diff options
| author | Joe Slater <jslater@windriver.com> | 2017-08-22 13:18:19 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-23 08:47:03 +0100 |
| commit | 8efe72508002772df08664d9bb0d5f8b25497ce5 (patch) | |
| tree | 9ca8eed5119a447cec5e875cdf06b6641c9d04f8 /meta/recipes-extended | |
| parent | ed52aa9e79d713c79aff787bcf3ac9168970f4ac (diff) | |
| download | poky-8efe72508002772df08664d9bb0d5f8b25497ce5.tar.gz | |
ghostscript: fix several CVEs by adding bounds checking
CVE-2017-9611
CVE-2017-9612
CVE-2017-9739
CVE-2017-9726
(From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
5 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch new file mode 100644 index 0000000000..58ef04d1fd --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | From c7c55972758a93350882c32147801a3485b010fe Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
| 3 | Date: Mon, 12 Jun 2017 13:08:40 +0100 | ||
| 4 | Subject: [PATCH] Bug 698024: bounds check zone pointer in Ins_MIRP() | ||
| 5 | |||
| 6 | --- | ||
| 7 | base/ttinterp.c | 3 ++- | ||
| 8 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 9 | |||
| 10 | --- end of original header | ||
| 11 | |||
| 12 | CVE: CVE-2017-9611 | ||
| 13 | |||
| 14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
| 15 | |||
| 16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
| 17 | |||
| 18 | diff --git a/base/ttinterp.c b/base/ttinterp.c | ||
| 19 | index e56aec6..f6a6d95 100644 | ||
| 20 | --- a/base/ttinterp.c | ||
| 21 | +++ b/base/ttinterp.c | ||
| 22 | @@ -3858,7 +3858,8 @@ static int nInstrCount=0; | ||
| 23 | /* XXX: UNDOCUMENTED! cvt[-1] = 0 always */ | ||
| 24 | |||
| 25 | if ( BOUNDS( args[0], CUR.zp1.n_points ) || | ||
| 26 | - BOUNDS( args[1]+1, CUR.cvtSize+1 ) ) | ||
| 27 | + BOUNDS( args[1]+1, CUR.cvtSize+1 ) || | ||
| 28 | + BOUNDS(CUR.GS.rp0, CUR.zp0.n_points) ) | ||
| 29 | { | ||
| 30 | CUR.error = TT_Err_Invalid_Reference; | ||
| 31 | return; | ||
| 32 | -- | ||
| 33 | 1.7.9.5 | ||
| 34 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch new file mode 100644 index 0000000000..b737cc56bb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch | |||
| @@ -0,0 +1,35 @@ | |||
| 1 | From 98f6da60b9d463c617e631fc254cf6d66f2e8e3c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
| 3 | Date: Mon, 12 Jun 2017 13:15:17 +0100 | ||
| 4 | Subject: [PATCH] Bug 698026: bounds check zone pointers in Ins_IP() | ||
| 5 | |||
| 6 | --- | ||
| 7 | base/ttinterp.c | 4 +++- | ||
| 8 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
| 9 | |||
| 10 | --- end of original header | ||
| 11 | |||
| 12 | CVE: CVE-2017-9612 | ||
| 13 | |||
| 14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
| 15 | |||
| 16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
| 17 | |||
| 18 | diff --git a/base/ttinterp.c b/base/ttinterp.c | ||
| 19 | index f6a6d95..e7c9d68 100644 | ||
| 20 | --- a/base/ttinterp.c | ||
| 21 | +++ b/base/ttinterp.c | ||
| 22 | @@ -4129,7 +4129,9 @@ static int nInstrCount=0; | ||
| 23 | Int point; | ||
| 24 | (void)args; | ||
| 25 | |||
| 26 | - if ( CUR.top < CUR.GS.loop ) | ||
| 27 | + if ( CUR.top < CUR.GS.loop || | ||
| 28 | + BOUNDS(CUR.GS.rp1, CUR.zp0.n_points) || | ||
| 29 | + BOUNDS(CUR.GS.rp2, CUR.zp1.n_points)) | ||
| 30 | { | ||
| 31 | CUR.error = TT_Err_Invalid_Reference; | ||
| 32 | return; | ||
| 33 | -- | ||
| 34 | 1.7.9.5 | ||
