rpm/ghostscript
SHA256
1
0
Fork 0
forked from pool/ghostscript
Code Pull Requests Activity

Accepting request 435738 from home:jsmeix:branches:Printing

Browse Source 
Ghostscript security update that fixes (CVE-2013-5653 is already fixed in the 9.20 sources) CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 CVE-2016-7979 (all bsc#1001951) and CVE-2016-8602 (bsc#1004237)

OBS-URL: https://build.opensuse.org/request/show/435738
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=72
This commit is contained in:
Johannes Meixner 2016-10-17 12:34:08 +00:00 committed by Git OBS Bridge
parent 7572456c4d
commit 2e708fde52
9 changed files with 455 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

171
CVE-2016-7976.patch Normal file
View File

@ -0,0 +1,171 @@
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 08:55:55 +0000 (+0100)
Subject: Bug 697178: Add a file permissions callback
X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=71ac87493b1e445d6c07554d4246cf7d4f44875c;hp=cf046d2f0fa2c6973c6ca8d582a9b185cc4bd280
Bug 697178: Add a file permissions callback
For the rare occasions when the graphics library directly opens a file
(currently for reading), this allows us to apply any restrictions on
file access normally applied in the interpteter.
---
diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c
index 931c2a6..e9c09c3 100644
--- a/base/gsicc_manage.c
+++ b/base/gsicc_manage.c
@@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc,
}
/* First just try it like it is */
- str = sfopen(pname, "r", mem_gc);
- if (str != NULL) {
- *strp = str;
- return 0;
+ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
+ str = sfopen(pname, "r", mem_gc);
+ if (str != NULL) {
+ *strp = str;
+ return 0;
+ }
}
/* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eaa0458..37ce1ca 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -189,7 +189,7 @@ Failure:
mem->gs_lib_ctx = NULL;
return -1;
}
-
+ pio->client_check_file_permission = NULL;
gp_get_realtime(pio->real_time_0);
/* Set scanconverter to 1 (default) */
@@ -343,3 +343,13 @@ void errflush(const gs_memory_t *mem)
fflush(mem->gs_lib_ctx->fstderr);
/* else nothing to flush */
}
+
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+ int code = 0;
+ if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
+ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
+ }
+ return code;
+}
diff --git a/base/gslibctx.h b/base/gslibctx.h
index 7a4e110..020e2d9 100644
--- a/base/gslibctx.h
+++ b/base/gslibctx.h
@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server;
# define gs_font_dir_DEFINED
typedef struct gs_font_dir_s gs_font_dir;
#endif
+
+typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
typedef struct gs_lib_ctx_s
{
gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */
@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s
struct gx_io_device_s **io_device_table;
int io_device_table_count;
int io_device_table_size;
+ client_check_file_permission_t client_check_file_permission;
/* Define the default value of AccurateScreens that affects setscreen
and setcolorscreen. */
bool screen_accurate_screens;
@@ -133,6 +137,9 @@ int
gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str,
int *list_str_len);
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
#define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
#define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
diff --git a/psi/imain.c b/psi/imain.c
index 9a9bb5d..6874128 100644
--- a/psi/imain.c
+++ b/psi/imain.c
@@ -57,6 +57,7 @@
#include "ivmspace.h"
#include "idisp.h" /* for setting display device callback */
#include "iplugin.h"
+#include "zfile.h"
#ifdef PACIFY_VALGRIND
#include "valgrind.h"
@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst)
"the_gs_name_table");
if (code < 0)
return code;
+ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
}
code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */
if (code < 0)
diff --git a/psi/int.mak b/psi/int.mak
index 4654afc..bb30d51 100644
--- a/psi/int.mak
+++ b/psi/int.mak
@@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\
$(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
$(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
$(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\
+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\
$(INT_MAK) $(MAKEDIRS)
$(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
diff --git a/psi/zfile.c b/psi/zfile.c
index 2c6c958..bc6c70f 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len,
return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
}
+/* z_check_file_permissions: see zfile.h for explanation
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
+ gs_parsed_file_name_t pname;
+ char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
+ int code = gs_parse_file_name(&pname, fname, len, imemory);
+ if (code < 0)
+ return code;
+
+ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
+ return gs_error_invalidfileaccess;
+
+ code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
+ return code;
+}
+
/* <name_string> <access_string> file <file> */
int /* exported for zsysvm.c */
zfile(i_ctx_t *i_ctx_p)
diff --git a/psi/zfile.h b/psi/zfile.h
index fdf1373..a9399c7 100644
--- a/psi/zfile.h
+++ b/psi/zfile.h
@@ -22,4 +22,11 @@
int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
const char *file_access, stream **ps, gs_memory_t *mem);
+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
+ * to allow applying the above permissions checks when opening file(s) from
+ * the graphics library
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname,
+ const int len, const char *permission);
#endif

