From a5b3ec305a9743ae48ed9c8a649eb66b4a17017e Mon Sep 17 00:00:00 2001 From: "David Kaspar [Dee'Kej]" Date: Fri, 28 Apr 2017 13:20:59 +0200 Subject: [PATCH] Added security patch for CVE-2017-5951 Resolves: #1441572 --- ghostscript-9.20-cve-2017-5951.patch | 39 ++++++++++++++++++++++++++++ ghostscript.spec | 5 ++++ 2 files changed, 44 insertions(+) create mode 100644 ghostscript-9.20-cve-2017-5951.patch diff --git a/ghostscript-9.20-cve-2017-5951.patch b/ghostscript-9.20-cve-2017-5951.patch new file mode 100644 index 0000000..a924c7f --- /dev/null +++ b/ghostscript-9.20-cve-2017-5951.patch @@ -0,0 +1,39 @@ +From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 6 Apr 2017 16:44:54 +0100 +Subject: [PATCH] Bug 697548: use the correct param list enumerator + +When we encountered dictionary in a ref_param_list, we were using the enumerator +for the "parent" param_list, rather than the enumerator for the param_list +we just created for the dictionary. That parent was usually the stack +list enumerator, and caused a segfault. + +Using the correct enumerator works better. +--- + psi/iparam.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/psi/iparam.c b/psi/iparam.c +index 4e63b6d..b2fa85f 100644 +--- a/psi/iparam.c ++++ b/psi/iparam.c +@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey, + gs_param_enumerator_t enumr; + gs_param_key_t key; + ref_type keytype; ++ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list; + + param_init_enumerator(&enumr); +- if (!(*((iparam_list *) plist)->enumerate) +- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype) ++ if (!(*(dlist->enumerate)) ++ ((iparam_list *) dlist, &enumr, &key, &keytype) + && keytype == t_integer) { +- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1; ++ dlist->int_keys = 1; + pvalue->type = gs_param_type_dict_int_keys; + } + } +-- +2.9.3 + diff --git a/ghostscript.spec b/ghostscript.spec index 3dd5236..b2cb1a8 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -35,6 +35,7 @@ Patch14: ghostscript-9.20-cve-2016-10217.patch Patch15: ghostscript-9.20-cve-2016-10218.patch Patch16: ghostscript-9.20-cve-2016-10219.patch Patch17: ghostscript-9.20-cve-2016-10220.patch +Patch18: ghostscript-9.20-cve-2017-5951.patch Requires: %{name}-core%{?_isa} = %{version}-%{release} Requires: %{name}-x11%{?_isa} = %{version}-%{release} @@ -175,6 +176,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib # CVE-2016-10220 (bug #1441571): %patch17 -p1 +# CVE-2017-5951 (bug #1441572): +%patch18 -p1 + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" @@ -377,6 +381,7 @@ rm -rf $RPM_BUILD_ROOT - CVE-2016-10218 (bug #1441568) - CVE-2016-10219 (bug #1441569) - CVE-2016-10220 (bug #1441571) + - CVE-2017-5951 (bug #1441572) * Thu Apr 06 2017 David Kaspar [Dee'Kej] - 9.20-8 Added security fix for CVE-2017-7207 (bug #1434497)