Added security patch for CVE-2017-5951

Resolves: #1441572
2017-04-28 13:20:59 +02:00 · 2017-04-28 13:20:59 +02:00 · a5b3ec305a
commit a5b3ec305a
parent e76b7b9160
2 changed files with 44 additions and 0 deletions
--- a/ghostscript-9.20-cve-2017-5951.patch
+++ b/ghostscript-9.20-cve-2017-5951.patch
@ -0,0 +1,39 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+
+Using the correct enumerator works better.
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
+++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+                 gs_param_enumerator_t enumr;
+                 gs_param_key_t key;
+                 ref_type keytype;
+                dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+ 
+                 param_init_enumerator(&enumr);
+-                if (!(*((iparam_list *) plist)->enumerate)
+-                    ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
+                if (!(*(dlist->enumerate))
+                    ((iparam_list *) dlist, &enumr, &key, &keytype)
+                     && keytype == t_integer) {
+-                    ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
+                    dlist->int_keys = 1;
+                     pvalue->type = gs_param_type_dict_int_keys;
+                 }
+             }
+-- 
+2.9.3
+
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -35,6 +35,7 @@ Patch14: ghostscript-9.20-cve-2016-10217.patch
 Patch15: ghostscript-9.20-cve-2016-10218.patch
 Patch16: ghostscript-9.20-cve-2016-10219.patch
 Patch17: ghostscript-9.20-cve-2016-10220.patch
+Patch18: ghostscript-9.20-cve-2017-5951.patch

 Requires: %{name}-core%{?_isa} = %{version}-%{release}
 Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@ -175,6 +176,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
 # CVE-2016-10220 (bug #1441571):
 %patch17 -p1

+# CVE-2017-5951 (bug #1441572):
+%patch18 -p1
+
 # Convert manual pages to UTF-8
 from8859_1() {
        iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -377,6 +381,7 @@ rm -rf $RPM_BUILD_ROOT
  - CVE-2016-10218 (bug #1441568)
  - CVE-2016-10219 (bug #1441569)
  - CVE-2016-10220 (bug #1441571)
+  - CVE-2017-5951  (bug #1441572)

 * Thu Apr 06 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-8
  Added security fix for CVE-2017-7207 (bug #1434497)