From 064397ec60f9c0ccabd9dfdea604c82c7cc102d52d969d9307754213af2ae186 Mon Sep 17 00:00:00 2001
From: Johannes Meixner <jsmeix@suse.com>
Date: Wed, 12 Jan 2022 09:39:16 +0000
Subject: [PATCH] Accepting request 945778 from home:jsmeix:branches:Printing

Ghostscript security fix CVE-2021-45949 (bsc#1194304) including CVE-2021-45944 (bsc#1194303)

OBS-URL: https://build.opensuse.org/request/show/945778
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=148
---
 CVE-2021-45949.patch     | 36 ++++++++++++++++++++++++++++++++++++
 ghostscript-mini.changes | 11 +++++++++++
 ghostscript-mini.spec    | 14 +++++++++++++-
 ghostscript.changes      | 11 +++++++++++
 ghostscript.spec         | 14 +++++++++++++-
 5 files changed, 84 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2021-45949.patch

diff --git a/CVE-2021-45949.patch b/CVE-2021-45949.patch
new file mode 100644
index 0000000..dd17e10
--- /dev/null
+++ b/CVE-2021-45949.patch
@@ -0,0 +1,36 @@
+--- psi/zfsample.c.orig	2022-01-12 09:16:07.639604741 +0100
++++ psi/zfsample.c	2022-01-12 09:21:45.187952236 +0100
+@@ -535,13 +535,16 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+     }
+     pop(num_out);		    /* Move op to base of result values */
+ 
++    /* From here on, we have to use ref_stack_pop() rather than pop()
++       so that it handles stack extension blocks properly, before calling
++       sampled_data_sample() which also uses the op stack.
++     */
+     /* Check if we are done collecting data. */
+-
+     if (increment_cube_indexes(params, penum->indexes)) {
+         if (stack_depth_adjust == 0)
+-            pop(O_STACK_PAD);	    /* Remove spare stack space */
++            ref_stack_pop(&o_stack, O_STACK_PAD);	    /* Remove spare stack space */
+         else
+-            pop(stack_depth_adjust - num_out);
++            ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+         /* Execute the closing procedure, if given */
+         code = 0;
+         if (esp_finish_proc != 0)
+@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+             if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+                 stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+                 check_op(stack_depth_adjust);
+-                pop(stack_depth_adjust);
++                ref_stack_pop(&o_stack, stack_depth_adjust);
+             }
+             else {
+                 check_ostack(O_STACK_PAD - stack_depth_adjust);
+-                push(O_STACK_PAD - stack_depth_adjust);
++                ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+                 for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+                     make_null(op - i);
+             }
diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes
index cf566a6..9411af8 100644
--- a/ghostscript-mini.changes
+++ b/ghostscript-mini.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Jan 11 13:40:10 CET 2022 - jsmeix@suse.de
+
+- CVE-2021-45949.patch fixes CVE-2021-45949
+  heap-based buffer overflow in sampled_data_finish
+  cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+  (bsc#1194304)
+- CVE-2021-45944 use-after-free in sampled_data_sample
+  is already fixed in the Ghostscript 9.54.0 upstream sources
+  (bsc#1194303)
+
 -------------------------------------------------------------------
 Fri Sep 10 09:37:46 CEST 2021 - jsmeix@suse.de
 
diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec
index dc3f181..897e9f1 100644
--- a/ghostscript-mini.spec
+++ b/ghostscript-mini.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript-mini
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -89,6 +89,12 @@ Patch101:       ijs_exec_server_dont_use_sh.patch
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
 # and https://bugzilla.suse.com/show_bug.cgi?id=1190381
 Patch102:       CVE-2021-3781.patch
+# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
+# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
+Patch103:       CVE-2021-45949.patch
 # RPM dependencies:
 # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
 # so other packages can build with any available Ghostscript implementation,
@@ -172,6 +178,12 @@ This package contains the development files for Minimal Ghostscript.
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
 # and https://bugzilla.suse.com/show_bug.cgi?id=1190381
 %patch102 -p1
+# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
+# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
+%patch103
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
diff --git a/ghostscript.changes b/ghostscript.changes
index 3314d21..a1b997e 100644
--- a/ghostscript.changes
+++ b/ghostscript.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Jan 11 13:40:10 CET 2022 - jsmeix@suse.de
+
+- CVE-2021-45949.patch fixes CVE-2021-45949
+  heap-based buffer overflow in sampled_data_finish
+  cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+  (bsc#1194304)
+- CVE-2021-45944 use-after-free in sampled_data_sample
+  is already fixed in the Ghostscript 9.54.0 upstream sources
+  (bsc#1194303)
+
 -------------------------------------------------------------------
 Fri Sep 10 09:37:46 CEST 2021 - jsmeix@suse.de
 
diff --git a/ghostscript.spec b/ghostscript.spec
index e55746a..d0a568c 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -118,6 +118,12 @@ Patch101:       ijs_exec_server_dont_use_sh.patch
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
 # and https://bugzilla.suse.com/show_bug.cgi?id=1190381
 Patch102:       CVE-2021-3781.patch
+# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
+# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
+Patch103:       CVE-2021-45949.patch
 # RPM dependencies:
 # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
 # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
@@ -313,6 +319,12 @@ This package contains the development files for Ghostscript.
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
 # and https://bugzilla.suse.com/show_bug.cgi?id=1190381
 %patch102 -p1
+# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
+# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
+%patch103
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig