main/ghostscript: security fixes (fix CVE-2017-5951, CVE-2017-7207). Fixes #7309

3 files changed, 81 insertions, 2 deletions

diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index 697f2ffc73..0515ffe9e2 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Cameron Banta <cbanta@gmail.com>
 pkgname=ghostscript
 pkgver=9.21
-pkgrel=2
+pkgrel=3
 pkgdesc="An interpreter for the PostScript language and for PDF"
 url="http://ghostscript.com/"
 arch="all"
@@ -16,12 +16,17 @@ source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/
 	fix-sprintf.patch
 	fix-alignment.patch
 	CVE-2017-8291.patch
+	CVE-2017-7207.patch
+	CVE-2017-5951.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
 #   9.21-r2:
 #     - CVE-2017-8291
+#   9.21-r3:
+#     - CVE-2017-7207
+#     - CVE-2017-5951
 
 prepare() {
 	cd "$builddir"
@@ -116,4 +121,6 @@ sha512sums="c5ff632dc9b418ebeecaae796cecbaf9ffcb84d7a1b62c1af2e6c9082f7b9f24fe9d
 70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482  ghostscript-system-zlib.patch
 beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4  fix-sprintf.patch
 7c6f40217dc687df27ee6d33351fba12a737c2ae06d1c35208dc943776d8efa66c3e882f0b1b9aec566fad69fd28ce360cc243f1c1aa20834467e769889194f2  fix-alignment.patch
-c17121e564dd26033508199f3e587bfcee5589fec6e45e822c79f648c3a3b70363f04ad33538070c4d24c96e5795b277345359b66d2f360b996fca77239102b5  CVE-2017-8291.patch"
+c17121e564dd26033508199f3e587bfcee5589fec6e45e822c79f648c3a3b70363f04ad33538070c4d24c96e5795b277345359b66d2f360b996fca77239102b5  CVE-2017-8291.patch
+11ece0df5d5d5ae6d654033c42531a82db57a92aed462659d177e18234cf6d61719625368eb4448a2235bca9d6b3901696b30099642c57df57966def5850da9d  CVE-2017-7207.patch
+252d826bdf1e22c372312589e9b19067332c432eae748f2eb644bf32384925e8095ea7c218ca7bbf04bf384db42cca6b418cb6622a74d411da446776490516d8  CVE-2017-5951.patch"
diff --git a/main/ghostscript/CVE-2017-5951.patch b/main/ghostscript/CVE-2017-5951.patch
new file mode 100644
index 0000000000..c419e0653b
--- /dev/null
+++ b/main/ghostscript/CVE-2017-5951.patch
@@ -0,0 +1,39 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+
+Using the correct enumerator works better.
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+                 gs_param_enumerator_t enumr;
+                 gs_param_key_t key;
+                 ref_type keytype;
++                dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+ 
+                 param_init_enumerator(&enumr);
+-                if (!(*((iparam_list *) plist)->enumerate)
+-                    ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
++                if (!(*(dlist->enumerate))
++                    ((iparam_list *) dlist, &enumr, &key, &keytype)
+                     && keytype == t_integer) {
+-                    ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
++                    dlist->int_keys = 1;
+                     pvalue->type = gs_param_type_dict_int_keys;
+                 }
+             }
+-- 
+2.9.1
+
diff --git a/main/ghostscript/CVE-2017-7207.patch b/main/ghostscript/CVE-2017-7207.patch
new file mode 100644
index 0000000000..0cfa5942be
--- /dev/null
+++ b/main/ghostscript/CVE-2017-7207.patch
@@ -0,0 +1,33 @@
+From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Mon, 20 Mar 2017 09:34:11 +0000
+Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
+
+Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
+
+This is only possible by abusing/mis-using Ghostscript-specific
+language extensions, so cannot happen in a general PostScript program.
+
+Nevertheless, Ghostscript should not crash. So this commit checks the
+memory device to see if raster memory has been allocated, before trying
+to read from it.
+---
+ base/gdevmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/gdevmem.c b/base/gdevmem.c
+index afd05bd..d52d684 100644
+--- a/base/gdevmem.c
++++ b/base/gdevmem.c
+@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
+             GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+         return_error(gs_error_rangecheck);
+     }
++    if (mdev->line_ptrs == 0x00)
++        return_error(gs_error_rangecheck);
+     if ((w <= 0) | (h <= 0)) {
+         if ((w | h) < 0)
+             return_error(gs_error_rangecheck);
+-- 
+2.9.1
+