diff options
| author | Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> | 2018-09-17 22:14:50 +0530 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-09-20 05:41:32 -0700 |
| commit | ebecaa5f4814fa30d0b304c495ed4533bbffd5a6 (patch) | |
| tree | c99267c1711cf17a9b6dcac7089506a697b4d8ba /meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch | |
| parent | 8a839b7e2bb1f19025a8dab388019697c7512500 (diff) | |
| download | poky-ebecaa5f4814fa30d0b304c495ed4533bbffd5a6.tar.gz | |
ghostscript: upgrade to 9.25
Removed below patches, as v9.25 source already has those
changes/security fixes:
0001-Bug-699665-memory-corruption-in-aesdecode.patch
0001-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
0002-Bug-699656-Handle-LockDistillerParams-not-being-a-bo.patch
0003-Fix-Bug-699660-shading_param-incomplete-type-checkin.patch
0004-Hide-the-.shfill-operator.patch
0005-Bug-699657-properly-apply-file-permissions-to-.tempf.patch
remove-direct-symlink.patch
Re-worked ghostscript-9.21-native-fix-disable-system-libtiff.patch
and ghostscript-9.21-prevent_recompiling.patch
to fix warnings in do_patch task of ghostscript v9.25 recipe.
Highlights of ghostscript v9.25 release:
---------------------------------------
- This release fixes problems with argument handling, some unintended results
of the security fixes to the SAFER file access restrictions
(specifically accessing ICC profile files), and some additional security
issues over the recent 9.24 release.
- Note: The ps2epsi utility does not, and cannot call Ghostscript with
the -dSAFER command line option. It should never be called with input
from untrusted sources.
- Security issues have been the primary focus of this release, including
solving several (well publicised) real and potential exploits.
- As well as Ghostscript itself, jbig2dec has had a significant amount of work
improving its robustness in the face of out specification files.
- IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread
safe, and cannot be made thread safe without breaking the ABI.
Our fork will be thread safe, and include performance enhancements
(these changes have all be been offered and rejected upstream). We will
maintain compatibility between Ghostscript and LCMS2 for a time, but not in
perpetuity. Our fork will be available as its own package separately from
Ghostscript (and MuPDF).
- The usual round of bug fixes, compatibility changes, and incremental
improvements.
(From OE-Core rev: 4340928b8878b91b5a2750eb6bc87918740511ca)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch')
| -rw-r--r-- | meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch deleted file mode 100644 index df654f721d..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-699665-memory-corruption-in-aesdecode.patch +++ /dev/null | |||
| @@ -1,56 +0,0 @@ | |||
| 1 | From b9fa1157e1f4982d42241146c9b7c6c789d6f076 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Ken Sharp <ken.sharp@artifex.com> | ||
| 3 | Date: Thu, 23 Aug 2018 15:42:02 +0100 | ||
| 4 | Subject: [PATCH 1/5] Bug 699665 "memory corruption in aesdecode" | ||
| 5 | |||
| 6 | The specimen file calls aesdecode without specifying the key to be | ||
| 7 | used, though it does manage to do enough work with the PDF interpreter | ||
| 8 | routines to get access to aesdecode (which isn't normally available). | ||
| 9 | |||
| 10 | This causes us to read uninitialised memory, which can (and often does) | ||
| 11 | lead to a segmentation fault. | ||
| 12 | |||
| 13 | In this commit we set the key to NULL explicitly during intialisation | ||
| 14 | and then check it before we read it. If its NULL we just return. | ||
| 15 | |||
| 16 | It seems bizarre that we don't return error codes, we should probably | ||
| 17 | look into that at some point, but this prevents the code trying to | ||
| 18 | read uninitialised memory. | ||
| 19 | |||
| 20 | CVE: CVE-2018-15911 | ||
| 21 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
| 22 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
| 23 | --- | ||
| 24 | base/aes.c | 3 +++ | ||
| 25 | base/saes.c | 1 + | ||
| 26 | 2 files changed, 4 insertions(+) | ||
| 27 | |||
| 28 | diff --git a/base/aes.c b/base/aes.c | ||
| 29 | index a6bce93..e86f000 100644 | ||
| 30 | --- a/base/aes.c | ||
| 31 | +++ b/base/aes.c | ||
| 32 | @@ -662,6 +662,9 @@ void aes_crypt_ecb( aes_context *ctx, | ||
| 33 | } | ||
| 34 | #endif | ||
| 35 | |||
| 36 | + if (ctx == NULL || ctx->rk == NULL) | ||
| 37 | + return; | ||
| 38 | + | ||
| 39 | RK = ctx->rk; | ||
| 40 | |||
| 41 | GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++; | ||
| 42 | diff --git a/base/saes.c b/base/saes.c | ||
| 43 | index 6db0e8b..307ed74 100644 | ||
| 44 | --- a/base/saes.c | ||
| 45 | +++ b/base/saes.c | ||
| 46 | @@ -120,6 +120,7 @@ s_aes_process(stream_state * ss, stream_cursor_read * pr, | ||
| 47 | gs_throw(gs_error_VMerror, "could not allocate aes context"); | ||
| 48 | return ERRC; | ||
| 49 | } | ||
| 50 | + memset(state->ctx, 0x00, sizeof(aes_context)); | ||
| 51 | if (state->keylength < 1 || state->keylength > SAES_MAX_KEYLENGTH) { | ||
| 52 | gs_throw1(gs_error_rangecheck, "invalid aes key length (%d bytes)", | ||
| 53 | state->keylength); | ||
| 54 | -- | ||
| 55 | 2.8.1 | ||
| 56 | |||