| From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001 |
| From: Ken Sharp <ken.sharp@artifex.com> |
| Date: Tue, 20 Aug 2019 10:10:28 +0100 |
| Subject: [PATCH] make .forceput inaccessible |
| |
| Bug #701343, #701344, #701345 |
| |
| More defensive programming. We don't want people to access .forceput |
| even though it is no longer sufficient to bypass SAFER. The exploit |
| in #701343 didn't work anyway because of earlier work to stop the error |
| handler being used, but nevertheless, prevent access to .forceput from |
| .setuserparams2. |
| |
| CVE: CVE-2019-14811 |
| Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| |
| Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> |
| --- |
| Resource/Init/gs_lev2.ps | 6 +++--- |
| Resource/Init/gs_pdfwr.ps | 4 ++-- |
| 2 files changed, 5 insertions(+), 5 deletions(-) |
| |
| diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps |
| index 98d55fe..f1b771f 100644 |
| --- a/Resource/Init/gs_lev2.ps |
| +++ b/Resource/Init/gs_lev2.ps |
| @@ -158,7 +158,7 @@ end |
| { |
| pop pop |
| } ifelse |
| - } forall |
| + } executeonly forall |
| % A context switch might have occurred during the above loop, |
| % causing the interpreter-level parameters to be reset. |
| % Set them again to the new values. From here on, we are safe, |
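Review bot: The `executeonly` added before `forall` has no comment saying why it is there, so a later cleanup could remove it as redundant. A one-line comment next to it would record the intent, for example `% executeonly: keep this loop body unreadable if an error handler ever gets hold of it`. The same applies to the two additions in the second gs_lev2.ps hunk (`} executeonly` and `} .bind executeonly odef`) and to both additions in gs_pdfwr.ps. The procedure body starts outside this hunk, so its link to .forceput is taken from the commit message rather than from visible lines.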
| @@ -229,9 +229,9 @@ end |
| { pop pop |
| } |
| ifelse |
| - } |
| + } executeonly |
| forall pop |
| -} .bind odef |
| +} .bind executeonly odef |
| |
| % Initialize the passwords. |
| % NOTE: the names StartJobPassword and SystemParamsPassword are known to |
| diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps |
| index 00c19fa..dfe504d 100644 |
| --- a/Resource/Init/gs_pdfwr.ps |
| +++ b/Resource/Init/gs_pdfwr.ps |
| @@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef |
| systemdict /.pdf_hooked_DSC_Creator //true .forceput |
| } executeonly if |
| pop |
| - } if |
| + } executeonly if |
| } { |
| pop |
| } ifelse |
| - } |
| + } executeonly |
| { |
| pop |
| } ifelse |
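Review bot: The protection depends on every procedure that encloses the `.forceput` call being marked `executeonly` by hand, and nothing in the patch checks that. The innermost block was already marked and this hunk adds the marker on two enclosing levels, which suggests the gap is easy to miss when nesting changes. A build-time or test-time scan of Resource/Init for `.forceput` inside a procedure that is not followed by `executeonly` would catch regressions; whether other unmarked call sites remain cannot be determined from this patch. The `{ pop }` else-branches stay readable, which looks harmless because they contain no privileged operator.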
| -- |
| 2.20.1 |
| |