From e40ca66c635bd7779edddbd5ac93f616fc666d8d Mon Sep 17 00:00:00 2001
From: "David Kaspar [Dee'Kej]"
Date: Tue, 4 Oct 2016 10:40:24 +0200
Subject: [PATCH] ghostscript-bz1380416.patch added Security fix for BZ #1380416.
---
 ghostscript-bz1380416.patch | 80 +++++++++++++++++++++++++++++++++++++
 ghostscript.spec | 6 +++
 2 files changed, 86 insertions(+)
 create mode 100644 ghostscript-bz1380416.patch
diff --git a/ghostscript-bz1380416.patch b/ghostscript-bz1380416.patch
new file mode 100644
index 0000000..29926e8
--- /dev/null
+++ b/ghostscript-bz1380416.patch
@@ -0,0 +1,80 @@
+From dea6ef9be04e25df06a02cbefa45811f640d3298 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Sat, 5 Mar 2016 14:56:03 -0800
+Subject: [PATCH] Bug 694724: Have filenameforall and getenv honor SAFER
+
+---
+ Resource/Init/gs_init.ps | 2 ++
+ psi/zfile.c | 36 ++++++++++++++++++++----------------
+ 2 files changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 13f11cb..722b78d 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2030,6 +2030,7 @@ readonly def
+
+ /.locksafe {
+ .locksafe_userparams
++ systemdict /getenv {pop //false} put
+ % setpagedevice has the side effect of clearing the page, but
+ % we will just document that. Using setpagedevice keeps the device
+ % properties and pagedevice .LockSafetyParams in agreement even
+@@ -2048,6 +2049,7 @@ readonly def
+ %%
+ /.locksafeglobal {
+ .locksafe_userparams
++ systemdict /getenv {pop //false} put
+ % setpagedevice has the side effect of clearing the page, but
+ % we will just document that. Using setpagedevice keeps the device
+ % properties and pagedevice .LockSafetyParams in agreement even
+diff --git a/psi/zfile.c b/psi/zfile.c
+index 93fd78c..e323899 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p)
+
+ if (len < devlen)
+ return_error(e_rangecheck); /* not even room for device len */
+- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+- len - devlen);
+- if (code == ~(uint) 0) { /* all done */
+- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
+- return o_pop_estack;
+- } else if (code > len) /* overran string */
+- return_error(e_rangecheck);
+- else {
+- push(1);
+- ref_assign(op, pscratch);
+- r_set_size(op, code + devlen);
+- push_op_estack(file_continue); /* come again */
+- *++esp = pscratch[2]; /* proc */
+- return o_push_estack;
+- }
++
++ do {
++ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
++ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
++ len - devlen);
++ if (code == ~(uint) 0) { /* all done */
++ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
++ return o_pop_estack;
++ } else if (code > len) /* overran string */
++ return_error(gs_error_rangecheck);
++ else if (iodev != iodev_default(imemory)
++ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
++ push(1);
++ ref_assign(op, pscratch);
++ r_set_size(op, code + devlen);
++ push_op_estack(file_continue); /* come again */
++ *++esp = pscratch[2]; /* proc */
++ return o_push_estack;
++ }
++ } while(1);
+ }
+ /* Cleanup procedure for enumerating files */
+ static int
+--
+2.7.4
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 196369d..404ee86 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
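Review bot: The overrun guard inside the new `do` loop of file_continue (psi/zfile.c section of the embedded patch) still compares `code` with `len`, although enumerate_next was handed only `len - devlen` bytes starting at offset `devlen`. The added permission check then passes `code + devlen` as the name length to check_file_permissions_reduced, so if an enumerator ever reports a length between `len - devlen` and `len`, both that call and `r_set_size` would work with a length beyond the scratch string; what enumerate_next returns on truncation is not visible here, so this may be unreachable in practice. Tightening the guard to `else if (code > len - devlen)` would make the bound match the buffer that was actually offered. The same branch now uses `gs_error_rangecheck` while the unchanged check just above keeps `e_rangecheck`, so for this 9.16 backport it is worth confirming both names resolve, and a short comment such as `/* entries not permitted by PermitFileReading are skipped */` on the loop would explain why it repeats. file_continue begins before this hunk.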
@@ -31,6 +31,7 @@ Patch6: ghostscript-Fontmap.local.patch
 Patch7: ghostscript-wrf-snprintf.patch
 Patch9: ghostscript-system-zlib.patch
 Patch10: ghostscript-urw-fonts-naming.patch
+Patch11: ghostscript-bz1380416.patch
 Requires: %{name}-core%{?_isa} = %{version}-%{release}
 Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@@ -149,6 +150,10 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
 # Use old names for urw-fonts (bug #1207577).
 %patch10 -p1 -b .urw-fonts-naming
+# Fix for ghostscript security issue (bug # ).
+# NOTE: This patch is part of 9.20 release.
+%patch11 -p1
+
 # Convert manual pages to UTF-8
 from8859_1() {
 iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -350,6 +355,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Tue Oct 4 2016 David Kaspar [Dee'Kej] - 9.16-5
 - [TEMPORARY] Support for OpenJPEG disabled for builds to pass.
+- Security fix for BZ #1380416 backported.
 * Wed Feb 03 2016 Fedora Release Engineering - 9.16-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
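Review bot: The comment added above `%patch11` in the second hunk reads `(bug # )` with the number left blank, so the spec no longer says which issue the patch closes. The changelog entry in the same commit names it, so the line should read `# Fix for ghostscript security issue (bug #1380416).`. The only other `%patch` line visible here, `%patch10 -p1 -b .urw-fonts-naming`, keeps a backup suffix while `%patch11 -p1` does not; if the spec uses `-b` throughout, adding a suffix here would keep the security backport easy to spot in the prepared tree.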