authorJ0WI <J0WI@users.noreply.github.com>2019-08-29 23:21:40 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2019-09-03 14:19:27 +0000
commit47e96eb4a65356706c4e6344e74859d045d38237 (patch)
tree7cfadb5a6f21454e2f919940be7dfa38d79595c6 /main/ghostscript
parent21cda98b4088fa861bf13a87262666d54673e54f (diff)
main/ghostscript: add security patches
Diffstat (limited to 'main/ghostscript')
-rw-r--r--main/ghostscript/APKBUILD10
-rw-r--r--main/ghostscript/forceput-inaccessible.patch63
2 files changed, 71 insertions, 2 deletions
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index 02999ebc1d..26b4e9fc19 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.27
-pkgrel=2
+pkgrel=3
pkgdesc="An interpreter for the PostScript language and for PDF"
url="https://ghostscript.com/"
arch="all"
@@ -17,9 +17,14 @@ source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/
ghostscript-system-zlib.patch
fix-sprintf.patch
CVE-2019-10216.patch
+ forceput-inaccessible.patch
"
# secfixes:
+# 9.27-r3:
+# - CVE-2019-14811
+# - CVE-2019-14812
+# - CVE-2019-14813
# 9.27-r2:
# - CVE-2019-10216
# 9.26-r2:
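Review bot: The three CVE ids added under `# 9.27-r3:` cannot be traced to a fix from the APKBUILD alone, because the only new source entry is `forceput-inaccessible.patch`, and that patch's own header cites bugs #701343, #701344 and #701345 but no CVE id. The secfixes block is presumably what downstream tooling reads to decide the package is fixed, so the mapping deserves to be written down where a later maintainer will see it. A comment placed just above `# secfixes:` would do, for example `# forceput-inaccessible.patch: upstream 885444fcbe10, bugs 701343/701344/701345`. The existing `CVE-2019-10216.patch` is named after its CVE, so the new file also breaks the naming pattern; the `source=` list and the secfixes block both continue outside this hunk.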
@@ -130,4 +135,5 @@ sha512sums="9ad7bd24b6d9b7d258e943783817be036a2e0234517baffa1016804ef9b6f3062fb5
289d916a0b0da410e6f721e42bc44659c91c66ca0f7b96b1a6b010ae1c25e47788e282edc3578b4e4b120a2c684c7b1fd4cc574084bdc9cbbf6e431a01fbae0e 0001-Bug700317-Address-.force-operators-exposure.tgz
70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch
beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch
-f89744b17922b7d9c04c6de69ce35fa621732e4373eccc158b7ff6a9e56d2cf0bbea30c28119f4808864ca584e94342e5125d7bcc6195252455b5f223f379e3f CVE-2019-10216.patch"
+f89744b17922b7d9c04c6de69ce35fa621732e4373eccc158b7ff6a9e56d2cf0bbea30c28119f4808864ca584e94342e5125d7bcc6195252455b5f223f379e3f CVE-2019-10216.patch
+d7045aa5a02a3fc882552da0b9a60ea565a36d5d038cdf576dc7188158dc05a470ce9fa40bdf1e1003a48995f6707431980910372da549918caf789eb3a2f81f forceput-inaccessible.patch"
diff --git a/main/ghostscript/forceput-inaccessible.patch b/main/ghostscript/forceput-inaccessible.patch
new file mode 100644
index 0000000000..d2bfe9f43f
--- /dev/null
+++ b/main/ghostscript/forceput-inaccessible.patch
@@ -0,0 +1,63 @@
+From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 20 Aug 2019 10:10:28 +0100
+Subject: [PATCH] make .forceput inaccessible
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+---
+ Resource/Init/gs_lev2.ps | 6 +++---
+ Resource/Init/gs_pdfwr.ps | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 4cc7f82..0fd4164 100644
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+ {
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ % A context switch might have occurred during the above loop,
+ % causing the interpreter-level parameters to be reset.
+ % Set them again to the new values. From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+ { pop pop
+ }
+ ifelse
+- }
++ } executeonly
+ forall pop
+-} .bind odef
++} .bind executeonly odef
+
+ % Initialize the passwords.
+ % NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index c158a8f..422e66e 100644
+--- a/Resource/Init/gs_pdfwr.ps
++++ b/Resource/Init/gs_pdfwr.ps
+@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
+ systemdict /.pdf_hooked_DSC_Creator //true .forceput
+ } executeonly if
+ pop
+- } if
++ } executeonly if
+ } {
+ pop
+ } ifelse
+- }
++ } executeonly
+ {
+ pop
+ } ifelse
+--
+2.9.1
+
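Review bot: In the first gs_lev2.ps hunk (`@@ -158,7 +158,7 @@`) only the `forall` body gains `executeonly`, and the definition enclosing it begins and ends outside the hunk. It therefore cannot be confirmed from here that the outer procedure is closed to reading the way the second hunk's `} .bind executeonly odef` is. The hardening is only as complete as the set of procedure bodies that reference `.forceput` and are marked execute-only, so the patched `gs_lev2.ps` and `gs_pdfwr.ps` in the 9.27 tree should be checked for any remaining readable body before the secfixes entry is relied on. The patch was written against upstream git rather than the 9.27 tarball (inferred from the `From 885444fc…` header), so it is also worth confirming that it applies without fuzz or offset in both files.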