Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2022-01-14 23:12:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghostscript (Old) and /work/SRC/openSUSE:Factory/.ghostscript.new.1892 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Fri Jan 14 23:12:43 2022 rev:53 rq:945779 version:9.54.0 Changes: --------
--- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2021-09-13 16:25:10.582789466 +0200
+++ /work/SRC/openSUSE:Factory/.ghostscript.new.1892/ghostscript-mini.changes 2022-01-14 23:13:15.826632685 +0100
@@ -1,0 +2,11 @@
+Tue Jan 11 13:40:10 CET 2022 - jsm...@suse.de
+
+- CVE-2021-45949.patch fixes CVE-2021-45949
+ heap-based buffer overflow in sampled_data_finish
+ cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+ (bsc#1194304)
+- CVE-2021-45944 use-after-free in sampled_data_sample
+ is already fixed in the Ghostscript 9.54.0 upstream sources
+ (bsc#1194303)
+
+-------------------------------------------------------------------
ghostscript.changes: same change New: ---- CVE-2021-45949.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ ghostscript-mini.spec ++++++
--- /var/tmp/diff_new_pack.yrTocG/_old 2022-01-14 23:13:16.566633162 +0100
+++ /var/tmp/diff_new_pack.yrTocG/_new 2022-01-14 23:13:16.570633165 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript-mini
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -89,6 +89,12 @@
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
 # and https://bugzilla.suse.com/show_bug.cgi?id=1190381
 Patch102: CVE-2021-3781.patch
+# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
+# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
+Patch103: CVE-2021-45949.patch
 # RPM dependencies:
 # The "Provides: ghostscript_any" is there to support "BuildRequires: ghostscript_any"
 # so other packages can build with any available Ghostscript implementation,
@@ -172,6 +178,12 @@
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
 # and https://bugzilla.suse.com/show_bug.cgi?id=1190381
 %patch102 -p1
+# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
+# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
+%patch103
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
++++++ ghostscript.spec ++++++
--- /var/tmp/diff_new_pack.yrTocG/_old 2022-01-14 23:13:16.586633175 +0100
+++ /var/tmp/diff_new_pack.yrTocG/_new 2022-01-14 23:13:16.590633178 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
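Review bot: `%patch103` in the ghostscript-mini.spec %prep hunk (`@@ -172,6 +178,12 @@`) is applied without a strip level, while `%patch102 -p1` directly above it passes one. The CVE-2021-45949.patch header further down names `psi/zfsample.c.orig` and `psi/zfsample.c` with no leading directory, so a strip level of 0 is what this patch needs, but a reader has to open the patch to confirm that. Writing `%patch103 -p0` would state the intent on the line itself. The same line appears in the ghostscript.spec %prep hunk (`@@ -313,6 +319,12 @@`).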
@@ -118,6 +118,12 @@
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
 # and https://bugzilla.suse.com/show_bug.cgi?id=1190381
 Patch102: CVE-2021-3781.patch
+# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
+# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
+Patch103: CVE-2021-45949.patch
 # RPM dependencies:
 # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from
 # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11":
@@ -313,6 +319,12 @@
 # cf. https://bugs.ghostscript.com/show_bug.cgi?id=704342
 # and https://bugzilla.suse.com/show_bug.cgi?id=1190381
 %patch102 -p1
+# Patch103 CVE-2021-45949.patch was derived for Ghostscript-9.54 from
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
+# that fixes CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+# cf. https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-803.yaml
+# and https://bugzilla.suse.com/show_bug.cgi?id=1194304
+%patch103
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig
++++++ CVE-2021-45949.patch ++++++
--- psi/zfsample.c.orig 2022-01-12 09:16:07.639604741 +0100
+++ psi/zfsample.c 2022-01-12 09:21:45.187952236 +0100
@@ -535,13 +535,16 @@ sampled_data_continue(i_ctx_t *i_ctx_p) } pop(num_out); /* Move op to base of result values */ + /* From here on, we have to use ref_stack_pop() rather than pop() + so that it handles stack extension blocks properly, before calling + sampled_data_sample() which also uses the op stack. + */ /* Check if we are done collecting data. */ - if (increment_cube_indexes(params, penum->indexes)) { if (stack_depth_adjust == 0) - pop(O_STACK_PAD); /* Remove spare stack space */ + ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ else - pop(stack_depth_adjust - num_out); + ref_stack_pop(&o_stack, stack_depth_adjust - num_out); /* Execute the closing procedure, if given */ code = 0; if (esp_finish_proc != 0) @@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) if ((O_STACK_PAD - stack_depth_adjust) < 0) { stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); check_op(stack_depth_adjust); - pop(stack_depth_adjust); + ref_stack_pop(&o_stack, stack_depth_adjust); } else { check_ostack(O_STACK_PAD - stack_depth_adjust); - push(O_STACK_PAD - stack_depth_adjust); + ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) make_null(op - i); }
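Review bot: In the second hunk (`@@ -554,11 +557,11 @@`) the result of `ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust)` is discarded, and the `make_null(op - i)` loop that follows still indexes through `op`. Unlike the `push()` macro it replaces, `ref_stack_push()` returns an error code and, as far as I can tell, does not advance a caller-local pointer. If `op` is the usual local operand pointer (its declaration is outside the hunk), the loop may null entries below the newly pushed slots instead of the padding itself. I would write `code = ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); if (code < 0) return code;` and refresh the pointer with `op = osp;` before the loop. The same stale-`op` question applies after `ref_stack_pop(&o_stack, stack_depth_adjust)` in the branch above, because sampled_data_continue runs on past the end of the hunk.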