diff --git a/CVE-2017-7207.patch b/CVE-2017-7207.patch
new file mode 100644
index 0000000..c072653
--- /dev/null
+++ b/CVE-2017-7207.patch
@@ -0,0 +1,30 @@
+From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Mon, 20 Mar 2017 09:34:11 +0000
+Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
+
+Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
+
+This is only possible by abusing/mis-using Ghostscript-specific
+language extensions, so cannot happen in a general PostScript program.
+
+Nevertheless, Ghostscript should not crash. So this commit checks the
+memory device to see if raster memory has been allocated, before trying
+to read from it.
+---
+ base/gdevmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: ghostscript-9.15/base/gdevmem.c
+===================================================================
+--- ghostscript-9.15.orig/base/gdevmem.c 2014-09-22 12:17:33.000000000 +0200
++++ ghostscript-9.15/base/gdevmem.c 2017-04-28 10:55:17.479490151 +0200
+@@ -590,6 +590,8 @@ mem_get_bits_rectangle(gx_device * dev,
+ GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+ return_error(gs_error_rangecheck);
+ }
++ if (mdev->line_ptrs == 0x00)
++ return_error(gs_error_rangecheck);
+ if ((w <= 0) | (h <= 0)) {
+ if ((w | h) < 0)
+ return_error(gs_error_rangecheck);
diff --git a/CVE-2017-9216.patch b/CVE-2017-9216.patch
new file mode 100644
index 0000000..1e4f2d4
--- /dev/null
+++ b/CVE-2017-9216.patch
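Review bot: The guard added to mem_get_bits_rectangle in CVE-2017-7207.patch tests a pointer against `0x00`; `if (mdev->line_ptrs == NULL)` states the intent more plainly. A comment above it, such as `/* No raster memory was allocated for this device, so there is nothing to read (bug 697676). */`, would tell a later reader why a rangecheck is returned at this point. The commit message treats the trigger as misuse of Ghostscript-specific extensions, but a document handed to Ghostscript by a print or conversion service may carry those operators too, so the check is best read as input validation on an untrusted-file path. The function starts and ends outside the hunk, so other uses of line_ptrs cannot be judged from these lines.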
@@ -0,0 +1,31 @@
+From 3ebffb1d96ba0cacec23016eccb4047dab365853 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry
+Date: Wed, 24 May 2017 19:29:57 +0100
+Subject: [PATCH] Bug 697934: Fix SEGV due to error code being ignored.
+
+The return code from jbig2_decode_text_region was being ignored so the
+code continued to try and parse the invalid file using incomplete/empty
+structures.
+---
+ jbig2dec/jbig2_symbol_dict.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
+index 3cc17316f..672425d98 100644
+--- a/jbig2dec/jbig2_symbol_dict.c
++++ b/jbig2dec/jbig2_symbol_dict.c
+@@ -493,8 +493,10 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ }
+
+ /* multiple symbols are handled as a text region */
+- jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts,
++ code = jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts,
+ n_refagg_dicts, image, data, size, GR_stats, as, ws);
++ if (code < 0)
++ goto cleanup4;
+
+ SDNEWSYMS->glyphs[NSYMSDECODED] = image;
+ refagg_dicts[0]->glyphs[params->SDNUMINSYMS + NSYMSDECODED] = jbig2_image_clone(ctx, SDNEWSYMS->glyphs[NSYMSDECODED]);
+--
+2.12.3
+
diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes
index 54ef497..80afe06 100644
--- a/ghostscript-mini.changes
+++ b/ghostscript-mini.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jun 2 09:12:45 UTC 2017 - daniel.molkentin@suse.com
+
+- CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+ see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+ (bsc#1030263)
+- CVE-2017-9216.patch fixes a NULL pointer dereference in jbig2_huffman_get
+ see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+ (bsc#1040643)
+
 -------------------------------------------------------------------
 Tue May 2 14:27:22 CEST 2017 - jsmeix@suse.de
 
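Review bot: On the new `goto cleanup4` path in jbig2_decode_symbol_dict (CVE-2017-9216.patch), `image` has already been passed to jbig2_decode_text_region but is only stored in `SDNEWSYMS->glyphs[NSYMSDECODED]` on the line after the check, so nothing visible in the hunk owns it when the decode fails. Unless the code at cleanup4, which is outside the hunk, releases it, every rejected segment leaks one image, which a malformed file could repeat. Releasing it before the jump would close that: `if (code < 0) { jbig2_image_release(ctx, image); goto cleanup4; }`.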
diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec
index e609e48..f6088cd 100644
--- a/ghostscript-mini.spec
+++ b/ghostscript-mini.spec
@@ -88,6 +88,15 @@ Patch101: CVE-2017-5951.patch
 # and https://bugs.ghostscript.com/show_bug.cgi?id=697799
 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453
 Patch102: CVE-2017-8291.patch
+# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+# and https://bugzilla.suse.com/show_bug.cgi?id=1040643
+Patch103: CVE-2017-9216.patch
+# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+# and https://bugzilla.suse.com/show_bug.cgi?id=1030263
+Patch104: CVE-2017-7207.patch
+
 # RPM dependencies:
 Conflicts: ghostscript
 Conflicts: ghostscript-x11
@@ -183,7 +192,14 @@ rm -rf freetype jpeg libpng tiff
 # and https://bugs.ghostscript.com/show_bug.cgi?id=697799
 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453
 %patch102 -p1 -b .CVE-2017-8291.orig
-
+# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+# and https://bugzilla.suse.com/show_bug.cgi?id=1040643
+%patch103 -p1 -b .CVE-2017-9216.orig
+# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+# and https://bugzilla.suse.com/show_bug.cgi?id=1030263
+%patch104 -p1 -b .CVE-2017-7207.orig
 %build
 # Derive build timestamp from latest changelog entry
 export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s)
diff --git a/ghostscript.changes b/ghostscript.changes
index 6a9bd70..80968b4 100644
--- a/ghostscript.changes
+++ b/ghostscript.changes
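Review bot: The comment added for Patch103 in ghostscript-mini.spec names jbig2_huffman_get, the function where the crash was reported, while CVE-2017-9216.patch changes jbig2_decode_symbol_dict in jbig2dec/jbig2_symbol_dict.c. Someone auditing the fix by function name will not find it. Consider `# Patch103 CVE-2017-9216.patch checks the jbig2_decode_text_region return code (NULL pointer dereference in jbig2_huffman_get)`, which also matches the form of the Patch104 comment. The same comment is repeated in the %prep hunk of this file and in both hunks of ghostscript.spec that add Patch103.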
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jun 2 09:12:45 UTC 2017 - daniel.molkentin@suse.com
+
+- CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+ see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+ (bsc#1030263)
+- CVE-2017-9216.patch fixes a NULL pointer dereference in jbig2_huffman_get
+ see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+ (bsc#1040643)
+
 -------------------------------------------------------------------
 Tue May 2 14:27:22 CEST 2017 - jsmeix@suse.de
 
diff --git a/ghostscript.spec b/ghostscript.spec
index e8ee670..ebd31e9 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -108,6 +108,15 @@ Patch101: CVE-2017-5951.patch
 # and https://bugs.ghostscript.com/show_bug.cgi?id=697799
 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453
 Patch102: CVE-2017-8291.patch
+# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+# and https://bugzilla.suse.com/show_bug.cgi?id=1040643
+Patch103: CVE-2017-9216.patch
+# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+# and https://bugzilla.suse.com/show_bug.cgi?id=1030263
+Patch104: CVE-2017-7207.patch
+
 # RPM dependencies:
 # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
 # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
@@ -234,7 +243,6 @@ For information how to use Ghostscript see
 
 %package x11
 Summary: X11 library for Ghostscript
-Group: Productivity/Publishing/PS
 # Require the exact matching version-release of the ghostscript main-package because
 # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
 # because all Ghostscript software is built from one same Ghostscript source tar ball
@@ -242,6 +250,7 @@ Group: Productivity/Publishing/PS
 # The exact matching version-release of the ghostscript main-package is available
 # on the same package repository where the ghostscript-x11 sub-package is because
 # all are built simulaneously from the same Ghostscript source package:
+Group: Productivity/Publishing/PS
 Requires: ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
@@ -319,6 +328,14 @@ rm -rf freetype jpeg libpng tiff
 # and https://bugs.ghostscript.com/show_bug.cgi?id=697799
 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453
 %patch102 -p1 -b .CVE-2017-8291.orig
+# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+# and https://bugzilla.suse.com/show_bug.cgi?id=1040643
+%patch103 -p1 -b .CVE-2017-9216.orig
+# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+# and https://bugzilla.suse.com/show_bug.cgi?id=1030263
+%patch104 -p1 -b .CVE-2017-7207.orig
 
 %build
 # Derive build timestamp from latest changelog entry
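Review bot: In the @@ -242,6 +250,7 @@ hunk of ghostscript.spec, the re-added `Group:` line for the x11 sub-package lands between the comment block that explains the exact version-release requirement and the `Requires: ghostscript = %{version}-%{release}` line that block documents, so the comment now reads as if it describes `Group:`. The reordering is also unrelated to the two CVE patches; its removal half is the preceding hunk (@@ -234,7 +243,6 @@). Keeping `Group:` directly under `Summary:`, or moving it in a separate cleanup commit, would leave the security change easier to audit.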