25
CVE-2016-7977.patch Normal file
View File

@ -0,0 +1,25 @@
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 3 Oct 2016 00:46:28 +0000 (+0100)
Subject: Bug 697169: Be rigorous with SAFER permissions
X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=cf046d2f0fa2c6973c6ca8d582a9b185cc4bd280;hp=3826c0c7a4fc781c8222ef458b706360600f1711
Bug 697169: Be rigorous with SAFER permissions
Once we've opened our input file from the command line, enforce the SAFER
rules.
---
diff --git a/psi/zfile.c b/psi/zfile.c
index b6caea2..2c6c958 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx
gs_main_instance *minst = get_minst_from_memory(mem);
int code;
+ if (i_ctx_p && starting_arg_file)
+ i_ctx_p->starting_arg_file = false;
+
/* when starting arg files (@ files) iodev_default is not yet set */
if (iodev == 0)
iodev = (gx_io_device *)gx_io_device_table[0];

22
CVE-2016-7978.patch Normal file
View File

@ -0,0 +1,22 @@
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 08:59:25 +0000 (+0100)
Subject: Bug 697179: Reference count device icc profile
X-Git-Url: http://git.ghostscript.com/?p=user%2Fchrisl%2Fghostpdl.git;a=commitdiff_plain;h=d5ad1e0298e1c193087c824eb4f79628b182e28b;hp=71ac87493b1e445d6c07554d4246cf7d4f44875c
Bug 697179: Reference count device icc profile
when copying a device
---
diff --git a/base/gsdevice.c b/base/gsdevice.c
index 778106f..aea986a 100644
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem,
dev->memory = mem;
dev->retained = !internal;
rc_init(dev, mem, (internal ? 0 : 1));
+ rc_increment(dev->icc_struct);
}
void

40
CVE-2016-7979.patch Normal file
View File

@ -0,0 +1,40 @@
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 5 Oct 2016 09:10:58 +0000 (+0100)
Subject: DSC parser - validate parameters
X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=875a0095f37626a721c7ff57d606a0f95af03913;hp=aef8f6cfbff9080e4b9c54053bc909875c09a2be
DSC parser - validate parameters
Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it."
Regardless of any security implications, its simply wrong for a PostScript
operator not to validate its parameter(s).
No differences expected.
---
diff --git a/psi/zdscpars.c b/psi/zdscpars.c
index c05e154..9b4b605 100644
--- a/psi/zdscpars.c
+++ b/psi/zdscpars.c
@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
ref local_ref;
int code;
os_ptr const op = osp;
- dict * const pdict = op->value.pdict;
- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
- dsc_data_t * const data =
- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+ dict *pdict;
+ gs_memory_t *mem;
+ dsc_data_t *data;
+ check_read_type(*op, t_dictionary);
+
+ pdict = op->value.pdict;
+ mem = (gs_memory_t *)dict_memory(pdict);
+
+ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
if (!data)
return_error(gs_error_VMerror);
data->document_level = 0;

39
CVE-2016-8602.patch Normal file
View File

@ -0,0 +1,39 @@
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 8 Oct 2016 15:10:27 +0000 (+0100)
Subject: Bug 697203: check for sufficient params in .sethalftone5
X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78;hp=a5360401495654e89301b2516703c1d2877fc5ba
Bug 697203: check for sufficient params in .sethalftone5
and param types
---
diff --git a/psi/zht2.c b/psi/zht2.c
index fb4a264..dfa27a4 100644
--- a/psi/zht2.c
+++ b/psi/zht2.c
@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
gs_memory_t *mem;
uint edepth = ref_stack_count(&e_stack);
int npop = 2;
- int dict_enum = dict_first(op);
+ int dict_enum;
ref rvalue[2];
int cname, colorant_number;
byte * pname;
uint name_size;
int halftonetype, type = 0;
gs_gstate *pgs = igs;
- int space_index = r_space_index(op - 1);
+ int space_index;
+
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(gs_error_stackunderflow);
+ check_type(*op, t_dictionary);
+ check_type(*(op - 1), t_dictionary);
+
+ dict_enum = dict_first(op);
+ space_index = r_space_index(op - 1);
mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];

