Brad Bishop | a34c030 | 2019-09-23 22:34:48 -0400 | 1 | From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001 |
| 2 | From: Ken Sharp <ken.sharp@artifex.com> |
| 3 | Date: Tue, 20 Aug 2019 10:10:28 +0100 |
| 4 | Subject: [PATCH] make .forceput inaccessible |
| 5 | |
| 6 | Bug #701343, #701344, #701345 |
| 7 | |
| 8 | More defensive programming. We don't want people to access .forceput |
| 9 | even though it is no longer sufficient to bypass SAFER. The exploit |
| 10 | in #701343 didn't work anyway because of earlier work to stop the error |
| 11 | handler being used, but nevertheless, prevent access to .forceput from |
| 12 | .setuserparams2. |
| 13 | |
| 14 | CVE: CVE-2019-14811 |
| 15 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] |
| 16 | |
| 17 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> |
| 18 | --- |
| 19 | Resource/Init/gs_lev2.ps | 6 +++--- |
| 20 | Resource/Init/gs_pdfwr.ps | 4 ++-- |
| 21 | 2 files changed, 5 insertions(+), 5 deletions(-) |
| 22 | |
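diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
index 98d55fe..f1b771f 100644
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
 {
 pop pop
 } ifelse
- } forall
+ } executeonly forall
 % A context switch might have occurred during the above loop,
 % causing the interpreter-level parameters to be reset.
 % Set them again to the new values. From here on, we are safe,
@@ -229,9 +229,9 @@ end
 { pop pop
 }
 ifelse
- }
+ } executeonly
 forall pop
-} .bind odef
+} .bind executeonly odef
 
 % Initialize the passwords.
 % NOTE: the names StartJobPassword and SystemParamsPassword are known to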
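Review bot: The first hunk marks only the `forall` loop body as `executeonly` (new line 161), whereas the second hunk marks both the loop body and the operator procedure itself with `} .bind executeonly odef`. The definition enclosing the first loop closes outside the hunk, so it cannot be confirmed here that it ends the same way; please check that its closing line also carries `executeonly`, since the commit message says the aim is to keep `.forceput` unreachable from `.setuserparams2`. A short comment at each site, for example `% executeonly: keep this body unreadable, it is on the path to .forceput`, would stop a later cleanup from dropping the attribute unnoticed.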
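diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
index 00c19fa..dfe504d 100644
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef
 systemdict /.pdf_hooked_DSC_Creator //true .forceput
 } executeonly if
 pop
- } if
+ } executeonly if
 } {
 pop
 } ifelse
- }
+ } executeonly
 {
 pop
 } ifelse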
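Review bot: The hardening in this hunk relies on every brace level around the `.forceput` call being `executeonly`, not only the innermost one that was already marked at `} executeonly if`, and nothing in the file records that rule. I would add a comment at the outermost closing brace, such as `% every procedure level enclosing .forceput must be executeonly`, so the intent survives later refactoring. A build-time check over Resource/Init that flags any `.forceput` whose enclosing procedures are not all closed with `executeonly` would catch regressions that review misses. The outer procedures begin outside the hunk, so whether any further level above these two is still readable is not visible here.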
| 66 | -- |
| 67 | 2.20.1 |
| 68 | |