summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/ghostscript
diff options
context:
space:
mode:
authorJoe Slater <jslater@windriver.com>2017-08-22 13:18:19 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-08-23 08:47:03 +0100
commit8efe72508002772df08664d9bb0d5f8b25497ce5 (patch)
tree9ca8eed5119a447cec5e875cdf06b6641c9d04f8 /meta/recipes-extended/ghostscript
parented52aa9e79d713c79aff787bcf3ac9168970f4ac (diff)
downloadpoky-8efe72508002772df08664d9bb0d5f8b25497ce5.tar.gz
ghostscript: fix several CVEs by adding bounds checking
CVE-2017-9611 CVE-2017-9612 CVE-2017-9739 CVE-2017-9726 (From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/ghostscript')
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch34
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch35
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch33
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch37
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.21.bb4
5 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch
new file mode 100644
index 0000000000..58ef04d1fd
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch
@@ -0,0 +1,34 @@
1From c7c55972758a93350882c32147801a3485b010fe Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Mon, 12 Jun 2017 13:08:40 +0100
4Subject: [PATCH] Bug 698024: bounds check zone pointer in Ins_MIRP()
5
6---
7 base/ttinterp.c | 3 ++-
8 1 file changed, 2 insertions(+), 1 deletion(-)
9
10--- end of original header
11
12CVE: CVE-2017-9611
13
14Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
15
16Signed-off-by: Joe Slater <joe.slater@windriver.com>
17
18diff --git a/base/ttinterp.c b/base/ttinterp.c
19index e56aec6..f6a6d95 100644
20--- a/base/ttinterp.c
21+++ b/base/ttinterp.c
22@@ -3858,7 +3858,8 @@ static int nInstrCount=0;
23 /* XXX: UNDOCUMENTED! cvt[-1] = 0 always */
24
25 if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
26- BOUNDS( args[1]+1, CUR.cvtSize+1 ) )
27+ BOUNDS( args[1]+1, CUR.cvtSize+1 ) ||
28+ BOUNDS(CUR.GS.rp0, CUR.zp0.n_points) )
29 {
30 CUR.error = TT_Err_Invalid_Reference;
31 return;
32--
331.7.9.5
34
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch
new file mode 100644
index 0000000000..b737cc56bb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch
@@ -0,0 +1,35 @@
1From 98f6da60b9d463c617e631fc254cf6d66f2e8e3c Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Mon, 12 Jun 2017 13:15:17 +0100
4Subject: [PATCH] Bug 698026: bounds check zone pointers in Ins_IP()
5
6---
7 base/ttinterp.c | 4 +++-
8 1 file changed, 3 insertions(+), 1 deletion(-)
9
10--- end of original header
11
12CVE: CVE-2017-9612
13
14Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
15
16Signed-off-by: Joe Slater <joe.slater@windriver.com>
17
18diff --git a/base/ttinterp.c b/base/ttinterp.c
19index f6a6d95..e7c9d68 100644
20--- a/base/ttinterp.c
21+++ b/base/ttinterp.c
22@@ -4129,7 +4129,9 @@ static int nInstrCount=0;
23 Int point;
24 (void)args;
25
26- if ( CUR.top < CUR.GS.loop )
27+ if ( CUR.top < CUR.GS.loop ||
28+ BOUNDS(CUR.GS.rp1, CUR.zp0.n_points) ||
29+ BOUNDS(CUR.GS.rp2, CUR.zp1.n_points))
30 {
31 CUR.error = TT_Err_Invalid_Reference;
32 return;
33--
341.7.9.5
35
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch
new file mode 100644
index 0000000000..3e6c65699d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch
@@ -0,0 +1,33 @@
1From 7755e67116e8973ee0e3b22d653df026a84fa01b Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Thu, 15 Jun 2017 08:58:31 +0100
4Subject: [PATCH] Bug 698055: bounds check zone pointer in Ins_MDRP
5
6---
7 base/ttinterp.c | 3 ++-
8 1 file changed, 2 insertions(+), 1 deletion(-)
9
10--- end of original header
11
12CVE: CVE-2017-9726
13
14Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
15
16Signed-off-by: Joe Slater <joe.slater@windriver.com>
17diff --git a/base/ttinterp.c b/base/ttinterp.c
18index e7c9d68..af457e8 100644
19--- a/base/ttinterp.c
20+++ b/base/ttinterp.c
21@@ -3770,7 +3770,8 @@ static int nInstrCount=0;
22
23 point = (Int)args[0];
24
25- if ( BOUNDS( args[0], CUR.zp1.n_points ) )
26+ if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
27+ BOUNDS( CUR.GS.rp0, CUR.zp0.n_points) )
28 {
29 /* Current version of FreeType silently ignores this out of bounds error
30 * and drops the instruction, see bug #691121
31--
321.7.9.5
33
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch
new file mode 100644
index 0000000000..69a94df7b9
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch
@@ -0,0 +1,37 @@
1From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001
2From: Chris Liddell <chris.liddell@artifex.com>
3Date: Fri, 16 Jun 2017 08:29:25 +0100
4Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR
5
6---
7 base/ttinterp.c | 6 ++++++
8 1 file changed, 6 insertions(+)
9
10--- end of original header
11
12CVE: CVE-2017-9739
13
14Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
15
16Signed-off-by: Joe Slater <joe.slater@windriver.com>
17
18diff --git a/base/ttinterp.c b/base/ttinterp.c
19index af457e8..adf3f0c 100644
20--- a/base/ttinterp.c
21+++ b/base/ttinterp.c
22@@ -1794,6 +1794,12 @@ static int nInstrCount=0;
23
24 static void Ins_JMPR( INS_ARG )
25 {
26+ if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) )
27+ {
28+ CUR.error = TT_Err_Invalid_Reference;
29+ return;
30+ }
31+
32 CUR.IP += (Int)(args[0]);
33 CUR.step_ins = FALSE;
34
35--
361.7.9.5
37
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
index adad9fdbd2..93589cc2b9 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
@@ -37,6 +37,10 @@ SRC_URI = "${SRC_URI_BASE} \
37 file://CVE-2017-5951.patch \ 37 file://CVE-2017-5951.patch \
38 file://CVE-2017-7975.patch \ 38 file://CVE-2017-7975.patch \
39 file://CVE-2017-9216.patch \ 39 file://CVE-2017-9216.patch \
40 file://CVE-2017-9611.patch \
41 file://CVE-2017-9612.patch \
42 file://CVE-2017-9739.patch \
43 file://CVE-2017-9726.patch \
40 " 44 "
41 45
42SRC_URI_class-native = "${SRC_URI_BASE} \ 46SRC_URI_class-native = "${SRC_URI_BASE} \