ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951

The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 (From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Catalin Enache <catalin.enache@windriver.com> 2017-04-21 15:04:17 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-04-29 11:17:23 +0100
commit: 5970acb3fe28d4af59834b5cacb2d8d4d3511506 (patch)
tree: 0c53e13118b56cf279e4037459e6a9d581948187 /meta
parent: 8913e94511812c44a9847bb9ea17af2469923187 (diff)
download: poky-5970acb3fe28d4af59834b5cacb2d8d4d3511506.tar.gz
4 files changed, 151 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch
new file mode 100644
index 0000000000..574abe0e42
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch
@@ -0,0 +1,49 @@
+From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 29 Dec 2016 15:57:43 +0000
+Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
+Arithmetic overflow due to extreme values in the scan conversion
+code can cause a division by 0.
+Avoid this with a simple extra check.
+  dx_old=cf814d81
+  endp->x_next=b0e859b9
+  alp->x_next=8069a73a
+leads to dx_den = 0
+Upstream-Status: Backport
+CVE: CVE-2016-10219
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ base/gxfill.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/base/gxfill.c b/base/gxfill.c
+index 99196c0..2f81bb0 100644
+--- a/base/gxfill.c
+++ b/base/gxfill.c
+@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
+     fixed dx_old = alp->x_current - endp->x_current;
+     fixed dx_den = dx_old + endp->x_next - alp->x_next;
+ 
+-    if (dx_den <= dx_old)
+    if (dx_den <= dx_old || dx_den == 0)
+         return false; /* Intersection isn't possible. */
+     dy = y1 - y;
+     if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
+@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
+     /* Do the computation in single precision */
+     /* if the values are small enough. */
+     y_new =
+-        ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
+        (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
+          dy * dx_old / dx_den :
+          (INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
+         + y;
+-- 
+2.10.2
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
new file mode 100644
index 0000000000..5e1e8ba10c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
@@ -0,0 +1,55 @@
+From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Dec 2016 16:54:14 +0000
+Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
+Bug #697450 "Null pointer dereference in gx_device_finalize()"
+The problem here is that the code to finalise a device unconditionally
+frees the icc_struct member of the device structure. However this
+particular (weird) device is not setup as a normal device, probably
+because its very, very ancient. Its possible for the initialisation
+of the device to abort with an error before calling gs_make_mem_device()
+which is where the icc_struct member gets allocated (or set to NULL).
+If that happens, then the cleanup code tries to free the device, which
+calls finalize() which tries to free a garbage pointer.
+Setting the device memory to 0x00 after we allocate it means that the
+icc_struct member will be NULL< and our memory manager allows for that
+happily enough, which avoids the problem.
+Upstream-Status: Backport
+CVE: CVE-2016-10220
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ base/gsdevmem.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/base/gsdevmem.c b/base/gsdevmem.c
+index 97b9cf4..fe75bcc 100644
+--- a/base/gsdevmem.c
+++ b/base/gsdevmem.c
+@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
+ 
+     if (pnew == 0)
+         return_error(gs_error_VMerror);
+
+    /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
+     * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
+     * initialisation will fail, crucially it will fail *before* it calls
+     * gs_make_mem_device() which initialises the device. This means that the
+     * icc_struct member will be uninitialsed, but the device finalise method
+     * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
+     * Apparently we do still need makeimagedevice to be available from
+     * PostScript, so in here just zero the device memory, which means that
+     * the finalise routine won't have a problem.
+     */
+    memset(pnew, 0x00, st_device_memory.ssize);
+     code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
+                                          colors, num_colors, word_oriented,
+                                          page_device, mem);
+-- 
+2.10.2
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
new file mode 100644
index 0000000000..62cc1342ad
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
@@ -0,0 +1,44 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+Using the correct enumerator works better.
+Upstream-Status: Backport
+CVE: CVE-2017-5951
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
+++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+                 gs_param_enumerator_t enumr;
+                 gs_param_key_t key;
+                 ref_type keytype;
+                dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+ 
+                 param_init_enumerator(&enumr);
+-                if (!(*((iparam_list *) plist)->enumerate)
+-                    ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
+                if (!(*(dlist->enumerate))
+                    ((iparam_list *) dlist, &enumr, &key, &keytype)
+                     && keytype == t_integer) {
+-                    ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
+                    dlist->int_keys = 1;
+                     pvalue->type = gs_param_type_dict_int_keys;
+                 }
+             }
+-- 
+2.10.2
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
index e8fc5dfbb6..3c8a2e6d3c 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
@@ -32,6 +32,9 @@ SRC_URI = "${SRC_URI_BASE} \
           file://objarch.h \
           file://cups-no-gcrypt.patch \
           file://CVE-2017-7207.patch \
+           file://CVE-2016-10219.patch \
+           file://CVE-2016-10220.patch \
+           file://CVE-2017-5951.patch \
           "
 SRC_URI_class-native = "${SRC_URI_BASE} \
author	Catalin Enache <catalin.enache@windriver.com>	2017-04-21 15:04:17 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-04-29 11:17:23 +0100
commit	5970acb3fe28d4af59834b5cacb2d8d4d3511506 (patch)
tree	0c53e13118b56cf279e4037459e6a9d581948187 /meta
parent	8913e94511812c44a9847bb9ea17af2469923187 (diff)
download	poky-5970acb3fe28d4af59834b5cacb2d8d4d3511506.tar.gz

