- Applied patch to fix CVE-2009-0792 (bug #491853).

- Applied patch to fix CVE-2009-0196 (bug #493379).
2009-04-15 16:25:02 +00:00 · 2009-04-15 16:25:02 +00:00 · b62d20303f
parent d22b996f9e
commit b62d20303f
3 changed files with 198 additions and 1 deletions
--- a/ghostscript-CVE-2009-0196.patch
+++ b/ghostscript-CVE-2009-0196.patch
@ -0,0 +1,19 @@
+diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c
+--- ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196	2007-12-11 08:29:58.000000000 +0000
+++ ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c	2009-04-15 16:27:43.000000000 +0100
+@@ -699,6 +699,15 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+         exrunlength = params->SDNUMEXSYMS;
+       else
+         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+      if (exrunlength > params->SDNUMEXSYMS - j) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+          "runlength too large in export symbol table (%d > %d - %d)\n",
+          exrunlength, params->SDNUMEXSYMS, j);
+        jbig2_sd_release(ctx, SDEXSYMS);
+        /* skip to the cleanup code and return SDEXSYMS = NULL */
+        SDEXSYMS = NULL;
+        break;
+      }
+       for(k = 0; k < exrunlength; k++)
+         if (exflag) {
+           SDEXSYMS->glyphs[j++] = (i < m) ? 
--- a/ghostscript-CVE-2009-0792.patch
+++ b/ghostscript-CVE-2009-0792.patch
@ -0,0 +1,166 @@
+diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0792 ghostscript-8.64/icclib/icc.c
+--- ghostscript-8.64/icclib/icc.c.CVE-2009-0792	2009-04-15 16:20:04.000000000 +0100
+++ ghostscript-8.64/icclib/icc.c	2009-04-15 16:20:24.000000000 +0100
+@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd(
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Coordinate */
+-		if (ix > (p->size-2))
+		if (ix < 0 || ix > (p->size-2))
+ 			ix = (p->size-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = p->data[ix];
+@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd(
+ ) {
+ 	int i;
+ 
+	if (size > INT_MAX - 2)
+		/* Although rt->size is unsigned long, the rt data
+		 * structure uses int data types to store indices. */
+		return 2;
+
+ 	rt->size = size;		/* Stash pointers to these away */
+ 	rt->data = data;
+ 	
+@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd(
+ 	rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin);	/* Scale factor to quantize to */
+ 	
+ 	/* Initialize the reverse lookup structures, and get overall min/max */
+-	if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
+	if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
+ 		return 2;
+ 	}
+ 
+@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd(
+ 			int t;
+ 			t = s; s = e; e = t;
+ 		}
+		/* s and e should both be in the range [0,rt->rsize]
+		 * now, but let's not rely on floating point
+		 * calculations -- double-check. */
+		if (s < 0)
+			s = 0;
+		if (e < 0)
+			e = 0;
+		if (s >= rt->rsize)
+			s = rt->rsize-1;
+ 		if (e >= rt->rsize)
+ 			e = rt->rsize-1;
+ 
+@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd(
+ 				as = rt->rlists[j][0];	/* Allocate space for this list */
+ 				nf = rt->rlists[j][1];	/* Next free location in list */
+ 				if (nf >= as) {			/* need to expand space */
+					if (as > INT_MAX / 2 / sizeof (int))
+						return 2;
+
+ 					as *= 2;
+ 					rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
+ 					if (rt->rlists[j] == NULL) {
+@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd(
+ 		val = rsize_1;
+ 	ix = (int)floor(val);		/* Coordinate */
+ 
+-	if (ix > (rt->size-2))
+	if (ix < 0 || ix > (rt->size-2))
+ 		ix = (rt->size-2);
+ 	if (rt->rlists[ix] != NULL)  {		/* There is a list of fwd candidates */
+ 		/* For each candidate forward range */
+@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd(
+ 	/* We have failed to find an exact value, so return the nearest value */
+ 	/* (This is slow !) */
+ 	val = fabs(ival - rt->data[0]);
+	/* rt->size is known to be < INT_MAX */
+ 	for (k = 0, i = 1; i < rt->size; i++) {
+ 		double er;
+ 		er = fabs(ival - rt->data[i]);
+@@ -3671,7 +3689,7 @@ static int icmData_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
+		if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
+ 			sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -3887,7 +3905,7 @@ static int icmText_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -4301,7 +4319,7 @@ double *in		/* Input array[inputChan] */
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Grid coordinate */
+-		if (ix > (p->inputEnt-2))
+		if (ix < 0 || ix > (p->inputEnt-2))
+ 			ix = (p->inputEnt-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = table[ix];
+@@ -4360,7 +4378,7 @@ double *in		/* Input array[outputChan] *
+ 				rv |= 1;
+ 			}
+ 			x = (int)floor(val);		/* Grid coordinate */
+-			if (x > clutPoints_2)
+			if (x < 0 || x > clutPoints_2)
+ 				x = clutPoints_2;
+ 			co[e] = val - (double)x;	/* 1.0 - weight */
+ 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
+@@ -4433,7 +4451,7 @@ double *in		/* Input array[outputChan] *
+ 				rv |= 1;
+ 			}
+ 			x = (int)floor(val);		/* Grid coordinate */
+-			if (x > clutPoints_2)
+			if (x < 0 || x > clutPoints_2)
+ 				x = clutPoints_2;
+ 			co[e] = val - (double)x;	/* 1.0 - weight */
+ 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
+@@ -4506,7 +4524,7 @@ double *in		/* Input array[outputChan] *
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Grid coordinate */
+-		if (ix > (p->outputEnt-2))
+		if (ix < 0 || ix > (p->outputEnt-2))
+ 			ix = (p->outputEnt-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = table[ix];
+@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->desc != NULL)
+ 			icp->al->free(icp->al, p->desc);
+-		if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->string != NULL)
+ 			icp->al->free(icp->al, p->string);
+-		if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate(
+ 	if (p->ppsize != p->_ppsize) {
+ 		if (p->ppname != NULL)
+ 			icp->al->free(icp->al, p->ppname);
+-		if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
+		if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate(
+ 		if (p->crdsize[t] != p->_crdsize[t]) {
+ 			if (p->crdname[t] != NULL)
+ 				icp->al->free(icp->al, p->crdname[t]);
+-			if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
+			if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
+ 				sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
+ 				return icp->errc = 2;
+ 			}
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer.
 Name: ghostscript
 Version: %{gs_ver}

