authorChristian Persch <chpe@src.gnome.org>2018-10-20 00:17:47 +0200
committerChristian Persch <chpe@src.gnome.org>2018-10-20 00:17:47 +0200
commit75e154f89565af475ef4c9c9a01a805eadb9405e (patch)
treef971870b3ae7efc195945f852147671c644fa8da
parent48696f7e724923564dd6c8908afdb7c9d4893f02 (diff)
spectre-gs: Enforce minimum ghostscript version
Ghostscript versions before 9.24 had a critical vulnerability that allowed escaping -dSAFER; refuse to do anything if the version is less than 9.24.
https://gitlab.freedesktop.org/libspectre/libspectre/issues/25
-rw-r--r--configure.ac2
-rw-r--r--libspectre/spectre-gs.c12
2 files changed, 12 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac
index ac040c3..47f5d05 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,7 +63,7 @@ AC_CHECK_FUNC(vasprintf, [ AC_DEFINE(HAVE_VASPRINTF, 1, [Define if the 'vasprint
AC_CHECK_FUNC(_vscprintf, [ AC_DEFINE(HAVE__VSCPRINTF, 1, [Define if the '_vscprintf' function is available.]) ])
-LIBGS_REQUIRED="8.62"
+LIBGS_REQUIRED="9.24"
AC_CHECK_LIB(gs, gsapi_new_instance, have_libgs=yes, have_libgs=no)
if test "x$have_libgs" = "xyes"; then
diff --git a/libspectre/spectre-gs.c b/libspectre/spectre-gs.c
index 414175a..f586321 100644
--- a/libspectre/spectre-gs.c
+++ b/libspectre/spectre-gs.c
@@ -29,6 +29,11 @@
#include <ghostscript/iapi.h>
#include <ghostscript/ierrors.h>
+/* Ghostscript before version 9.24 has a critial vulnerability
+ * where -dSAFER could be escaped from.
+ */
+#define GS_MIN_VERSION (924)
+
/* e_ macros have been removed from Ghostscript in 9.18. */
#ifndef e_Fatal
#define e_Fatal gs_error_Fatal
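Review bot: The minimum version is now written down twice, as `LIBGS_REQUIRED="9.24"` in configure.ac and as `GS_MIN_VERSION (924)` here, and the comment does not tell a maintainer that the two must be raised together or how 9.24 becomes 924. I would extend the comment along the lines of `/* Keep in sync with LIBGS_REQUIRED in configure.ac; compared against spectre_gs_get_version(), where 9.24 is 924. */` and fix the typo "critial" to "critical". It is also worth saying why a runtime floor exists next to the configure check, presumably because the Ghostscript library found at run time can be older than the one present at build time.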
@@ -166,8 +171,13 @@ int
spectre_gs_create_instance (SpectreGS *gs,
void *caller_handle)
{
+ int version;
int error;
-
+
+ version = spectre_gs_get_version ();
+ if (version < GS_MIN_VERSION)
+ return FALSE;
+
error = gsapi_new_instance (&gs->ghostscript_instance, caller_handle);
if (!critic_error_code (error)) {
gsapi_set_stdio (gs->ghostscript_instance,
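Review bot: The early `return FALSE;` taken when `version < GS_MIN_VERSION` reports nothing, so a caller cannot tell a refused Ghostscript from any other instance-creation failure and a user on an old library only sees rendering fail. A diagnostic at that point naming the detected and the required version would make the refusal actionable; at minimum add a comment above the check such as `/* Fail closed: never start a Ghostscript older than GS_MIN_VERSION, -dSAFER cannot be relied on there. */`. What spectre_gs_get_version() returns when it cannot determine the version is not visible in this hunk; it should be confirmed that such a value compares below GS_MIN_VERSION so the check still fails closed. The body of spectre_gs_create_instance continues past the end of the hunk.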