- Fix debugging output from gdevcups (CVE-2009-4270, bug #540760).
- Harden ghostscript's debugging output functions (bug #540760).
parent
2656f78197
commit
59db7de965
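--- a/ghostscript-CVE-2009-4270.patch
+++ b/ghostscript-CVE-2009-4270.patch
@@ -0,0 +1,17 @@
+diff -up ghostscript-8.70/cups/gdevcups.c.gdevcups-debug ghostscript-8.70/cups/gdevcups.c
+--- ghostscript-8.70/cups/gdevcups.c.gdevcups-debug 2009-05-20 23:30:48.000000000 +0100
++++ ghostscript-8.70/cups/gdevcups.c 2009-11-24 17:16:11.929250977 +0000
+@@ -2816,11 +2816,11 @@ cups_put_params(gx_device *pdev, /*
+} \
+else if (code == 0) \
+{ \
+- dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
+- (char *)stringval.data); \
+strncpy(cups->header.name, (const char *)stringval.data, \
+stringval.size); \
+cups->header.name[stringval.size] = '\0'; \
++ dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
++ cups->header.name); \
+}
+
+#define intoption(name, sname, type) \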
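Review bot: The copy that the relocated `dprintf2` now depends on is bounded by `stringval.size`, the length of the source, not by the size of `cups->header.name`, so both the `strncpy` and the terminator write at `cups->header.name[stringval.size]` can land past the destination when the parameter string is at least as long as the field. Moving the debug print after the copy stops `%s` from reading the unterminated `stringval.data`, but the visible lines still show no check of the length against the destination. The macro begins before this hunk, so such a check may exist above; if it does not, clamp first, e.g. `size_t n = stringval.size < sizeof(cups->header.name) ? stringval.size : sizeof(cups->header.name) - 1;`, and use `n` for the copy length and the terminator index (this assumes the header fields are fixed-size arrays, which the hunk does not show).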
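--- a/ghostscript-vsnprintf.patch
+++ b/ghostscript-vsnprintf.patch
@@ -0,0 +1,64 @@
+diff -up ghostscript-8.70/base/gsmisc.c.vsnprintf ghostscript-8.70/base/gsmisc.c
+--- ghostscript-8.70/base/gsmisc.c.vsnprintf 2008-01-07 18:43:02.000000000 +0000
++++ ghostscript-8.70/base/gsmisc.c 2009-11-24 17:16:38.575250571 +0000
+@@ -69,10 +69,10 @@ int outprintf(const gs_memory_t *mem, co
+
+va_start(args, fmt);
+
+- count = vsprintf(buf, fmt, args);
++ count = vsnprintf(buf, sizeof (buf), fmt, args);
+outwrite(mem, buf, count);
+- if (count >= PRINTF_BUF_LENGTH) {
+- count = sprintf(buf,
++ if (count == -1 || count >= sizeof (buf)) {
++ count = snprintf(buf, sizeof (buf),
+"PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
+PRINTF_BUF_LENGTH);
+outwrite(mem, buf, count);
+@@ -89,10 +89,10 @@ int errprintf(const char *fmt, ...)
+
+va_start(args, fmt);
+
+- count = vsprintf(buf, fmt, args);
++ count = vsnprintf(buf, sizeof (buf), fmt, args);
+errwrite(buf, count);
+- if (count >= PRINTF_BUF_LENGTH) {
+- count = sprintf(buf,
++ if (count == -1 || count >= sizeof (buf)) {
++ count = snprintf(buf, sizeof (buf),
+"PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
+PRINTF_BUF_LENGTH);
+errwrite(buf, count);
+@@ -236,7 +236,7 @@ int gs_throw_imp(const char *func, const
+va_list ap;
+
+va_start(ap, fmt);
+- vsprintf(msg, fmt, ap);
++ vsnprintf(msg, sizeof (msg), fmt, ap);
+msg[sizeof(msg) - 1] = 0;
+va_end(ap);
+
+diff -up ghostscript-8.70/base/gxttfb.c.vsnprintf ghostscript-8.70/base/gxttfb.c
+--- ghostscript-8.70/base/gxttfb.c.vsnprintf 2009-07-09 06:59:44.000000000 +0100
++++ ghostscript-8.70/base/gxttfb.c 2009-11-24 17:16:38.577250996 +0000
+@@ -246,7 +246,7 @@ static int DebugPrint(ttfFont *ttf, cons
+
+if (gs_debug_c('Y')) {
+va_start(args, fmt);
+- count = vsprintf(buf, fmt, args);
++ count = vsnprintf(buf, sizeof (buf), fmt, args);
+/* NB: moved debug output from stdout to stderr
+*/
+errwrite(buf, count);
+diff -up ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf ghostscript-8.70/base/rinkj/rinkj-byte-stream.c
+--- ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf 2008-04-04 02:02:16.000000000 +0100
++++ ghostscript-8.70/base/rinkj/rinkj-byte-stream.c 2009-11-24 17:16:38.577250996 +0000
+@@ -43,7 +43,7 @@ rinkj_byte_stream_printf (RinkjByteStrea
+va_list ap;
+
+va_start (ap, fmt);
+- len = vsprintf (str, fmt, ap);
++ len = vsnprintf (str, sizeof (str), fmt, ap);
+va_end (ap);
+return rinkj_byte_stream_write (bs, str, len);
+}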
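Review bot: In `outprintf` and `errprintf` the value returned by `vsnprintf` is handed to `outwrite`/`errwrite` before the truncation check runs, and on truncation that value is the length the full output would have had (or -1 on some older C libraries), so the write can read past the end of `buf` or be given a negative length. The same unclamped count reaches `errwrite` in `DebugPrint` and `rinkj_byte_stream_write` in `rinkj_byte_stream_printf`, where there is no check at all. Clamp before the first write, e.g. `if (count < 0) count = 0; else if ((size_t)count >= sizeof (buf)) count = sizeof (buf) - 1;`, and the same for `len`/`str`. With the bounded call the "Stack has been corrupted" message no longer describes what happened and would be more accurate as a truncation notice. All of these functions start and end outside their hunks, and `sizeof (buf)`, `sizeof (msg)` and `sizeof (str)` are correct bounds only if those are arrays rather than pointers, which the hunks do not show.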
@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer.
|
||||
Name: ghostscript
|
||||
Version: %{gs_ver}
|
||||
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
|
||||
# Included CMap data is Redistributable, no modification permitted,
|
||||
# see http://bugzilla.redhat.com/487510
|
||||
@ -25,6 +25,8 @@ Patch6: ghostscript-system-jasper.patch
|
||||
Patch7: ghostscript-pksmraw.patch
|
||||
Patch8: ghostscript-jbig2dec-nullderef.patch
|
||||
Patch9: ghostscript-gs-executable.patch
|
||||
Patch10: ghostscript-CVE-2009-4270.patch
|
||||
Patch11: ghostscript-vsnprintf.patch
|
||||
|
||||
Requires: urw-fonts >= 1.1, ghostscript-fonts
|
||||
BuildRequires: xz
|
||||
@ -115,6 +117,12 @@ rm -rf libpng zlib jpeg jasper
|
||||
# Fix scripts so they don't get broken on install (bug #502550).
|
||||
%patch9 -p1 -b .gs-executable
|
||||
|
||||
# Fix debugging output from gdevcups (bug #540760).
|
||||
%patch10 -p1 -b .CVE-2009-4270
|
||||
|
||||
# Harden ghostscript's debugging output functions (bug #540760).
|
||||
%patch11 -p1 -b .vsnprintf
|
||||
|
||||
# Convert manual pages to UTF-8
|
||||
from8859_1() {
|
||||
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
|
||||
@ -296,6 +304,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_libdir}/libgs.so
|
||||
|
||||
%changelog
|
||||
* Thu Dec 24 2009 Tim Waugh <twaugh@redhat.com> 8.70-2
|
||||
- Fix debugging output from gdevcups (CVE-2009-4270, bug #540760).
|
||||
- Harden ghostscript's debugging output functions (bug #540760).
|
||||
|
||||
* Mon Aug 3 2009 Tim Waugh <twaugh@redhat.com> 8.70-1
|
||||
- 8.70.
|
||||
- License has changed to GPLv3+. Packages containing programs that
|
||||
|