diff options
author | Catalin Enache <catalin.enache@windriver.com> | 2017-04-21 15:04:17 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-04-29 11:17:23 +0100 |
commit | 5970acb3fe28d4af59834b5cacb2d8d4d3511506 (patch) | |
tree | 0c53e13118b56cf279e4037459e6a9d581948187 /meta/recipes-extended | |
parent | 8913e94511812c44a9847bb9ea17af2469923187 (diff) | |
download | poky-5970acb3fe28d4af59834b5cacb2d8d4d3511506.tar.gz |
ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript
9.20 allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a crafted file.
The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file that is
mishandled in the PDF Transparency module.
The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f
http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8
http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8
(From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19)
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
4 files changed, 151 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch new file mode 100644 index 0000000000..574abe0e42 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001 | ||
2 | From: Robin Watts <Robin.Watts@artifex.com> | ||
3 | Date: Thu, 29 Dec 2016 15:57:43 +0000 | ||
4 | Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code. | ||
5 | |||
6 | Arithmetic overflow due to extreme values in the scan conversion | ||
7 | code can cause a division by 0. | ||
8 | |||
9 | Avoid this with a simple extra check. | ||
10 | |||
11 | dx_old=cf814d81 | ||
12 | endp->x_next=b0e859b9 | ||
13 | alp->x_next=8069a73a | ||
14 | |||
15 | leads to dx_den = 0 | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | CVE: CVE-2016-10219 | ||
19 | |||
20 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
21 | --- | ||
22 | base/gxfill.c | 4 ++-- | ||
23 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/base/gxfill.c b/base/gxfill.c | ||
26 | index 99196c0..2f81bb0 100644 | ||
27 | --- a/base/gxfill.c | ||
28 | +++ b/base/gxfill.c | ||
29 | @@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new | ||
30 | fixed dx_old = alp->x_current - endp->x_current; | ||
31 | fixed dx_den = dx_old + endp->x_next - alp->x_next; | ||
32 | |||
33 | - if (dx_den <= dx_old) | ||
34 | + if (dx_den <= dx_old || dx_den == 0) | ||
35 | return false; /* Intersection isn't possible. */ | ||
36 | dy = y1 - y; | ||
37 | if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n", | ||
38 | @@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new | ||
39 | /* Do the computation in single precision */ | ||
40 | /* if the values are small enough. */ | ||
41 | y_new = | ||
42 | - ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ? | ||
43 | + (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ? | ||
44 | dy * dx_old / dx_den : | ||
45 | (INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den))) | ||
46 | + y; | ||
47 | -- | ||
48 | 2.10.2 | ||
49 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch new file mode 100644 index 0000000000..5e1e8ba10c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ken Sharp <ken.sharp@artifex.com> | ||
3 | Date: Wed, 21 Dec 2016 16:54:14 +0000 | ||
4 | Subject: [PATCH] fix crash with bad data supplied to makeimagedevice | ||
5 | |||
6 | Bug #697450 "Null pointer dereference in gx_device_finalize()" | ||
7 | |||
8 | The problem here is that the code to finalise a device unconditionally | ||
9 | frees the icc_struct member of the device structure. However this | ||
10 | particular (weird) device is not setup as a normal device, probably | ||
11 | because its very, very ancient. Its possible for the initialisation | ||
12 | of the device to abort with an error before calling gs_make_mem_device() | ||
13 | which is where the icc_struct member gets allocated (or set to NULL). | ||
14 | |||
15 | If that happens, then the cleanup code tries to free the device, which | ||
16 | calls finalize() which tries to free a garbage pointer. | ||
17 | |||
18 | Setting the device memory to 0x00 after we allocate it means that the | ||
