mirror of
https://git.yoctoproject.org/poky
synced 2026-04-26 09:32:14 +02:00
ba1a77347c
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36664 Upstream patches: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099 (From OE-Core rev: cd3921215cb782ecc9aeda5bb3b76863911bcb61) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
61 lines
2.6 KiB
Diff
61 lines
2.6 KiB
Diff
From f96350aeb7f8c2e3f7129866c694a24f241db18c Mon Sep 17 00:00:00 2001
|
|
From: Chris Liddell <chris.liddell@artifex.com>
|
|
Date: Wed, 14 Jun 2023 09:08:12 +0100
|
|
Subject: [PATCH 2/2] Bug 706778: 706761 revisit
|
|
|
|
Two problems with the original commit. The first a silly typo inverting the
|
|
logic of a test.
|
|
|
|
The second was forgetting that we actually actually validate two candidate
|
|
strings for pipe devices. One with the expected "%pipe%" prefix, the other
|
|
using the pipe character prefix: "|".
|
|
|
|
This addresses both those.
|
|
|
|
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099]
|
|
CVE: CVE-2023-36664
|
|
|
|
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
|
---
|
|
base/gpmisc.c | 2 +-
|
|
base/gslibctx.c | 4 ++--
|
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/base/gpmisc.c b/base/gpmisc.c
|
|
index c61ab3f..e459f6a 100644
|
|
--- a/base/gpmisc.c
|
|
+++ b/base/gpmisc.c
|
|
@@ -1080,7 +1080,7 @@ gp_validate_path_len(const gs_memory_t *mem,
|
|
/* "%pipe%" do not follow the normal rules for path definitions, so we
|
|
don't "reduce" them to avoid unexpected results
|
|
*/
|
|
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
|
|
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
|
bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
|
|
if (buffer == NULL)
|
|
return gs_error_VMerror;
|
|
diff --git a/base/gslibctx.c b/base/gslibctx.c
|
|
index 5fdfe25..2a1addf 100644
|
|
--- a/base/gslibctx.c
|
|
+++ b/base/gslibctx.c
|
|
@@ -737,7 +737,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
|
|
/* "%pipe%" do not follow the normal rules for path definitions, so we
|
|
don't "reduce" them to avoid unexpected results
|
|
*/
|
|
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
|
|
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
|
buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
|
|
if (buffer == NULL)
|
|
return gs_error_VMerror;
|
|
@@ -844,7 +844,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
|
|
/* "%pipe%" do not follow the normal rules for path definitions, so we
|
|
don't "reduce" them to avoid unexpected results
|
|
*/
|
|
- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
|
|
+ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
|
|
buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
|
|
if (buffer == NULL)
|
|
return gs_error_VMerror;
|
|
--
|
|
2.40.1
|