From 434e3367d66a5f41ef6fe4627dd5d73b867ff230 Mon Sep 17 00:00:00 2001 From: "David Kaspar [Dee'Kej]" Date: Fri, 28 Apr 2017 13:57:20 +0200 Subject: [PATCH] Added security patch for CVE-2017-8291 Resolves: #1446063 --- ghostscript-9.20-cve-2017-8291.patch | 92 ++++++++++++++++++++++++++++ ghostscript.spec | 5 ++ 2 files changed, 97 insertions(+) create mode 100644 ghostscript-9.20-cve-2017-8291.patch diff --git a/ghostscript-9.20-cve-2017-8291.patch b/ghostscript-9.20-cve-2017-8291.patch new file mode 100644 index 0000000..7da2678 --- /dev/null +++ b/ghostscript-9.20-cve-2017-8291.patch @@ -0,0 +1,92 @@ +From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 27 Apr 2017 13:03:33 +0100 +Subject: [PATCH 1/2] Bug 697799: have .eqproc check its parameters + +The Ghostscript custom operator .eqproc was not check the number or type of +the parameters it was given. +--- + psi/zmisc3.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/psi/zmisc3.c b/psi/zmisc3.c +index 54b3042..37293ff 100644 +--- a/psi/zmisc3.c ++++ b/psi/zmisc3.c +@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p) + ref2_t stack[MAX_DEPTH + 1]; + ref2_t *top = stack; + ++ if (ref_stack_count(&o_stack) < 2) ++ return_error(gs_error_stackunderflow); ++ if (!r_is_array(op - 1) || !r_is_array(op)) { ++ return_error(gs_error_typecheck); ++ } ++ + make_array(&stack[0].proc1, 0, 1, op - 1); + make_array(&stack[0].proc2, 0, 1, op); + for (;;) { +-- +2.9.3 + + +From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 27 Apr 2017 13:21:31 +0100 +Subject: [PATCH 2/2] Bug 697799: have .rsdparams check its parameters + +The Ghostscript internal operator .rsdparams wasn't checking the number or +type of the operands it was being passed. Do so. +--- + psi/zfrsd.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/psi/zfrsd.c b/psi/zfrsd.c +index 191107d..950588d 100644 +--- a/psi/zfrsd.c ++++ b/psi/zfrsd.c +@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p) + ref *pFilter; + ref *pDecodeParms; + int Intent = 0; +- bool AsyncRead; ++ bool AsyncRead = false; + ref empty_array, filter1_array, parms1_array; + uint i; +- int code; ++ int code = 0; ++ ++ if (ref_stack_count(&o_stack) < 1) ++ return_error(gs_error_stackunderflow); ++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) { ++ return_error(gs_error_typecheck); ++ } + + make_empty_array(&empty_array, a_readonly); +- if (dict_find_string(op, "Filter", &pFilter) > 0) { ++ if (r_has_type(op, t_dictionary) ++ && dict_find_string(op, "Filter", &pFilter) > 0) { + if (!r_is_array(pFilter)) { + if (!r_has_type(pFilter, t_name)) + return_error(gs_error_typecheck); +@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p) + return_error(gs_error_typecheck); + } + } +- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); ++ if (r_has_type(op, t_dictionary)) ++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); + if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */ + return code; +- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0 +- ) +- return code; ++ if (r_has_type(op, t_dictionary)) ++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) ++ return code; + push(1); + op[-1] = *pFilter; + if (pDecodeParms) +-- +2.9.3 + diff --git a/ghostscript.spec b/ghostscript.spec index b2cb1a8..ba93dd7 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -36,6 +36,7 @@ Patch15: ghostscript-9.20-cve-2016-10218.patch Patch16: ghostscript-9.20-cve-2016-10219.patch Patch17: ghostscript-9.20-cve-2016-10220.patch Patch18: ghostscript-9.20-cve-2017-5951.patch +Patch19: ghostscript-9.20-cve-2017-8291.patch Requires: %{name}-core%{?_isa} = %{version}-%{release} Requires: %{name}-x11%{?_isa} = %{version}-%{release} @@ -179,6 +180,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib # CVE-2017-5951 (bug #1441572): %patch18 -p1 +# CVE-2017-8291 (bug #1446063): +%patch19 -p1 + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" @@ -382,6 +386,7 @@ rm -rf $RPM_BUILD_ROOT - CVE-2016-10219 (bug #1441569) - CVE-2016-10220 (bug #1441571) - CVE-2017-5951 (bug #1441572) + - CVE-2017-8291 (bug #1446063) * Thu Apr 06 2017 David Kaspar [Dee'Kej] - 9.20-8 Added security fix for CVE-2017-7207 (bug #1434497)