poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch - openbmc/openbmc - Gitiles

 From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
 From: Ken Sharp <ken.sharp@artifex.com>
 Date: Tue, 20 Aug 2019 10:10:28 +0100
 Subject: [PATCH] make .forceput inaccessible

 Bug #701343, #701344, #701345

 More defensive programming. We don't want people to access .forecput
 even though it is no longer sufficient to bypass SAFER. The exploit
 in #701343 didn't work anyway because of earlier work to stop the error
 handler being used, but nevertheless, prevent access to .forceput from
 .setuserparams2.

 CVE: CVE-2019-14811
 Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]

 Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
 ---
  Resource/Init/gs_lev2.ps  | 6 +++---
  Resource/Init/gs_pdfwr.ps | 4 ++--
  2 files changed, 5 insertions(+), 5 deletions(-)

 diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
 index 98d55fe..f1b771f 100644
 --- a/Resource/Init/gs_lev2.ps
 +++ b/Resource/Init/gs_lev2.ps
 @@ -158,7 +158,7 @@ end
      {
        pop pop
      } ifelse
 -  } forall
 +  } executeonly forall
          % A context switch might have occurred during the above loop,
          % causing the interpreter-level parameters to be reset.
          % Set them again to the new values.  From here on, we are safe,
 @@ -229,9 +229,9 @@ end
         { pop pop
         }
        ifelse
 -    }
 +    } executeonly
     forall pop
 -} .bind odef
 +} .bind executeonly odef

  % Initialize the passwords.
  % NOTE: the names StartJobPassword and SystemParamsPassword are known to
 diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
 index 00c19fa..dfe504d 100644
 --- a/Resource/Init/gs_pdfwr.ps
 +++ b/Resource/Init/gs_pdfwr.ps
 @@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
            systemdict /.pdf_hooked_DSC_Creator //true .forceput
          } executeonly if
          pop
 -      } if
 +      } executeonly if
      } {
        pop
      } ifelse
 -  }
 +  } executeonly
    {
      pop
    } ifelse
 --
 2.20.1
	From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
	From: Ken Sharp <ken.sharp@artifex.com>
	Date: Tue, 20 Aug 2019 10:10:28 +0100
	Subject: [PATCH] make .forceput inaccessible

	Bug #701343, #701344, #701345

	More defensive programming. We don't want people to access .forecput
	even though it is no longer sufficient to bypass SAFER. The exploit
	in #701343 didn't work anyway because of earlier work to stop the error
	handler being used, but nevertheless, prevent access to .forceput from
	.setuserparams2.

	CVE: CVE-2019-14811
	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]

	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
	---
	Resource/Init/gs_lev2.ps \| 6 +++---
	Resource/Init/gs_pdfwr.ps \| 4 ++--
	2 files changed, 5 insertions(+), 5 deletions(-)

	diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
	index 98d55fe..f1b771f 100644
	--- a/Resource/Init/gs_lev2.ps
	+++ b/Resource/Init/gs_lev2.ps
	@@ -158,7 +158,7 @@ end
	{
	pop pop
	} ifelse
	- } forall
	+ } executeonly forall
	% A context switch might have occurred during the above loop,
	% causing the interpreter-level parameters to be reset.
	% Set them again to the new values. From here on, we are safe,
	@@ -229,9 +229,9 @@ end
	{ pop pop
	}
	ifelse
	- }
	+ } executeonly
	forall pop
	-} .bind odef
	+} .bind executeonly odef

	% Initialize the passwords.
	% NOTE: the names StartJobPassword and SystemParamsPassword are known to
	diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
	index 00c19fa..dfe504d 100644
	--- a/Resource/Init/gs_pdfwr.ps
	+++ b/Resource/Init/gs_pdfwr.ps
	@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
	systemdict /.pdf_hooked_DSC_Creator //true .forceput
	} executeonly if
	pop
	- } if
	+ } executeonly if
	} {
	pop
	} ifelse
	- }
	+ } executeonly
	{
	pop
	} ifelse
	--
	2.20.1