[OE-core] [warrior][PATCH] ghostscript: fix CVE-2019-3839
Naveen Saini
naveen.kumar.saini at intel.com
Wed Jul 31 07:18:51 UTC 2019
Signed-off-by: Naveen Saini <naveen.kumar.saini at intel.com>
---
.../ghostscript/CVE-2019-3839-0008.patch | 440 ++++++++++++++++++
.../ghostscript/ghostscript_9.26.bb | 1 +
2 files changed, 441 insertions(+)
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
new file mode 100644
index 0000000000..4be1c84f92
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3839-0008.patch
@@ -0,0 +1,440 @@
+From c253752ef731f49922e0a97490d1ef09ca697c91 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston at artifex.com>
+Date: Thu, 31 Jan 2019 11:31:30 -0800
+Subject: [PATCH] Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF
+ interp).
+
+We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict
+where needed so we can undef it after the last PDF interp file has
+run (pdf_sec.ps).
+
+CVE: CVE-2019-3839
+Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9]
+Signed-off-by: Naveen Saini <naveen.kumar.saini at intel.com>
+---
+ Resource/Init/pdf_base.ps | 11 ++++----
+ Resource/Init/pdf_draw.ps | 59 +++++++++++++++++++--------------------
+ Resource/Init/pdf_font.ps | 9 +++---
+ Resource/Init/pdf_main.ps | 25 +++++++++--------
+ Resource/Init/pdf_ops.ps | 11 ++++----
+ Resource/Init/pdf_sec.ps | 4 ++-
+ 6 files changed, 60 insertions(+), 59 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index e35e0e373..13dd51f46 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -23,7 +23,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Define the name interpretation dictionary for reading values.
+@@ -133,11 +132,11 @@ currentdict /num-chars-dict .undef
+
+ /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
+ PDFDEBUG {
+- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
++ //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if
+ PDFSTEP {
+- pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
++ //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
+ PDFSTEPcount 1 gt {
+- pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
++ //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
+ } executeonly
+ {
+ dup ==only
+@@ -145,10 +144,10 @@ currentdict /num-chars-dict .undef
+ ( ? ) print flush 1 //false .outputpage
+ (%stdin) (r) file 255 string readline {
+ token {
+- exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
++ exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /PDFSTEPcount 1 .forceput
++ //pdfdict /PDFSTEPcount 1 .forceput
+ } executeonly ifelse % token
+ } {
+ pop /PDFSTEP //false def % EOF on stdin
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 36c41a9a3..2e39c87d2 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -18,8 +18,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin
+ pdfdict begin
+
+ % For simplicity, we use a single interpretation dictionary for all
+@@ -113,7 +112,7 @@ pdfdict begin
+
+ /resolvefunction { % <fndict> resolvefunction <function>
+ .resolvefn
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /resolvefnproc { % <fndict> resolvefnproc <proc>
+@@ -1086,7 +1085,7 @@ currentdict end readonly def
+ %% finished running the PaintProc.
+
+ /.actual_pdfpaintproc { % <patdict> <resdict> .pdfpaintproc -
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
+ PDFfile fileposition 3 1 roll
+ q
+ 1 index /PaintType oget 1 eq {
+@@ -1121,21 +1120,21 @@ currentdict end readonly def
+ Q
+ }{
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1144,21 +1143,21 @@ currentdict end readonly def
+ } loop
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1169,7 +1168,7 @@ currentdict end readonly def
+ /pdfemptycount exch def
+
+ Q
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
+ PDFfile exch setfileposition
+ } bind executeonly odef
+
+@@ -1240,7 +1239,7 @@ currentdict end readonly def
+ ] cvx put
+ dup /BBox 2 copy knownoget { normrect FixPatternBBox put } { pop pop } ifelse
+ dup /.pattern_uses_transparency 1 index patternusestransparency put
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /ignore_color_op ( **** Error: Ignoring a color operation in a cached context.\n Output may be incorrect.\n) readonly def
+@@ -2361,16 +2360,16 @@ currentdict /last-ditch-bpc-csp undef
+ } bind executeonly def
+
+ /IncrementAppearanceNumber {
+- pdfdict /AppearanceNumber .knownget {
+- 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
++ //pdfdict /AppearanceNumber .knownget {
++ 1 add //pdfdict /AppearanceNumber 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /AppearanceNumber 0 .forceput
++ //pdfdict /AppearanceNumber 0 .forceput
+ } executeonly ifelse
+ }bind executeonly odef
+
+ /MakeAppearanceName {
+- pdfdict /AppearanceNumber get
++ //pdfdict /AppearanceNumber get
+ 10 string cvs
+ dup length 10 add string dup 0 (\{FormName) putinterval
+ dup 3 -1 roll
+@@ -2391,17 +2390,17 @@ currentdict /last-ditch-bpc-csp undef
+ gsave initclip
+ MakeNewAppearanceName
+ .pdfFormName
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
+- pdfdict /.PreservePDFForm true .forceput
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm true .forceput
+ DoForm
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ grestore
+ } bind executeonly odef
+
+ /DoForm {
+ %% save the current value, if its true we will set it to false later, in order
+ %% to prevent us preserving Forms which are used *from* an annotation /Appearance.
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
+
+ %% We may alter the Default* colour spaces, if the Resources
+ %% ColorSpace entry contains one of them. But we don't want that
+@@ -2516,13 +2515,13 @@ currentdict /last-ditch-bpc-csp undef
+ pdfemptycount countdictstack 3 -1 roll
+ /pdfemptycount count 4 sub store
+
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get}{//false} ifelse
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get}{//false} ifelse
+ {
+ %% We must *not* preserve any subsidiary forms (curently at least) as PDF
+ %% form preservation doesn't really work. This is used just for Annotation
+ %% Appearances currently, and if they should happen to use a form, we do not
+ %% want to preserve it.
+- pdfdict /.PreservePDFForm false .forceput
++ //pdfdict /.PreservePDFForm false .forceput
+ /q cvx /execform cvx 5 -2 roll
+ } executeonly
+ {
+@@ -2555,7 +2554,7 @@ currentdict /last-ditch-bpc-csp undef
+ saved_DCMYK /DefaultCMYK exch /ColorSpace defineresource pop
+ end
+ } if
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ } bind executeonly odef
+
+ /_dops_save 1 array def
+@@ -2714,13 +2713,13 @@ drawopdict begin
+ % Start by getting the object number for a Form XObject
+ dup Page /XObject obj_get dup 0 eq not {
+ % Now get the recording dictionary and see if that object number has been seen
+- pdfdict /Recursive_XObject_D get 1 index known {
++ //pdfdict /Recursive_XObject_D get 1 index known {
+ ( **** Error: Recursive XObject detected, ignoring ") print 1 index 256 string cvs print (", object number ) print 256 string cvs print (\n) print
+ ( Output may be incorrect.\n) pdfformaterror
+ //false
+ }{
+ % We haven't seen it yet, so record it.
+- pdfdict /Recursive_XObject_D get 1 index null put
++ //pdfdict /Recursive_XObject_D get 1 index null put
+ 3 1 roll
+ //true
+ }ifelse
+@@ -2758,7 +2757,7 @@ drawopdict begin
+ ( Output may be incorrect.\n) pdfformaterror
+ } ifelse
+ PDFfile exch setfileposition
+- pdfdict /Recursive_XObject_D get exch undef
++ //pdfdict /Recursive_XObject_D get exch undef
+ }{
+ % Otherwise ignore it and tidy up the stacks
+ pop pop
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 7e35c02ac..6b09be61f 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -37,8 +37,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin % from userdict at this point
+ pdfdict begin
+
+ % We cache the PostScript font in an additional element of the
+@@ -1227,11 +1226,11 @@ currentdict /eexec_pdf_param_dict .undef
+ .pdfruncontext
+ countdictstack BuildCharDictDepth sub
+ {
+- pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
++ //pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
+ {
+ (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ pdfformatwarning
+- pdfdict /.Qqwarning_issued //true .forceput
++ //pdfdict /.Qqwarning_issued //true .forceput
+ } executeonly if
+ Q
+ } repeat
+@@ -2361,7 +2360,7 @@ currentdict /bndef undef
+ dup //null eq
+ {pop}
+ {
+- pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
++ //pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
+ exch dup /.OrigUniqueIDXUID .knownget not
+ {
+ dup /XUID .knownget not
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 0a8929a2a..c1de1b0ef 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -18,8 +18,9 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
++/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it
++userdict /GS_PDF_ProcSet undef
+
+ % Patch in an obsolete variable used by some third-party software.
+ /#? //false def
+@@ -304,8 +305,8 @@ currentdict /runpdfstring .undef
+ /Page //null def
+ /DSCPageCount 0 def
+ /PDFSave //null def
+- GS_PDF_ProcSet begin
+- pdfdict begin
++ //pdfdict /GS_PDF_ProcSet get begin
++ //pdfdict begin
+ pdfopen begin
+ /CumulativePageCount currentpagedevice /PageCount get def
+ } bind executeonly def
+@@ -624,7 +625,7 @@ currentdict /runpdfstring .undef
+ %% copied to a temporary file) and store it in pdfdict. We will use this for
+ %% hashing fonts to detect if fonts with the same name are from different files.
+ %%
+- dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch pdfdict 3 1 roll .forceput
++ dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch //pdfdict 3 1 roll .forceput
+
+ //runpdfbegin exec
+ //pdf_collection_files exec
+@@ -1390,7 +1391,7 @@ currentdict /xref-char-dict undef
+ } bind executeonly def
+
+ /pdfopenfile { % <file> pdfopenfile <dict>
+- pdfdict readonly pop % can't do it any earlier than this
++ //pdfdict readonly pop % can't do it any earlier than this
+ 32 dict begin
+ /LocalResources 0 dict def
+ /DefaultQstate //null def % establish binding
+@@ -2717,21 +2718,21 @@ currentdict /PDF2PS_matrix_key undef
+ StreamRunAborted not {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -2743,8 +2744,8 @@ currentdict /PDF2PS_matrix_key undef
+ Repaired % pass Repaired state around the restore
+ RepairedAnError
+ PDFSave restore
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //false .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //false .forceput
+ .setglobal
+ /RepairedAnError exch def
+ /Repaired exch def
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index 34e2fbd58..46de547f7 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -24,6 +24,7 @@
+ systemdict /pdfmark known not
+ { userdict /pdfmark { cleartomark } bind executeonly put } if
+
++systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse
+ userdict /GS_PDF_ProcSet 256 dict dup begin
+
+ % ---------------- Abbreviations ---------------- %
+@@ -174,21 +175,21 @@ currentdict /gput_always_allow .undef
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+diff --git a/Resource/Init/pdf_sec.ps b/Resource/Init/pdf_sec.ps
+index d8cc94c86..163dd6877 100644
+--- a/Resource/Init/pdf_sec.ps
++++ b/Resource/Init/pdf_sec.ps
+@@ -39,7 +39,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Older ghostscript versions do not have .pdftoken, so we use 'token' instead.
+@@ -748,4 +747,7 @@ currentdict /PDFScanRules_null undef
+ } bind executeonly def
+
+ end % pdfdict
++
++systemdict /pdfdict .forceundef % hide pdfdict
++
+ .setglobal
+--
+2.17.1
+
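Review bot: Once `systemdict /pdfdict .forceundef` runs at the end of pdf_sec.ps, any procedure that still looks up `pdfdict` by name at run time will fail with /undefined, and this backport converts only the call sites shown in these hunks to `//pdfdict`. The load-time `pdfdict begin` lines are fine because they execute before the undef. The `From` hash in the embedded header differs from the upstream commit cited in Upstream-Status, so the patch appears to have been rebased onto 9.26. It is worth grepping the patched Resource/Init/*.ps for bare `pdfdict` references left inside procedure bodies and running a PDF render smoke test under -dSAFER. Separately, in the pdf_ops.ps hunk the found branch of `systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse` leaves `systemdict` on the operand stack; if that matches upstream, keep it unchanged rather than diverge.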
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
index 2630084a07..03e4569dbc 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${SRC_URI_BASE} \
file://CVE-2019-3835-0004.patch \
file://CVE-2019-3838-0001.patch \
file://CVE-2019-3838-0002.patch \
+ file://CVE-2019-3839-0008.patch \
"
SRC_URI_class-native = "${SRC_URI_BASE} \
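Review bot: The new `file://CVE-2019-3839-0008.patch` entry is added to the target `SRC_URI` only, while `SRC_URI_class-native` starts its own list on the next line and its contents lie outside this hunk. If the native ghostscript is ever run on input that is not fully trusted, it would stay without this fix unless the patch is also listed there or in `SRC_URI_BASE`. Please confirm that is intended, as it seems to be for the CVE-2019-3835 and CVE-2019-3838 entries above. The `-0008` suffix also suggests the file was cut from a longer series, and the commit message, which has no body, does not say whether other parts are needed for CVE-2019-3839 or are already present in 9.26. One sentence in the commit message stating this would make the backport auditable.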
--
2.17.1