[kirkstone,02/17] ghostscript: fix CVE-2023-43115

Message ID	1d169e50f28c93434461aa3ecbc47c21509143e9.1695869144.git.steve@sakoman.com
State	Accepted, archived
Commit	1d169e50f28c93434461aa3ecbc47c21509143e9
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.221.180, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/17] ghostscript: fix CVE-2023-43115 Date: Wed, 27 Sep 2023 16:48:31 -1000 Message-Id: <1d169e50f28c93434461aa3ecbc47c21509143e9.1695869144.git.steve@sakoman.com> In-Reply-To: <cover.1695869144.git.steve@sakoman.com> References: <cover.1695869144.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/17] shadow: Fix CVE-2023-4641 \| expand [kirkstone,01/17] shadow: Fix CVE-2023-4641 [kirkstone,02/17] ghostscript: fix CVE-2023-43115 [kirkstone,03/17] gstreamer1.0-plugins-bad: fix CVE-2023-40474 [kirkstone,04/17] gstreamer1.0-plugins-bad: fix CVE-2023-40475 [kirkstone,05/17] gstreamer1.0-plugins-bad: fix CVE-2023-40476 [kirkstone,06/17] go: Fix CVE-2023-39318 [kirkstone,07/17] linux-yocto: update CVE exclusions [kirkstone,08/17] ruby: fix CVE-2023-36617 [kirkstone,09/17] webkitgtk: fix CVE-2023-32439 [kirkstone,10/17] xserver-xorg: ignore CVE-2022-3553 as it is XQuartz-specific [kirkstone,11/17] cups: Fix CVE-2023-4504 [kirkstone,12/17] libwebp: Fix CVE-2023-5129 [kirkstone,13/17] openssl: Upgrade 3.0.10 -> 3.0.11 [kirkstone,14/17] python3-git: upgrade 3.1.32 -> 3.1.37 [kirkstone,15/17] bind: update to 9.18.19 [kirkstone,16/17] cml1: Fix KCONFIG_CONFIG_COMMAND not conveyed fully in do_menuconfig [kirkstone,17/17] kernel.bbclass: Add force flag to rm calls

Message ID

1d169e50f28c93434461aa3ecbc47c21509143e9.1695869144.git.steve@sakoman.com

State

Accepted, archived

Commit

1d169e50f28c93434461aa3ecbc47c21509143e9

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/17] ghostscript: fix CVE-2023-43115
Date: Wed, 27 Sep 2023 16:48:31 -1000
Message-Id: 
 <1d169e50f28c93434461aa3ecbc47c21509143e9.1695869144.git.steve@sakoman.com>
In-Reply-To: <cover.1695869144.git.steve@sakoman.com>
References: <cover.1695869144.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/17] shadow: Fix CVE-2023-4641 | expand

Commit Message

Steve Sakoman Sept. 28, 2023, 2:48 a.m. UTC

From: Archana Polampalli <archana.polampalli@windriver.com>

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote
code execution via crafted PostScript documents because they can switch to the
IJS device, or change the IjsServer parameter, after SAFER has been activated.
NOTE: it is a documented risk that the IJS server can be specified on a gs
command line (the IJS device inherently must execute a command to start the IJS server).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-43115

Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2023-43115.patch          | 62 +++++++++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
new file mode 100644
index 0000000000..979f354ed5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@ 
+From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH] IJS device - try and secure the IJS server startup
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe]
+
+CVE: CVE-2023-43115
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ devices/gdevijs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 8cbd84b97..16f5a1752 100644
+--- a/devices/gdevijs.c
++++ b/devices/gdevijs.c
+@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
+     static const char rgb[] = "DeviceRGB";
+     gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+
++    if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++        return_error(gs_error_invalidaccess);
+     if (!ijsdev->ColorSpace) {
+         ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
+                                        "gsijs_initialize");
+@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+     if (code >= 0)
+         code = gsijs_read_string(plist, "IjsServer",
+             ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+-            dev->LockSafetyParams, is_open);
++            ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+
+     if (code >= 0)
+         code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index ad0b008cab..4c4c22cf39 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -38,6 +38,7 @@  SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2023-36664-0001.patch \
                 file://CVE-2023-36664-0002.patch \
                 file://CVE-2023-38559.patch \
+                file://CVE-2023-43115.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \

[kirkstone,02/17] ghostscript: fix CVE-2023-43115

Commit Message

Patch