diff options
author | Juergen Daubert <jue@jue.li> | 2017-04-28 18:24:53 +0200 |
---|---|---|
committer | Juergen Daubert <jue@jue.li> | 2017-04-28 18:24:53 +0200 |
commit | 108ec6ca15de6859f2da425bc37f49f9aa119560 (patch) | |
tree | 1efbd93ea116af0393e4a877877eb18bdd35f35c /ghostscript | |
parent | 6770bdee73fd3ff5c2545da91d3937966ecc33fc (diff) | |
download | opt-108ec6ca15de6859f2da425bc37f49f9aa119560.tar.gz opt-108ec6ca15de6859f2da425bc37f49f9aa119560.tar.xz |
[notify] ghostscript: security fix for CVE-2017-{5951,7207,8291}
Diffstat (limited to 'ghostscript')
-rw-r--r-- | ghostscript/.md5sum | 3 | ||||
-rw-r--r-- | ghostscript/.signature | 7 | ||||
-rw-r--r-- | ghostscript/CVE-2017-5951.patch | 37 | ||||
-rw-r--r-- | ghostscript/CVE-2017-7207.patch | 31 | ||||
-rw-r--r-- | ghostscript/CVE-2017-8291.patch | 84 | ||||
-rw-r--r-- | ghostscript/Pkgfile | 9 |
6 files changed, 167 insertions, 4 deletions
diff --git a/ghostscript/.md5sum b/ghostscript/.md5sum index 3e907eb70..650150570 100644 --- a/ghostscript/.md5sum +++ b/ghostscript/.md5sum @@ -1,2 +1,5 @@ +beaa36aa16eb106f887d82e79c6a2a8e CVE-2017-5951.patch +d4d9df9208e82d0acb281902207c96ba CVE-2017-7207.patch +f11a4eb98c9509bbffedbcdc49897d7b CVE-2017-8291.patch 631beea7aa1f70f2cdca14e0308b8801 ghostscript-9.21.tar.xz 6865682b095f8c4500c54b285ff05ef6 ghostscript-fonts-std-8.11.tar.gz diff --git a/ghostscript/.signature b/ghostscript/.signature index 305ef7416..71994b060 100644 --- a/ghostscript/.signature +++ b/ghostscript/.signature @@ -1,6 +1,9 @@ untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/XupFnAOzCWOVK6hjneL+ca49i27wsc31kgyf+4S9fTuTEs0xkSdAl3DTsQibRDRwg/Pcu4gpwa1vTOmld4n4wE= -SHA256 (Pkgfile) = e361dcbebd28da381e99d941b1b32bee86b7651912320cd935833c70f572946a +RWSE3ohX2g5d/Rk1akQWsf9+QYM6accX0vBc2uhyN+5kdiy5PhssYjtGc9bCC/GX+hmTVXjhuoebKkR4hQfZ6Y5ed1VQj/w9mAw= +SHA256 (Pkgfile) = 3a98afbb46c99ef4845ee8d815cdb2d2f82fb103bffccaf45ede771b7cff08f1 SHA256 (.footprint) = e854d143e199c879f19edfb91138e4b9741952099d12819fd068599f3719c351 SHA256 (ghostscript-9.21.tar.xz) = 2be1d014888a34187ad4bbec19ab5692cc943bd1cb14886065aeb43a3393d053 SHA256 (ghostscript-fonts-std-8.11.tar.gz) = 0eb6f356119f2e49b2563210852e17f57f9dcc5755f350a69a46a0d641a0c401 +SHA256 (CVE-2017-5951.patch) = bab355f618437dc24ca9cd464ffdd9dd3a00e336164027878d638e5530f85494 +SHA256 (CVE-2017-7207.patch) = 956c6702b14cf7370b4f4fca484e1fd3c042a427733d384177ecbb6ee3e56f5e +SHA256 (CVE-2017-8291.patch) = d7932b6f149b88b9daad6ffe2d7cf85b98e5ef7698205b03301ef3002e6de7e2 diff --git a/ghostscript/CVE-2017-5951.patch b/ghostscript/CVE-2017-5951.patch new file mode 100644 index 000000000..92f4e0632 --- /dev/null +++ b/ghostscript/CVE-2017-5951.patch @@ -0,0 +1,37 @@ +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5951 +# https://bugs.ghostscript.com/show_bug.cgi?id=697548 + +commit bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 +Author: Chris Liddell <chris.liddell@artifex.com> +Date: Thu Apr 6 16:44:54 2017 +0100 + + Bug 697548: use the correct param list enumerator + + When we encountered dictionary in a ref_param_list, we were using the enumerator + for the "parent" param_list, rather than the enumerator for the param_list + we just created for the dictionary. That parent was usually the stack + list enumerator, and caused a segfault. + + Using the correct enumerator works better. + +diff --git a/psi/iparam.c b/psi/iparam.c +index 4e63b6d25..b2fa85fa2 100644 +--- a/psi/iparam.c ++++ b/psi/iparam.c +@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey, + gs_param_enumerator_t enumr; + gs_param_key_t key; + ref_type keytype; ++ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list; + + param_init_enumerator(&enumr); +- if (!(*((iparam_list *) plist)->enumerate) +- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype) ++ if (!