19 | icc_struct member will be NULL< and our memory manager allows for that | ||
20 | happily enough, which avoids the problem. | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | CVE: CVE-2016-10220 | ||
24 | |||
25 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
26 | --- | ||
27 | base/gsdevmem.c | 12 ++++++++++++ | ||
28 | 1 file changed, 12 insertions(+) | ||
29 | |||
30 | diff --git a/base/gsdevmem.c b/base/gsdevmem.c | ||
31 | index 97b9cf4..fe75bcc 100644 | ||
32 | --- a/base/gsdevmem.c | ||
33 | +++ b/base/gsdevmem.c | ||
34 | @@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat, | ||
35 | |||
36 | if (pnew == 0) | ||
37 | return_error(gs_error_VMerror); | ||
38 | + | ||
39 | + /* Bug #697450 "Null pointer dereference in gx_device_finalize()" | ||
40 | + * If we have incorrect data passed to gs_initialise_wordimagedevice() then the | ||
41 | + * initialisation will fail, crucially it will fail *before* it calls | ||
42 | + * gs_make_mem_device() which initialises the device. This means that the | ||
43 | + * icc_struct member will be uninitialsed, but the device finalise method | ||
44 | + * will unconditionally free that memory. Since its a garbage pointer, bad things happen. | ||
45 | + * Apparently we do still need makeimagedevice to be available from | ||
46 | + * PostScript, so in here just zero the device memory, which means that | ||
47 | + * the finalise routine won't have a problem. | ||
48 | + */ | ||
49 | + memset(pnew, 0x00, st_device_memory.ssize); | ||
50 | code = gs_initialize_wordimagedevice(pnew, pmat, width, height, | ||
51 | colors, num_colors, word_oriented, | ||
52 | page_device, mem); | ||
53 | -- | ||
54 | 2.10.2 | ||
55 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch new file mode 100644 index 0000000000..62cc1342ad --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 6 Apr 2017 16:44:54 +0100 | ||
4 | Subject: [PATCH] Bug 697548: use the correct param list enumerator | ||
5 | |||
6 | When we encountered dictionary in a ref_param_list, we were using the enumerator | ||
7 | for the "parent" param_list, rather than the enumerator for the param_list | ||
8 | we just created for the dictionary. That parent was usually the stack | ||
9 | list enumerator, and caused a segfault. | ||
10 | |||
11 | Using the correct enumerator works better. | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2017-5951 | ||
15 | |||
16 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
17 | --- | ||
18 | psi/iparam.c | 7 ++++--- | ||
19 | 1 file changed, 4 insertions(+), 3 deletions(-) | ||
20 | |||
21 | diff --git a/psi/iparam.c b/psi/iparam.c | ||
22 | index 4e63b6d..b2fa85f 100644 | ||
23 | --- a/psi/iparam.c | ||
24 | +++ b/psi/iparam.c | ||
25 | @@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey, | ||
26 | gs_param_enumerator_t enumr; | ||
27 | gs_param_key_t key; | ||
28 | ref_type keytype; | ||
29 | + dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list; | ||
30 | |||
31 | param_init_enumerator(&enumr); | ||
32 | - if (!(*((iparam_list *) plist)->enumerate) | ||
33 | - ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype) | ||
34 | + if (!(*(dlist->enumerate)) | ||
35 | + ((iparam_list *) dlist, &enumr, &key, &keytype) | ||
36 | && keytype == t_integer) { | ||
37 | - ((dict_param_list *) pvalue->value.d.list)->int_keys = 1; | ||
38 | + dlist->int_keys = 1; | ||
39 | pvalue->type = gs_param_type_dict_int_keys; | ||
40 | } | ||
41 | } | ||
42 | -- | ||
43 | 2.10.2 | ||
44 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb index e8fc5dfbb6..3c8a2e6d3c 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb | |||
@@ -32,6 +32,9 @@ SRC_URI = "${SRC_URI_BASE} \ | |||
32 | file://objarch.h \ | 32 | file://objarch.h \ |
33 | file://cups-no-gcrypt.patch \ | 33 | file://cups-no-gcrypt.patch \ |
34 | file://CVE-2017-7207.patch \ | 34 | file://CVE-2017-7207.patch \ |
35 | file://CVE-2016-10219.patch \ | ||
36 | file://CVE-2016-10220.patch \ | ||
37 | file://CVE-2017-5951.patch \ | ||
35 | " | 38 | " |
36 | 39 | ||
37 | SRC_URI_class-native = "${SRC_URI_BASE} \ | 40 | SRC_URI_class-native = "${SRC_URI_BASE} \ |