Accepting request 319420 from Printing

Fixed CVE-2015-3228 (bsc#939342) (forwarded request 319418 from jsmeix)

OBS-URL: https://build.opensuse.org/request/show/319420
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=20

CVE-2015-3228.patch

@@ -0,0 +1,11 @@
+--- base/gsmalloc.c
++++ base/gsmalloc.c
+@@ -178,7 +178,7 @@ gs_heap_alloc_bytes(gs_memory_t * mem, uint size, client_name_t cname)
+     } else {
+         uint added = size + sizeof(gs_malloc_block_t);
+ 
+-        if (mmem->limit - added < mmem->used)
++        if (added <= size || mmem->limit - added < mmem->used)
+             set_msg("exceeded limit");
+         else if ((ptr = (byte *) Memento_label(malloc(added), cname)) == 0)
+             set_msg("failed");

ghostscript-mini.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jul 29 15:20:46 CEST 2015 - jsmeix@suse.de
+
+- CVE-2015-3228.patch fixes out of bound read/write cause
+  by integer overflow in gsmalloc.c (boo#939342).
+
 -------------------------------------------------------------------
 Tue Mar 31 10:18:06 CEST 2015 - jsmeix@suse.de
 

ghostscript-mini.spec

@@ -76,6 +76,9 @@ Patch11:        ppc64le-support.patch
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
 #
 # Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
+# Patch101 CVE-2015-3228.patch fixes out of bound read/write cause by integer overflow
+# in gsmalloc.c (see https://bugzilla.opensuse.org/show_bug.cgi?id=939342):
+Patch101:       CVE-2015-3228.patch
 #
 Conflicts:      ghostscript
 Conflicts:      ghostscript-x11
@@ -149,7 +152,10 @@ This package contains the development files for Minimal Ghostscript.
 # because LCMS 1.x is removed since Ghostscript 9.16
 # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed
 # see http://bugs.ghostscript.com/show_bug.cgi?id=695544
-%patch11 -p1
+%patch11 -p1 -b ppc64le-support.orig
+# Patch101 CVE-2015-3228.patch fixes out of bound read/write cause by integer overflow
+# in gsmalloc.c (see https://bugzilla.opensuse.org/show_bug.cgi?id=939342):
+%patch101 -b .CVE-2015-3228.orig
 
 %build
 # Set our preferred architecture-specific flags for the compiler and linker:

ghostscript.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jul 29 15:20:46 CEST 2015 - jsmeix@suse.de
+
+- CVE-2015-3228.patch fixes out of bound read/write cause
+  by integer overflow in gsmalloc.c (boo#939342).
+
 -------------------------------------------------------------------
 Tue Mar 31 10:18:06 CEST 2015 - jsmeix@suse.de
 

ghostscript.spec

@@ -96,6 +96,9 @@ Patch11:        ppc64le-support.patch
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
 #
 # Patch100...Patch999 is for patches from SUSE which are not intended for upstream:
+# Patch101 CVE-2015-3228.patch fixes out of bound read/write cause by integer overflow
+# in gsmalloc.c (see https://bugzilla.opensuse.org/show_bug.cgi?id=939342):
+Patch101:       CVE-2015-3228.patch
 #
 # RPM dependencies:
 # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
@@ -286,7 +289,10 @@ This package contains the development files for Ghostscript.
 # because LCMS 1.x is removed since Ghostscript 9.16
 # but the hunk for LCMS2 (lcms2/include/lcms2.h) is still needed
 # see http://bugs.ghostscript.com/show_bug.cgi?id=695544
-%patch11 -p1
+%patch11 -p1 -b ppc64le-support.orig
+# Patch101 CVE-2015-3228.patch fixes out of bound read/write cause by integer overflow
+# in gsmalloc.c (see https://bugzilla.opensuse.org/show_bug.cgi?id=939342):
+%patch101 -b .CVE-2015-3228.orig
 
 %build
 # Set our preferred architecture-specific flags for the compiler and linker: