From 9db58690583929ffe4badb3081e6c9b7d1fc40a9c94314390b86927f0ad769c4 Mon Sep 17 00:00:00 2001
From: "Dr. Werner Fink"
Date: Mon, 16 Sep 2019 13:20:05 +0000
Subject: [PATCH] Add overseen fix for CVE-2019-10216
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=120
---
 CVE-2019-10216.patch | 44 ++++++++++++++++++++++++++++++++++++++++
 ghostscript-mini.changes | 8 ++++++++
 ghostscript-mini.spec | 12 +++++++----
 ghostscript.changes | 8 ++++++++
 ghostscript.spec | 12 +++++++----
 5 files changed, 76 insertions(+), 8 deletions(-)
 create mode 100644 CVE-2019-10216.patch
diff --git a/CVE-2019-10216.patch b/CVE-2019-10216.patch
new file mode 100644
index 0000000..7b6b488
--- /dev/null
+++ b/CVE-2019-10216.patch
@@ -0,0 +1,44 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
+
+---
+ Resource/Init/gs_type1.ps | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- Resource/Init/gs_type1.ps
++++ Resource/Init/gs_type1.ps 2019-09-16 13:09:12.277074046 +0000
+@@ -118,25 +118,25 @@
+ ( to be the same as glyph: ) print 1 index //== exec } if
+ 3 index exch 3 index .forceput
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+ {pop} ifelse
+- } forall
++ } executeonly forall
+ pop pop
+- }
++ } executeonly
+ {
+ pop pop pop
+ } ifelse
+- }
++ } executeonly
+ {
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ 3 1 roll pop pop
+- } if
++ } executeonly if
+ pop
+ dup /.AGLprocessed~GS //true .forceput
+- } if
++ } executeonly if
+
+ %% We need to excute the C .buildfont1 in a stopped context so that, if there
+ %% are errors we can put the stack back sanely and exit. Otherwise callers won't
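Review bot: The first changed closing brace in the embedded gs_type1.ps hunk is written `}executeonly` while the other six are `} executeonly`; PostScript treats `}` as self-delimiting, so both parse the same, but one spelling lets a later audit of the `.forceput` call sites search for a single form. The embedded patch keeps upstream's commit header while its file headers carry a local timestamp and no a/ b/ prefixes, which suggests it was refreshed against the packaged source; a header line such as `# refreshed against the packaged source, not the verbatim upstream commit` would tell an auditor what they are comparing. The procedures being marked begin above the visible context, so whether every enclosing body that reaches `.forceput` is now covered cannot be confirmed from this hunk alone.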
diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes index fcc6206..649c74c 100644 --- a/ghostscript-mini.changes +++ b/ghostscript-mini.changes @@ -24,6 +24,14 @@ Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink /usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to use this with its wrapper script +------------------------------------------------------------------- +Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink + +- CVE-2019-10216.patch fixes CVE-2019-10216 + forceput/superexec in .buildfont1 is still accessible + https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621 + https://bugs.ghostscript.com/show_bug.cgi?id=701394 + ------------------------------------------------------------------- Thu Apr 4 14:37:09 CEST 2019 - jsmeix@suse.de diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec index d72ddc3..1fd2e66 100644 --- a/ghostscript-mini.spec +++ b/ghostscript-mini.spec @@ -80,10 +80,12 @@ Source1: apparmor_ghostscript # Patch0...Patch9 is for patches from upstream: # Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch +# Patch1 Add commit from of upstream to fix CVE-2019-10216 +Patch1: CVE-2019-10216.patch # Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 -Patch1: gs-CVE-2019-14811-885444fc.patch +Patch2: gs-CVE-2019-14811-885444fc.patch # Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 -Patch2: gs-CVE-2019-14817-cd1b1cac.patch +Patch3: gs-CVE-2019-14817-cd1b1cac.patch # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: # Source100...Source999 is for sources from SUSE which are not intended for upstream: 
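Review bot: The comments above the renumbered tags still carry the old numbers: in the ghostscript-mini.spec preamble hunk the line `# Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813` now sits over `Patch2:` and `# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817` over `Patch3:`, and the new comment reads "from of upstream". The same stale labels appear in the %prep hunk of this file and in both ghostscript.spec hunks. These comments are the only map from patch number to CVE in the spec, so they should be renumbered to `# Patch2 ...` and `# Patch3 ...`, and the new one reworded to `# Patch1 Add commit from ghostscript upstream to fix CVE-2019-10216`.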
@@ -153,10 +155,12 @@ This package contains the development files for Minimal Ghostscript. # Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616 # openjpeg4gs-CVE-2018-6616-8ee33522.patch %patch0 +# Patch1 Add commit from of upstream to fix CVE-2019-10216 +%patch1 -p0 # Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813 -%patch1 -p1 -# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 %patch2 -p1 +# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817 +%patch3 -p1 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball. # Again use the zlib sources from Ghostscript upstream diff --git a/ghostscript.changes b/ghostscript.changes index a9b1c50..124a712 100644 --- a/ghostscript.changes +++ b/ghostscript.changes @@ -24,6 +24,14 @@ Tue Aug 13 12:38:45 UTC 2019 - Dr. Werner Fink /usr/bin/gs to /usr/bin/gs.bin and allow the gswrap package to use this with its wrapper script +------------------------------------------------------------------- +Mon Aug 12 11:32:08 UTC 2019 - Dr. Werner Fink + +- CVE-2019-10216.patch fixes CVE-2019-10216 + forceput/superexec in .buildfont1 is still accessible + https://bugzilla.suse.com/show_bug.cgi?id=1144621 bsc#1144621 + https://bugs.ghostscript.com/show_bug.cgi?id=701394 + ------------------------------------------------------------------- Wed May 8 08:46:43 UTC 2019 - jsegitz@suse.com diff --git a/ghostscript.spec b/ghostscript.spec index 5401438..16cb20b 100644 --- a/ghostscript.spec +++ b/ghostscript.spec 
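Review bot: `%patch1 -p0` in the %prep hunk of ghostscript-mini.spec, and again in the ghostscript.spec %prep hunk, uses a different strip level from the `-p1` of the neighbouring upstream patches, and nothing says why. It appears to be required because CVE-2019-10216.patch names its target as `Resource/Init/gs_type1.ps` with no leading directory component. A comment such as `# CVE-2019-10216.patch has no a/ b/ path prefix, so it is applied with -p0` would stop a later cleanup from changing it to -p1 and breaking the build of a security fix.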
@@ -102,10 +102,12 @@ Source1: apparmor_ghostscript
 # Patch0...Patch9 is for patches from upstream:
 # Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
 Patch0: openjpeg4gs-CVE-2018-6616-8ee33522.patch
+# Patch1 Add commit from of upstream to fix CVE-2019-10216
+Patch1: CVE-2019-10216.patch
 # Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
-Patch1: gs-CVE-2019-14811-885444fc.patch
+Patch2: gs-CVE-2019-14811-885444fc.patch
 # Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
-Patch2: gs-CVE-2019-14817-cd1b1cac.patch
+Patch3: gs-CVE-2019-14817-cd1b1cac.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -288,10 +290,12 @@ This package contains the development files for Ghostscript.
 # Patch0 Add commit from openjpeg upstream to fix CVE-2018-6616
 # openjpeg4gs-CVE-2018-6616-8ee33522.patch
 %patch0
+# Patch1 Add commit from of upstream to fix CVE-2019-10216
+%patch1 -p0
 # Patch1 Add commit from ghostscript upstream to fix CVE-2019-14811,CVE-2019-14812,CVE-2019-14813
-%patch1 -p1
-# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
 %patch2 -p1
+# Patch2 Add commit from ghostscript upstream to fix CVE-2019-14817
+%patch3 -p1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream