From 5e3250a567c922edd31edcde9b117a3b38073b14de0a9d523104a4eeea9caa8e Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Tue, 28 Jul 2020 08:03:20 +0000
Subject: [PATCH] Accepting request 823076 from home:jsmeix:branches:Printing

Ghostscript security fix CVE-2020-15900 (bsc#1174415)

OBS-URL: https://build.opensuse.org/request/show/823076
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=128
---
 CVE-2020-15900.patch     | 27 +++++++++++++++++++++++++++
 ghostscript-mini.changes |  7 +++++++
 ghostscript-mini.spec    | 14 ++++++++++++++
 ghostscript.changes      |  7 +++++++
 ghostscript.spec         | 14 ++++++++++++++
 5 files changed, 69 insertions(+)
 create mode 100644 CVE-2020-15900.patch

diff --git a/CVE-2020-15900.patch b/CVE-2020-15900.patch
new file mode 100644
index 0000000..614bb99
--- /dev/null
+++ b/CVE-2020-15900.patch
@@ -0,0 +1,27 @@
+--- psi/zstring.c.orig	2020-03-19 09:21:42.000000000 +0100
++++ psi/zstring.c	2020-07-27 08:25:08.963425295 +0200
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forwa
+     return 0;
+ found:
+     op->tas.type_attrs = op1->tas.type_attrs;
+-    op->value.bytes = ptr;
+-    r_set_size(op, size);
++    op->value.bytes = ptr;				/* match */
++    op->tas.rsize = size;				/* match */
+     push(2);
+-    op[-1] = *op1;
+-    r_set_size(op - 1, ptr - op[-1].value.bytes);
+-    op1->value.bytes = ptr + size;
+-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
++    op[-1] = *op1;					/* pre */
++    op[-3].value.bytes = ptr + size;			/* post */
++    if (forward) {
++        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
++        op[-3].tas.rsize = count;			/* post */
++    } else {
++        op[-1].tas.rsize = count;			/* pre */
++        op[-3].tas.rsize -= count + size;		/* post */
++    }
+     make_true(op);
+     return 0;
+ }
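Review bot: The backward branch's `op[-3].tas.rsize -= count + size;` is only safe if `count + size` never exceeds the current size of the searched string, and nothing in the hunk states that invariant. The value of `count` at `found:` is set by code above the hunk (search_impl starts outside it), so a reader cannot confirm here that the subtraction cannot wrap below zero, which is the kind of size error this fix is meant to remove. I would add a comment above `if (forward)` such as `/* after push(2): op[-3] is the searched string (post), op[-1] the copy (pre); count + size <= size of op[-3] on entry */`. The new lines also mix `op1` and `op[-3]` for what appears to be the same stack slot, and assign `tas.rsize` directly where the removed lines used `r_set_size()`; a short remark on why would help the next backporter.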
diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes
index 3413783..32dd643 100644
--- a/ghostscript-mini.changes
+++ b/ghostscript-mini.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jul 28 09:15:30 CEST 2020 - jsmeix@suse.de
+
+- CVE-2020-15900.patch fixes CVE-2020-15900 Memory Corruption
+  cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
+  (bsc#1174415)
+
 -------------------------------------------------------------------
 Wed Apr 29 12:09:39 CEST 2020 - jsmeix@suse.de
 
diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec
index b207ae1..6e55a80 100644
--- a/ghostscript-mini.spec
+++ b/ghostscript-mini.spec
@@ -78,6 +78,13 @@ Release:        0
 Source0:        ghostscript-%{version}.tar.gz
 Source1:        apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
+# Patch1 CVE-2020-15900.patch is
+# https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b
+# that fixes CVE-2020-15900 Memory Corruption
+# in the rsearch PostScript function that is implemented as search_impl() in psi/zstring.c
+# cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
+# and https://bugzilla.suse.com/show_bug.cgi?id=1174415
+Patch1:         CVE-2020-15900.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -146,6 +153,13 @@ This package contains the development files for Minimal Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
+# Patch1 CVE-2020-15900.patch is
+# https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b
+# that fixes CVE-2020-15900 Memory Corruption
+# in the rsearch PostScript function that is implemented as search_impl() in psi/zstring.c
+# cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
+# and https://bugzilla.suse.com/show_bug.cgi?id=1174415
+%patch1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream
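Review bot: `%patch1` is invoked without a strip level, so applying the security fix relies on `%patch`'s default matching the source-root-relative paths (`psi/zstring.c`) used in CVE-2020-15900.patch. Writing `%patch1 -p0` would make that dependency explicit, so that a later refresh of the patch with `a/`/`b/` path prefixes shows up as an obvious mismatch. The same applies to the `%patch1` line added in ghostscript.spec.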
diff --git a/ghostscript.changes b/ghostscript.changes
index 090e920..1b3787e 100644
--- a/ghostscript.changes
+++ b/ghostscript.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jul 28 09:15:30 CEST 2020 - jsmeix@suse.de
+
+- CVE-2020-15900.patch fixes CVE-2020-15900 Memory Corruption
+  cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
+  (bsc#1174415)
+
 -------------------------------------------------------------------
 Wed Apr 29 12:09:39 CEST 2020 - jsmeix@suse.de
 
diff --git a/ghostscript.spec b/ghostscript.spec
index 61565fb..0767f13 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -102,6 +102,13 @@ Release:        0
 Source0:        ghostscript-%{version}.tar.gz
 Source1:        apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
+# Patch1 CVE-2020-15900.patch is
+# https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b
+# that fixes CVE-2020-15900 Memory Corruption
+# in the rsearch PostScript function that is implemented as search_impl() in psi/zstring.c
+# cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
+# and https://bugzilla.suse.com/show_bug.cgi?id=1174415
+Patch1:         CVE-2020-15900.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -283,6 +290,13 @@ This package contains the development files for Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
+# Patch1 CVE-2020-15900.patch is
+# https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b
+# that fixes CVE-2020-15900 Memory Corruption
+# in the rsearch PostScript function that is implemented as search_impl() in psi/zstring.c
+# cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
+# and https://bugzilla.suse.com/show_bug.cgi?id=1174415
+%patch1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream