From 31e9be198160dbeb3d6ab10a3324457f9e502537 Mon Sep 17 00:00:00 2001 From: Catalin Enache Date: Mon, 8 May 2017 16:42:59 +0300 Subject: ghostscript: CVE-2016-8602, CVE-2017-7975 The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack. Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code. References: https://nvd.nist.gov/vuln/detail/CVE-2016-8602 https://nvd.nist.gov/vuln/detail/CVE-2017-7975 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f5c7555c303 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e57e483298 (From OE-Core rev: 8f919c2df47ca93132f21160d919b6ee2207d9a6) (From OE-Core rev: 6040b8735b79397bf49a2154f81e9aab34c15413) Signed-off-by: Catalin Enache Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../ghostscript/ghostscript/CVE-2016-8602.patch | 47 ++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch (limited to 'meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch') diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch new file mode 100644 index 0000000000..e58567cfec --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-8602.patch @@ -0,0 +1,47 @@ +From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Sat, 8 Oct 2016 16:10:27 +0100 +Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5 + +and param types + +Upstream-Status: Backport +CVE: CVE-2016-8602 + +Signed-off-by: Catalin Enache +--- + psi/zht2.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/psi/zht2.c b/psi/zht2.c +index fb4a264..dfa27a4 100644 +--- a/psi/zht2.c ++++ b/psi/zht2.c +@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p) + gs_memory_t *mem; + uint edepth = ref_stack_count(&e_stack); + int npop = 2; +- int dict_enum = dict_first(op); ++ int dict_enum; + ref rvalue[2]; + int cname, colorant_number; + byte * pname; + uint name_size; + int halftonetype, type = 0; + gs_gstate *pgs = igs; +- int space_index = r_space_index(op - 1); ++ int space_index; ++ ++ if (ref_stack_count(&o_stack) < 2) ++ return_error(gs_error_stackunderflow); ++ check_type(*op, t_dictionary); ++ check_type(*(op - 1), t_dictionary); ++ ++ dict_enum = dict_first(op); ++ space_index = r_space_index(op - 1); + + mem = (gs_memory_t *) idmemory->spaces_indexed[space_index]; + +-- +2.10.2 + -- cgit v1.2.3-54-g00ecf