31
ghostscript-mini.changes
View File

@ -1,3 +1,34 @@
-------------------------------------------------------------------
Mon Oct 17 13:36:57 CEST 2016 - jsmeix@suse.de
- CVE-2013-5653 (getenv and filenameforall ignore -dSAFER)
is fixed in the Ghostscript 9.20 upstream sources
see http://bugs.ghostscript.com/show_bug.cgi?id=694724
(bsc#1001951).
- CVE-2016-7976.patch fixes that
various userparams allow %pipe% in paths, allowing
remote shell command execution
see http://bugs.ghostscript.com/show_bug.cgi?id=697178
(bsc#1001951).
- CVE-2016-7977.patch fixes that
.libfile doesn't check PermitFileReading array, allowing
remote file disclosure
see http://bugs.ghostscript.com/show_bug.cgi?id=697169
(bsc#1001951).
- CVE-2016-7978.patch fixes that
reference leak in .setdevice allows
use-after-free and remote code execution
see http://bugs.ghostscript.com/show_bug.cgi?id=697179
(bsc#1001951).
- CVE-2016-7979.patch fixes that
type confusion in .initialize_dsc_parser allows
remote code execution
see http://bugs.ghostscript.com/show_bug.cgi?id=697190
(bsc#1001951).
- CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5
see http://bugs.ghostscript.com/show_bug.cgi?id=697203
(bsc#1004237).
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 29 14:40:38 CEST 2016 - jsmeix@suse.de Thu Sep 29 14:40:38 CEST 2016 - jsmeix@suse.de

48
ghostscript-mini.spec
View File

@ -64,6 +64,30 @@ Release: 0
# MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe # MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe
Source0: ghostscript-%{version}.tar.gz Source0: ghostscript-%{version}.tar.gz
# Patch0...Patch9 is for patches from upstream: # Patch0...Patch9 is for patches from upstream:
# Patch1 CVE-2016-7976.patch fixes that
# various userparams allow %pipe% in paths, allowing remote shell command execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697178
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
Patch1: CVE-2016-7976.patch
# Patch2 CVE-2016-7977.patch fixes that
# .libfile doesn't check PermitFileReading array, allowing remote file disclosure
# see http://bugs.ghostscript.com/show_bug.cgi?id=697169
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
Patch2: CVE-2016-7977.patch
# Patch3 CVE-2016-7978.patch fixes that
# reference leak in .setdevice allows use-after-free and remote code execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697179
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
Patch3: CVE-2016-7978.patch
# Patch4 CVE-2016-7979.patch fixes that
# type confusion in .initialize_dsc_parser allows remote code execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697190
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
Patch4: CVE-2016-7979.patch
# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5
# see http://bugs.ghostscript.com/show_bug.cgi?id=697203
# and https://bugzilla.suse.com/show_bug.cgi?id=1004237
Patch5: CVE-2016-8602.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch11 ppc64le-support.patch is a remainder of the previous patch # Patch11 ppc64le-support.patch is a remainder of the previous patch
@ -145,6 +169,30 @@ This package contains the development files for Minimal Ghostscript.
# Be quiet when unpacking and # Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini: # use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version} %setup -q -n ghostscript-%{tarball_version}
# Patch1 CVE-2016-7976.patch fixes that
# various userparams allow %pipe% in paths, allowing remote shell command execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697178
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
%patch1 -p1 -b CVE-2016-7976.orig
# Patch2 CVE-2016-7977.patch fixes that
# .libfile doesn't check PermitFileReading array, allowing remote file disclosure
# see http://bugs.ghostscript.com/show_bug.cgi?id=697169
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
%patch2 -p1 -b CVE-2016-7977.orig
# Patch3 CVE-2016-7978.patch fixes that
# reference leak in .setdevice allows use-after-free and remote code execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697179
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
%patch3 -p1 -b CVE-2016-7978.orig
# Patch4 CVE-2016-7979.patch fixes that
# type confusion in .initialize_dsc_parser allows remote code execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697190
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
%patch4 -p1 -b CVE-2016-7979.orig
# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5
# see http://bugs.ghostscript.com/show_bug.cgi?id=697203
# and https://bugzilla.suse.com/show_bug.cgi?id=1004237
%patch5 -p1 -b CVE-2016-8602.orig
# Patch11 ppc64le-support.patch is a remainder of the previous patch # Patch11 ppc64le-support.patch is a remainder of the previous patch
# now the hunk for LCMS (lcms/include/lcms.h) is removed # now the hunk for LCMS (lcms/include/lcms.h) is removed
# because LCMS 1.x is removed since Ghostscript 9.16 # because LCMS 1.x is removed since Ghostscript 9.16

