mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-27 12:32:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

ghostscript: upgrade to 9.25

Browse Source 
Removed below patches, as v9.25 source already has those
changes/security fixes:

0001-Bug-699665-memory-corruption-in-aesdecode.patch
0001-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
0004-Hide-the-.shfill-operator.patch
0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
remove-direct-symlink.patch

Re-worked ghostscript-9.21-native-fix-disable-system-libtiff.patch
and ghostscript-9.21-prevent_recompiling.patch
to fix warnings in do_patch task of ghostscript v9.25 recipe.

Highlights of ghostscript v9.25 release:
---------------------------------------
- This release fixes problems with argument handling, some unintended results
  of the security fixes to the SAFER file access restrictions
  (specifically accessing ICC profile files), and some additional security
  issues over the recent 9.24 release.

- Note: The ps2epsi utility does not, and cannot call Ghostscript with
  the -dSAFER command line option. It should never be called with input
  from untrusted sources.

- Security issues have been the primary focus of this release, including
  solving several (well publicised) real and potential exploits.

- As well as Ghostscript itself, jbig2dec has had a significant amount of work
  improving its robustness in the face of out specification files.

- IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread
  safe, and cannot be made thread safe without breaking the ABI.
  Our fork will be thread safe, and include performance enhancements
  (these changes have all be been offered and rejected upstream). We will
  maintain compatibility between Ghostscript and LCMS2 for a time, but not in
  perpetuity. Our fork will be available as its own package separately from
  Ghostscript (and MuPDF).

- The usual round of bug fixes, compatibility changes, and incremental
  improvements.

(From OE-Core rev: 4340928b8878b91b5a2750eb6bc87918740511ca)

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Jagadeesh Krishnanjanappa
2018-09-17 22:14:50 +05:30
committed by Richard Purdie
parent 8a839b7e2b
commit ebecaa5f48
10 changed files with 13 additions and 396 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch
View File

@@ -1,56 +0,0 @@
From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Thu, 23 Aug 2018 15:42:02 +0100
Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode"
The specimen file calls aesdecode without specifying the key to be
used, though it does manage to do enough work with the PDF interpreter
routines to get access to aesdecode (which isn't normally available).
This causes us to read uninitialised memory, which can (and often does)
lead to a segmentation fault.
In this commit we set the key to NULL explicitly during intialisation
and then check it before we read it. If its NULL we just return.
It seems bizarre that we don't return error codes, we should probably
look into that at some point, but this prevents the code trying to
read uninitialised memory.
CVE: CVE-2018-15911
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
base/aes.c | 3 +++
base/saes.c | 1 +
2 files changed, 4 insertions(+)
diff --git a/base/aes.c b/base/aes.c
index a6bce93..e86f000 100644
--- a/base/aes.c
+++ b/base/aes.c
@@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx,
}
#endif
+ if (ctx == NULL || ctx->rk == NULL)
+ return;
+
RK = ctx->rk;
GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
diff --git a/base/saes.c b/base/saes.c
index 6db0e8b..307ed74 100644
--- a/base/saes.c
+++ b/base/saes.c
@@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr,
gs_throw(gs_error_VMerror, "could not allocate aes context");
return ERRC;
}
+ memset(state->ctx, 0x00, sizeof(aes_context));
if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) {
gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)",
state->keylength);
--
2.8.1

49
meta/recipes-extended/ghostscript/ghostscript/0001-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
View File

@@ -1,49 +0,0 @@
From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 18 Apr 2018 15:46:32 +0100
Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number
Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
The file uses an enormous parameter to xyxhow, causing an overflow in
the calculation of text positioning (value > 1e39).
Since this is basically a nonsense value, and PostScript only supports
real values up to 1e38, this patch follows the same approach as for
a degenerate CTM, and treats it as 0.
Adobe Acrobat Distiller throws a limitcheck error, so we could do that
instead if this approach proves to be a problem.
Upstream-Status: Backport
git://git.ghostscript.com/ghostpdl.git
CVE: CVE-2018-10194
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
devices/vector/gdevpdts.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
index 848ad78..172fe6b 100644
--- a/devices/vector/gdevpdts.c
+++ b/devices/vector/gdevpdts.c
@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
static int
set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
{
- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
+ int code;
double rounded;
+ if (dx > 1e38 || dy > 1e38)
+ code = gs_error_undefinedresult;
+ else
+ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
+
if (code == gs_error_undefinedresult) {
/* The CTM is degenerate.
Can't know the distance in user space.
--
2.7.4

