From a82e34fd34c73d5009d8160dd68eda1f96f75c90 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Thu, 30 Jul 2009 13:49:52 +0000 Subject: [PATCH] - Fixed CVE-2009-0583,0584 patch by using 255 as the maximum number of points, not 100, and by not treating a missing black point tag as an error (bug #487744). --- ghostscript-CVE-2009-0583,0584.patch | 12 ++++++++++-- ghostscript.spec | 7 ++++++- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/ghostscript-CVE-2009-0583,0584.patch b/ghostscript-CVE-2009-0583,0584.patch index cb733ed..4471433 100644 --- a/ghostscript-CVE-2009-0583,0584.patch +++ b/ghostscript-CVE-2009-0583,0584.patch @@ -1,6 +1,6 @@ diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0583,0584 ghostscript-8.64/icclib/icc.c --- ghostscript-8.64/icclib/icc.c.CVE-2009-0583,0584 2008-05-09 05:12:01.000000000 +0100 -+++ ghostscript-8.64/icclib/icc.c 2009-03-06 15:24:33.000000000 +0000 ++++ ghostscript-8.64/icclib/icc.c 2009-07-30 13:29:08.853734640 +0100 @@ -152,6 +152,8 @@ * Various bug fixes and enhancements. */ @@ -373,7 +373,7 @@ diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0583,0584 ghostscript-8.64/iccli return icp->errc = 1; } -+ if (p->clutPoints > 100) { ++ if (p->clutPoints > 255) { + sprintf(icp->err,"icmLut_read: too many clutPoints"); + return icp->errc = 1; + } @@ -987,3 +987,11 @@ diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0583,0584 ghostscript-8.64/iccli if (p->data == NULL) tp = p->al->malloc(p->al, (p->count+1) * sizeof(icmTag)); else +@@ -12246,6 +12545,7 @@ static icmLuBase* icc_get_luobj ( + if ((blackPointTag = (icmXYZArray *)p->read_tag(p, icSigMediaBlackPointTag)) == NULL + || blackPointTag->ttype != icSigXYZType || blackPointTag->size < 1) { + blackPoint = icmBlack; /* default */ ++ p->errc = 0; /* reset the error code. black point is NOT required */ + } else + blackPoint = blackPointTag->data[0]; /* Copy structure */ + } diff --git a/ghostscript.spec b/ghostscript.spec index be92d81..a49c10f 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer. Name: ghostscript Version: %{gs_ver} -Release: 10%{?dist} +Release: 11%{?dist} # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 @@ -312,6 +312,11 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Thu Jul 30 2009 Tim Waugh 8.64-11 +- Fixed CVE-2009-0583,0584 patch by using 255 as the maximum number of + points, not 100, and by not treating a missing black point tag as an + error (bug #487744). + * Thu Jul 30 2009 Rex Dieter - 8.64-10 - License: GPLv2 and Redistributable, no modification permitted (bug #487510)