From patchwork Wed Oct 11 23:09:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Slater, Joseph" X-Patchwork-Id: 32008 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 493B6CDB465 for ; Wed, 11 Oct 2023 23:09:23 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.1141.1697065753914013975 for ; Wed, 11 Oct 2023 16:09:14 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=kzRjX+Qh; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=8648ebce54=joe.slater@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id 39BKR9T4021508 for ; Wed, 11 Oct 2023 23:09:13 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding:content-type; s=PPS06212021; bh=EAhaq KVnsUv6lTgNOG59ApXC+7Uy1zft3BQ0WHHwtAw=; b=kzRjX+QhHTlgGalDQ7mXP 0Nief1iWfilpGQH2QDePnxJAc1APC9N14EUzP3ok8GVJRDNWUO2ngGBVXoDFcKFq vg8t1/x5nlxsGYhJq79tSXWY3qcTCxMaYa2Nc6hce/Eir4lQo/XK7zUYtCPa7IhU ET8qvs8WbqUmLNpkdZrgHQLoAig48X7LrAZ4lWumcXLhp3MXbrUusUqbKwQlntXF 11XGg9ihW1lp2/5dZ2x5rnxWO7s+/bYH+PwsO6maP1cRN2O+CuFVqS5kH9J+kC2y YmxM0XrSq93/FXVOMRS2JR8JHCKw2A35JKApTFKVfSLPUeq1wtvFwZ+obJDsBGsZ Q== Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3tnhuegxhe-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 11 Oct 2023 23:09:12 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.32; Wed, 11 Oct 2023 16:09:11 -0700 Received: from ala-jslater-lx2.corp.ad.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.32 via Frontend Transport; Wed, 11 Oct 2023 16:09:11 -0700 From: To: CC: , Subject: [mickledore][oe-core][PATCH 1/1] ghostscript: fix CVE-2023-43115 Date: Wed, 11 Oct 2023 16:09:11 -0700 Message-ID: <20231011230911.3767269-1-joe.slater@windriver.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Proofpoint-GUID: sxXtlM939RcpEpRWRUBvlBTRU_tO8joC X-Proofpoint-ORIG-GUID: sxXtlM939RcpEpRWRUBvlBTRU_tO8joC X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-10-11_18,2023-10-11_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 impostorscore=0 adultscore=0 spamscore=0 mlxlogscore=999 mlxscore=0 bulkscore=0 phishscore=0 lowpriorityscore=0 clxscore=1011 priorityscore=1501 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2309180000 definitions=main-2310110204 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 11 Oct 2023 23:09:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188974 From: Joe Slater The patch is copied from kirkstone. master has advanced to ghostscript 10.02.0 which includes the fix. Signed-off-by: Joe Slater --- .../ghostscript/CVE-2023-43115.patch | 62 +++++++++++++++++++ .../ghostscript/ghostscript_10.0.0.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch new file mode 100644 index 0000000000..979f354ed5 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch @@ -0,0 +1,62 @@ +From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: [PATCH] IJS device - try and secure the IJS server startup + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the IJS device +after SAFER has been activated, and prevents changes to the IjsServer +parameter after SAFER has been activated. + +SAFER is activated, unless explicitly disabled, before any user +PostScript is executed which means that the device and the server +invocation can only be configured on the command line. This does at +least provide minimal security against malicious PostScript programs. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe] + +CVE: CVE-2023-43115 + +Signed-off-by: Archana Polampalli +--- + devices/gdevijs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/devices/gdevijs.c b/devices/gdevijs.c +index 8cbd84b97..16f5a1752 100644 +--- a/devices/gdevijs.c ++++ b/devices/gdevijs.c +@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev) + static const char rgb[] = "DeviceRGB"; + gx_device_ijs *ijsdev = (gx_device_ijs *)dev; + ++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active) ++ return_error(gs_error_invalidaccess); + if (!ijsdev->ColorSpace) { + ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1, + "gsijs_initialize"); +@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) + if (code >= 0) + code = gsijs_read_string(plist, "IjsServer", + ijsdev->IjsServer, sizeof(ijsdev->IjsServer), +- dev->LockSafetyParams, is_open); ++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); + + if (code >= 0) + code = gsijs_read_string_malloc(plist, "DeviceManufacturer", +-- +2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb index 9e2cd01ff4..5c6be991d9 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb @@ -37,6 +37,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://cve-2023-28879.patch \ file://cve-2023-36664.patch \ file://CVE-2023-38559.patch \ + file://CVE-2023-43115.patch \ " SRC_URI = "${SRC_URI_BASE} \