diff options
Diffstat (limited to 'meta')
5 files changed, 151 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7977.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7977.patch new file mode 100644 index 0000000000..b7eed1241e --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7977.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 8abd22010eb4db0fb1b10e430d5f5d83e015ef70 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Mon, 3 Oct 2016 01:46:28 +0100 | ||
4 | Subject: [PATCH] Bug 697169: Be rigorous with SAFER permissions | ||
5 | |||
6 | Once we've opened our input file from the command line, enforce the SAFER | ||
7 | rules. | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | CVE: CVE-2016-7977 | ||
11 | |||
12 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
13 | --- | ||
14 | psi/zfile.c | 3 +++ | ||
15 | 1 file changed, 3 insertions(+) | ||
16 | |||
17 | diff --git a/psi/zfile.c b/psi/zfile.c | ||
18 | index b6caea2..2c6c958 100644 | ||
19 | --- a/psi/zfile.c | ||
20 | +++ b/psi/zfile.c | ||
21 | @@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx | ||
22 | gs_main_instance *minst = get_minst_from_memory(mem); | ||
23 | int code; | ||
24 | |||
25 | + if (i_ctx_p && starting_arg_file) | ||
26 | + i_ctx_p->starting_arg_file = false; | ||
27 | + | ||
28 | /* when starting arg files (@ files) iodev_default is not yet set */ | ||
29 | if (iodev == 0) | ||
30 | iodev = (gx_io_device *)gx_io_device_table[0]; | ||
31 | -- | ||
32 | 2.10.2 | ||
33 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7978.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7978.patch new file mode 100644 index 0000000000..668f205968 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7978.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 6f749c0c44e7b9e09737b9f29edf29925a34f0cf Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 5 Oct 2016 09:59:25 +0100 | ||
4 | Subject: [PATCH] Bug 697179: Reference count device icc profile | ||
5 | |||
6 | when copying a device | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2016-7978 | ||
10 | |||
11 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
12 | --- | ||
13 | base/gsdevice.c | 1 + | ||
14 | 1 file changed, 1 insertion(+) | ||
15 | |||
16 | diff --git a/base/gsdevice.c b/base/gsdevice.c | ||
17 | index 778106f..aea986a 100644 | ||
18 | --- a/base/gsdevice.c | ||
19 | +++ b/base/gsdevice.c | ||
20 | @@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem, | ||
21 | dev->memory = mem; | ||
22 | dev->retained = !internal; | ||
23 | rc_init(dev, mem, (internal ? 0 : 1)); | ||
24 | + rc_increment(dev->icc_struct); | ||
25 | } | ||
26 | |||
27 | void | ||
28 | -- | ||
29 | 2.10.2 | ||
30 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7979.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7979.patch new file mode 100644 index 0000000000..9e930d3a42 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-7979.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From 875a0095f37626a721c7ff57d606a0f95af03913 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ken Sharp <ken.sharp@artifex.com> | ||
3 | Date: Wed, 5 Oct 2016 10:10:58 +0100 | ||
4 | Subject: [PATCH] DSC parser - validate parameters | ||
5 | |||
6 | Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it." | ||
7 | |||
8 | Regardless of any security implications, its simply wrong for a PostScript | ||
9 | operator not to validate its parameter(s). | ||
10 | |||
11 | No differences expected. | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2016-7979 | ||
15 | |||
16 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
17 | --- | ||
18 | psi/zdscpars.c | 13 +++++++++---- | ||
19 | 1 file changed, 9 insertions(+), 4 deletions(-) | ||
20 | |||
21 | diff --git a/psi/zdscpars.c b/psi/zdscpars.c | ||
22 | index c05e154..9b4b605 100644 | ||
23 | --- a/psi/zdscpars.c | ||
24 | +++ b/psi/zdscpars.c | ||
25 | @@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p) | ||
26 | ref local_ref; | ||
27 | int code; | ||
28 | os_ptr const op = osp; | ||
29 | - dict * const pdict = op->value.pdict; | ||
30 | - gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict); | ||
31 | - dsc_data_t * const data = | ||
32 | - gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); | ||
33 | + dict *pdict; | ||
34 | + gs_memory_t *mem; | ||
35 | + dsc_data_t *data; | ||
36 | |||
37 | + check_read_type(*op, t_dictionary); | ||
38 | + | ||
39 | + pdict = op->value.pdict; | ||
40 | + mem = (gs_memory_t *)dict_memory(pdict); | ||
41 | + | ||
42 | + data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); | ||
43 | if (!data) | ||
44 | return_error(gs_error_VMerror); | ||
45 | data->document_level = 0; | ||
46 | -- | ||
47 | 2.10.2 | ||
48 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9216.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9216.patch new file mode 100644 index 0000000000..1caeb3ef51 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9216.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From 3ebffb1d96ba0cacec23016eccb4047dab365853 Mon Sep 17 00:00:00 2001 | ||
2 | From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> | ||
3 | Date: Wed, 24 May 2017 19:29:57 +0100 | ||
4 | Subject: [PATCH] Bug 697934: Fix SEGV due to error code being ignored. | ||
5 | |||
6 | The return code from jbig2_decode_text_region was being ignored so the | ||
7 | code continued to try and parse the invalid file using incomplete/empty | ||
8 | structures. | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2017-9216 | ||
12 | |||
13 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
14 | --- | ||
15 | jbig2dec/jbig2_symbol_dict.c | 4 +++- | ||
16 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c | ||
19 | index 3cc1731..672425d 100644 | ||
20 | --- a/jbig2dec/jbig2_symbol_dict.c | ||
21 | +++ b/jbig2dec/jbig2_symbol_dict.c | ||
22 | @@ -493,8 +493,10 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, | ||
23 | } | ||
24 | |||
25 | /* multiple symbols are handled as a text region */ | ||
26 | - jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts, | ||
27 | + code = jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts, | ||
28 | n_refagg_dicts, image, data, size, GR_stats, as, ws); | ||
29 | + if (code < 0) | ||
30 | + goto cleanup4; | ||
31 | |||
32 | SDNEWSYMS->glyphs[NSYMSDECODED] = image; | ||
33 | refagg_dicts[0]->glyphs[params->SDNUMINSYMS + NSYMSDECODED] = jbig2_image_clone(ctx, SDNEWSYMS->glyphs[NSYMSDECODED]); | ||
34 | -- | ||
35 | 2.10.2 | ||
36 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb index 30591c9d76..2e6fefff3c 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb | |||
@@ -37,6 +37,10 @@ SRC_URI = "${SRC_URI_BASE} \ | |||
37 | file://CVE-2017-5951.patch \ | 37 | file://CVE-2017-5951.patch \ |
38 | file://CVE-2016-8602.patch \ | 38 | file://CVE-2016-8602.patch \ |
39 | file://CVE-2017-7975.patch \ | 39 | file://CVE-2017-7975.patch \ |
40 | file://CVE-2016-7977.patch \ | ||
41 | file://CVE-2016-7978.patch \ | ||
42 | file://CVE-2016-7979.patch \ | ||
43 | file://CVE-2017-9216.patch \ | ||
40 | " | 44 | " |
41 | 45 | ||
42 | SRC_URI_class-native = "${SRC_URI_BASE} \ | 46 | SRC_URI_class-native = "${SRC_URI_BASE} \ |