53
meta/recipes-extended/ghostscript/ghostscript/0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
View File

@@ -1,53 +0,0 @@
From 1b516be5f6829ab6ce37835529ba08abd6d18663 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 21 Aug 2018 16:42:45 +0100
Subject: [PATCH 2/5] Bug 699656: Handle LockDistillerParams not being a
boolean
This caused a function call commented as "Can't fail" to fail, and resulted
in memory correuption and a segfault.
CVE: CVE-2018-15910
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
devices/vector/gdevpdfp.c | 2 +-
psi/iparam.c | 7 ++++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
index 522db7a..f2816b9 100644
--- a/devices/vector/gdevpdfp.c
+++ b/devices/vector/gdevpdfp.c
@@ -364,7 +364,7 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
* LockDistillerParams is read again, and reset if necessary, in
* psdf_put_params.
*/
- ecode = param_read_bool(plist, "LockDistillerParams", &locked);
+ ecode = param_read_bool(plist, (param_name = "LockDistillerParams"), &locked);
if (ecode < 0)
param_signal_error(plist, param_name, ecode);
diff --git a/psi/iparam.c b/psi/iparam.c
index 68c20d4..0279455 100644
--- a/psi/iparam.c
+++ b/psi/iparam.c
@@ -822,10 +822,11 @@ static int
ref_param_read_signal_error(gs_param_list * plist, gs_param_name pkey, int code)
{
iparam_list *const iplist = (iparam_list *) plist;
- iparam_loc loc;
+ iparam_loc loc = {0};
- ref_param_read(iplist, pkey, &loc, -1); /* can't fail */
- *loc.presult = code;
+ ref_param_read(iplist, pkey, &loc, -1);
+ if (loc.presult)
+ *loc.presult = code;
switch (ref_param_read_get_policy(plist, pkey)) {
case gs_param_policy_ignore:
return 0;
--
2.8.1

91
meta/recipes-extended/ghostscript/ghostscript/0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
View File

@@ -1,91 +0,0 @@
From 759238fd904aab1706dc1007826a13a670cda320 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Thu, 23 Aug 2018 14:12:48 +0100
Subject: [PATCH 3/5] Fix Bug 699660 "shading_param incomplete type checking"
Its possible to pass a t_struct parameter to .shfill which is not a
shading function built by .buildshading. This could then lead to memory
corruption or a segmentation fault by treating the object passed in
as if it were a shading.
Its non-trivial to check the t_struct, because this function can take
7 different kinds of structures as a parameter. Checking these is
possible, of course, but would add a performance penalty.
However, we can note that we never call .shfill without first calling
.buildshading, and we never call .buildshading without immediately
calling .shfill. So we can treat these as an atomic operation. The
.buildshading function takes all its parameters as PostScript objects
and validates them, so that should be safe.
This allows us to 'hide' the .shfill operator preventing the possibility
of passing an invalid parameter.
CVE: CVE-2018-15909
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
Resource/Init/gs_init.ps | 4 ++--
Resource/Init/gs_ll3.ps | 7 ++++++-
Resource/Init/pdf_draw.ps | 3 +--
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 6c8da53..1956ed5 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2181,8 +2181,8 @@ SAFER { .setsafeglobal } if
/.getiodevice /.getdevparms /.putdevparams /.bbox_transform /.matchmedia /.matchpagesize /.defaultpapersize
/.oserrno /.setoserrno /.oserrorstring /.getCPSImode
/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
-/.buildshading1 /.buildshadin2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
-/.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
+/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
+%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
index 5aa56a3..1d37e53 100644
--- a/Resource/Init/gs_ll3.ps
+++ b/Resource/Init/gs_ll3.ps
@@ -440,6 +440,11 @@ systemdict /.reuseparamdict mark
/shfill .systemvar /undefined signalerror
} ifelse
} bind def
+
+/.buildshading_and_shfill {
+ .buildshading .shfill
+} bind def
+
systemdict /.reuseparamdict undef
/.buildpattern2 { % <template> <matrix> .buildpattern2
@@ -464,7 +469,7 @@ systemdict /.reuseparamdict undef
% Currently, .shfill requires that the color space
% in the pattern be the current color space.
% Disable overprintmode for shfill
- { dup gsave 0 .setoverprintmode .buildshading .shfill } stopped
+ { dup gsave 0 .setoverprintmode .buildshading_and_shfill } stopped
grestore {
/$error .systemvar /errorinfo 2 copy known {
pop pop
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
index e8ca213..a7144d3 100644
--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
@@ -1365,9 +1365,8 @@ drawopdict begin
{ dup /.shading .knownget {
exch pop
} {
- .buildshading
+ .buildshading_and_shfill
} ifelse
- .shfill
} stopped {
pop
( **** Error: Ignoring invalid smooth shading object, output may be incorrect.\n)
--
2.8.1

35
meta/recipes-extended/ghostscript/ghostscript/0004-Hide-the-.shfill-operator.patch
View File

@@ -1,35 +0,0 @@
From ee9e8065e7d7b3adbc25fd655727ca72861ee032 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Fri, 24 Aug 2018 12:44:26 +0100
Subject: [PATCH 4/5] Hide the .shfill operator
Commit 0b6cd1918e1ec4ffd087400a754a845180a4522b was supposed to make
the .shfill operator unobtainable, but I accidentally left a comment
in the line doing so.
Fix it here, without this the operator can still be exploited.
CVE: CVE-2018-15909
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
Resource/Init/gs_init.ps | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index 1956ed5..955b843 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2182,7 +2182,7 @@ SAFER { .setsafeglobal } if
/.oserrno /.setoserrno /.oserrorstring /.getCPSImode
/.getscanconverter /.setscanconverter /.type1encrypt /.type1decrypt/.languagelevel /.setlanguagelevel /.eqproc /.fillpage /.buildpattern1 /.saslprep
/.buildshading1 /.buildshading2 /.buildshading3 /.buildshading4 /.buildshading5 /.buildshading6 /.buildshading7 /.buildshadingpattern
-%/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
+/.shfill /.argindex /.bytestring /.namestring /.stringbreak /.stringmatch /.globalvmarray /.globalvmdict /.globalvmpackedarray /.globalvmstring
/.localvmarray /.localvmdict /.localvmpackedarray /.localvmstring /.systemvmarray /.systemvmdict /.systemvmpackedarray /.systemvmstring /.systemvmfile /.systemvmlibfile
/.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams
/.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath
--
2.8.1

54
meta/recipes-extended/ghostscript/ghostscript/0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
View File

@@ -1,54 +0,0 @@
From f4f50ceea8e8852b8c3ac73f5807d8b54b735c3e Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 21 Aug 2018 20:17:05 +0100
Subject: [PATCH 5/5] Bug 699657: properly apply file permissions to .tempfile
CVE: CVE-2018-15908
Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
psi/zfile.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/psi/zfile.c b/psi/zfile.c
index a0acd5a..19996b0 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -134,7 +134,7 @@ check_file_permissions_reduced(i_ctx_t *i_ctx_p, const char *fname, int len,
/* we're protecting arbitrary file system accesses, not Postscript device accesses.
* Although, note that %pipe% is explicitly checked for and disallowed elsewhere
*/
- if (iodev != iodev_default(imemory)) {
+ if (iodev && iodev != iodev_default(imemory)) {
return 0;
}
@@ -734,7 +734,23 @@ ztempfile(i_ctx_t *i_ctx_p)
}
if (gp_file_name_is_absolute(pstr, strlen(pstr))) {
- if (check_file_permissions(i_ctx_p, pstr, strlen(pstr),
+ int plen = strlen(pstr);
+ const char *sep = gp_file_name_separator();
+#ifdef DEBUG
+ int seplen = strlen(sep);
+ if (seplen != 1)
+ return_error(gs_error_Fatal);
+#endif
+ /* strip off the file name prefix, leave just the directory name
+ * so we can check if we are allowed to write to it
+ */
+ for ( ; plen >=0; plen--) {
+ if (pstr[plen] == sep[0])
+ break;
+ }
+ memcpy(fname, pstr, plen);
+ fname[plen] = '\0';
+ if (check_file_permissions(i_ctx_p, fname, strlen(fname),
NULL, "PermitFileWriting") < 0) {
code = gs_note_error(gs_error_invalidfileaccess);
goto done;
--
2.8.1

