1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
From ed607fedbcd41f4a0e71df6af4ba5b07dd630209 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 7 Jun 2023 10:23:06 +0100
Subject: [PATCH 1/2] Bug 706761: Don't "reduce" %pipe% file names for
permission validation
For regular file names, we try to simplfy relative paths before we use them.
Because the %pipe% device can, effectively, accept command line calls, we
shouldn't be simplifying that string, because the command line syntax can end
up confusing the path simplifying code. That can result in permitting a pipe
command which does not match what was originally permitted.
Special case "%pipe" in the validation code so we always deal with the entire
string.
Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea]
CVE: CVE-2023-36664
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
base/gpmisc.c | 31 +++++++++++++++++++--------
base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
2 files changed, 64 insertions(+), 23 deletions(-)
diff --git a/base/gpmisc.c b/base/gpmisc.c
index 8b6458a..c61ab3f 100644
--- a/base/gpmisc.c
+++ b/base/gpmisc.c
@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
prefix_len = 0;
}
- rlen = len+1;
- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
- if (bufferfull == NULL)
- return gs_error_VMerror;
-
- buffer = bufferfull + prefix_len;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
+ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+ buffer = bufferfull + prefix_len;
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
while (1) {
switch (mode[0])
{
diff --git a/base/gslibctx.c b/base/gslibctx.c
index 5bf497b..5fdfe25 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -734,14 +734,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type, co
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len + 1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++)
@@ -827,14 +841,28 @@ gs_remove_control_path_len_flags(const gs_memory_t *mem, gs_path_control_t type,
return gs_error_rangecheck;
}
- rlen = len+1;
- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
- if (buffer == NULL)
- return gs_error_VMerror;
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+ memcpy(buffer, path, len);
+ buffer[len] = 0;
+ rlen = len;
+ }
+ else {
+ rlen = len+1;
- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
- return gs_error_invalidfileaccess;
- buffer[rlen] = 0;
+ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+
+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+ return gs_error_invalidfileaccess;
+ buffer[rlen] = 0;
+ }
n = control->num;
for (i = 0; i < n; i++) {
--
2.40.1
|