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch new file mode 100644 index 0000000000..574abe0e42 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch
@@ -0,0 +1,49 @@
		1	From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
		2	From: Robin Watts <Robin.Watts@artifex.com>
		3	Date: Thu, 29 Dec 2016 15:57:43 +0000
		4	Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
		5
		6	Arithmetic overflow due to extreme values in the scan conversion
		7	code can cause a division by 0.
		8
		9	Avoid this with a simple extra check.
		10
		11	dx_old=cf814d81
		12	endp->x_next=b0e859b9
		13	alp->x_next=8069a73a
		14
		15	leads to dx_den = 0
		16
		17	Upstream-Status: Backport
		18	CVE: CVE-2016-10219
		19
		20	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		21	---
		22	base/gxfill.c \| 4 ++--
		23	1 file changed, 2 insertions(+), 2 deletions(-)
		24
		25	diff --git a/base/gxfill.c b/base/gxfill.c
		26	index 99196c0..2f81bb0 100644
		27	--- a/base/gxfill.c
		28	+++ b/base/gxfill.c
		29	@@ -1741,7 +1741,7 @@ intersect(active_line endp, active_line alp, fixed y, fixed y1, fixed *p_y_new
		30	fixed dx_old = alp->x_current - endp->x_current;
		31	fixed dx_den = dx_old + endp->x_next - alp->x_next;
		32
		33	- if (dx_den <= dx_old)
		34	+ if (dx_den <= dx_old \|\| dx_den == 0)
		35	return false; /* Intersection isn't possible. */
		36	dy = y1 - y;
		37	if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
		38	@@ -1750,7 +1750,7 @@ intersect(active_line endp, active_line alp, fixed y, fixed y1, fixed *p_y_new
		39	/* Do the computation in single precision */
		40	/* if the values are small enough. */
		41	y_new =
		42	- ((dy \| dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
		43	+ (((ufixed)(dy \| dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
		44	dy * dx_old / dx_den :
		45	(INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
		46	+ y;
		47	--
		48	2.10.2
		49


