From 8efe72508002772df08664d9bb0d5f8b25497ce5 Mon Sep 17 00:00:00 2001 From: Joe Slater Date: Tue, 22 Aug 2017 13:18:19 -0700 Subject: ghostscript: fix several CVEs by adding bounds checking CVE-2017-9611 CVE-2017-9612 CVE-2017-9739 CVE-2017-9726 (From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf) Signed-off-by: Joe Slater Signed-off-by: Richard Purdie --- .../ghostscript/ghostscript/CVE-2017-9611.patch | 34 ++++++++++++++++++++ .../ghostscript/ghostscript/CVE-2017-9612.patch | 35 ++++++++++++++++++++ .../ghostscript/ghostscript/CVE-2017-9726.patch | 33 +++++++++++++++++++ .../ghostscript/ghostscript/CVE-2017-9739.patch | 37 ++++++++++++++++++++++ .../ghostscript/ghostscript_9.21.bb | 4 +++ 5 files changed, 143 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch (limited to 'meta/recipes-extended') diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch new file mode 100644 index 0000000000..58ef04d1fd --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9611.patch @@ -0,0 +1,34 @@ +From c7c55972758a93350882c32147801a3485b010fe Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Mon, 12 Jun 2017 13:08:40 +0100 +Subject: [PATCH] Bug 698024: bounds check zone pointer in Ins_MIRP() + +--- + base/ttinterp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- end of original header + +CVE: CVE-2017-9611 + +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Joe Slater + +diff --git a/base/ttinterp.c b/base/ttinterp.c +index e56aec6..f6a6d95 100644 +--- a/base/ttinterp.c ++++ b/base/ttinterp.c +@@ -3858,7 +3858,8 @@ static int nInstrCount=0; + /* XXX: UNDOCUMENTED! cvt[-1] = 0 always */ + + if ( BOUNDS( args[0], CUR.zp1.n_points ) || +- BOUNDS( args[1]+1, CUR.cvtSize+1 ) ) ++ BOUNDS( args[1]+1, CUR.cvtSize+1 ) || ++ BOUNDS(CUR.GS.rp0, CUR.zp0.n_points) ) + { + CUR.error = TT_Err_Invalid_Reference; + return; +-- +1.7.9.5 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch new file mode 100644 index 0000000000..b737cc56bb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9612.patch @@ -0,0 +1,35 @@ +From 98f6da60b9d463c617e631fc254cf6d66f2e8e3c Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Mon, 12 Jun 2017 13:15:17 +0100 +Subject: [PATCH] Bug 698026: bounds check zone pointers in Ins_IP() + +--- + base/ttinterp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- end of original header + +CVE: CVE-2017-9612 + +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Joe Slater + +diff --git a/base/ttinterp.c b/base/ttinterp.c +index f6a6d95..e7c9d68 100644 +--- a/base/ttinterp.c ++++ b/base/ttinterp.c +@@ -4129,7 +4129,9 @@ static int nInstrCount=0; + Int point; + (void)args; + +- if ( CUR.top < CUR.GS.loop ) ++ if ( CUR.top < CUR.GS.loop || ++ BOUNDS(CUR.GS.rp1, CUR.zp0.n_points) || ++ BOUNDS(CUR.GS.rp2, CUR.zp1.n_points)) + { + CUR.error = TT_Err_Invalid_Reference; + return; +-- +1.7.9.5 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch new file mode 100644 index 0000000000..3e6c65699d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9726.patch @@ -0,0 +1,33 @@ +From 7755e67116e8973ee0e3b22d653df026a84fa01b Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 15 Jun 2017 08:58:31 +0100 +Subject: [PATCH] Bug 698055: bounds check zone pointer in Ins_MDRP + +--- + base/ttinterp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- end of original header + +CVE: CVE-2017-9726 + +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Joe Slater +diff --git a/base/ttinterp.c b/base/ttinterp.c +index e7c9d68..af457e8 100644 +--- a/base/ttinterp.c ++++ b/base/ttinterp.c +@@ -3770,7 +3770,8 @@ static int nInstrCount=0; + + point = (Int)args[0]; + +- if ( BOUNDS( args[0], CUR.zp1.n_points ) ) ++ if ( BOUNDS( args[0], CUR.zp1.n_points ) || ++ BOUNDS( CUR.GS.rp0, CUR.zp0.n_points) ) + { + /* Current version of FreeType silently ignores this out of bounds error + * and drops the instruction, see bug #691121 +-- +1.7.9.5 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch new file mode 100644 index 0000000000..69a94df7b9 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9739.patch @@ -0,0 +1,37 @@ +From c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Fri, 16 Jun 2017 08:29:25 +0100 +Subject: [PATCH] Bug 698063: Bounds check Ins_JMPR + +--- + base/ttinterp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- end of original header + +CVE: CVE-2017-9739 + +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Joe Slater + +diff --git a/base/ttinterp.c b/base/ttinterp.c +index af457e8..adf3f0c 100644 +--- a/base/ttinterp.c ++++ b/base/ttinterp.c +@@ -1794,6 +1794,12 @@ static int nInstrCount=0; + + static void Ins_JMPR( INS_ARG ) + { ++ if ( BOUNDS(CUR.IP + args[0], CUR.codeSize ) ) ++ { ++ CUR.error = TT_Err_Invalid_Reference; ++ return; ++ } ++ + CUR.IP += (Int)(args[0]); + CUR.step_ins = FALSE; + +-- +1.7.9.5 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb index adad9fdbd2..93589cc2b9 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.21.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.21.bb @@ -37,6 +37,10 @@ SRC_URI = "${SRC_URI_BASE} \ file://CVE-2017-5951.patch \ file://CVE-2017-7975.patch \ file://CVE-2017-9216.patch \ + file://CVE-2017-9611.patch \ + file://CVE-2017-9612.patch \ + file://CVE-2017-9739.patch \ + file://CVE-2017-9726.patch \ " SRC_URI_class-native = "${SRC_URI_BASE} \ -- cgit v1.2.3-54-g00ecf