ghostscript: CVE-2017-7207

The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207 Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091 (From OE-Core rev: 0f22a27c2abd2f2dd9119681f139dd85dcb6479d) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Catalin Enache <catalin.enache@windriver.com> 2017-04-05 15:06:51 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-04-10 23:00:42 +0100
commit: 6df3fde8e952799b91f3812b4f7929d7a34cddfe (patch)
tree: 379da18a1bd83a76fcb4fe23ee0158a4bd8dd2d6
parent: 77de4e58bfd291ea98c20609c5524c6983d29d89 (diff)
download: poky-6df3fde8e952799b91f3812b4f7929d7a34cddfe.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch
new file mode 100644
index 0000000000..a05dc02c6c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch
@@ -0,0 +1,39 @@
+From 0e88bee1304993668fede72498d656a2dd33a35e Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Mon, 20 Mar 2017 09:34:11 +0000
+Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
+Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
+This is only possible by abusing/mis-using Ghostscript-specific
+language extensions, so cannot happen in a general PostScript program.
+Nevertheless, Ghostscript should not crash. So this commit checks the
+memory device to see if raster memory has been allocated, before trying
+to read from it.
+Upstream-Status: Backport
+CVE: CVE-2017-7207
+Author: Ken Sharp <ken.sharp@artifex.com>
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ base/gdevmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/base/gdevmem.c b/base/gdevmem.c
+index 41108ba..183f96d 100644
+--- a/base/gdevmem.c
+++ b/base/gdevmem.c
+@@ -605,6 +605,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
+             GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+         return_error(gs_error_rangecheck);
+     }
+    if (mdev->line_ptrs == 0x00)
+        return_error(gs_error_rangecheck);
+     if ((w <= 0) | (h <= 0)) {
+         if ((w | h) < 0)
+             return_error(gs_error_rangecheck);
+-- 
+2.10.2
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
index 210e9a73b9..e8fc5dfbb6 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SRC_URI_BASE} \
           file://ghostscript-9.02-genarch.patch \
           file://objarch.h \
           file://cups-no-gcrypt.patch \
+           file://CVE-2017-7207.patch \
           "
 SRC_URI_class-native = "${SRC_URI_BASE} \
author	Catalin Enache <catalin.enache@windriver.com>	2017-04-05 15:06:51 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-04-10 23:00:42 +0100
commit	6df3fde8e952799b91f3812b4f7929d7a34cddfe (patch)
tree	379da18a1bd83a76fcb4fe23ee0158a4bd8dd2d6
parent	77de4e58bfd291ea98c20609c5524c6983d29d89 (diff)
download	poky-6df3fde8e952799b91f3812b4f7929d7a34cddfe.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch new file mode 100644 index 0000000000..a05dc02c6c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch
@@ -0,0 +1,39 @@
		1	From 0e88bee1304993668fede72498d656a2dd33a35e Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <ken.sharp@artifex.com>
		3	Date: Mon, 20 Mar 2017 09:34:11 +0000
		4	Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
		5
		6	Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
		7
		8	This is only possible by abusing/mis-using Ghostscript-specific
		9	language extensions, so cannot happen in a general PostScript program.
		10
		11	Nevertheless, Ghostscript should not crash. So this commit checks the
		12	memory device to see if raster memory has been allocated, before trying
		13	to read from it.
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2017-7207
		17
		18	Author: Ken Sharp <ken.sharp@artifex.com>
		19	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		20	---
		21	base/gdevmem.c \| 2 ++
		22	1 file changed, 2 insertions(+)
		23
		24	diff --git a/base/gdevmem.c b/base/gdevmem.c
		25	index 41108ba..183f96d 100644
		26	--- a/base/gdevmem.c
		27	+++ b/base/gdevmem.c
		28	@@ -605,6 +605,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
		29	GB_PACKING_CHUNKY \| GB_COLORS_NATIVE \| GB_ALPHA_NONE;
		30	return_error(gs_error_rangecheck);
		31	}
		32	+ if (mdev->line_ptrs == 0x00)
		33	+ return_error(gs_error_rangecheck);
		34	if ((w <= 0) \| (h <= 0)) {
		35	if ((w \| h) < 0)
		36	return_error(gs_error_rangecheck);
		37	--
		38	2.10.2
		39


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb index 210e9a73b9..e8fc5dfbb6 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SRC_URI_BASE} \
31	file://ghostscript-9.02-genarch.patch \	31	file://ghostscript-9.02-genarch.patch \
32	file://objarch.h \	32	file://objarch.h \
33	file://cups-no-gcrypt.patch \	33	file://cups-no-gcrypt.patch \
		34	file://CVE-2017-7207.patch \
34	"	35	"
35		36
36	SRC_URI_class-native = "${SRC_URI_BASE} \	37	SRC_URI_class-native = "${SRC_URI_BASE} \