31
ghostscript.changes
View File

@ -1,3 +1,34 @@
-------------------------------------------------------------------
Mon Oct 17 13:36:57 CEST 2016 - jsmeix@suse.de
- CVE-2013-5653 (getenv and filenameforall ignore -dSAFER)
is fixed in the Ghostscript 9.20 upstream sources
see http://bugs.ghostscript.com/show_bug.cgi?id=694724
(bsc#1001951).
- CVE-2016-7976.patch fixes that
various userparams allow %pipe% in paths, allowing
remote shell command execution
see http://bugs.ghostscript.com/show_bug.cgi?id=697178
(bsc#1001951).
- CVE-2016-7977.patch fixes that
.libfile doesn't check PermitFileReading array, allowing
remote file disclosure
see http://bugs.ghostscript.com/show_bug.cgi?id=697169
(bsc#1001951).
- CVE-2016-7978.patch fixes that
reference leak in .setdevice allows
use-after-free and remote code execution
see http://bugs.ghostscript.com/show_bug.cgi?id=697179
(bsc#1001951).
- CVE-2016-7979.patch fixes that
type confusion in .initialize_dsc_parser allows
remote code execution
see http://bugs.ghostscript.com/show_bug.cgi?id=697190
(bsc#1001951).
- CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5
see http://bugs.ghostscript.com/show_bug.cgi?id=697203
(bsc#1004237).
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 29 14:40:38 CEST 2016 - jsmeix@suse.de Thu Sep 29 14:40:38 CEST 2016 - jsmeix@suse.de

48
ghostscript.spec
View File

@ -84,6 +84,30 @@ Release: 0
# MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe # MD5 checksum for Source0: 93c5987cd3ab341108be1ebbaadc24fe
Source0: ghostscript-%{version}.tar.gz Source0: ghostscript-%{version}.tar.gz
# Patch0...Patch9 is for patches from upstream: # Patch0...Patch9 is for patches from upstream:
# Patch1 CVE-2016-7976.patch fixes that
# various userparams allow %pipe% in paths, allowing remote shell command execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697178
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
Patch1: CVE-2016-7976.patch
# Patch2 CVE-2016-7977.patch fixes that
# .libfile doesn't check PermitFileReading array, allowing remote file disclosure
# see http://bugs.ghostscript.com/show_bug.cgi?id=697169
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
Patch2: CVE-2016-7977.patch
# Patch3 CVE-2016-7978.patch fixes that
# reference leak in .setdevice allows use-after-free and remote code execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697179
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
Patch3: CVE-2016-7978.patch
# Patch4 CVE-2016-7979.patch fixes that
# type confusion in .initialize_dsc_parser allows remote code execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697190
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
Patch4: CVE-2016-7979.patch
# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5
# see http://bugs.ghostscript.com/show_bug.cgi?id=697203
# and https://bugzilla.suse.com/show_bug.cgi?id=1004237
Patch5: CVE-2016-8602.patch
# Source10...Source99 is for sources from SUSE which are intended for upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream:
# Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
# Patch11 ppc64le-support.patch is a remainder of the previous patch # Patch11 ppc64le-support.patch is a remainder of the previous patch
@ -281,6 +305,30 @@ This package contains the development files for Ghostscript.
# Be quiet when unpacking and # Be quiet when unpacking and
# use a directory name matching Source0 to make it work also for ghostscript-mini: # use a directory name matching Source0 to make it work also for ghostscript-mini:
%setup -q -n ghostscript-%{tarball_version} %setup -q -n ghostscript-%{tarball_version}
# Patch1 CVE-2016-7976.patch fixes that
# various userparams allow %pipe% in paths, allowing remote shell command execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697178
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
%patch1 -p1 -b CVE-2016-7976.orig
# Patch2 CVE-2016-7977.patch fixes that
# .libfile doesn't check PermitFileReading array, allowing remote file disclosure
# see http://bugs.ghostscript.com/show_bug.cgi?id=697169
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
%patch2 -p1 -b CVE-2016-7977.orig
# Patch3 CVE-2016-7978.patch fixes that
# reference leak in .setdevice allows use-after-free and remote code execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697179
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
%patch3 -p1 -b CVE-2016-7978.orig
# Patch4 CVE-2016-7979.patch fixes that
# type confusion in .initialize_dsc_parser allows remote code execution
# see http://bugs.ghostscript.com/show_bug.cgi?id=697190
# and https://bugzilla.suse.com/show_bug.cgi?id=1001951
%patch4 -p1 -b CVE-2016-7979.orig
# Patch5 CVE-2016-8602.patch fixes a NULL dereference in .sethalftone5
# see http://bugs.ghostscript.com/show_bug.cgi?id=697203
# and https://bugzilla.suse.com/show_bug.cgi?id=1004237
%patch5 -p1 -b CVE-2016-8602.orig
# Patch11 ppc64le-support.patch is a remainder of the previous patch # Patch11 ppc64le-support.patch is a remainder of the previous patch
# now the hunk for LCMS (lcms/include/lcms.h) is removed # now the hunk for LCMS (lcms/include/lcms.h) is removed
# because LCMS 1.x is removed since Ghostscript 9.16 # because LCMS 1.x is removed since Ghostscript 9.16