Accepting request 501328 from Printing

- CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
  see https://bugs.ghostscript.com/show_bug.cgi?id=697676
  (bsc#1030263)
- CVE-2017-9216.patch fixes a NULL pointer dereference in jbig2_huffman_get
  see https://bugs.ghostscript.com/show_bug.cgi?id=697934
  (bsc#1040643) (forwarded request 501324 from dmolkentin)

OBS-URL: https://build.opensuse.org/request/show/501328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ghostscript?expand=0&rev=28

CVE-2017-7207.patch

@@ -0,0 +1,30 @@
+From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Mon, 20 Mar 2017 09:34:11 +0000
+Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
+
+Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
+
+This is only possible by abusing/mis-using Ghostscript-specific
+language extensions, so cannot happen in a general PostScript program.
+
+Nevertheless, Ghostscript should not crash. So this commit checks the
+memory device to see if raster memory has been allocated, before trying
+to read from it.
+---
+ base/gdevmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: ghostscript-9.15/base/gdevmem.c
+===================================================================
+--- ghostscript-9.15.orig/base/gdevmem.c	2014-09-22 12:17:33.000000000 +0200
++++ ghostscript-9.15/base/gdevmem.c	2017-04-28 10:55:17.479490151 +0200
+@@ -590,6 +590,8 @@ mem_get_bits_rectangle(gx_device * dev,
+             GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+         return_error(gs_error_rangecheck);
+     }
++    if (mdev->line_ptrs == 0x00)
++        return_error(gs_error_rangecheck);
+     if ((w <= 0) | (h <= 0)) {
+         if ((w | h) < 0)
+             return_error(gs_error_rangecheck);

CVE-2017-9216.patch

@@ -0,0 +1,31 @@
+From 3ebffb1d96ba0cacec23016eccb4047dab365853 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 24 May 2017 19:29:57 +0100
+Subject: [PATCH] Bug 697934: Fix SEGV due to error code being ignored.
+
+The return code from jbig2_decode_text_region was being ignored so the
+code continued to try and parse the invalid file using incomplete/empty
+structures.
+---
+ jbig2dec/jbig2_symbol_dict.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
+index 3cc17316f..672425d98 100644
+--- a/jbig2dec/jbig2_symbol_dict.c
++++ b/jbig2dec/jbig2_symbol_dict.c
+@@ -493,8 +493,10 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+                         }
+ 
+                         /* multiple symbols are handled as a text region */
+-                        jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts,
++                        code = jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts,
+                                                  n_refagg_dicts, image, data, size, GR_stats, as, ws);
++                        if (code < 0)
++                            goto cleanup4;
+ 
+                         SDNEWSYMS->glyphs[NSYMSDECODED] = image;
+                         refagg_dicts[0]->glyphs[params->SDNUMINSYMS + NSYMSDECODED] = jbig2_image_clone(ctx, SDNEWSYMS->glyphs[NSYMSDECODED]);
+-- 
+2.12.3
+

ghostscript-mini.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jun  2 09:12:45 UTC 2017 - daniel.molkentin@suse.com
+
+- CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+  see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+  (bsc#1030263)
+- CVE-2017-9216.patch fixes a NULL pointer dereference in jbig2_huffman_get
+  see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+  (bsc#1040643)
+
 -------------------------------------------------------------------
 Tue May  2 14:27:22 CEST 2017 - jsmeix@suse.de
 

ghostscript-mini.spec

@@ -88,6 +88,15 @@ Patch101:       CVE-2017-5951.patch
 # and https://bugs.ghostscript.com/show_bug.cgi?id=697799
 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453
 Patch102:       CVE-2017-8291.patch
+# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+# and https://bugzilla.suse.com/show_bug.cgi?id=1040643
+Patch103:       CVE-2017-9216.patch
+# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+# and https://bugzilla.suse.com/show_bug.cgi?id=1030263
+Patch104:       CVE-2017-7207.patch
+
 # RPM dependencies:
 Conflicts:      ghostscript
 Conflicts:      ghostscript-x11
@@ -183,7 +192,14 @@ rm -rf freetype jpeg libpng tiff
 # and https://bugs.ghostscript.com/show_bug.cgi?id=697799
 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453
 %patch102 -p1 -b .CVE-2017-8291.orig
-
+# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+# and https://bugzilla.suse.com/show_bug.cgi?id=1040643
+%patch103 -p1 -b .CVE-2017-9216.orig
+# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+# and https://bugzilla.suse.com/show_bug.cgi?id=1030263
+%patch104 -p1 -b .CVE-2017-7207.orig
 %build
 # Derive build timestamp from latest changelog entry
 export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s)

ghostscript.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jun  2 09:12:45 UTC 2017 - daniel.molkentin@suse.com
+
+- CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+  see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+  (bsc#1030263)
+- CVE-2017-9216.patch fixes a NULL pointer dereference in jbig2_huffman_get
+  see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+  (bsc#1040643)
+
 -------------------------------------------------------------------
 Tue May  2 14:27:22 CEST 2017 - jsmeix@suse.de
 

ghostscript.spec

@@ -108,6 +108,15 @@ Patch101:       CVE-2017-5951.patch
 # and https://bugs.ghostscript.com/show_bug.cgi?id=697799
 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453
 Patch102:       CVE-2017-8291.patch
+# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+# and https://bugzilla.suse.com/show_bug.cgi?id=1040643
+Patch103:       CVE-2017-9216.patch
+# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+# and https://bugzilla.suse.com/show_bug.cgi?id=1030263
+Patch104:       CVE-2017-7207.patch
+
 # RPM dependencies:
 # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
 # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
@@ -234,7 +243,6 @@ For information how to use Ghostscript see
 
 %package x11
 Summary:        X11 library for Ghostscript
-Group:          Productivity/Publishing/PS
 # Require the exact matching version-release of the ghostscript main-package because
 # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
 # because all Ghostscript software is built from one same Ghostscript source tar ball
@@ -242,6 +250,7 @@ Group:          Productivity/Publishing/PS
 # The exact matching version-release of the ghostscript main-package is available
 # on the same package repository where the ghostscript-x11 sub-package is because
 # all are built simulaneously from the same Ghostscript source package:
+Group:          Productivity/Publishing/PS
 Requires:       ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both
@@ -319,6 +328,14 @@ rm -rf freetype jpeg libpng tiff
 # and https://bugs.ghostscript.com/show_bug.cgi?id=697799
 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453
 %patch102 -p1 -b .CVE-2017-8291.orig
+# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697934
+# and https://bugzilla.suse.com/show_bug.cgi?id=1040643
+%patch103 -p1 -b .CVE-2017-9216.orig
+# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle
+# see https://bugs.ghostscript.com/show_bug.cgi?id=697676
+# and https://bugzilla.suse.com/show_bug.cgi?id=1030263
+%patch104 -p1 -b .CVE-2017-7207.orig
 
 %build
 # Derive build timestamp from latest changelog entry