[notify] ghostscript: security fix for CVE-2017-{5951,7207,8291}

6 files changed, 167 insertions, 4 deletions

diff --git a/ghostscript/.md5sum b/ghostscript/.md5sum
index 3e907eb70..650150570 100644
--- a/ghostscript/.md5sum
+++ b/ghostscript/.md5sum
@@ -1,2 +1,5 @@
+beaa36aa16eb106f887d82e79c6a2a8e  CVE-2017-5951.patch
+d4d9df9208e82d0acb281902207c96ba  CVE-2017-7207.patch
+f11a4eb98c9509bbffedbcdc49897d7b  CVE-2017-8291.patch
 631beea7aa1f70f2cdca14e0308b8801  ghostscript-9.21.tar.xz
 6865682b095f8c4500c54b285ff05ef6  ghostscript-fonts-std-8.11.tar.gz
diff --git a/ghostscript/.signature b/ghostscript/.signature
index 305ef7416..71994b060 100644
--- a/ghostscript/.signature
+++ b/ghostscript/.signature
@@ -1,6 +1,9 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/XupFnAOzCWOVK6hjneL+ca49i27wsc31kgyf+4S9fTuTEs0xkSdAl3DTsQibRDRwg/Pcu4gpwa1vTOmld4n4wE=
-SHA256 (Pkgfile) = e361dcbebd28da381e99d941b1b32bee86b7651912320cd935833c70f572946a
+RWSE3ohX2g5d/Rk1akQWsf9+QYM6accX0vBc2uhyN+5kdiy5PhssYjtGc9bCC/GX+hmTVXjhuoebKkR4hQfZ6Y5ed1VQj/w9mAw=
+SHA256 (Pkgfile) = 3a98afbb46c99ef4845ee8d815cdb2d2f82fb103bffccaf45ede771b7cff08f1
 SHA256 (.footprint) = e854d143e199c879f19edfb91138e4b9741952099d12819fd068599f3719c351
 SHA256 (ghostscript-9.21.tar.xz) = 2be1d014888a34187ad4bbec19ab5692cc943bd1cb14886065aeb43a3393d053
 SHA256 (ghostscript-fonts-std-8.11.tar.gz) = 0eb6f356119f2e49b2563210852e17f57f9dcc5755f350a69a46a0d641a0c401
+SHA256 (CVE-2017-5951.patch) = bab355f618437dc24ca9cd464ffdd9dd3a00e336164027878d638e5530f85494
+SHA256 (CVE-2017-7207.patch) = 956c6702b14cf7370b4f4fca484e1fd3c042a427733d384177ecbb6ee3e56f5e
+SHA256 (CVE-2017-8291.patch) = d7932b6f149b88b9daad6ffe2d7cf85b98e5ef7698205b03301ef3002e6de7e2
diff --git a/ghostscript/CVE-2017-5951.patch b/ghostscript/CVE-2017-5951.patch
new file mode 100644
index 000000000..92f4e0632
--- /dev/null
+++ b/ghostscript/CVE-2017-5951.patch
@@ -0,0 +1,37 @@
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5951
+# https://bugs.ghostscript.com/show_bug.cgi?id=697548
+
+commit bfa6b2ecbe48edc69a7d9d22a12419aed25960b8
+Author: Chris Liddell <chris.liddell@artifex.com>
+Date:   Thu Apr 6 16:44:54 2017 +0100
+
+    Bug 697548: use the correct param list enumerator
+    
+    When we encountered dictionary in a ref_param_list, we were using the enumerator
+    for the "parent" param_list, rather than the enumerator for the param_list
+    we just created for the dictionary. That parent was usually the stack
+    list enumerator, and caused a segfault.
+    
+    Using the correct enumerator works better.
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d25..b2fa85fa2 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+                 gs_param_enumerator_t enumr;
+                 gs_param_key_t key;
+                 ref_type keytype;
++                dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+ 
+                 param_init_enumerator(&enumr);
+-                if (!(*((iparam_list *) plist)->enumerate)
+-                    ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
++                if (!(*(dlist->enumerate))
++                    ((iparam_list *) dlist, &enumr, &key, &keytype)
+                     && keytype == t_integer) {
+-                    ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
++                    dlist->int_keys = 1;
+                     pvalue->type = gs_param_type_dict_int_keys;
+                 }
+             }
diff --git a/ghostscript/CVE-2017-7207.patch b/ghostscript/CVE-2017-7207.patch
new file mode 100644
index 000000000..8f68de8db
--- /dev/null
+++ b/ghostscript/CVE-2017-7207.patch
@@ -0,0 +1,31 @@
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7207
+# https://bugs.ghostscript.com/show_bug.cgi?id=697676
+
+commit 309eca4e0a31ea70dcc844812691439312dad091
+Author: Ken Sharp <ken.sharp@artifex.com>
+Date:   Mon Mar 20 09:34:11 2017 +0000
+
+    Ensure a device has raster memory, before trying to read it.
+    
+    Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
+    
+    This is only possible by abusing/mis-using Ghostscript-specific
+    language extensions, so cannot happen in a general PostScript program.
+    
+    Nevertheless, Ghostscript should not crash. So this commit checks the
+    memory device to see if raster memory has been allocated, before trying
+    to read from it.
+
+diff --git a/base/gdevmem.c b/base/gdevmem.c
