_STRING([--disable-neon],
- # [Do not use neon instrinsics]), [
- # if test "x$enable_neon" = xno; then
- # HAVE_NEON=""
- # fi])
-
- if test "x$HAVE_NEON" != x; then
- AC_MSG_RESULT(yes)
- else
- AC_MSG_RESULT(no)
- fi
-
#AC_SUBST(HAVE_SSE4_2)
#AC_SUBST(HAVE_NEON)
CFLAGS=$save_cflags
--
2.34.1


@@ -25,15 +25,9 @@ def gs_verdir(v):
SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${@gs_verdir("${PV}")}/${BPN}-${PV}.tar.gz \
file://ghostscript-9.16-Werror-return-type.patch \
file://avoid-host-contamination.patch \
file://configure.ac-add-option-to-explicitly-disable-neon.patch \
file://CVE-2024-33870.patch \
file://CVE-2024-33869-0001.patch \
file://CVE-2024-33869-0002.patch \
file://CVE-2024-33871.patch \
file://CVE-2024-29510.patch \
"
SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9"
SRC_URI[sha256sum] = "31cd01682ad23a801cc3bbc222a55f07c4ea3e068bdfb447792d54db21a2e8ad"
PACKAGECONFIG ??= ""
PACKAGECONFIG[gtk] = "--enable-gtk,--disable-gtk,gtk+3"