-Release: 5%{?dist}
+Release: 6%{?dist}

 License: GPLv2
 URL: http://www.ghostscript.com/
@ -23,6 +23,8 @@ Patch6: ghostscript-system-jasper.patch
 Patch7: ghostscript-pksmraw.patch
 Patch8: ghostscript-bitcmyk.patch
 Patch9: ghostscript-CVE-2009-0583,0584.patch
+Patch10: ghostscript-CVE-2009-0792.patch
+Patch11: ghostscript-CVE-2009-0196.patch

 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: libjpeg-devel, libXt-devel
@ -113,6 +115,12 @@ rm -rf libpng zlib jpeg jasper
 # (bug #487744).
 %patch9 -p1 -b .CVE-2009-0583,0584

+# Applied patch to fix CVE-2009-0792 (bug #491853).
+%patch10 -p1 -b .CVE-2009-0792
+
+# Applied patch to fix CVE-2009-0196 (bug #493379).
+%patch11 -p1 -b .CVE-2009-0196
+
 # Convert manual pages to UTF-8
 from8859_1() {
 	iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -294,6 +302,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so

 %changelog
+* Wed Apr 15 2009 Tim Waugh <twaugh@redhat.com> 8.64-6
+- Applied patch to fix CVE-2009-0792 (bug #491853).
+- Applied patch to fix CVE-2009-0196 (bug #493379).
+
 * Fri Mar 20 2009 Tim Waugh <twaugh@redhat.com> 8.64-5
 - Applied patch to fix CVE-2009-0583 (bug #487742) and CVE-2009-0584
  (bug #487744).