[arch-commits] Commit in ghostscript/trunk (CVE-2021-3781.patch PKGBUILD)
Andreas Radke
andyrtr at gemini.archlinux.org
Mon Sep 27 11:09:37 UTC 2021
Date: Monday, September 27, 2021 @ 11:09:37
Author: andyrtr
Revision: 424741
upgpkg: ghostscript 9.55.0-1: upstream update 9.55.0
Modified:
ghostscript/trunk/PKGBUILD
Deleted:
ghostscript/trunk/CVE-2021-3781.patch
---------------------+
CVE-2021-3781.patch | 232 --------------------------------------------------
PKGBUILD | 18 +--
2 files changed, 7 insertions(+), 243 deletions(-)
Deleted: CVE-2021-3781.patch
===================================================================
--- CVE-2021-3781.patch 2021-09-27 10:40:01 UTC (rev 424740)
+++ CVE-2021-3781.patch 2021-09-27 11:09:37 UTC (rev 424741)
@@ -1,232 +0,0 @@
-From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell at artifex.com>
-Date: Tue, 7 Sep 2021 20:36:12 +0100
-Subject: [PATCH] Bug 704342: Include device specifier strings in access
- validation
-
-for the "%pipe%", %handle%" and %printer% io devices.
-
-We previously validated only the part after the "%pipe%" Postscript device
-specifier, but this proved insufficient.
-
-This rebuilds the original file name string, and validates it complete. The
-slight complication for "%pipe%" is it can be reached implicitly using
-"|" so we have to check both prefixes.
-
-Addresses CVE-2021-3781
----
- base/gdevpipe.c | 22 +++++++++++++++-
- base/gp_mshdl.c | 11 +++++++-
- base/gp_msprn.c | 10 ++++++-
- base/gp_os2pr.c | 13 +++++++++-
- base/gslibctx.c | 69 ++++++++++---------------------------------------
- 5 files changed, 65 insertions(+), 60 deletions(-)
-
-diff --git a/base/gdevpipe.c b/base/gdevpipe.c
-index 96d71f5d8..5bdc485be 100644
---- a/base/gdevpipe.c
-+++ b/base/gdevpipe.c
-@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
- #else
- gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
- gs_fs_list_t *fs = ctx->core->fs;
-+ /* The pipe device can be reached in two ways, explicltly with %pipe%
-+ or implicitly with "|", so we have to check for both
-+ */
-+ char f[gp_file_name_sizeof];
-+ const char *pipestr = "|";
-+ const size_t pipestrlen = strlen(pipestr);
-+ const size_t preflen = strlen(iodev->dname);
-+ const size_t nlen = strlen(fname);
-+ int code1;
-+
-+ if (preflen + nlen >= gp_file_name_sizeof)
-+ return_error(gs_error_invalidaccess);
-+
-+ memcpy(f, iodev->dname, preflen);
-+ memcpy(f + preflen, fname, nlen + 1);
-+
-+ code1 = gp_validate_path(mem, f, access);
-+
-+ memcpy(f, pipestr, pipestrlen);
-+ memcpy(f + pipestrlen, fname, nlen + 1);
-
-- if (gp_validate_path(mem, fname, access) != 0)
-+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
- return gs_error_invalidfileaccess;
-
- /*
-diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
-index 2b964ed74..8d87ceadc 100644
---- a/base/gp_mshdl.c
-+++ b/base/gp_mshdl.c
-@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
- long hfile; /* Correct for Win32, may be wrong for Win64 */
- gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
- gs_fs_list_t *fs = ctx->core->fs;
-+ char f[gp_file_name_sizeof];
-+ const size_t preflen = strlen(iodev->dname);
-+ const size_t nlen = strlen(fname);
-
-- if (gp_validate_path(mem, fname, access) != 0)
-+ if (preflen + nlen >= gp_file_name_sizeof)
-+ return_error(gs_error_invalidaccess);
-+
-+ memcpy(f, iodev->dname, preflen);
-+ memcpy(f + preflen, fname, nlen + 1);
-+
-+ if (gp_validate_path(mem, f, access) != 0)
- return gs_error_invalidfileaccess;
-
- /* First we try the open_handle method. */
-diff --git a/base/gp_msprn.c b/base/gp_msprn.c
-index ed4827968..746a974f7 100644
---- a/base/gp_msprn.c
-+++ b/base/gp_msprn.c
-@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
- uintptr_t *ptid = &((tid_t *)(iodev->state))->tid;
- gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
- gs_fs_list_t *fs = ctx->core->fs;
-+ const size_t preflen = strlen(iodev->dname);
