
Bug#1053239: bookworm-pu: package ghostscript/10.0.0~dfsg-11+deb12u2



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ghostscript@packages.debian.org, carnil@debian.org
Control: affects -1 + src:ghostscript

Hi stable release managers,

[ Reason ]
Fix two CVEs which we did mark no-dsa (though one might after more
thinking be a candidate). Fix CVE-2023-38559 and CVE-2023-43115.

[ Impact ]
CVE-2023-38559 and CVE-2023-43115 would remain open so far.

[ Tests ]
Performed manual test for CVE-2023-43115.

[ Risks ]
Should be low, following the upstream commits to resolve the issues
which are very targeted.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fixes to address the CVEs. Adjust checks on input and
for the second issue, prevent PostScript programs switching to the IJS
device after SAFER has been activated (and prevent changes to the
IjsServer parameter after SAFER has been activated).

[ Other info ]
None.

Regards,
Salvatore
diff -Nru ghostscript-10.0.0~dfsg/debian/changelog ghostscript-10.0.0~dfsg/debian/changelog
--- ghostscript-10.0.0~dfsg/debian/changelog	2023-07-02 10:50:27.000000000 +0200
+++ ghostscript-10.0.0~dfsg/debian/changelog	2023-09-29 14:33:30.000000000 +0200
@@ -1,3 +1,12 @@
+ghostscript (10.0.0~dfsg-11+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Copy pcx buffer overrun fix from devices/gdevpcx.c (CVE-2023-38559)
+    (Closes: #1043033)
+  * IJS device - try and secure the IJS server startup (CVE-2023-43115)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 29 Sep 2023 14:33:30 +0200
+
 ghostscript (10.0.0~dfsg-11+deb12u1) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
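Review bot: the CVE-2023-38559 changelog entry reads as though devices/gdevpcx.c is the file being changed, but the 0005 patch below modifies base/gdevdevn.c (the upstream subject means the fix was copied from gdevpcx.c into gdevdevn.c); consider wording it "Copy pcx buffer overrun fix from devices/gdevpcx.c into base/gdevdevn.c (CVE-2023-38559)" so the entry names the file that actually changes. The CVE-2023-43115 entry carries no "Closes:" reference, which is fine if no Debian bug was filed for it.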
diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
--- ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch	1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch	2023-09-29 14:17:17.000000000 +0200
@@ -0,0 +1,28 @@
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: Bug 706897: Copy pcx buffer overrun fix from devices/gdevpcx.c
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
+Bug-Debian: https://bugs.debian.org/1043033
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-38559
+
+Bounds check the buffer, before dereferencing the pointer.
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index 7b14d9c712b4..6351fb77ac75 100644
+--- a/base/gdevdevn.c
++++ b/base/gdevdevn.c
+@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
+         byte data = *from;
+ 
+         from += step;
+-        if (data != *from || from == end) {
++        if (from >= end || data != *from) {
+             if (data >= 0xc0)
+                 gp_fputc(0xc1, file);
+         } else {
+-- 
+2.40.1
+
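Review bot: the reordering in the gdevdevn.c hunk is the whole fix: the old condition `data != *from || from == end` dereferenced `from` before comparing it with `end`, so the final pixel of each run read one byte past the buffer, and with `step > 1` `from` can jump beyond `end`, which `from == end` never catches; the new `from >= end || data != *from` short-circuits before the read and also covers the overshoot. The else branch that follows (not shown in the hunk) also advances `from` by `step`, so it is worth confirming it guards with the same `from < end` style test rather than an equality check.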
diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch
--- ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch	1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch	2023-09-29 14:22:09.000000000 +0200
@@ -0,0 +1,58 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: IJS device - try and secure the IJS server startup
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-43115
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+---
+ devices/gdevijs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 8cbd84b978cc..16f5a17520e8 100644
+--- a/devices/gdevijs.c
++++ b/devices/gdevijs.c
+@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
+     static const char rgb[] = "DeviceRGB";
+     gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ 
++    if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++        return_error(gs_error_invalidaccess);
+     if (!ijsdev->ColorSpace) {
+         ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
+                                        "gsijs_initialize");
+@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+     if (code >= 0)
+         code = gsijs_read_string(plist, "IjsServer",
+             ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+-            dev->LockSafetyParams, is_open);
++            ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+ 
+     if (code >= 0)
+         code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+-- 
+2.40.1
+
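Review bot: in the gsijs_put_params hunk, `gsijs_read_string` now receives `ijsdev->memory->gs_lib_ctx->core->path_control_active` in the slot that used to take `dev->LockSafetyParams`; the helper's signature is not in the hunk, so confirm that parameter is a plain int/bool "locked" flag so the new value keeps the same reject-when-set meaning. The new check in gsijs_initialize_device returns `gs_error_invalidaccess` only once path control is active, so a device selected with `-sDEVICE=ijs` on the command line depends on being initialised before SAFER is activated (the commit message says this is the intended configuration path); since the bug report lists a manual test for this CVE, it would help to record that the command-line selection was exercised and still works.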
diff -Nru ghostscript-10.0.0~dfsg/debian/patches/series ghostscript-10.0.0~dfsg/debian/patches/series
--- ghostscript-10.0.0~dfsg/debian/patches/series	2023-07-02 10:47:35.000000000 +0200
+++ ghostscript-10.0.0~dfsg/debian/patches/series	2023-09-29 14:22:20.000000000 +0200
@@ -2,6 +2,8 @@
 0002_Graphics-library-prevent-buffer-overrun-in-T-BCP-enc.patch
 0003_Bug-706761-Don-t-reduce-pipe-file-names-for-permissi.patch
 0004_Bug-706778-706761-revisit.patch
+0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
+0006-IJS-device-try-and-secure-the-IJS-server-startup.patch
 1004_enable_spot_devices.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch
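Review bot: style only: the two new entries use a hyphen after the sequence number (0005-..., 0006-...) while the existing numbered entries use an underscore (0002_..., 0003_..., 0004_...); the names come straight from git format-patch and work as-is, but renaming them to the underscore form would keep series uniform.

The ordering issue behind the CVE-2023-38559 hunk above, as an added example (not code from the ghostscript package or from the patch): a reconstructed PCX run-length writer in the shape of devn_pcx_write_rle that writes to a buffer instead of a gp_file, with a switch that emulates the pre-fix condition so the out-of-bounds read is counted rather than performed. SAMPLE, OUT, last_oob and sample_encode are constructed for this example.

```c
#include <stddef.h>
typedef unsigned char byte;

/* Constructed sample plane: three 0x10, a lone 0xd0 (>= 0xC0), then 0x20. */
static const byte SAMPLE[] = { 0x10, 0x10, 0x10, 0xd0, 0x20 };
static byte OUT[32];   /* encoded output of the last sample_encode() */
static int last_oob;   /* out-of-bounds reads counted by that call */

/* PCX run-length writer in the shape of Ghostscript's devn_pcx_write_rle
 * (reconstructed for illustration, not the project's code; writes to a buffer
 * rather than a gp_file). 'step' walks one plane of interleaved data.
 * fixed != 0: post-fix ordering, the bound is tested before *from is read.
 * fixed == 0: emulates the pre-fix 'data != *from || from == end', which read
 * first; a read at or past 'end' is counted in *oob and treated as a mismatch
 * instead of actually touching memory. */
static size_t
pcx_rle_encode(const byte *from, const byte *end, int step, int fixed,
               byte *out, int *oob)
{
    size_t n = 0;
    int max_run = step * 62;   /* one count byte encodes at most 63 repeats */
    while (from < end) {
        byte data = *from;
        from += step;
        if (!fixed && from >= end)
            (*oob)++;               /* old code would dereference *from here */
        if (from >= end || data != *from) {
            if (data >= 0xc0)
                out[n++] = 0xc1;    /* a literal >= 0xC0 needs a count byte */
        } else {
            const byte *start = from;
            while (from < end && *from == data && from - start < max_run)
                from += step;
            out[n++] = (byte)((from - start) / step + 0xc1);
        }
        out[n++] = data;
    }
    return n;
}

/* Encode SAMPLE with 'step' and the chosen ordering into OUT; return the
 * encoded length and leave the out-of-bounds read count in last_oob. */
static size_t
sample_encode(int step, int fixed)
{
    last_oob = 0;
    return pcx_rle_encode(SAMPLE, SAMPLE + sizeof SAMPLE, step, fixed, OUT,
                          &last_oob);
}
```

With step 2 the old ordering overshoots `end` by one (from becomes 6 for a 5-byte plane), which is the case an `== end` test can never catch.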
