diff options
author | Joe Slater <jslater@windriver.com> | 2017-08-22 13:18:19 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-23 08:47:03 +0100 |
commit | 8efe72508002772df08664d9bb0d5f8b25497ce5 (patch) | |
tree | 9ca8eed5119a447cec5e875cdf06b6641c9d04f8 /meta/recipes-extended | |
parent | ed52aa9e79d713c79aff787bcf3ac9168970f4ac (diff) | |
download | poky-8efe72508002772df08664d9bb0d5f8b25497ce5.tar.gz |
ghostscript: fix several CVEs by adding bounds checking
CVE-2017-9611
CVE-2017-9612
CVE-2017-9739
CVE-2017-9726
(From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
5 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch new file mode 100644 index 0000000000..58ef04d1fd --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From c7c55972758a93350882c32147801a3485b010fe Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Mon, 12 Jun 2017 13:08:40 +0100 | ||
4 | Subject: [PATCH] Bug 698024: bounds check zone pointer in Ins_MIRP() | ||
5 | |||
6 | --- | ||
7 | base/ttinterp.c | 3 ++- | ||
8 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
9 | |||
10 | --- end of original header | ||
11 | |||
12 | CVE: CVE-2017-9611 | ||
13 | |||
14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
15 | |||
16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
17 | |||
18 | diff --git a/base/ttinterp.c b/base/ttinterp.c | ||
19 | index e56aec6..f6a6d95 100644 | ||
20 | --- a/base/ttinterp.c | ||
21 | +++ b/base/ttinterp.c | ||
22 | @@ -3858,7 +3858,8 @@ static int nInstrCount=0; | ||
23 | /* XXX: UNDOCUMENTED! cvt[-1] = 0 always */ | ||
24 | |||
25 | if ( BOUNDS( args[0], CUR.zp1.n_points ) || | ||
26 | - BOUNDS( args[1]+1, CUR.cvtSize+1 ) ) | ||
27 | + BOUNDS( args[1]+1, CUR.cvtSize+1 ) || | ||
28 | + BOUNDS(CUR.GS.rp0, CUR.zp0.n_points) ) | ||
29 | { | ||
30 | CUR.error = TT_Err_Invalid_Reference; | ||
31 | return; | ||
32 | -- | ||
33 | 1.7.9.5 | ||
34 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch new file mode 100644 index 0000000000..b737cc56bb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 98f6da60b9d463c617e631fc254cf6d66f2e8e3c Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Mon, 12 Jun 2017 13:15:17 +0100 | ||
4 | Subject: [PATCH] Bug 698026: bounds check zone pointers in Ins_IP() | ||
5 | |||
6 | --- | ||
7 | base/ttinterp.c | 4 +++- | ||
8 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
9 | |||
10 | --- end of original header | ||
11 | |||
12 | CVE: CVE-2017-9612 | ||
13 | |||
14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
15 | |||
16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
17 | |||
18 | diff --git a/base/ttinterp.c b/base/ttinterp.c | ||
19 | index f6a6d95..e7c9d68 100644 | ||
20 | --- a/base/ttinterp.c | ||
21 | +++ b/base/ttinterp.c | ||
22 | @@ -4129,7 +4129,9 @@ static int nInstrCount=0; | ||
23 | Int point; | ||
24 | (void)args; | ||
25 | |||
26 | - if ( CUR.top < CUR.GS.loop ) | ||
27 | + if ( CUR.top < CUR.GS.loop || | ||
28 | + BOUNDS(CUR.GS.rp1, CUR.zp0.n_points) || | ||
29 | + BOUNDS(CUR.GS.rp2, CUR.zp1.n_points)) | ||
30 | { | ||
31 | CUR.error = TT_Err_Invalid_Reference; | ||
32 | return; | ||
33 | -- | ||
34 | 1.7.9.5 | ||
35 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch new file mode 100644 index 0000000000..3e6c65699d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 7755e67116e8973ee0e3b22d653df026a84fa01b Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 15 Jun 2017 08:58:31 +0100 | ||
4 | Subject: [PATCH] Bug 698055: bounds check zone pointer in Ins_MDRP | ||
5 | |||
6 | --- | ||
7 | base/ttinterp.c | 3 ++- | ||
8 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
9 | |||
10 | --- end of original header | ||
11 | |||
12 | CVE: CVE-2017-9726 | ||
13 | |||
14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
15 | |||
16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
17 | diff --git a/base/ttinterp.c b/base/ttinterp.c | ||
18 | index e7c9d68..af457e8 100644 | ||
19 | --- a/base/ttinterp.c | ||
20 | +++ b/base/ttinterp.c | ||
21 | @@ -3770,7 +3770,8 @@ static int nInstrCount=0; | ||
22 | |||
23 | point = (Int)args[0]; | ||
24 | |||
25 | - if ( BOUNDS( args[0], CUR.zp1.n_points ) ) | ||
26 | + if ( BOUNDS( args[0], CUR.zp1.n_points ) || | ||
27 | + BOUNDS( CUR.GS.rp0, CUR.zp0.n_points) ) | ||
28 | { | ||
29 | /* Current version of FreeType silently ignores this out of bounds error | ||
30 | * and drops the instruction, see bug #691121 | ||
31 | -- | ||
32 | 1.7.9.5 | ||
33 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch new file mode 100644 index 0000000000..69a94df7b9 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Fri, 16 Jun 2017 08:29:25 +0100 | ||
4 | Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR | ||
5 | |||
6 | --- | ||
7 | base/ttinterp.c | 6 ++++++ | ||
8 | 1 file changed, 6 insertions(+) | ||
9 | |||
10 | --- end of original header | ||
11 | |||
12 | CVE: CVE-2017-9739 | ||
13 | |||
14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
15 | |||
16 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
17 | |||
18 | diff --git a/base/ttinterp.c b/base/ttinterp.c | ||
19 | index af457e8..adf3f0c 100644 | ||
20 | --- a/base/ttinterp.c | ||
21 | +++ b/base/ttinterp.c | ||
22 | @@ -1794,6 +1794,12 @@ static int nInstrCount=0; | ||
23 | |||
24 | static void Ins_JMPR( INS_ARG ) | ||
25 | { | ||
26 | + if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) ) | ||
27 | + { | ||
28 | + CUR.error = TT_Err_Invalid_Reference; | ||
29 | + return; | ||
30 | + } | ||
31 | + | ||
32 | CUR.IP += (Int)(args[0]); | ||
33 | CUR.step_ins = FALSE; | ||
34 | |||
35 | -- | ||
36 | 1.7.9.5 | ||
37 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb index adad9fdbd2..93589cc2b9 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb | |||
@@ -37,6 +37,10 @@ SRC_URI = "${SRC_URI_BASE} \ | |||
37 | file://CVE-2017-5951.patch \ | 37 | file://CVE-2017-5951.patch \ |
38 | file://CVE-2017-7975.patch \ | 38 | file://CVE-2017-7975.patch \ |
39 | file://CVE-2017-9216.patch \ | 39 | file://CVE-2017-9216.patch \ |
40 | file://CVE-2017-9611.patch \ | ||
41 | file://CVE-2017-9612.patch \ | ||
42 | file://CVE-2017-9739.patch \ | ||
43 | file://CVE-2017-9726.patch \ | ||
40 | " | 44 | " |
41 | 45 | ||
42 | SRC_URI_class-native = "${SRC_URI_BASE} \ | 46 | SRC_URI_class-native = "${SRC_URI_BASE} \ |