4 files changed, 224 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
new file mode 100644
index 0000000000..84983c5aea
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
@@ -0,0 +1,61 @@
+From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Jul 2017 14:54:02 +0100
+Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object
+In the token reader, we pass the scanner state structure around as a
+t_struct ref on the Postscript operand stack.
+But we explicitly free the scanner state when we're done, which leaves a
+dangling reference on the operand stack and, unless that reference gets
+overwritten before the next garbager run, we can end up with the garbager
+trying to deal with an already freed object - that can cause a crash, or
+memory corruption.
+---
+ psi/ztoken.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+--- end of original header
+CVE: CVE-2017-11714
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/psi/ztoken.c b/psi/ztoken.c
+index 4dba7c5..af1ceeb 100644
+--- a/psi/ztoken.c
+++ b/psi/ztoken.c
+@@ -107,6 +107,12 @@ token_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
+     int code;
+     ref token;
+ 
+    /* Since we might free pstate below, and we're dealing with
+     * gc memory referenced by the stack, we need to explicitly
+     * remove the reference to pstate from the stack, otherwise
+     * the garbager will fall over
+     */
+    make_null(osp);
+     /* Note that gs_scan_token may change osp! */
+     pop(1);                     /* remove the file or scanner state */
+ again:
+@@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p)
+ static int
+ tokenexec_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
+ {
+-    os_ptr op;
+    os_ptr op = osp;
+     int code;
+    /* Since we might free pstate below, and we're dealing with
+     * gc memory referenced by the stack, we need to explicitly
+     * remove the reference to pstate from the stack, otherwise
+     * the garbager will fall over
+     */
+    make_null(osp);
+     /* Note that gs_scan_token may change osp! */
+     pop(1);
+ again:
+-- 
+1.7.9.5
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch
new file mode 100644
index 0000000000..a2f7bfa506
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch
@@ -0,0 +1,35 @@
+From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 15 Jun 2017 09:05:20 +0100
+Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more
+ robust
+---
+ base/gxttfb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+--- end of original header
+CVE: CVE-2017-9727
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/base/gxttfb.c b/base/gxttfb.c
+index 0e9a444..e1561af 100644
+--- a/base/gxttfb.c
+++ b/base/gxttfb.c
+@@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n)
+     if (!r->error) {
+         if (r->extra_glyph_index != -1) {
+             q = r->glyph_data.bits.data + r->pos;
+-            r->error = (r->glyph_data.bits.size - r->pos < n ?
+            r->error = ((r->pos >= r->glyph_data.bits.size ||
+                        r->glyph_data.bits.size - r->pos < n) ?
+                             gs_note_error(gs_error_invalidfont) : 0);
+             if (r->error == 0)
+                 memcpy(p, q, n);
+-- 
+1.7.9.5
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch
new file mode 100644
index 0000000000..7c65690c65
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch
@@ -0,0 +1,125 @@
+From cfde94be1d4286bc47633c6e6eaf4e659bd78066 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2017 14:55:12 +0100
+Subject: [PATCH] Bug 697985: bounds check the array allocations methods
+The clump allocator has four allocation functions that use 'number of elements'
+and 'size of elements' parameters (rather than a simple 'number of bytes').
+Those need specific bounds checking.
