summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch54
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.52.bb1
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch
new file mode 100644
index 0000000000..d7c5f034e5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-15900.patch
@@ -0,0 +1,54 @@
1From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
2From: Ray Johnston <ray.johnston@artifex.com>
3Date: Wed, 22 Jul 2020 09:57:54 -0700
4Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
5 9.52
6
7Fix the 'rsearch' calculation for the 'post' size to give the correct
8size. Previous calculation would result in a size that was too large,
9and could underflow to max uint32_t. Also fix 'rsearch' to return the
10correct 'pre' string with empty string match.
11
12A future change may 'undefine' this undocumented, non-standard operator
13during initialization as we do with the many other non-standard internal
14PostScript operators and procedures.
15
16Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
17CVE: CVE-2020-15900
18Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
19---
20 psi/zstring.c | 17 +++++++++++------
21 1 file changed, 11 insertions(+), 6 deletions(-)
22
23diff --git a/psi/zstring.c b/psi/zstring.c
24index 33662dafa..58e1af2b3 100644
25--- a/psi/zstring.c
26+++ b/psi/zstring.c
27@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
28 return 0;
29 found:
30 op->tas.type_attrs = op1->tas.type_attrs;
31- op->value.bytes = ptr;
32- r_set_size(op, size);
33+ op->value.bytes = ptr; /* match */
34+ op->tas.rsize = size; /* match */
35 push(2);
36- op[-1] = *op1;
37- r_set_size(op - 1, ptr - op[-1].value.bytes);
38- op1->value.bytes = ptr + size;
39- r_set_size(op1, count + (!forward ? (size - 1) : 0));
40+ op[-1] = *op1; /* pre */
41+ op[-3].value.bytes = ptr + size; /* post */
42+ if (forward) {
43+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
44+ op[-3].tas.rsize = count; /* post */
45+ } else {
46+ op[-1].tas.rsize = count; /* pre */
47+ op[-3].tas.rsize -= count + size; /* post */
48+ }
49 make_true(op);
50 return 0;
51 }
52--
532.17.1
54
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 4cdb6e00d8..65135f5821 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
34SRC_URI = "${SRC_URI_BASE} \ 34SRC_URI = "${SRC_URI_BASE} \
35 file://ghostscript-9.21-prevent_recompiling.patch \ 35 file://ghostscript-9.21-prevent_recompiling.patch \
36 file://cups-no-gcrypt.patch \ 36 file://cups-no-gcrypt.patch \
37 file://CVE-2020-15900.patch \
37 " 38 "
38 39
39SRC_URI_class-native = "${SRC_URI_BASE} \ 40SRC_URI_class-native = "${SRC_URI_BASE} \