9
meta/recipes-extended/ghostscript/ghostscript/ghostscript-9.21-native-fix-disable-system-libtiff.patch
View File

@@ -11,9 +11,10 @@ Upstream-Status: Pending
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Rebase to ghostscript 9.23.
Rebase to ghostscript 9.25.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
configure.ac | 5 +++++
1 file changed, 5 insertions(+)
@@ -22,15 +23,15 @@ diff --git a/configure.ac b/configure.ac
index 80a60b1..f3e9efb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1284,6 +1284,7 @@ case "x$with_system_libtiff" in
esac
@@ -1319,6 +1319,7 @@ AC_TRY_COMPILE([], [return 0;],
CFLAGS=$CGLAGS_STORE
if test x"$SHARE_LIBTIFF" = x"0" ; then
+ if test -e $LIBTIFFDIR/configure; then
echo "Running libtiff configure script..."
olddir=`pwd`
if ! test -d "$LIBTIFFCONFDIR" ; then
@@ -1302,6 +1303,10 @@ if test x"$SHARE_LIBTIFF" = x"0" ; then
@@ -1337,6 +1338,10 @@ if test x"$SHARE_LIBTIFF" = x"0" ; then
echo
echo "Continuing with Ghostscript configuration..."

9
meta/recipes-extended/ghostscript/ghostscript/ghostscript-9.21-prevent_recompiling.patch
View File

@@ -11,8 +11,9 @@ Upstream-Status: Pending
Signed-off-by: Kang Kai <kai.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Rebase to 9.23
Rebase to 9.25
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
base/unix-aux.mak | 44 --------------------------------------------
1 file changed, 44 deletions(-)
@@ -21,9 +22,9 @@ diff --git a/base/unix-aux.mak b/base/unix-aux.mak
index 5bf72e9..9cb39d7 100644
--- a/base/unix-aux.mak
+++ b/base/unix-aux.mak
@@ -64,50 +64,6 @@ $(GLOBJ)gp_sysv.$(OBJ): $(GLSRC)gp_sysv.c $(stdio__h) $(time__h) $(AK)\
$(UNIX_AUX_MAK) $(MAKEDIRS)
$(GLCC) $(GLO_)gp_sysv.$(OBJ) $(C_) $(GLSRC)gp_sysv.c
@@ -54,50 +54,6 @@ $(AUX)gp_stdia.$(OBJ): $(GLSRC)gp_stdia.
$(stdio__h) $(time__h) $(unistd__h) $(gx_h) $(gp_h) $(UNIX_AUX_MAK) $(MAKEDIRS)
$(GLCCAUX) $(AUXO_)gp_stdia.$(OBJ) $(C_) $(GLSRC)gp_stdia.c
-# -------------------------- Auxiliary programs --------------------------- #
-

40
meta/recipes-extended/ghostscript/ghostscript/remove-direct-symlink.patch
View File

@@ -1,40 +0,0 @@
From 2ce79942ca509663ddf8171f45d1d324bb71bad6 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Thu, 29 Mar 2018 17:22:35 +0800
Subject: [PATCH] remove direct symlink
The upstream create a direct symlink to stay backward
compatible, a symlink is automatically created to point
from the old location (/usr/share/ghostscript/<version>/doc)
to the new location.
It caused do_populate_sysroot failure
...
|ERROR: ghostscript-9.23-r0 do_populate_sysroot: sstate found an absolute
path symlink
...
Without the symlink is no harm for OE
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
base/unixinst.mak | 1 -
1 file changed, 1 deletion(-)
diff --git a/base/unixinst.mak b/base/unixinst.mak
index 7fec86c..0cf2361 100644
--- a/base/unixinst.mak
+++ b/base/unixinst.mak
@@ -165,7 +165,6 @@ install-doc: $(PSDOCDIR)/News.htm
$(SH) -c 'for f in $(DOC_PAGES) ;\
do if ( test -f $(PSDOCDIR)/$$f ); then $(INSTALL_DATA) $(PSDOCDIR)/$$f $(DESTDIR)$(docdir); fi;\
done'
- ln -s $(DESTDIR)$(docdir) $(DESTDIR)$(gsdatadir)/doc
# install the man pages for each locale
MAN_LCDIRS=. de
--
1.8.3.1