+---
+ base/gsalloc.c |   42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+--- end of original header
+CVE: CVE-2017-9835
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/base/gsalloc.c b/base/gsalloc.c
+index 741ba00..10c04dd 100644
+--- a/base/gsalloc.c
+++ b/base/gsalloc.c
+@@ -1248,19 +1248,32 @@ i_alloc_struct_immovable(gs_memory_t * mem, gs_memory_type_ptr_t pstype,
+     alloc_trace("|+<.", imem, cname, pstype, size, obj);
+     return obj;
+ }
+
+static inline bool
+alloc_array_check_size(ulong num_elements, ulong elt_size, ulong *lsize)
+{
+    int64_t s = (int64_t)num_elements * elt_size;
+    if (s > max_uint) {
+        return false;
+    }
+    *lsize = (ulong)s;
+    return true;
+}
+
+ static byte *
+ i_alloc_byte_array(gs_memory_t * mem, uint num_elements, uint elt_size,
+                    client_name_t cname)
+ {
+     gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+     obj_header_t *obj;
+-
+    ulong lsize;
+ #ifdef MEMENTO
+     if (Memento_failThisEvent())
+         return NULL;
+ #endif
+-
+-    obj = alloc_obj(imem, (ulong) num_elements * elt_size,
+    if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
+        return NULL;
+    obj = alloc_obj(imem, lsize,
+                     &st_bytes, ALLOC_DIRECT, cname);
+ 
+     if_debug6m('A', mem, "[a%d:+b.]%s -bytes-*(%lu=%u*%u) = 0x%lx\n",
+@@ -1275,13 +1288,14 @@ i_alloc_byte_array_immovable(gs_memory_t * mem, uint num_elements,
+ {
+     gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+     obj_header_t *obj;
+-
+    ulong lsize;
+ #ifdef MEMENTO
+     if (Memento_failThisEvent())
+         return NULL;
+ #endif
+-
+-    obj = alloc_obj(imem, (ulong) num_elements * elt_size,
+    if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
+        return NULL;
+    obj = alloc_obj(imem, lsize,
+                     &st_bytes, ALLOC_IMMOVABLE | ALLOC_DIRECT,
+                     cname);
+ 
+@@ -1297,7 +1311,7 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
+ {
+     gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+     obj_header_t *obj;
+-
+    ulong lsize;
+ #ifdef MEMENTO
+     if (Memento_failThisEvent())
+         return NULL;
+@@ -1311,9 +1325,9 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
+         return NULL;           /* fail */
+     }
+ #endif
+-    obj = alloc_obj(imem,
+-                    (ulong) num_elements * pstype->ssize,
+-                    pstype, ALLOC_DIRECT, cname);
+    if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
+        return NULL;
+    obj = alloc_obj(imem, lsize, pstype, ALLOC_DIRECT, cname);
+     if_debug7m('A', mem, "[a%d:+<.]%s %s*(%lu=%u*%u) = 0x%lx\n",
+                alloc_trace_space(imem), client_name_string(cname),
+                struct_type_name_string(pstype),
+@@ -1327,16 +1341,16 @@ i_alloc_struct_array_immovable(gs_memory_t * mem, uint num_elements,
+ {
+     gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+     obj_header_t *obj;
+-
+    ulong lsize;
+ #ifdef MEMENTO
+     if (Memento_failThisEvent())
+         return NULL;
+ #endif
+ 
+     ALLOC_CHECK_SIZE(mem,pstype);
+-    obj = alloc_obj(imem,
+-                    (ulong) num_elements * pstype->ssize,
+-                    pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname);
+    if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
+        return NULL;
+    obj = alloc_obj(imem, lsize, pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname);
+     if_debug7m('A', mem, "[a%d|+<.]%s %s*(%lu=%u*%u) = 0x%lx\n",
+                alloc_trace_space(imem), client_name_string(cname),
+                struct_type_name_string(pstype),
+-- 
+1.7.9.5
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
index 93589cc2b9..bf985c44a3 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
@@ -41,6 +41,9 @@ SRC_URI = "${SRC_URI_BASE} \
           file://CVE-2017-9612.patch \
           file://CVE-2017-9739.patch \
           file://CVE-2017-9726.patch \
+           file://CVE-2017-9727.patch \
+           file://CVE-2017-9835.patch \
+           file://CVE-2017-11714.patch \
           "
 SRC_URI_class-native = "${SRC_URI_BASE} \

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch new file mode 100644 index 0000000000..84983c5aea --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
@@ -0,0 +1,61 @@
		1	From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Thu, 6 Jul 2017 14:54:02 +0100
		4	Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object
		5
		6	In the token reader, we pass the scanner state structure around as a
		7	t_struct ref on the Postscript operand stack.
		8
		9	But we explicitly free the scanner state when we're done, which leaves a
		10	dangling reference on the operand stack and, unless that reference gets
		11	overwritten before the next garbager run, we can end up with the garbager
		12	trying to deal with an already freed object - that can cause a crash, or
		13	memory corruption.
