caa5f28b83
a/hwdata-0.322-noarch-1.txz: Upgraded. a/kernel-firmware-20190402_67b7579-noarch-1.txz: Upgraded. a/shadow-4.6-x86_64-2.txz: Rebuilt. adduser: reprompt on invalid user input. Thanks to ttk. ap/ghostscript-9.26-x86_64-2.txz: Rebuilt. Fixes security issues: A specially crafted PostScript file could have access to the file system outside of the constraints imposed by -dSAFER. Transient procedures can allow access to system operators, leading to remote code execution. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6116 (* Security fix *) d/vala-0.44.2-x86_64-1.txz: Upgraded. l/glib-networking-2.60.1-x86_64-1.txz: Upgraded. l/imagemagick-6.9.10_36-x86_64-1.txz: Upgraded. l/python-pillow-6.0.0-x86_64-1.txz: Upgraded. n/wget-1.20.2-x86_64-1.txz: Upgraded. Fixed an unspecified buffer overflow vulnerability. (* Security fix *)
From ed9fcd95bb01f0768bf273b2526732e381202319 Mon Sep 17 00:00:00 2001
|
|
From: Chris Liddell <chris.liddell@artifex.com>
|
|
Date: Wed, 20 Feb 2019 09:54:28 +0000
|
|
Subject: [PATCH 1/2] Bug 700576: Make a transient proc executeonly (in
|
|
DefineResource).
|
|
|
|
This prevents access to .forceput
|
|
|
|
Solution originally suggested by cbuissar@redhat.com.
|
|
---
|
|
Resource/Init/gs_res.ps | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
|
|
index d9b3459..b646329 100644
|
|
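--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
@@ -425,7 +425,7 @@ status {
 % so we have to use .forcedef here.
 /.Instances 1 index .forcedef % Category dict is read-only
 } executeonly if
- }
+ } executeonly
 { .LocalInstances dup //.emptydict eq
 { pop 3 dict localinstancedict Category 2 index put
 }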
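Review bot: The added `} executeonly` has no comment saying why the attribute is there, so a later cleanup could drop it without anyone noticing that it shields the nested `.forcedef` procedure a few lines above. A trailing comment would make the intent durable, for example `} executeonly % keep the nested .forcedef proc unreadable if this transient proc becomes reachable`. The same applies to the `} executeonly` added in patch 2/2. The commit message names `.forceput` while the visible context uses `.forcedef`; presumably both privileged operators are meant, but the enclosing procedure starts and ends outside the hunk, so that cannot be confirmed from here.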
|
|
--
|
|
2.20.1
|
|
|
|
|
|
From a82601e8f95a2f2147f3b3b9e44ec2b8f3a6be8b Mon Sep 17 00:00:00 2001
|
|
From: Chris Liddell <chris.liddell@artifex.com>
|
|
Date: Fri, 22 Feb 2019 12:28:23 +0000
|
|
Subject: [PATCH 2/2] Bug 700576(redux): an extra transient proc needs
|
|
executeonly'ed.
|
|
|
|
---
|
|
Resource/Init/gs_res.ps | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
|
|
index b646329..8c1f29f 100644
|
|
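--- a/Resource/Init/gs_res.ps
+++ b/Resource/Init/gs_res.ps
@@ -437,7 +437,7 @@ status {
 % Now make the resource value read-only.
 0 2 copy get { readonly } .internalstopped pop
 dup 4 1 roll put exch pop exch pop
- }
+ } executeonly
 { /defineresource cvx /typecheck signaloperror
 }
 ifelse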
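Review bot: This follow-up exists because patch 1/2 left an enclosing procedure readable, and nothing in either hunk records which layers have now been checked. The procedure closed by the new `} executeonly` presumably wraps the region touched by 1/2. Its own enclosing procedure lies outside the hunk, so whether that outer layer is also execute-only cannot be confirmed from here. A comment above the `ifelse` stating the invariant would help the next reviewer, e.g. `% every proc enclosing .forcedef/.forceput within DefineResource must be executeonly`. The commit message should also say that the remaining enclosing procedures were audited.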
|
|
--
|
|
2.20.1
|
|
|