ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951

The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 (From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Catalin Enache <catalin.enache@windriver.com> 2017-04-21 15:04:17 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-04-29 11:17:23 +0100
commit: 5970acb3fe28d4af59834b5cacb2d8d4d3511506 (patch)
tree: 0c53e13118b56cf279e4037459e6a9d581948187 /meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
parent: 8913e94511812c44a9847bb9ea17af2469923187 (diff)
download: poky-5970acb3fe28d4af59834b5cacb2d8d4d3511506.tar.gz
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
new file mode 100644
index 0000000000..5e1e8ba10c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
@@ -0,0 +1,55 @@
+From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Dec 2016 16:54:14 +0000
+Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
+Bug #697450 "Null pointer dereference in gx_device_finalize()"
+The problem here is that the code to finalise a device unconditionally
+frees the icc_struct member of the device structure. However this
+particular (weird) device is not setup as a normal device, probably
+because its very, very ancient. Its possible for the initialisation
+of the device to abort with an error before calling gs_make_mem_device()
+which is where the icc_struct member gets allocated (or set to NULL).
+If that happens, then the cleanup code tries to free the device, which
+calls finalize() which tries to free a garbage pointer.
+Setting the device memory to 0x00 after we allocate it means that the
+icc_struct member will be NULL< and our memory manager allows for that
+happily enough, which avoids the problem.
+Upstream-Status: Backport
+CVE: CVE-2016-10220
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ base/gsdevmem.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/base/gsdevmem.c b/base/gsdevmem.c
+index 97b9cf4..fe75bcc 100644
+--- a/base/gsdevmem.c
+++ b/base/gsdevmem.c
+@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
+ 
+     if (pnew == 0)
+         return_error(gs_error_VMerror);
+
+    /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
+     * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
+     * initialisation will fail, crucially it will fail *before* it calls
+     * gs_make_mem_device() which initialises the device. This means that the
+     * icc_struct member will be uninitialsed, but the device finalise method
+     * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
+     * Apparently we do still need makeimagedevice to be available from
+     * PostScript, so in here just zero the device memory, which means that
+     * the finalise routine won't have a problem.
+     */
+    memset(pnew, 0x00, st_device_memory.ssize);
+     code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
+                                          colors, num_colors, word_oriented,
+                                          page_device, mem);
+-- 
+2.10.2
author	Catalin Enache <catalin.enache@windriver.com>	2017-04-21 15:04:17 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-04-29 11:17:23 +0100
commit	5970acb3fe28d4af59834b5cacb2d8d4d3511506 (patch)
tree	0c53e13118b56cf279e4037459e6a9d581948187 /meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
parent	8913e94511812c44a9847bb9ea17af2469923187 (diff)
download	poky-5970acb3fe28d4af59834b5cacb2d8d4d3511506.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch new file mode 100644 index 0000000000..5e1e8ba10c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
@@ -0,0 +1,55 @@
	1	From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
	2	From: Ken Sharp <ken.sharp@artifex.com>
	3	Date: Wed, 21 Dec 2016 16:54:14 +0000
	4	Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
	5
	6	Bug #697450 "Null pointer dereference in gx_device_finalize()"
	7
	8	The problem here is that the code to finalise a device unconditionally
	9	frees the icc_struct member of the device structure. However this
	10	particular (weird) device is not setup as a normal device, probably
	11	because its very, very ancient. Its possible for the initialisation
	12	of the device to abort with an error before calling gs_make_mem_device()
	13	which is where the icc_struct member gets allocated (or set to NULL).
	14
	15	If that happens, then the cleanup code tries to free the device, which
	16	calls finalize() which tries to free a garbage pointer.
	17
	18	Setting the device memory to 0x00 after we allocate it means that the
	19	icc_struct member will be NULL< and our memory manager allows for that
	20	happily enough, which avoids the problem.
	21
	22	Upstream-Status: Backport
	23	CVE: CVE-2016-10220
	24
	25	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
	26	---
	27	base/gsdevmem.c \| 12 ++++++++++++
	28	1 file changed, 12 insertions(+)
	29
	30	diff --git a/base/gsdevmem.c b/base/gsdevmem.c
	31	index 97b9cf4..fe75bcc 100644
	32	--- a/base/gsdevmem.c
	33	+++ b/base/gsdevmem.c
	34	@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
	35
	36	if (pnew == 0)
	37	return_error(gs_error_VMerror);
	38	+
	39	+ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
	40	+ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
	41	+ * initialisation will fail, crucially it will fail before it calls
	42	+ * gs_make_mem_device() which initialises the device. This means that the
	43	+ * icc_struct member will be uninitialsed, but the device finalise method
	44	+ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
	45	+ * Apparently we do still need makeimagedevice to be available from
	46	+ * PostScript, so in here just zero the device memory, which means that
	47	+ * the finalise routine won't have a problem.
	48	+ */
	49	+ memset(pnew, 0x00, st_device_memory.ssize);
	50	code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
	51	colors, num_colors, word_oriented,
	52	page_device, mem);
	53	--
	54	2.10.2
	55