From: Ken Sharp
Date: Tue, 20 Aug 2019 10:10:28 +0100
Subject: make .forceput inaccessible
Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701443
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14813
Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701444
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14812
Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701445
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14811

Bug #701343, #701344, #701345

More defensive programming. We don't want people to access .forecput even though it is no longer sufficient to bypass SAFER. The exploit in #701343 didn't work anyway because of earlier work to stop the error handler being used, but nevertheless, prevent access to .forceput from .setuserparams2.
---
 Resource/Init/gs_lev2.ps | 6 +++---
 Resource/Init/gs_pdfwr.ps | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
index 4cc7f820f765..0fd4164650ab 100644
--- a/Resource/Init/gs_lev2.ps
+++ b/Resource/Init/gs_lev2.ps
@@ -158,7 +158,7 @@ end
 { pop pop } ifelse
-} forall
+} executeonly forall
 % A context switch might have occurred during the above loop,
 % causing the interpreter-level parameters to be reset.
 % Set them again to the new values. From here on, we are safe,
@@ -229,9 +229,9 @@ end
 { pop pop } ifelse
-}
+} executeonly
 forall pop
-} .bind odef
+} .bind executeonly odef
 % Initialize the passwords.
 % NOTE: the names StartJobPassword and SystemParamsPassword are known to
diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
index c158a8faf540..422e66e1a6ca 100644
--- a/Resource/Init/gs_pdfwr.ps
+++ b/Resource/Init/gs_pdfwr.ps
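Review bot: `executeonly` on the `forall` body only stops its contents being read; it does not stop the body being executed with a crafted operand stack if a reference to it can still be obtained, and the procedure that encloses this loop starts and ends outside the hunk, so whether its own `} .bind odef` also gained `executeonly` (as the second hunk does for .setuserparams2) cannot be confirmed here. If the enclosing procedure stayed readable, the loop body is still reachable through it. A one-line comment above the loop would make the intent reviewable, e.g. `% executeonly: the loop body below must never be readable from user PostScript (it is presumably where .forceput is used, per the commit message)`, with the .forceput claim confirmed against the lines above the hunk.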
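Review bot: In the second hunk the inner `} executeonly` is applied at construction time, i.e. before the outer `.bind` at `} .bind executeonly odef` runs; if `.bind` follows PLRM `bind` semantics and skips nested procedures that lack unlimited access, the forall body will no longer be bound and names such as `forall`, `pop` and whatever precedes `{ pop pop } ifelse` would be looked up through the dictionary stack at run time, which is a redefinition risk in exactly the procedure this commit is hardening. Please confirm this interpreter's `.bind` descends into execute-only nested procedures; if it does not, bind the body first (`} .bind executeonly forall pop` or `//` references) before marking it. Either way the ordering deserves a comment, e.g. `% NOTE: .bind must run before executeonly; an execute-only procedure may not be bound`.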
@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
 systemdict /.pdf_hooked_DSC_Creator //true .forceput
 } executeonly if
 pop
-} if
+} executeonly if
 } {
 pop
 } ifelse
-}
+} executeonly
 {
 pop
 } ifelse
-- 
2.23.0.rc1
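Review bot: Three nesting levels are now marked `executeonly` in this hunk (the existing `} executeonly if` around the `.forceput`, the new `} executeonly if`, and the new `} executeonly` on the ifelse branch) with no comment saying why, so the next editor who adds a level will not know it must be marked too; suggest `% executeonly at every level: this branch .forceput's into systemdict and must not be readable or extractable from user PostScript` above the branch. The procedure that encloses this `ifelse` starts before the hunk, so whether that outermost level is itself execute-only (or otherwise unreachable) cannot be checked from the patch; if it is readable, the now-hidden branches can still be fetched and executed from it. The `{ pop } ifelse` else-branches stay readable, which is fine since they contain only `pop`.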