From 59db7de965af35ce80e9bf6080957e9ae95a67c3 Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Thu, 24 Dec 2009 11:31:29 +0000
Subject: [PATCH] - Fix debugging output from gdevcups (CVE-2009-4270, bug #540760). - Harden ghostscript's debugging output functions (bug #540760).
---
 ghostscript-CVE-2009-4270.patch | 17 +++++++++
 ghostscript-vsnprintf.patch | 64 +++++++++++++++++++++++++++++++++
 ghostscript.spec | 14 +++++++-
 3 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 ghostscript-CVE-2009-4270.patch
 create mode 100644 ghostscript-vsnprintf.patch
diff --git a/ghostscript-CVE-2009-4270.patch b/ghostscript-CVE-2009-4270.patch
new file mode 100644
index 0000000..c498feb
--- /dev/null
+++ b/ghostscript-CVE-2009-4270.patch
@@ -0,0 +1,17 @@
+diff -up ghostscript-8.70/cups/gdevcups.c.gdevcups-debug ghostscript-8.70/cups/gdevcups.c
+--- ghostscript-8.70/cups/gdevcups.c.gdevcups-debug 2009-05-20 23:30:48.000000000 +0100
++++ ghostscript-8.70/cups/gdevcups.c 2009-11-24 17:16:11.929250977 +0000
+@@ -2816,11 +2816,11 @@ cups_put_params(gx_device *pdev, /*
+ } \
+ else if (code == 0) \
+ { \
+- dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
+- (char *)stringval.data); \
+ strncpy(cups->header.name, (const char *)stringval.data, \
+ stringval.size); \
+ cups->header.name[stringval.size] = '\0'; \
++ dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
++ cups->header.name); \
+ }
+
+ #define intoption(name, sname, type) \
diff --git a/ghostscript-vsnprintf.patch b/ghostscript-vsnprintf.patch
new file mode 100644
index 0000000..a7fac21
--- /dev/null
+++ b/ghostscript-vsnprintf.patch
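Review bot: In the gdevcups.c hunk carried by ghostscript-CVE-2009-4270.patch, `strncpy(cups->header.name, ..., stringval.size)` and the following `cups->header.name[stringval.size] = '\0';` are still bounded only by the source length, never by the destination. Moving dprintf2 after the copy makes the debug line print a terminated string, but if stringval.size can reach the size of the header field (its declaration is not visible here, so this needs confirming) both the copy and the terminator write land outside it. Assuming the header fields are fixed-size arrays, I would clamp first with `size_t n = stringval.size < sizeof(cups->header.name) ? stringval.size : sizeof(cups->header.name) - 1;` and use `n` in both lines, or reject over-long values with an error code. The macro body starts before the hunk.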
@@ -0,0 +1,64 @@
+diff -up ghostscript-8.70/base/gsmisc.c.vsnprintf ghostscript-8.70/base/gsmisc.c
+--- ghostscript-8.70/base/gsmisc.c.vsnprintf 2008-01-07 18:43:02.000000000 +0000
++++ ghostscript-8.70/base/gsmisc.c 2009-11-24 17:16:38.575250571 +0000
+@@ -69,10 +69,10 @@ int outprintf(const gs_memory_t *mem, co
+
+ va_start(args, fmt);
+
+- count = vsprintf(buf, fmt, args);
++ count = vsnprintf(buf, sizeof (buf), fmt, args);
+ outwrite(mem, buf, count);
+- if (count >= PRINTF_BUF_LENGTH) {
+- count = sprintf(buf,
++ if (count == -1 || count >= sizeof (buf)) {
++ count = snprintf(buf, sizeof (buf),
+ "PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
+ PRINTF_BUF_LENGTH);
+ outwrite(mem, buf, count);
+@@ -89,10 +89,10 @@ int errprintf(const char *fmt, ...)
+
+ va_start(args, fmt);
+
+- count = vsprintf(buf, fmt, args);
++ count = vsnprintf(buf, sizeof (buf), fmt, args);
+ errwrite(buf, count);
+- if (count >= PRINTF_BUF_LENGTH) {
+- count = sprintf(buf,
++ if (count == -1 || count >= sizeof (buf)) {
++ count = snprintf(buf, sizeof (buf),
+ "PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
+ PRINTF_BUF_LENGTH);
+ errwrite(buf, count);
+@@ -236,7 +236,7 @@ int gs_throw_imp(const char *func, const
+ va_list ap;
+
+ va_start(ap, fmt);
+- vsprintf(msg, fmt, ap);
++ vsnprintf(msg, sizeof (msg), fmt, ap);
+ msg[sizeof(msg) - 1] = 0;
+ va_end(ap);
+
+diff -up ghostscript-8.70/base/gxttfb.c.vsnprintf ghostscript-8.70/base/gxttfb.c
+--- ghostscript-8.70/base/gxttfb.c.vsnprintf 2009-07-09 06:59:44.000000000 +0100
++++ ghostscript-8.70/base/gxttfb.c 2009-11-24 17:16:38.577250996 +0000
+@@ -246,7 +246,7 @@ static int DebugPrint(ttfFont *ttf, cons
+
+ if (gs_debug_c('Y')) {
+ va_start(args, fmt);
+- count = vsprintf(buf, fmt, args);
++ count = vsnprintf(buf, sizeof (buf), fmt, args);
+ /* NB: moved debug output from stdout to stderr
+ */
+ errwrite(buf, count);
+diff -up ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf ghostscript-8.70/base/rinkj/rinkj-byte-stream.c
+--- ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf 2008-04-04 02:02:16.000000000 +0100
++++ ghostscript-8.70/base/rinkj/rinkj-byte-stream.c 2009-11-24 17:16:38.577250996 +0000
+@@ -43,7 +43,7 @@ rinkj_byte_stream_printf (RinkjByteStrea
+ va_list ap;
+
+ va_start (ap, fmt);
+- len = vsprintf (str, fmt, ap);
++ len = vsnprintf (str, sizeof (str), fmt, ap);
+ va_end (ap);
+ return rinkj_byte_stream_write (bs, str, len);
+ }
diff --git a/ghostscript.spec b/ghostscript.spec
index f25231a..1e3bba6 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -5,7 +5,7 @@
 Summary: A PostScript interpreter and renderer.
 Name: ghostscript
 Version: %{gs_ver}
-Release: 1%{?dist}
+Release: 2%{?dist}
 # Included CMap data is Redistributable, no modification permitted,
 # see http://bugzilla.redhat.com/487510
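Review bot: In the gsmisc.c hunks of ghostscript-vsnprintf.patch, `outwrite(mem, buf, count)` and `errwrite(buf, count)` still run before the overflow check and take the raw vsnprintf return value as the length. On truncation vsnprintf returns the length the full output would have had, so count can exceed sizeof (buf) and the write reads past the end of the buffer; on error it is -1. The same unclamped length reaches `errwrite(buf, count)` in gxttfb.c DebugPrint and `rinkj_byte_stream_write (bs, str, len)` in rinkj-byte-stream.c, where the visible lines have no check at all. I would clamp before the first write, e.g. `if (count < 0) count = 0; else if (count >= (int)sizeof (buf)) count = sizeof (buf) - 1;`, and reword the PANIC text, since with vsnprintf the output is truncated rather than the stack corrupted. All of these function bodies extend outside their hunks.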
@@ -25,6 +25,8 @@ Patch6: ghostscript-system-jasper.patch
 Patch7: ghostscript-pksmraw.patch
 Patch8: ghostscript-jbig2dec-nullderef.patch
 Patch9: ghostscript-gs-executable.patch
+Patch10: ghostscript-CVE-2009-4270.patch
+Patch11: ghostscript-vsnprintf.patch
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: xz
@@ -115,6 +117,12 @@ rm -rf libpng zlib jpeg jasper
 # Fix scripts so they don't get broken on install (bug #502550).
 %patch9 -p1 -b .gs-executable
+# Fix debugging output from gdevcups (bug #540760).
+%patch10 -p1 -b .CVE-2009-4270
+
+# Harden ghostscript's debugging output functions (bug #540760).
+%patch11 -p1 -b .vsnprintf
+
 # Convert manual pages to UTF-8
 from8859_1() {
 iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -296,6 +304,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so
 %changelog
+* Thu Dec 24 2009 Tim Waugh 8.70-2
+- Fix debugging output from gdevcups (CVE-2009-4270, bug #540760).
+- Harden ghostscript's debugging output functions (bug #540760).
+
 * Mon Aug 3 2009 Tim Waugh 8.70-1
 - 8.70.
 - License has changed to GPLv3+. Packages containing programs that