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch new file mode 100644 index 0000000000..5e1e8ba10c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
@@ -0,0 +1,55 @@
		1	From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
		2	From: Ken Sharp <ken.sharp@artifex.com>
		3	Date: Wed, 21 Dec 2016 16:54:14 +0000
		4	Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
		5
		6	Bug #697450 "Null pointer dereference in gx_device_finalize()"
		7
		8	The problem here is that the code to finalise a device unconditionally
		9	frees the icc_struct member of the device structure. However this
		10	particular (weird) device is not setup as a normal device, probably
		11	because its very, very ancient. Its possible for the initialisation
		12	of the device to abort with an error before calling gs_make_mem_device()
		13	which is where the icc_struct member gets allocated (or set to NULL).
		14
		15	If that happens, then the cleanup code tries to free the device, which
		16	calls finalize() which tries to free a garbage pointer.
		17
		18	Setting the device memory to 0x00 after we allocate it means that the
		19	icc_struct member will be NULL< and our memory manager allows for that
		20	happily enough, which avoids the problem.
		21
		22	Upstream-Status: Backport
		23	CVE: CVE-2016-10220
		24
		25	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		26	---
		27	base/gsdevmem.c \| 12 ++++++++++++
		28	1 file changed, 12 insertions(+)
		29
		30	diff --git a/base/gsdevmem.c b/base/gsdevmem.c
		31	index 97b9cf4..fe75bcc 100644
		32	--- a/base/gsdevmem.c
		33	+++ b/base/gsdevmem.c
		34	@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
		35
		36	if (pnew == 0)
		37	return_error(gs_error_VMerror);
		38	+
		39	+ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
		40	+ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
		41	+ * initialisation will fail, crucially it will fail before it calls
		42	+ * gs_make_mem_device() which initialises the device. This means that the
		43	+ * icc_struct member will be uninitialsed, but the device finalise method
		44	+ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
		45	+ * Apparently we do still need makeimagedevice to be available from
		46	+ * PostScript, so in here just zero the device memory, which means that
		47	+ * the finalise routine won't have a problem.
		48	+ */
		49	+ memset(pnew, 0x00, st_device_memory.ssize);
		50	code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
		51	colors, num_colors, word_oriented,
		52	page_device, mem);
		53	--
		54	2.10.2
		55


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch new file mode 100644 index 0000000000..62cc1342ad --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
@@ -0,0 +1,44 @@
		1	From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Thu, 6 Apr 2017 16:44:54 +0100
		4	Subject: [PATCH] Bug 697548: use the correct param list enumerator
		5
		6	When we encountered dictionary in a ref_param_list, we were using the enumerator
		7	for the "parent" param_list, rather than the enumerator for the param_list
		8	we just created for the dictionary. That parent was usually the stack
		9	list enumerator, and caused a segfault.
		10
		11	Using the correct enumerator works better.
		12
		13	Upstream-Status: Backport
		14	CVE: CVE-2017-5951
		15
		16	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		17	---
		18	psi/iparam.c \| 7 ++++---
		19	1 file changed, 4 insertions(+), 3 deletions(-)
		20
		21	diff --git a/psi/iparam.c b/psi/iparam.c
		22	index 4e63b6d..b2fa85f 100644
		23	--- a/psi/iparam.c
		24	+++ b/psi/iparam.c
		25	@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
		26	gs_param_enumerator_t enumr;
		27	gs_param_key_t key;
		28	ref_type keytype;
		29	+ dict_param_list dlist = (dict_param_list ) pvalue->value.d.list;
		30
		31	param_init_enumerator(&enumr);
		32	- if (!(((iparam_list ) plist)->enumerate)
		33	- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
		34	+ if (!(*(dlist->enumerate))
		35	+ ((iparam_list *) dlist, &enumr, &key, &keytype)
		36	&& keytype == t_integer) {
		37	- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
		38	+ dlist->int_keys = 1;
		39	pvalue->type = gs_param_type_dict_int_keys;
		40	}
		41	}
		42	--
		43	2.10.2
		44


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb index e8fc5dfbb6..3c8a2e6d3c 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
@@ -32,6 +32,9 @@ SRC_URI = "${SRC_URI_BASE} \
32	file://objarch.h \	32	file://objarch.h \
33	file://cups-no-gcrypt.patch \	33	file://cups-no-gcrypt.patch \
34	file://CVE-2017-7207.patch \	34	file://CVE-2017-7207.patch \
		35	file://CVE-2016-10219.patch \
		36	file://CVE-2016-10220.patch \
		37	file://CVE-2017-5951.patch \
35	"	38	"
36		39
37	SRC_URI_class-native = "${SRC_URI_BASE} \	40	SRC_URI_class-native = "${SRC_URI_BASE} \