		14	---
		15	psi/ztoken.c \| 14 +++++++++++++-
		16	1 file changed, 13 insertions(+), 1 deletion(-)
		17
		18	--- end of original header
		19
		20	CVE: CVE-2017-11714
		21
		22	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
		23
		24	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		25
		26	diff --git a/psi/ztoken.c b/psi/ztoken.c
		27	index 4dba7c5..af1ceeb 100644
		28	--- a/psi/ztoken.c
		29	+++ b/psi/ztoken.c
		30	@@ -107,6 +107,12 @@ token_continue(i_ctx_t i_ctx_p, scanner_state pstate, bool save)
		31	int code;
		32	ref token;
		33
		34	+ /* Since we might free pstate below, and we're dealing with
		35	+ * gc memory referenced by the stack, we need to explicitly
		36	+ * remove the reference to pstate from the stack, otherwise
		37	+ * the garbager will fall over
		38	+ */
		39	+ make_null(osp);
		40	/* Note that gs_scan_token may change osp! */
		41	pop(1); /* remove the file or scanner state */
		42	again:
		43	@@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p)
		44	static int
		45	tokenexec_continue(i_ctx_t i_ctx_p, scanner_state pstate, bool save)
		46	{
		47	- os_ptr op;
		48	+ os_ptr op = osp;
		49	int code;
		50	+ /* Since we might free pstate below, and we're dealing with
		51	+ * gc memory referenced by the stack, we need to explicitly
		52	+ * remove the reference to pstate from the stack, otherwise
		53	+ * the garbager will fall over
		54	+ */
		55	+ make_null(osp);
		56	/* Note that gs_scan_token may change osp! */
		57	pop(1);
		58	again:
		59	--
		60	1.7.9.5
		61


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch new file mode 100644 index 0000000000..a2f7bfa506 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch
@@ -0,0 +1,35 @@
		1	From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Thu, 15 Jun 2017 09:05:20 +0100
		4	Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more
		5	robust
		6
		7	---
		8	base/gxttfb.c \| 3 ++-
		9	1 file changed, 2 insertions(+), 1 deletion(-)
		10
		11	--- end of original header
		12
		13	CVE: CVE-2017-9727
		14
		15	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
		16
		17	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		18
		19	diff --git a/base/gxttfb.c b/base/gxttfb.c
		20	index 0e9a444..e1561af 100644
		21	--- a/base/gxttfb.c
		22	+++ b/base/gxttfb.c
		23	@@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader self, void p, int n)
		24	if (!r->error) {
		25	if (r->extra_glyph_index != -1) {
		26	q = r->glyph_data.bits.data + r->pos;
		27	- r->error = (r->glyph_data.bits.size - r->pos < n ?
		28	+ r->error = ((r->pos >= r->glyph_data.bits.size \|\|
		29	+ r->glyph_data.bits.size - r->pos < n) ?
		30	gs_note_error(gs_error_invalidfont) : 0);
		31	if (r->error == 0)
		32	memcpy(p, q, n);
		33	--
		34	1.7.9.5
		35


diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch new file mode 100644 index 0000000000..7c65690c65 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch
@@ -0,0 +1,125 @@
		1	From cfde94be1d4286bc47633c6e6eaf4e659bd78066 Mon Sep 17 00:00:00 2001
		2	From: Chris Liddell <chris.liddell@artifex.com>
		3	Date: Wed, 7 Jun 2017 14:55:12 +0100
		4	Subject: [PATCH] Bug 697985: bounds check the array allocations methods
		5
		6	The clump allocator has four allocation functions that use 'number of elements'
		7	and 'size of elements' parameters (rather than a simple 'number of bytes').
