[1/2] package/ghostscript: fix CVE-2021-45944

Message ID	20220115101535.1699671-1-fontaine.fabrice@gmail.com
State	Accepted
Headers	show Return-Path: <buildroot-bounces@buildroot.org> From: Fabrice Fontaine <fontaine.fabrice@gmail.com> To: buildroot@buildroot.org Date: Sat, 15 Jan 2022 11:15:34 +0100 Message-Id: <20220115101535.1699671-1-fontaine.fabrice@gmail.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944 Precedence: list Cc: Bernd Kuhls <bernd.kuhls@t-online.de>, Fabrice Fontaine <fontaine.fabrice@gmail.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" <buildroot-bounces@buildroot.org>
Series	[1/2] package/ghostscript: fix CVE-2021-45944 \| expand [1/2] package/ghostscript: fix CVE-2021-45944 [2/2] package/ghostscript: fix CVE-2021-45949

Message ID

20220115101535.1699671-1-fontaine.fabrice@gmail.com

State

Accepted

Headers

From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
To: buildroot@buildroot.org
Date: Sat, 15 Jan 2022 11:15:34 +0100
Message-Id: <20220115101535.1699671-1-fontaine.fabrice@gmail.com>
MIME-Version: 1.0
Subject: [Buildroot] [PATCH 1/2] package/ghostscript: fix CVE-2021-45944
Precedence: list
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>,
 Fabrice Fontaine <fontaine.fabrice@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: buildroot-bounces@buildroot.org
Sender: "buildroot" <buildroot-bounces@buildroot.org>

Series

[1/2] package/ghostscript: fix CVE-2021-45944 | expand

Commit Message

Fabrice Fontaine Jan. 15, 2022, 10:15 a.m. UTC

Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in
sampled_data_sample (called from sampled_data_continue and interp).

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...ack-limits-after-function-evaluation.patch | 52 +++++++++++++++++++
 package/ghostscript/ghostscript.mk            |  3 ++
 2 files changed, 55 insertions(+)
 create mode 100644 package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch

Comments

Peter Korsgaard Jan. 28, 2022, 4:59 p.m. UTC | #1

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in
 > sampled_data_sample (called from sampled_data_continue and interp).

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2021.11.x, thanks.

diff --git a/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch b/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
new file mode 100644
index 0000000000..352f1754f6
--- /dev/null
+++ b/package/ghostscript/0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
@@ -0,0 +1,52 @@ 
+From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 12 Feb 2021 10:34:23 +0000
+Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
+
+During function result sampling, after the callout to the Postscript
+interpreter, make sure there is enough stack space available before pushing
+or popping entries.
+
+In thise case, the Postscript procedure for the "function" is totally invalid
+(as a function), and leaves the op stack in an unrecoverable state (as far as
+function evaluation is concerned). We end up popping more entries off the
+stack than are available.
+
+To cope, add in stack limit checking to throw an appropriate error when this
+happens.
+
+[Retrieved from:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ psi/zfsample.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 290809405..652ae02c6 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+     } else {
+         if (stack_depth_adjust) {
+             stack_depth_adjust -= num_out;
+-            push(O_STACK_PAD - stack_depth_adjust);
+-            for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+-                make_null(op - i);
++            if ((O_STACK_PAD - stack_depth_adjust) < 0) {
++                stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
++                check_op(stack_depth_adjust);
++                pop(stack_depth_adjust);
++            }
++            else {
++                check_ostack(O_STACK_PAD - stack_depth_adjust);
++                push(O_STACK_PAD - stack_depth_adjust);
++                for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
++                    make_null(op - i);
++            }
+         }
+     }
+ 
+-- 
+2.25.1
+
diff --git a/package/ghostscript/ghostscript.mk b/package/ghostscript/ghostscript.mk
index d502d19206..91871728ba 100644
--- a/package/ghostscript/ghostscript.mk
+++ b/package/ghostscript/ghostscript.mk
@@ -24,6 +24,9 @@  GHOSTSCRIPT_DEPENDENCIES = \
 # 0002-Bug-704342-Include-device-specifier-strings-in-acces.patch
 GHOSTSCRIPT_IGNORE_CVES += CVE-2021-3781
 
+# 0003-oss-fuzz-30715-Check-stack-limits-after-function-evaluation.patch
+GHOSTSCRIPT_IGNORE_CVES += CVE-2021-45944
+
 # Ghostscript includes (old) copies of several libraries, delete them.
 # Inspired by linuxfromscratch:
 # http://www.linuxfromscratch.org/blfs/view/svn/pst/gs.html

[1/2] package/ghostscript: fix CVE-2021-45944

Commit Message

Comments

Patch