| 35 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch new file mode 100644 index 0000000000..3e6c65699d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch | |||
| @@ -0,0 +1,33 @@ | |||
| 1 | From 7755e67116e8973ee0e3b22d653df026a84fa01b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
| 3 | Date: Thu, 15 Jun 2017 08:58:31 +0100 | ||
| 4 | Subject: [PATCH] Bug 698055: bounds check zone pointer in Ins_MDRP | ||
| 5 | |||
| 6 | --- | ||
| 7 | base/ttinterp.c | 3 ++- | ||
| 8 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 9 | |||
| 10 | --- end of original header | ||
| 11 | |||
| 12 | CVE: CVE-2017-9726 | ||
| 13 | |||
| 14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
| 15 | |||
| 16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
| 17 | diff --git a/base/ttinterp.c b/base/ttinterp.c | ||
| 18 | index e7c9d68..af457e8 100644 | ||
| 19 | --- a/base/ttinterp.c | ||
| 20 | +++ b/base/ttinterp.c | ||
| 21 | @@ -3770,7 +3770,8 @@ static int nInstrCount=0; | ||
| 22 | |||
| 23 | point = (Int)args[0]; | ||
| 24 | |||
| 25 | - if ( BOUNDS( args[0], CUR.zp1.n_points ) ) | ||
| 26 | + if ( BOUNDS( args[0], CUR.zp1.n_points ) || | ||
| 27 | + BOUNDS( CUR.GS.rp0, CUR.zp0.n_points) ) | ||
| 28 | { | ||
| 29 | /* Current version of FreeType silently ignores this out of bounds error | ||
| 30 | * and drops the instruction, see bug #691121 | ||
| 31 | -- | ||
| 32 | 1.7.9.5 | ||
| 33 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch new file mode 100644 index 0000000000..69a94df7b9 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
| 3 | Date: Fri, 16 Jun 2017 08:29:25 +0100 | ||
| 4 | Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR | ||
| 5 | |||
| 6 | --- | ||
| 7 | base/ttinterp.c | 6 ++++++ | ||
| 8 | 1 file changed, 6 insertions(+) | ||
| 9 | |||
| 10 | --- end of original header | ||
| 11 | |||
| 12 | CVE: CVE-2017-9739 | ||
| 13 | |||
| 14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
| 15 | |||
| 16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
| 17 | |||
| 18 | diff --git a/base/ttinterp.c b/base/ttinterp.c | ||
| 19 | index af457e8..adf3f0c 100644 | ||
| 20 | --- a/base/ttinterp.c | ||
| 21 | +++ b/base/ttinterp.c | ||
| 22 | @@ -1794,6 +1794,12 @@ static int nInstrCount=0; | ||
| 23 | |||
| 24 | static void Ins_JMPR( INS_ARG ) | ||
| 25 | { | ||
| 26 | + if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) ) | ||
| 27 | + { | ||
| 28 | + CUR.error = TT_Err_Invalid_Reference; | ||
| 29 | + return; | ||
| 30 | + } | ||
| 31 | + | ||
| 32 | CUR.IP += (Int)(args[0]); | ||
| 33 | CUR.step_ins = FALSE; | ||
| 34 | |||
| 35 | -- | ||
| 36 | 1.7.9.5 | ||
| 37 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb index adad9fdbd2..93589cc2b9 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb | |||
| @@ -37,6 +37,10 @@ SRC_URI = "${SRC_URI_BASE} \ | |||
| 37 | file://CVE-2017-5951.patch \ | 37 | file://CVE-2017-5951.patch \ |
| 38 | file://CVE-2017-7975.patch \ | 38 | file://CVE-2017-7975.patch \ |
| 39 | file://CVE-2017-9216.patch \ | 39 | file://CVE-2017-9216.patch \ |
| 40 | file://CVE-2017-9611.patch \ | ||
| 41 | file://CVE-2017-9612.patch \ | ||
| 42 | file://CVE-2017-9739.patch \ | ||
| 43 | file://CVE-2017-9726.patch \ | ||
| 40 | " | 44 | " |
| 41 | 45 | ||
| 42 | SRC_URI_class-native = "${SRC_URI_BASE} \ | 46 | SRC_URI_class-native = "${SRC_URI_BASE} \ |