		8
		9	Those need specific bounds checking.
		10	---
		11	base/gsalloc.c \| 42 ++++++++++++++++++++++++++++--------------
		12	1 file changed, 28 insertions(+), 14 deletions(-)
		13
		14	--- end of original header
		15
		16	CVE: CVE-2017-9835
		17
		18	Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
		19
		20	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		21
		22	diff --git a/base/gsalloc.c b/base/gsalloc.c
		23	index 741ba00..10c04dd 100644
		24	--- a/base/gsalloc.c
		25	+++ b/base/gsalloc.c
		26	@@ -1248,19 +1248,32 @@ i_alloc_struct_immovable(gs_memory_t * mem, gs_memory_type_ptr_t pstype,
		27	alloc_trace("\|+<.", imem, cname, pstype, size, obj);
		28	return obj;
		29	}
		30	+
		31	+static inline bool
		32	+alloc_array_check_size(ulong num_elements, ulong elt_size, ulong *lsize)
		33	+{
		34	+ int64_t s = (int64_t)num_elements * elt_size;
		35	+ if (s > max_uint) {
		36	+ return false;
		37	+ }
		38	+ *lsize = (ulong)s;
		39	+ return true;
		40	+}
		41	+
		42	static byte *
		43	i_alloc_byte_array(gs_memory_t * mem, uint num_elements, uint elt_size,
		44	client_name_t cname)
		45	{
		46	gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
		47	obj_header_t *obj;
		48	-
		49	+ ulong lsize;
		50	#ifdef MEMENTO
		51	if (Memento_failThisEvent())
		52	return NULL;
		53	#endif
		54	-
		55	- obj = alloc_obj(imem, (ulong) num_elements * elt_size,
		56	+ if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
		57	+ return NULL;
		58	+ obj = alloc_obj(imem, lsize,
		59	&st_bytes, ALLOC_DIRECT, cname);
		60
		61	if_debug6m('A', mem, "[a%d:+b.]%s -bytes-(%lu=%u%u) = 0x%lx\n",
		62	@@ -1275,13 +1288,14 @@ i_alloc_byte_array_immovable(gs_memory_t * mem, uint num_elements,
		63	{
		64	gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
		65	obj_header_t *obj;
		66	-
		67	+ ulong lsize;
		68	#ifdef MEMENTO
		69	if (Memento_failThisEvent())
		70	return NULL;
		71	#endif
		72	-
		73	- obj = alloc_obj(imem, (ulong) num_elements * elt_size,
		74	+ if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
		75	+ return NULL;
		76	+ obj = alloc_obj(imem, lsize,
		77	&st_bytes, ALLOC_IMMOVABLE \| ALLOC_DIRECT,
		78	cname);
		79
		80	@@ -1297,7 +1311,7 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
		81	{
		82	gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
		83	obj_header_t *obj;
		84	-
		85	+ ulong lsize;
		86	#ifdef MEMENTO
		87	if (Memento_failThisEvent())
		88	return NULL;
		89	@@ -1311,9 +1325,9 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
		90	return NULL; /* fail */
		91	}
		92	#endif
		93	- obj = alloc_obj(imem,
		94	- (ulong) num_elements * pstype->ssize,
		95	- pstype, ALLOC_DIRECT, cname);
		96	+ if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
		97	+ return NULL;
		98	+ obj = alloc_obj(imem, lsize, pstype, ALLOC_DIRECT, cname);
		99	if_debug7m('A', mem, "[a%d:+<.]%s %s(%lu=%u%u) = 0x%lx\n",
		100	alloc_trace_space(imem), client_name_string(cname),
		101	struct_type_name_string(pstype),
		102	@@ -1327,16 +1341,16 @@ i_alloc_struct_array_immovable(gs_memory_t * mem, uint num_elements,
		103	{
		104	gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
		105	obj_header_t *obj;
		106	-
		107	+ ulong lsize;
		108	#ifdef MEMENTO
		109	if (Memento_failThisEvent())
		110	return NULL;
		111	#endif
		112
		113	ALLOC_CHECK_SIZE(mem,pstype);
		114	- obj = alloc_obj(imem,
		115	- (ulong) num_elements * pstype->ssize,
		116	- pstype, ALLOC_IMMOVABLE \| ALLOC_DIRECT, cname);
		117	+ if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
		118	+ return NULL;
		119	+ obj = alloc_obj(imem, lsize, pstype, ALLOC_IMMOVABLE \| ALLOC_DIRECT, cname);
		120	if_debug7m('A', mem, "[a%d\|+<.]%s %s(%lu=%u%u) = 0x%lx\n",
		121	alloc_trace_space(imem), client_name_string(cname),
		122	struct_type_name_string(pstype),
		123	--
		124	1.7.9.5
		125


diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb index 93589cc2b9..bf985c44a3 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb
@@ -41,6 +41,9 @@ SRC_URI = "${SRC_URI_BASE} \
41	file://CVE-2017-9612.patch \	41	file://CVE-2017-9612.patch \
42	file://CVE-2017-9739.patch \	42	file://CVE-2017-9739.patch \
43	file://CVE-2017-9726.patch \	43	file://CVE-2017-9726.patch \
		44	file://CVE-2017-9727.patch \
		45	file://CVE-2017-9835.patch \
		46	file://CVE-2017-11714.patch \
44	"	47	"
45		48
46	SRC_URI_class-native = "${SRC_URI_BASE} \	49	SRC_URI_class-native = "${SRC_URI_BASE} \