Version in base suite: 9.53.3~dfsg-7+deb11u4 Base version: ghostscript_9.53.3~dfsg-7+deb11u4 Target version: ghostscript_9.53.3~dfsg-7+deb11u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/ghostscript/ghostscript_9.53.3~dfsg-7+deb11u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/ghostscript/ghostscript_9.53.3~dfsg-7+deb11u5.dsc changelog | 9 ++ patches/020230607~5e65eea.patch | 145 ++++++++++++++++++++++++++++++++++++++++ patches/020230614~fb342fd.patch | 59 ++++++++++++++++ patches/series | 2 4 files changed, 215 insertions(+)
diff -Nru ghostscript-9.53.3~dfsg/debian/changelog ghostscript-9.53.3~dfsg/debian/changelog
--- ghostscript-9.53.3~dfsg/debian/changelog 2023-04-03 17:30:02.000000000 +0000
+++ ghostscript-9.53.3~dfsg/debian/changelog 2023-07-02 09:54:08.000000000 +0000
@@ -1,3 +1,12 @@
+ghostscript (9.53.3~dfsg-7+deb11u5) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Don't "reduce" %pipe% file names for permission validation
+ (CVE-2023-36664)
+ * Revisit fix for upstream bug 706761 (CVE-2023-36664)
+
+ -- Salvatore Bonaccorso Sun, 02 Jul 2023 11:54:08 +0200
+
 ghostscript (9.53.3~dfsg-7+deb11u4) bullseye-security; urgency=high
 * Non-maintainer upload by the Security Team.
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/020230607~5e65eea.patch ghostscript-9.53.3~dfsg/debian/patches/020230607~5e65eea.patch
--- ghostscript-9.53.3~dfsg/debian/patches/020230607~5e65eea.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.53.3~dfsg/debian/patches/020230607~5e65eea.patch 2023-07-02 09:54:08.000000000 +0000
@@ -0,0 +1,145 @@
+From: Chris Liddell
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: Bug 706761: Don't "reduce" %pipe% file names for permission
+ validation
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=706778
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=706761
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-36664
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+---
+ base/gpmisc.c | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 38d6d60e2252..cad018219874 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+ && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+ prefix_len = 0;
+ }
+- rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+- if (bufferfull == NULL)
+- return gs_error_VMerror;
+-
+- buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
+
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory,
len + 1, "gp_validate_path");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++ if (bufferfull == NULL)
++ return gs_error_VMerror;
++
++ buffer = bufferfull + prefix_len;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+ while (1) {
+ switch (mode[0])
+ {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 186248211fad..3b737df4b9e3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -740,14 +740,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len + 1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++)
+@@ -833,14 +847,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+ return
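Review bot: The `gp_file_name_reduce` failure path in the new `else` branch of `gp_validate_path_len` returns `gs_error_invalidfileaccess` without releasing `bufferfull`, so each rejected name leaks the block just allocated from `mem->thread_safe_memory`. The patch carries this over unchanged from the removed lines; bracing the check and adding `gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");` before the return would close it. The same pattern is re-added in the `gs_add_control_path_len_flags` and `gs_remove_control_path_len_flags` hunks of base/gslibctx.c, where `buffer` from `core->memory` is not freed on that return. Because this is the permission-validation path for file names, the rejection branch is presumably reachable repeatedly from untrusted input, which is why the leak is worth fixing in a security upload. All three function bodies continue outside their hunks.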
gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++) {
+--
+2.40.1
+
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/020230614~fb342fd.patch ghostscript-9.53.3~dfsg/debian/patches/020230614~fb342fd.patch
--- ghostscript-9.53.3~dfsg/debian/patches/020230614~fb342fd.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.53.3~dfsg/debian/patches/020230614~fb342fd.patch 2023-07-02 09:54:08.000000000 +0000
@@ -0,0 +1,59 @@
+From: Chris Liddell
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: Bug 706778: 706761 revisit
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=706778
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=706761
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-36664
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+---
+ base/gpmisc.c | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 4fd9c01cd21a..a193437f69b1 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1081,7 +1081,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 3b737df4b9e3..8bfe4bb91d15 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -743,7 +743,7 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1,
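Review bot: The corrected test in `gp_validate_path_len` reads `path[0]` before any length check, so with `len == 0` it looks at a byte that the length-delimited `path` may not own; whether an earlier guard outside the hunk rules that out is not visible here. Writing it as `if ((len > 0 && path[0] == '|') || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {` keeps the same decision without the unguarded read. The identical line is added in the `gs_add_control_path_len_flags` and `gs_remove_control_path_len_flags` hunks of base/gslibctx.c and would take the same change. The comment above the test still names only `"%pipe%"`, while the code matches the five-byte prefix `%pipe` and now also a leading `|`, so I would reword it to say that names starting with `|` or `%pipe` are stored and compared verbatim and never reduced. The function bodies continue outside the hunks.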
"gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+@@ -850,7 +850,7 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+--
+2.40.1
+
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/series ghostscript-9.53.3~dfsg/debian/patches/series
--- ghostscript-9.53.3~dfsg/debian/patches/series 2023-04-03 17:30:02.000000000 +0000
+++ ghostscript-9.53.3~dfsg/debian/patches/series 2023-07-02 09:54:08.000000000 +0000
@@ -8,6 +8,8 @@
 020210603~2a31293.patch
 020210907~a9bd3de.patch
 020230324~37ed502.patch
+020230607~5e65eea.patch
+020230614~fb342fd.patch
 1001_cross.patch
 1002-Update-lcms2-non-mt-code-for-buff_desc-endian_swap.patch
 1003_fix_gdevdsp_size_check.patch