[Buildroot] [PATCH] package/ghostscript: add upstream security patch for CVE-2021-3781
Arnout Vandecappelle
arnout at mind.be
Wed Sep 22 19:27:26 UTC 2021
On 21/09/2021 21:16, Peter Korsgaard wrote:
> The file access protection built into Ghostscript proved insufficient for
> the "%pipe%" PostScript device, when combined with Ghostscript's requirement
> to be able to create and control temporary files in the conventional
> temporary file directories (for example, "/tmp" or "/temp). This exploit is
> restricted to Unix-like systems (i.e., it doesn't affect Windows). The most
> severe claimed results are only feasible if the exploit is run as a "high
> privilege" user (root/superuser level) \u2013 a practice we would discourage
> under any circumstances.
>
> For more details, see the advisory:
> https://ghostscript.com/CVE-2021-3781.html
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> ...de-device-specifier-strings-in-acces.patch | 234 ++++++++++++++++++
> package/ghostscript/ghostscript.mk | 3 +
> 2 files changed, 237 insertions(+)
> create mode 100644 package/ghostscript/0002-Bug-704342-Include-device-specifier-strings-in-acces.patch
>
> diff --git a/package/ghostscript/0002-Bug-704342-Include-device-specifier-strings-in-acces.patch b/package/ghostscript/0002-Bug-704342-Include-device-specifier-strings-in-acces.patch
> new file mode 100644
> index 0000000000..81436d8228
> --- /dev/null
> +++ b/package/ghostscript/0002-Bug-704342-Include-device-specifier-strings-in-acces.patch
> @@ -0,0 +1,234 @@
> +From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
> +From: Chris Liddell <chris.liddell at artifex.com>
> +Date: Tue, 7 Sep 2021 20:36:12 +0100
> +Subject: [PATCH] Bug 704342: Include device specifier strings in access
> + validation
> +
> +for the "%pipe%", %handle%" and %printer% io devices.
> +
> +We previously validated only the part after the "%pipe%" Postscript device
> +specifier, but this proved insufficient.
> +
> +This rebuilds the original file name string, and validates it complete. The
> +slight complication for "%pipe%" is it can be reached implicitly using
> +"|" so we have to check both prefixes.
> +
> +Addresses CVE-2021-3781
> +
> +Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> +---
> + base/gdevpipe.c | 22 +++++++++++++++-
> + base/gp_mshdl.c | 11 +++++++-
> + base/gp_msprn.c | 10 ++++++-
> + base/gp_os2pr.c | 13 +++++++++-
> + base/gslibctx.c | 69 ++++++++++---------------------------------------
> + 5 files changed, 65 insertions(+), 60 deletions(-)
> +
> +diff --git a/base/gdevpipe.c b/base/gdevpipe.c
> +index 96d71f5d8..5bdc485be 100644
> +--- a/base/gdevpipe.c
> ++++ b/base/gdevpipe.c
> +@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
> + #else
> + gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
> + gs_fs_list_t *fs = ctx->core->fs;
> ++ /* The pipe device can be reached in two ways, explicltly with %pipe%
> ++ or implicitly with "|", so we have to check for both
> ++ */
> ++ char f[gp_file_name_sizeof];
> ++ const char *pipestr = "|";
> ++ const size_t pipestrlen = strlen(pipestr);
> ++ const size_t preflen = strlen(iodev->dname);
> ++ const size_t nlen = strlen(fname);
> ++ int code1;
> ++
> ++ if (preflen + nlen >= gp_file_name_sizeof)
> ++ return_error(gs_error_invalidaccess);
> ++
> ++ memcpy(f, iodev->dname, preflen);
> ++ memcpy(f + preflen, fname, nlen + 1);
> ++
> ++ code1 = gp_validate_path(mem, f, access);
> ++
> ++ memcpy(f, pipestr, pipestrlen);
> ++ memcpy(f + pipestrlen, fname, nlen + 1);
> +
> +- if (gp_validate_path(mem, fname, access) != 0)
> ++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
> + return gs_error_invalidfileaccess;
> +
> + /*
> +diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
> +index 2b964ed74..8d87ceadc 100644
> +--- a/base/gp_mshdl.c
> ++++ b/base/gp_mshdl.c
> +@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
> + long hfile; /* Correct for Win32, may be wrong for Win64 */
> + gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
> + gs_fs_list_t *fs = ctx->core->fs;
> ++ char f[gp_file_name_sizeof];
> ++ const size_t preflen = strlen(iodev->dname);
> ++ const size_t nlen = strlen(fname);
> +
> +- if (gp_validate_path(mem, fname, access) != 0)
> ++ if (preflen + nlen >= gp_file_name_sizeof)
> ++ return_error(gs_error_invalidaccess);
> ++
> ++ memcpy(f, iodev->dname, preflen);
> ++ memcpy(f + preflen, fname, nlen + 1);
> ++
> ++ if (gp_validate_path(mem, f, access) != 0)
> + return gs_error_invalidfileaccess;
> +
> + /* First we try the open_handle method. */
> +diff --git a/base/gp_msprn.c b/base/gp_msprn.c
> +index ed4827968..746a974f7 100644
> +--- a/base/gp_msprn.c
> ++++ b/base/gp_msprn.c
> +@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
> + uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
> + gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
> + gs_fs_list_t *fs = ctx->core->fs;
> ++ const size_t preflen = strlen(iodev->dname);
> ++ const size_t nlen = strlen(fname);
> +
> +- if (gp_validate_path(mem, fname, access) != 0)
> ++ if (preflen + nlen >= gp_file_name_sizeof)
> ++ return_error(gs_error_invalidaccess);
> ++
> ++ memcpy(pname, iodev->dname, preflen);