-+ const size_t nlen = strlen(fname);
-
-- if (gp_validate_path(mem, fname, access) != 0)
-+ if (preflen + nlen >= gp_file_name_sizeof)
-+ return_error(gs_error_invalidaccess);
-+
-+ memcpy(pname, iodev->dname, preflen);
-+ memcpy(pname + preflen, fname, nlen + 1);
-+
-+ if (gp_validate_path(mem, pname, access) != 0)
- return gs_error_invalidfileaccess;
-
- /* First we try the open_printer method. */
-diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
-index f852c71fc..ba54cde66 100644
---- a/base/gp_os2pr.c
-+++ b/base/gp_os2pr.c
-@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
- FILE ** pfile, char *rfname, uint rnamelen)
- {
- os2_printer_t *pr = (os2_printer_t *)iodev->state;
-- char driver_name[256];
-+ char driver_name[gp_file_name_sizeof];
- gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
- gs_fs_list_t *fs = ctx->core->fs;
-+ const size_t preflen = strlen(iodev->dname);
-+ const int size_t = strlen(fname);
-+
-+ if (preflen + nlen >= gp_file_name_sizeof)
-+ return_error(gs_error_invalidaccess);
-+
-+ memcpy(driver_name, iodev->dname, preflen);
-+ memcpy(driver_name + preflen, fname, nlen + 1);
-+
-+ if (gp_validate_path(mem, driver_name, access) != 0)
-+ return gs_error_invalidfileaccess;
-
- /* First we try the open_printer method. */
- /* Note that the loop condition here ensures we don't
-diff --git a/base/gslibctx.c b/base/gslibctx.c
-index 6dfed6cd5..318039fad 100644
---- a/base/gslibctx.c
-+++ b/base/gslibctx.c
-@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
- int
- gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
- {
-- char *fp, f[gp_file_name_sizeof];
-- const int pipe = 124; /* ASCII code for '|' */
-- const int len = strlen(fname);
-- int i, code;
-+ char f[gp_file_name_sizeof];
-+ int code;
-
- /* Be sure the string copy will fit */
-- if (len >= gp_file_name_sizeof)
-+ if (strlen(fname) >= gp_file_name_sizeof)
- return gs_error_rangecheck;
- strcpy(f, fname);
-- fp = f;
- /* Try to rewrite any %d (or similar) in the string */
- rewrite_percent_specifiers(f);
-- for (i = 0; i < len; i++) {
-- if (f[i] == pipe) {
-- fp = &f[i + 1];
-- /* Because we potentially have to check file permissions at two levels
-- for the output file (gx_device_open_output_file and the low level
-- fopen API, if we're using a pipe, we have to add both the full string,
-- (including the '|', and just the command to which we pipe - since at
-- the pipe_fopen(), the leading '|' has been stripped.
-- */
-- code = gs_add_control_path(mem, gs_permit_file_writing, f);
-- if (code < 0)
-- return code;
-- code = gs_add_control_path(mem, gs_permit_file_control, f);
-- if (code < 0)
-- return code;
-- break;
-- }
-- if (!IS_WHITESPACE(f[i]))
-- break;
-- }
-- code = gs_add_control_path(mem, gs_permit_file_control, fp);
-+
-+ code = gs_add_control_path(mem, gs_permit_file_control, f);
- if (code < 0)
- return code;
-- return gs_add_control_path(mem, gs_permit_file_writing, fp);
-+ return gs_add_control_path(mem, gs_permit_file_writing, f);
- }
-
- int
- gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
- {
-- char *fp, f[gp_file_name_sizeof];
-- const int pipe = 124; /* ASCII code for '|' */
-- const int len = strlen(fname);
-- int i, code;
-+ char f[gp_file_name_sizeof];
-+ int code;
-
- /* Be sure the string copy will fit */
-- if (len >= gp_file_name_sizeof)
-+ if (strlen(fname) >= gp_file_name_sizeof)
- return gs_error_rangecheck;
- strcpy(f, fname);
-- fp = f;
- /* Try to rewrite any %d (or similar) in the string */
-- for (i = 0; i < len; i++) {
-- if (f[i] == pipe) {
-- fp = &f[i + 1];
-- /* Because we potentially have to check file permissions at two levels
-- for the output file (gx_device_open_output_file and the low level
-- fopen API, if we're using a pipe, we have to add both the full string,
-- (including the '|', and just the command to which we pipe - since at
-- the pipe_fopen(), the leading '|' has been stripped.
