-rw-r--r--main/ghostscript/APKBUILD11
-rw-r--r--main/ghostscript/CVE-2017-5951.patch39
-rw-r--r--main/ghostscript/CVE-2017-7207.patch33
3 files changed, 81 insertions, 2 deletions
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index 697f2ffc73..0515ffe9e2 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.21
-pkgrel=2
+pkgrel=3
pkgdesc="An interpreter for the PostScript language and for PDF"
url="http://ghostscript.com/"
arch="all"
@@ -16,12 +16,17 @@ source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/
fix-sprintf.patch
fix-alignment.patch
CVE-2017-8291.patch
+ CVE-2017-7207.patch
+ CVE-2017-5951.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 9.21-r2:
# - CVE-2017-8291
+# 9.21-r3:
+# - CVE-2017-7207
+# - CVE-2017-5951
prepare() {
cd "$builddir"
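Review bot: Listing `CVE-2017-7207.patch` and `CVE-2017-5951.patch` in `source=` only fetches and checksums them; whether they are applied depends on `prepare()`, whose body begins at the end of this hunk and continues outside it. If `prepare()` applies patches by explicit name rather than looping over every `*.patch` entry in `$source`, the two new files must be added there as well. Otherwise the `# 9.21-r3:` secfixes entry would advertise fixes that the built package does not contain. Confirming from the r3 build log that both patches are applied would settle it.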
@@ -116,4 +121,6 @@ sha512sums="c5ff632dc9b418ebeecaae796cecbaf9ffcb84d7a1b62c1af2e6c9082f7b9f24fe9d
70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch
beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch
7c6f40217dc687df27ee6d33351fba12a737c2ae06d1c35208dc943776d8efa66c3e882f0b1b9aec566fad69fd28ce360cc243f1c1aa20834467e769889194f2 fix-alignment.patch
-c17121e564dd26033508199f3e587bfcee5589fec6e45e822c79f648c3a3b70363f04ad33538070c4d24c96e5795b277345359b66d2f360b996fca77239102b5 CVE-2017-8291.patch"
+c17121e564dd26033508199f3e587bfcee5589fec6e45e822c79f648c3a3b70363f04ad33538070c4d24c96e5795b277345359b66d2f360b996fca77239102b5 CVE-2017-8291.patch
+11ece0df5d5d5ae6d654033c42531a82db57a92aed462659d177e18234cf6d61719625368eb4448a2235bca9d6b3901696b30099642c57df57966def5850da9d CVE-2017-7207.patch
+252d826bdf1e22c372312589e9b19067332c432eae748f2eb644bf32384925e8095ea7c218ca7bbf04bf384db42cca6b418cb6622a74d411da446776490516d8 CVE-2017-5951.patch"
diff --git a/main/ghostscript/CVE-2017-5951.patch b/main/ghostscript/CVE-2017-5951.patch
new file mode 100644
index 0000000000..c419e0653b
--- /dev/null
+++ b/main/ghostscript/CVE-2017-5951.patch
@@ -0,0 +1,39 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+
+Using the correct enumerator works better.
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+ gs_param_enumerator_t enumr;
+ gs_param_key_t key;
+ ref_type keytype;
++ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+
+ param_init_enumerator(&enumr);
+- if (!(*((iparam_list *) plist)->enumerate)
+- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
++ if (!(*(dlist->enumerate))
++ ((iparam_list *) dlist, &enumr, &key, &keytype)
+ && keytype == t_integer) {
+- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
++ dlist->int_keys = 1;
+ pvalue->type = gs_param_type_dict_int_keys;
+ }
+ }
+--
+2.9.1
+
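Review bot: The patch header identifies the fix only as upstream `Bug 697548`, so the link to CVE-2017-5951 rests on the filename alone; the same holds for CVE-2017-7207.patch, whose header names only `Bug #697676`. A short provenance line above the mail header of each file, for example `CVE-2017-5951: backport of upstream commit bfa6b2ecbe48edc69a7d9d22a12419aed25960b8`, would let a later maintainer verify the backport and drop it once `pkgver` includes the fix. In the C change itself, `dlist` is initialised from `pvalue->value.d.list` and dereferenced for `enumerate` straight away. The condition guarding this block in `ref_param_read_typed` lies outside the hunk, so it cannot be confirmed from here that the list pointer is always set on this path.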
diff --git a/main/ghostscript/CVE-2017-7207.patch b/main/ghostscript/CVE-2017-7207.patch
new file mode 100644
index 0000000000..0cfa5942be
--- /dev/null
+++ b/main/ghostscript/CVE-2017-7207.patch
@@ -0,0 +1,33 @@
+From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Mon, 20 Mar 2017 09:34:11 +0000
+Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
+
+Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
+
+This is only possible by abusing/mis-using Ghostscript-specific
+language extensions, so cannot happen in a general PostScript program.
+
+Nevertheless, Ghostscript should not crash. So this commit checks the
+memory device to see if raster memory has been allocated, before trying
+to read from it.
+---
+ base/gdevmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/gdevmem.c b/base/gdevmem.c
+index afd05bd..d52d684 100644
+--- a/base/gdevmem.c
++++ b/base/gdevmem.c
+@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
+ GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+ return_error(gs_error_rangecheck);
+ }
++ if (mdev->line_ptrs == 0x00)
++ return_error(gs_error_rangecheck);
+ if ((w <= 0) | (h <= 0)) {
+ if ((w | h) < 0)
+ return_error(gs_error_rangecheck);
+--
+2.9.1
+
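Review bot: The added guard in `mem_get_bits_rectangle` protects only this one reader of `mdev->line_ptrs`. The upstream message says the unallocated state is reachable through Ghostscript-specific extensions, and nothing in the hunk shows whether other memory-device routines that index `line_ptrs` can be entered in the same state. It is worth checking upstream for follow-up commits on the same condition before treating CVE-2017-7207 as fully covered by this backport. As a point of style, the test reads more plainly as `if (mdev->line_ptrs == NULL)`, though keeping the upstream text verbatim makes the file easier to compare with the upstream commit. The function body starts and ends outside the hunk.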