summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCatalin Enache <catalin.enache@windriver.com>2017-04-21 15:04:17 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-04-29 11:17:23 +0100
commit5970acb3fe28d4af59834b5cacb2d8d4d3511506 (patch)
tree0c53e13118b56cf279e4037459e6a9d581948187
parent8913e94511812c44a9847bb9ea17af2469923187 (diff)
downloadpoky-5970acb3fe28d4af59834b5cacb2d8d4d3511506.tar.gz
ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 (From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch49
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch55
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch44
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.20.bb3
4 files changed, 151 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch
new file mode 100644
index 0000000000..574abe0e42
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch
@@ -0,0 +1,49 @@
1From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
2From: Robin Watts <Robin.Watts@artifex.com>
3Date: Thu, 29 Dec 2016 15:57:43 +0000
4Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
5
6Arithmetic overflow due to extreme values in the scan conversion
7code can cause a division by 0.
8
9Avoid this with a simple extra check.
10
11 dx_old=cf814d81
12 endp->x_next=b0e859b9
13 alp->x_next=8069a73a
14
15leads to dx_den = 0
16
17Upstream-Status: Backport
18CVE: CVE-2016-10219
19
20Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
21---
22 base/gxfill.c | 4 ++--
23 1 file changed, 2 insertions(+), 2 deletions(-)
24
25diff --git a/base/gxfill.c b/base/gxfill.c
26index 99196c0..2f81bb0 100644
27--- a/base/gxfill.c
28+++ b/base/gxfill.c
29@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
30 fixed dx_old = alp->x_current - endp->x_current;
31 fixed dx_den = dx_old + endp->x_next - alp->x_next;
32
33- if (dx_den <= dx_old)
34+ if (dx_den <= dx_old || dx_den == 0)
35 return false; /* Intersection isn't possible. */
36 dy = y1 - y;
37 if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
38@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
39 /* Do the computation in single precision */
40 /* if the values are small enough. */
41 y_new =
42- ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
43+ (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
44 dy * dx_old / dx_den :
45 (INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
46 + y;
47--
482.10.2
49
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
new file mode 100644
index 0000000000..5e1e8ba10c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
@@ -0,0 +1,55 @@
1From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
2From: Ken Sharp <ken.sharp@artifex.com>
3Date: Wed, 21 Dec 2016 16:54:14 +0000
4Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
5
6Bug #697450 "Null pointer dereference in gx_device_finalize()"
7
8The problem here is that the code to finalise a device unconditionally
9frees the icc_struct member of the device structure. However this
10particular (weird) device is not setup as a normal device, probably
11because its very, very ancient. Its possible for the initialisation
12of the device to abort with an error before calling gs_make_mem_device()
13which is where the icc_struct member gets allocated (or set to NULL).
14
15If that happens, then the cleanup code tries to free the device, which
16calls finalize() which tries to free a garbage pointer.
17
18Setting the device memory to 0x00 after we allocate it means that the
19icc_struct member will be NULL< and our memory manager allows for that
20happily enough, which avoids the problem.
21
22Upstream-Status: Backport
23CVE: CVE-2016-10220
24
25Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
26---
27 base/gsdevmem.c | 12 ++++++++++++
28 1 file changed, 12 insertions(+)
29
30diff --git a/base/gsdevmem.c b/base/gsdevmem.c
31index 97b9cf4..fe75bcc 100644
32--- a/base/gsdevmem.c
33+++ b/base/gsdevmem.c
34@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
35
36 if (pnew == 0)
37 return_error(gs_error_VMerror);
38+
39+ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
40+ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
41+ * initialisation will fail, crucially it will fail *before* it calls
42+ * gs_make_mem_device() which initialises the device. This means that the
43+ * icc_struct member will be uninitialsed, but the device finalise method
44+ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
45+ * Apparently we do still need makeimagedevice to be available from
46+ * PostScript, so in here just zero the device memory, which means that
47+ * the finalise routine won't have a problem.
48+ */
49+ memset(pnew, 0x00, st_device_memory.ssize);
50 code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
51 colors, num_colors, word_oriented,
52 page_device, mem);
53--
542.10.2
55
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
new file mode 100644
index 0000000000..62cc1342ad
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
@@ -0,0 +1,44 @@
1From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Thu, 6 Apr 2017 16:44:54 +0100
4Subject: [PATCH] Bug 697548: use the correct param list enumerator
5
6When we encountered dictionary in a ref_param_list, we were using the enumerator
7for the "parent" param_list, rather than the enumerator for the param_list
8we just created for the dictionary. That parent was usually the stack
9list enumerator, and caused a segfault.
10
11Using the correct enumerator works better.
12
13Upstream-Status: Backport
14CVE: CVE-2017-5951
15
16Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
17---
18 psi/iparam.c | 7 ++++---
19 1 file changed, 4 insertions(+), 3 deletions(-)
20
21diff --git a/psi/iparam.c b/psi/iparam.c
22index 4e63b6d..b2fa85f 100644
23--- a/psi/iparam.c
24+++ b/psi/iparam.c
25@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
26 gs_param_enumerator_t enumr;
27 gs_param_key_t key;
28 ref_type keytype;
29+ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
30
31 param_init_enumerator(&enumr);
32- if (!(*((iparam_list *) plist)->enumerate)
33- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
34+ if (!(*(dlist->enumerate))
35+ ((iparam_list *) dlist, &enumr, &key, &keytype)
36 && keytype == t_integer) {
37- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
38+ dlist->int_keys = 1;
39 pvalue->type = gs_param_type_dict_int_keys;
40 }
41 }
42--
432.10.2
44
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
index e8fc5dfbb6..3c8a2e6d3c 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
@@ -32,6 +32,9 @@ SRC_URI = "${SRC_URI_BASE} \
32 file://objarch.h \ 32 file://objarch.h \
33 file://cups-no-gcrypt.patch \ 33 file://cups-no-gcrypt.patch \
34 file://CVE-2017-7207.patch \ 34 file://CVE-2017-7207.patch \
35 file://CVE-2016-10219.patch \
36 file://CVE-2016-10220.patch \
37 file://CVE-2017-5951.patch \
35 " 38 "
36 39
37SRC_URI_class-native = "${SRC_URI_BASE} \ 40SRC_URI_class-native = "${SRC_URI_BASE} \