-- */
-- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
-- if (code < 0)
-- return code;
-- code = gs_remove_control_path(mem, gs_permit_file_control, f);
-- if (code < 0)
-- return code;
-- break;
-- }
-- if (!IS_WHITESPACE(f[i]))
-- break;
-- }
-- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
-+ rewrite_percent_specifiers(f);
-+
-+ code = gs_remove_control_path(mem, gs_permit_file_control, f);
- if (code < 0)
- return code;
-- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
-+ return gs_remove_control_path(mem, gs_permit_file_writing, f);
- }
-
- int
---
-2.17.1
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-09-27 10:40:01 UTC (rev 424740)
+++ PKGBUILD 2021-09-27 11:09:37 UTC (rev 424741)
@@ -2,8 +2,8 @@
pkgbase=ghostscript
pkgname=(ghostscript ghostxps ghostpcl)
-pkgver=9.54.0
-pkgrel=3
+pkgver=9.55.0
+pkgrel=1
pkgdesc="An interpreter for the PostScript language"
url="https://www.ghostscript.com/"
arch=('x86_64')
@@ -12,10 +12,9 @@
'libtiff' 'lcms2' 'dbus' 'libpaper' 'ijs' 'openjpeg2' 'libidn')
makedepends=('gtk3' 'gnutls' 'glu' 'freeglut')
# https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
-source=(https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver//./}/ghostpdl-${pkgver}.tar.xz
- CVE-2021-3781.patch)
-sha512sums=('fed500f5f267f0eeecc4ab44c2785ddaa9ad6965b689e9792021e2348296ee19150f10decb264a4689464088449be44fe8e6c30566a26e6e4e978c8b2d4654ec'
- '26a625518b18433309ccf404cbe90e2240a75091ae8c38d197d5dce5e1ac7e3df73be83683b64de2d38f429ffa45cb3eda9ecf9388e40094a1ca84328457a8f4')
+source=(#https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver//./}/ghostpdl-${pkgver}.tar.xz
+ https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/ghostpdl-${pkgver/.0//}/ghostpdl-${pkgver}.tar.xz)
+sha512sums=('d23864be1548ce7c7ae61398f52c34c5485dfe74e78bf7ef16c8fa5690e2ea857cc9795409a70feda5ff78c27b3c2bbc0e0710d190763fca77137ee9c56a0fed')
### update jbig2dec first! ###
@@ -53,9 +52,8 @@
# libs link unwanted to libgpdl that isn't installed
rm -rf gpdl
-
- # CVE-2021-3781 / CVE-2021-3781.patch
- patch -Np1 -i ../CVE-2021-3781.patch
+ # https://bugs.ghostscript.com/show_bug.cgi?id=704405
+ sed -i "s/gscms_transformm_color_const/gscms_transform_color_const/" base/gsicc_lcms2.c
}
build() {
@@ -66,12 +64,10 @@
--with-jbig2dec \
--with-x \
--with-drivers=ALL \
- --with-openprinting \
--with-fontpath=/usr/share/fonts/gsfonts \
--enable-fontconfig \
--enable-freetype \
--enable-openjpeg \
- --without-luratech \
--with-system-libtiff \
--with-libpaper \
--disable-compile-inits #--help # needed for linking with system-zlib
More information about the arch-commits
mailing list