> ++ memcpy(pname + preflen, fname, nlen + 1);
> ++
> ++ if (gp_validate_path(mem, pname, access) != 0)
> + return gs_error_invalidfileaccess;
> +
> + /* First we try the open_printer method. */
> +diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
> +index f852c71fc..ba54cde66 100644
> +--- a/base/gp_os2pr.c
> ++++ b/base/gp_os2pr.c
> +@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
> + FILE ** pfile, char *rfname, uint rnamelen)
> + {
> + os2_printer_t *pr = (os2_printer_t *)iodev->state;
> +- char driver_name[256];
> ++ char driver_name[gp_file_name_sizeof];
> + gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
> + gs_fs_list_t *fs = ctx->core->fs;
> ++ const size_t preflen = strlen(iodev->dname);
> ++ const int size_t = strlen(fname);
> ++
> ++ if (preflen + nlen >= gp_file_name_sizeof)
> ++ return_error(gs_error_invalidaccess);
> ++
> ++ memcpy(driver_name, iodev->dname, preflen);
> ++ memcpy(driver_name + preflen, fname, nlen + 1);
> ++
> ++ if (gp_validate_path(mem, driver_name, access) != 0)
> ++ return gs_error_invalidfileaccess;
> +
> + /* First we try the open_printer method. */
> + /* Note that the loop condition here ensures we don't
> +diff --git a/base/gslibctx.c b/base/gslibctx.c
> +index 6dfed6cd5..318039fad 100644
> +--- a/base/gslibctx.c
> ++++ b/base/gslibctx.c
> +@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
> + int
> + gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
> + {
> +- char *fp, f[gp_file_name_sizeof];
> +- const int pipe = 124; /* ASCII code for '|' */
> +- const int len = strlen(fname);
> +- int i, code;
> ++ char f[gp_file_name_sizeof];
> ++ int code;
> +
> + /* Be sure the string copy will fit */
> +- if (len >= gp_file_name_sizeof)
> ++ if (strlen(fname) >= gp_file_name_sizeof)
> + return gs_error_rangecheck;
> + strcpy(f, fname);
> +- fp = f;
> + /* Try to rewrite any %d (or similar) in the string */
> + rewrite_percent_specifiers(f);
> +- for (i = 0; i < len; i++) {
> +- if (f[i] == pipe) {
> +- fp = &f[i + 1];
> +- /* Because we potentially have to check file permissions at two levels
> +- for the output file (gx_device_open_output_file and the low level
> +- fopen API, if we're using a pipe, we have to add both the full string,
> +- (including the '|', and just the command to which we pipe - since at
> +- the pipe_fopen(), the leading '|' has been stripped.
> +- */
> +- code = gs_add_control_path(mem, gs_permit_file_writing, f);
> +- if (code < 0)
> +- return code;
> +- code = gs_add_control_path(mem, gs_permit_file_control, f);
> +- if (code < 0)
> +- return code;
> +- break;
> +- }
> +- if (!IS_WHITESPACE(f[i]))
> +- break;
> +- }
> +- code = gs_add_control_path(mem, gs_permit_file_control, fp);
> ++
> ++ code = gs_add_control_path(mem, gs_permit_file_control, f);
> + if (code < 0)
> + return code;
> +- return gs_add_control_path(mem, gs_permit_file_writing, fp);
> ++ return gs_add_control_path(mem, gs_permit_file_writing, f);
> + }
> +
> + int
> + gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
> + {
> +- char *fp, f[gp_file_name_sizeof];
> +- const int pipe = 124; /* ASCII code for '|' */
> +- const int len = strlen(fname);
> +- int i, code;
> ++ char f[gp_file_name_sizeof];
> ++ int code;
> +
> + /* Be sure the string copy will fit */
> +- if (len >= gp_file_name_sizeof)
> ++ if (strlen(fname) >= gp_file_name_sizeof)
> + return gs_error_rangecheck;
> + strcpy(f, fname);
> +- fp = f;
> + /* Try to rewrite any %d (or similar) in the string */
> +- for (i = 0; i < len; i++) {
> +- if (f[i] == pipe) {
> +- fp = &f[i + 1];
> +- /* Because we potentially have to check file permissions at two levels
> +- for the output file (gx_device_open_output_file and the low level
> +- fopen API, if we're using a pipe, we have to add both the full string,
> +- (including the '|', and just the command to which we pipe - since at
> +- the pipe_fopen(), the leading '|' has been stripped.
> +- */
> +- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
> +- if (code < 0)
> +- return code;
> +- code = gs_remove_control_path(mem, gs_permit_file_control, f);
> +- if (code < 0)
> +- return code;
> +- break;
> +- }
> +- if (!IS_WHITESPACE(f[i]))
> +- break;
> +- }
> +- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
> ++ rewrite_percent_specifiers(f);
> ++
> ++ code = gs_remove_control_path(mem, gs_permit_file_control, f);
> + if (code < 0)
> + return code;
> +- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
> ++ return gs_remove_control_path(mem, gs_permit_file_writing, f);
> + }
> +
> + int
> +--
> +2.20.1
> +
> diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk
> index 5b50c94405..ca24c61678 100644
> --- a/package/ghostscript/ghostscript.mk
> +++ b/package/ghostscript/ghostscript.mk
> @@ -21,6 +21,9 @@ GHOSTSCRIPT_DEPENDENCIES = \
> libpng \
> tiff
>
> +# 0002-Bug-704342-Include-device-specifier-strings-in-acces.patch
> +GHOSTSCRIPT_IGNORE_CVES += CVE-2021-3781
> +
> # Ghostscript includes (old) copies of several libraries, delete them.
> # Inspired by linuxfromscratch:
> # http://www.linuxfromscratch.org/blfs/view/svn/pst/gs.html
>
More information about the buildroot
mailing list