summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorCatalin Enache <catalin.enache@windriver.com>2017-04-05 15:06:51 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-04-10 23:00:42 +0100
commit6df3fde8e952799b91f3812b4f7929d7a34cddfe (patch)
tree379da18a1bd83a76fcb4fe23ee0158a4bd8dd2d6 /meta
parent77de4e58bfd291ea98c20609c5524c6983d29d89 (diff)
downloadpoky-6df3fde8e952799b91f3812b4f7929d7a34cddfe.tar.gz
ghostscript: CVE-2017-7207
The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207 Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091 (From OE-Core rev: 0f22a27c2abd2f2dd9119681f139dd85dcb6479d) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch39
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.20.bb1
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch
new file mode 100644
index 0000000000..a05dc02c6c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch
@@ -0,0 +1,39 @@
1From 0e88bee1304993668fede72498d656a2dd33a35e Mon Sep 17 00:00:00 2001
2From: Ken Sharp <ken.sharp@artifex.com>
3Date: Mon, 20 Mar 2017 09:34:11 +0000
4Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
5
6Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
7
8This is only possible by abusing/mis-using Ghostscript-specific
9language extensions, so cannot happen in a general PostScript program.
10
11Nevertheless, Ghostscript should not crash. So this commit checks the
12memory device to see if raster memory has been allocated, before trying
13to read from it.
14
15Upstream-Status: Backport
16CVE: CVE-2017-7207
17
18Author: Ken Sharp <ken.sharp@artifex.com>
19Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
20---
21 base/gdevmem.c | 2 ++
22 1 file changed, 2 insertions(+)
23
24diff --git a/base/gdevmem.c b/base/gdevmem.c
25index 41108ba..183f96d 100644
26--- a/base/gdevmem.c
27+++ b/base/gdevmem.c
28@@ -605,6 +605,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
29 GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
30 return_error(gs_error_rangecheck);
31 }
32+ if (mdev->line_ptrs == 0x00)
33+ return_error(gs_error_rangecheck);
34 if ((w <= 0) | (h <= 0)) {
35 if ((w | h) < 0)
36 return_error(gs_error_rangecheck);
37--
382.10.2
39
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
index 210e9a73b9..e8fc5dfbb6 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SRC_URI_BASE} \
31 file://ghostscript-9.02-genarch.patch \ 31 file://ghostscript-9.02-genarch.patch \
32 file://objarch.h \ 32 file://objarch.h \
33 file://cups-no-gcrypt.patch \ 33 file://cups-no-gcrypt.patch \
34 file://CVE-2017-7207.patch \
34 " 35 "
35 36
36SRC_URI_class-native = "${SRC_URI_BASE} \ 37SRC_URI_class-native = "${SRC_URI_BASE} \