gnu/packages/patches/ghostscript-CVE-2013-5653.patch

   1 The following patch was adapted for GNU Ghostscript
   2 by Mark H Weaver <mhw@netris.org> based on:
   3
   4 http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
   5
   6 From ab109aaeb3ddba59518b036fb288402a65cf7ce8 Mon Sep 17 00:00:00 2001
   7 From: Chris Liddell <chris.liddell@artifex.com>
   8 Date: Sat, 5 Mar 2016 14:56:03 -0800
   9 Subject: [PATCH] Bug 694724: Have filenameforall and getenv honor SAFER
  10
  11 ---
  12  Resource/Init/gs_init.ps |  2 ++
  13  psi/zfile.c              | 36 ++++++++++++++++++++----------------
  14  2 files changed, 22 insertions(+), 16 deletions(-)
  15
  16 diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
  17 index fa33d88..99888ac 100644
  18 --- a/Resource/Init/gs_init.ps
  19 +++ b/Resource/Init/gs_init.ps
  20 @@ -2018,6 +2018,7 @@ readonly def
  21
  22  /.locksafe {
  23    .locksafe_userparams
  24 +  systemdict /getenv {pop //false} put
  25    % setpagedevice has the side effect of clearing the page, but
  26    % we will just document that. Using setpagedevice keeps the device
  27    % properties and pagedevice .LockSafetyParams in agreement even
  28 @@ -2036,6 +2037,7 @@ readonly def
  29  %%
  30  /.locksafeglobal {
  31    .locksafe_userparams
  32 +  systemdict /getenv {pop //false} put
  33    % setpagedevice has the side effect of clearing the page, but
  34    % we will just document that. Using setpagedevice keeps the device
  35    % properties and pagedevice .LockSafetyParams in agreement even
  36 diff --git a/psi/zfile.c b/psi/zfile.c
  37 index 320ecd5..0b9f299 100644
  38 --- a/psi/zfile.c
  39 +++ b/psi/zfile.c
  40 @@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p)
  41
  42      if (len < devlen)
  43          return_error(e_rangecheck);     /* not even room for device len */
  44 -    memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
  45 -    code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
  46 -                len - devlen);
  47 -    if (code == ~(uint) 0) {    /* all done */
  48 -        esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
  49 -        return o_pop_estack;
  50 -    } else if (code > len)      /* overran string */
  51 -        return_error(e_rangecheck);
  52 -    else {
  53 -        push(1);
  54 -        ref_assign(op, pscratch);
  55 -        r_set_size(op, code + devlen);
  56 -        push_op_estack(file_continue);  /* come again */
  57 -        *++esp = pscratch[2];   /* proc */
  58 -        return o_push_estack;
  59 -    }
  60 +
  61 +    do {
  62 +        memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
  63 +        code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
  64 +                    len - devlen);
  65 +        if (code == ~(uint) 0) {    /* all done */
  66 +            esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
  67 +            return o_pop_estack;
  68 +        } else if (code > len)      /* overran string */
  69 +            return_error(e_rangecheck);
  70 +        else if (iodev != iodev_default(imemory)
  71 +              || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
  72 +            push(1);
  73 +            ref_assign(op, pscratch);
  74 +            r_set_size(op, code + devlen);
  75 +            push_op_estack(file_continue);  /* come again */
  76 +            *++esp = pscratch[2];   /* proc */
  77 +            return o_push_estack;
  78 +        }
  79 +    } while(1);
  80  }
  81  /* Cleanup procedure for enumerating files */
  82  static int
  83 --
  84 2.9.1
  85