summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCatalin Enache <catalin.enache@windriver.com>2017-05-08 13:42:59 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-06-05 22:30:21 (GMT)
commit31e9be198160dbeb3d6ab10a3324457f9e502537 (patch)
tree796fc57a809ad78d0c86d69512edee6b8b491180
parent829e2027b6c7f4f2d6fa03e158bfe371b7848919 (diff)
downloadpoky-31e9be198160dbeb3d6ab10a3324457f9e502537.tar.gz
ghostscript: CVE-2016-8602, CVE-2017-7975
The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack. Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code. References: https://nvd.nist.gov/vuln/detail/CVE-2016-8602 https://nvd.nist.gov/vuln/detail/CVE-2017-7975 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f5c7555c303 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e57e483298 (From OE-Core rev: 8f919c2df47ca93132f21160d919b6ee2207d9a6) (From OE-Core rev: 6040b8735b79397bf49a2154f81e9aab34c15413) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch47
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7975.patch36
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.20.bb2
3 files changed, 85 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch
new file mode 100644
index 0000000..e58567c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch
@@ -0,0 +1,47 @@
1From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Sat, 8 Oct 2016 16:10:27 +0100
4Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5
5
6and param types
7
8Upstream-Status: Backport
9CVE: CVE-2016-8602
10
11Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
12---
13 psi/zht2.c | 12 ++++++++++--
14 1 file changed, 10 insertions(+), 2 deletions(-)
15
16diff --git a/psi/zht2.c b/psi/zht2.c
17index fb4a264..dfa27a4 100644
18--- a/psi/zht2.c
19+++ b/psi/zht2.c
20@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
21 gs_memory_t *mem;
22 uint edepth = ref_stack_count(&e_stack);
23 int npop = 2;
24- int dict_enum = dict_first(op);
25+ int dict_enum;
26 ref rvalue[2];
27 int cname, colorant_number;
28 byte * pname;
29 uint name_size;
30 int halftonetype, type = 0;
31 gs_gstate *pgs = igs;
32- int space_index = r_space_index(op - 1);
33+ int space_index;
34+
35+ if (ref_stack_count(&o_stack) < 2)
36+ return_error(gs_error_stackunderflow);
37+ check_type(*op, t_dictionary);
38+ check_type(*(op - 1), t_dictionary);
39+
40+ dict_enum = dict_first(op);
41+ space_index = r_space_index(op - 1);
42
43 mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
44
45--
462.10.2
47
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7975.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7975.patch
new file mode 100644
index 0000000..d0886c9
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7975.patch
@@ -0,0 +1,36 @@
1From 5e57e483298dae8b8d4ec9aab37a526736ac2e97 Mon Sep 17 00:00:00 2001
2From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
3Date: Wed, 26 Apr 2017 22:12:14 +0100
4Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
5
6While building a Huffman table, the start and end points were susceptible
7to integer overflow.
8
9Thank you to Jiaqi for finding this issue and suggesting a patch.
10
11Upstream-Status: Backport
12CVE: CVE-2017-7975
13
14Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
15---
16 jbig2dec/jbig2_huffman.c | 4 ++--
17 1 file changed, 2 insertions(+), 2 deletions(-)
18
19diff --git a/jbig2dec/jbig2_huffman.c b/jbig2dec/jbig2_huffman.c
20index 511e461..b4189a1 100644
21--- a/jbig2dec/jbig2_huffman.c
22+++ b/jbig2dec/jbig2_huffman.c
23@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
24
25 if (PREFLEN == CURLEN) {
26 int RANGELEN = lines[CURTEMP].RANGELEN;
27- int start_j = CURCODE << shift;
28- int end_j = (CURCODE + 1) << shift;
29+ uint32_t start_j = CURCODE << shift;
30+ uint32_t end_j = (CURCODE + 1) << shift;
31 byte eflags = 0;
32
33 if (end_j > max_j) {
34--
352.10.2
36
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
index 3c8a2e6..87a7a55 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
@@ -35,6 +35,8 @@ SRC_URI = "${SRC_URI_BASE} \
35 file://CVE-2016-10219.patch \ 35 file://CVE-2016-10219.patch \
36 file://CVE-2016-10220.patch \ 36 file://CVE-2016-10220.patch \
37 file://CVE-2017-5951.patch \ 37 file://CVE-2017-5951.patch \
38 file://CVE-2016-8602.patch \
39 file://CVE-2017-7975.patch \
38 " 40 "
39 41
40SRC_URI_class-native = "${SRC_URI_BASE} \ 42SRC_URI_class-native = "${SRC_URI_BASE} \