(*(dlist->enumerate)) ++ ((iparam_list *) dlist, &enumr, &key, &keytype) + && keytype == t_integer) { +- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1; ++ dlist->int_keys = 1; + pvalue->type = gs_param_type_dict_int_keys; + } + } diff --git a/ghostscript/CVE-2017-7207.patch b/ghostscript/CVE-2017-7207.patch new file mode 100644 index 000000000..8f68de8db --- /dev/null +++ b/ghostscript/CVE-2017-7207.patch @@ -0,0 +1,31 @@ +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7207 +# https://bugs.ghostscript.com/show_bug.cgi?id=697676 + +commit 309eca4e0a31ea70dcc844812691439312dad091 +Author: Ken Sharp <ken.sharp@artifex.com> +Date: Mon Mar 20 09:34:11 2017 +0000 + + Ensure a device has raster memory, before trying to read it. + + Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()" + + This is only possible by abusing/mis-using Ghostscript-specific + language extensions, so cannot happen in a general PostScript program. + + Nevertheless, Ghostscript should not crash. So this commit checks the + memory device to see if raster memory has been allocated, before trying + to read from it. + +diff --git a/base/gdevmem.c b/base/gdevmem.c +index afd05bdb3..d52d68414 100644 +--- a/base/gdevmem.c ++++ b/base/gdevmem.c +@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, + GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE; + return_error(gs_error_rangecheck); + } ++ if (mdev->line_ptrs == 0x00) ++ return_error(gs_error_rangecheck); + if ((w <= 0) | (h <= 0)) { + if ((w | h) < 0) + return_error(gs_error_rangecheck); diff --git a/ghostscript/CVE-2017-8291.patch b/ghostscript/CVE-2017-8291.patch new file mode 100644 index 000000000..713bf971d --- /dev/null +++ b/ghostscript/CVE-2017-8291.patch @@ -0,0 +1,84 @@ +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8291 +# https://bugs.ghostscript.com/show_bug.cgi?id=697799 + +commit 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 +Author: Chris Liddell <chris.liddell@artifex.com> +Date: Thu Apr 27 13:03:33 2017 +0100 + + Bug 697799: have .eqproc check its parameters + + The Ghostscript custom operator .eqproc was not check the number or type of + the parameters it was given. + +diff --git a/psi/zmisc3.c b/psi/zmisc3.c +index 54b304246..37293ff4b 100644 +--- a/psi/zmisc3.c ++++ b/psi/zmisc3.c +@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p) + ref2_t stack[MAX_DEPTH + 1]; + ref2_t *top = stack; + ++ if (ref_stack_count(&o_stack) < 2) ++ return_error(gs_error_stackunderflow); ++ if (!r_is_array(op - 1) || !r_is_array(op)) { ++ return_error(gs_error_typecheck); ++ } ++ + make_array(&stack[0].proc1, 0, 1, op - 1); + make_array(&stack[0].proc2, 0, 1, op); + for (;;) { +commit 04b37bbce174eed24edec7ad5b920eb93db4d47d +Author: Chris Liddell <chris.liddell@artifex.com> +Date: Thu Apr 27 13:21:31 2017 +0100 + + Bug 697799: have .rsdparams check its parameters + + The Ghostscript internal operator .rsdparams wasn't checking the number or + type of the operands it was being passed. Do so. + +diff --git a/psi/zfrsd.c b/psi/zfrsd.c +index 191107d8a..950588d69 100644 +--- a/psi/zfrsd.c ++++ b/psi/zfrsd.c +@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p) + ref *pFilter; + ref *pDecodeParms; + int Intent = 0; +- bool AsyncRead; ++ bool AsyncRead = false; + ref empty_array, filter1_array, parms1_array; + uint i; +- int code; ++ int code = 0; ++ ++ if (ref_stack_count(&o_stack) < 1) ++ return_error(gs_error_stackunderflow); ++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) { ++ return_error(gs_error_typecheck); ++ } + + make_empty_array(&empty_array, a_readonly); +- if (dict_find_string(op, "Filter", &pFilter) > 0) { ++ if (r_has_type(op, t_dictionary) ++ && dict_find_string(op, "Filter", &pFilter) > 0) { + if (!r_is_array(pFilter)) { + if (!r_has_type(pFilter, t_name)) + return_error(gs_error_typecheck); +@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p) + return_error(gs_error_typecheck); + } + } +- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); ++ if (r_has_type(op, t_dictionary)) ++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); + if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */ + return code; +- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0 +- ) +- return code; ++ if (r_has_type(op, t_dictionary)) ++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) ++ return code; + push(1); + op[-1] = *pFilter; + if (pDecodeParms) diff --git a/ghostscript/Pkgfile b/ghostscript/Pkgfile index 63487bbc2..18685d203 100644 --- a/ghostscript/Pkgfile +++ b/ghostscript/Pkgfile @@ -5,13 +5,18 @@ name=ghostscript version=9.21 -release=1 +release=2 source=(https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${version/./}/$name-$version.tar.xz - http://downloads.sourceforge.net/sourceforge/gs-fonts/$name-fonts-std-8.11.tar.gz) + http://downloads.sourceforge.net/sourceforge/gs-fonts/$name-fonts-std-8.11.tar.gz + CVE-2017-5951.patch CVE-2017-7207.patch CVE-2017-8291.patch) build () { cd $name-$version + patch -p1 -i $SRC/CVE-2017-5951.patch + patch -p1 -i $SRC/CVE-2017-7207.patch + patch -p1 -i $SRC/CVE-2017-8291.patch + ./configure --prefix=/usr \ --enable-cups \ --disable-gtk \ |