+index afd05bdb3..d52d68414 100644
+--- a/base/gdevmem.c
++++ b/base/gdevmem.c
+@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
+             GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+         return_error(gs_error_rangecheck);
+     }
++    if (mdev->line_ptrs == 0x00)
++        return_error(gs_error_rangecheck);
+     if ((w <= 0) | (h <= 0)) {
+         if ((w | h) < 0)
+             return_error(gs_error_rangecheck);
diff --git a/ghostscript/CVE-2017-8291.patch b/ghostscript/CVE-2017-8291.patch
new file mode 100644
index 000000000..713bf971d
--- /dev/null
+++ b/ghostscript/CVE-2017-8291.patch
@@ -0,0 +1,84 @@
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8291
+# https://bugs.ghostscript.com/show_bug.cgi?id=697799
+
+commit 4f83478c88c2e05d6e8d79ca4557eb039354d2f3
+Author: Chris Liddell <chris.liddell@artifex.com>
+Date:   Thu Apr 27 13:03:33 2017 +0100
+
+    Bug 697799: have .eqproc check its parameters
+    
+    The Ghostscript custom operator .eqproc was not check the number or type of
+    the parameters it was given.
+
+diff --git a/psi/zmisc3.c b/psi/zmisc3.c
+index 54b304246..37293ff4b 100644
+--- a/psi/zmisc3.c
++++ b/psi/zmisc3.c
+@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
+     ref2_t stack[MAX_DEPTH + 1];
+     ref2_t *top = stack;
+ 
++    if (ref_stack_count(&o_stack) < 2)
++        return_error(gs_error_stackunderflow);
++    if (!r_is_array(op - 1) || !r_is_array(op)) {
++        return_error(gs_error_typecheck);
++    }
++
+     make_array(&stack[0].proc1, 0, 1, op - 1);
+     make_array(&stack[0].proc2, 0, 1, op);
+     for (;;) {
+commit 04b37bbce174eed24edec7ad5b920eb93db4d47d
+Author: Chris Liddell <chris.liddell@artifex.com>
+Date:   Thu Apr 27 13:21:31 2017 +0100
+
+    Bug 697799: have .rsdparams check its parameters
+    
+    The Ghostscript internal operator .rsdparams wasn't checking the number or
+    type of the operands it was being passed. Do so.
+
+diff --git a/psi/zfrsd.c b/psi/zfrsd.c
+index 191107d8a..950588d69 100644
+--- a/psi/zfrsd.c
++++ b/psi/zfrsd.c
+@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+     ref *pFilter;
+     ref *pDecodeParms;
+     int Intent = 0;
+-    bool AsyncRead;
++    bool AsyncRead = false;
+     ref empty_array, filter1_array, parms1_array;
+     uint i;
+-    int code;
++    int code = 0;
++
++    if (ref_stack_count(&o_stack) < 1)
++        return_error(gs_error_stackunderflow);
++    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++        return_error(gs_error_typecheck);
++    }
+ 
+     make_empty_array(&empty_array, a_readonly);
+-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
++    if (r_has_type(op, t_dictionary)
++        && dict_find_string(op, "Filter", &pFilter) > 0) {
+         if (!r_is_array(pFilter)) {
+             if (!r_has_type(pFilter, t_name))
+                 return_error(gs_error_typecheck);
+@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+                 return_error(gs_error_typecheck);
+         }
+     }
+-    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++    if (r_has_type(op, t_dictionary))
++        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+     if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
+         return code;
+-    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+-        )
+-        return code;
++    if (r_has_type(op, t_dictionary))
++        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++            return code;
+     push(1);
+     op[-1] = *pFilter;
+     if (pDecodeParms)
diff --git a/ghostscript/Pkgfile b/ghostscript/Pkgfile
index 63487bbc2..18685d203 100644
--- a/ghostscript/Pkgfile
+++ b/ghostscript/Pkgfile
@@ -5,13 +5,18 @@
 
 name=ghostscript
 version=9.21
-release=1
+release=2
 source=(https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${version/./}/$name-$version.tar.xz
-        http://downloads.sourceforge.net/sourceforge/gs-fonts/$name-fonts-std-8.11.tar.gz)
+        http://downloads.sourceforge.net/sourceforge/gs-fonts/$name-fonts-std-8.11.tar.gz
+        CVE-2017-5951.patch CVE-2017-7207.patch CVE-2017-8291.patch)
 
 build () {
     cd $name-$version
 
+    patch -p1 -i $SRC/CVE-2017-5951.patch
+    patch -p1 -i $SRC/CVE-2017-7207.patch
+    patch -p1 -i $SRC/CVE-2017-8291.patch
+
     ./configure --prefix=/usr \
                 --enable-cups \
                 --disable-gtk \