Control: tags 859662 + patch Control: tags 859662 + pending Control: tags 859666 + pending Control: tags 859694 + pending Control: tags 859696 + pending Control: tags 861295 + patch Control: tags 861295 + pending
Dear maintainer, I've prepared an NMU for ghostscript (versioned as 9.20~dfsg-3.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Actually, if possible and if you agree with the debdiff/patchset, an upload earlier than the delay would be good in light of #861295. Regards, Salvatore
diff -Nru ghostscript-9.20~dfsg/debian/changelog ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog 2017-03-21 17:20:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/changelog 2017-04-28 06:50:05.000000000 +0200
@@ -1,3 +1,18 @@
+ghostscript (9.20~dfsg-3.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%"
+ substring (CVE-2017-8291) (Closes: #861295)
+ * use the correct param list enumerator (CVE-2017-5951) (Closes: #859696)
+ * fix crash with bad data supplied to makeimagedevice (CVE-2016-10220)
+ (Closes: #859694)
+ * Avoid divide by 0 in scan conversion code (CVE-2016-10219)
+ (Closes: #859666)
+ * Dont create new ctx when pdf14 device reenabled (CVE-2016-10217)
+ (Closes: #859662)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 28 Apr 2017 06:50:05 +0200
+
 ghostscript (9.20~dfsg-3) unstable; urgency=medium

 * Fix NULL pointer dereference in mem_get_bits_rectangle().
diff -Nru ghostscript-9.20~dfsg/debian/patches/0001-Bug-697799-have-.eqproc-check-its-parameters.patch ghostscript-9.20~dfsg/debian/patches/0001-Bug-697799-have-.eqproc-check-its-parameters.patch
--- ghostscript-9.20~dfsg/debian/patches/0001-Bug-697799-have-.eqproc-check-its-parameters.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0001-Bug-697799-have-.eqproc-check-its-parameters.patch 2017-04-28 06:50:05.000000000 +0200
@@ -0,0 +1,31 @@
+From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.lidd...@artifex.com>
+Date: Thu, 27 Apr 2017 13:03:33 +0100
+Subject: [PATCH 1/2] Bug 697799: have .eqproc check its parameters
+
+The Ghostscript custom operator .eqproc was not check the number or type of
+the parameters it was given.
+---
+ psi/zmisc3.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zmisc3.c b/psi/zmisc3.c
+index 54b3042..37293ff 100644
+--- a/psi/zmisc3.c
++++ b/psi/zmisc3.c
+@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
+ ref2_t stack[MAX_DEPTH + 1];
+ ref2_t *top = stack;
+
++ if (ref_stack_count(&o_stack) < 2)
++ return_error(gs_error_stackunderflow);
++ if (!r_is_array(op - 1) || !r_is_array(op)) {
++ return_error(gs_error_typecheck);
++ }
++
+ make_array(&stack[0].proc1, 0, 1, op - 1);
+ make_array(&stack[0].proc2, 0, 1, op);
+ for (;;) {
+--
+2.1.4
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/0002-Bug-697799-have-.rsdparams-check-its-parameters.patch ghostscript-9.20~dfsg/debian/patches/0002-Bug-697799-have-.rsdparams-check-its-parameters.patch
--- ghostscript-9.20~dfsg/debian/patches/0002-Bug-697799-have-.rsdparams-check-its-parameters.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0002-Bug-697799-have-.rsdparams-check-its-parameters.patch 2017-04-28 06:50:05.000000000 +0200
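Review bot: The two guards added to zeqproc use different brace styles — the depth check `if (ref_stack_count(&o_stack) < 2) return_error(gs_error_stackunderflow);` is unbraced while the type check right after it is braced; bracing both keeps the pair uniform and avoids the single-statement-if trap. The ordering is right: the depth check runs before `op - 1` is read, so the type check never looks below the operand stack. The reason for the checks lives only in the commit message; a one-line comment above them, `/* .eqproc needs two array (procedure) operands; make_array() below does not check them */`, would keep it with the code. zeqproc's body continues outside the hunk.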
@@ -0,0 +1,60 @@
+From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.lidd...@artifex.com>
+Date: Thu, 27 Apr 2017 13:21:31 +0100
+Subject: [PATCH 2/2] Bug 697799: have .rsdparams check its parameters
+
+The Ghostscript internal operator .rsdparams wasn't checking the number or
+type of the operands it was being passed. Do so.
+---
+ psi/zfrsd.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/psi/zfrsd.c b/psi/zfrsd.c
+index 191107d..950588d 100644
+--- a/psi/zfrsd.c
++++ b/psi/zfrsd.c
+@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ ref *pFilter;
+ ref *pDecodeParms;
+ int Intent = 0;
+- bool AsyncRead;
++ bool AsyncRead = false;
+ ref empty_array, filter1_array, parms1_array;
+ uint i;
+- int code;
++ int code = 0;
++
++ if (ref_stack_count(&o_stack) < 1)
++ return_error(gs_error_stackunderflow);
++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++ return_error(gs_error_typecheck);
++ }
+
+ make_empty_array(&empty_array, a_readonly);
+- if (dict_find_string(op, "Filter", &pFilter) > 0) {
++ if (r_has_type(op, t_dictionary)
++ && dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (!r_is_array(pFilter)) {
+ if (!r_has_type(pFilter, t_name))
+ return_error(gs_error_typecheck);
+@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ return_error(gs_error_typecheck);
+ }
+ }
+- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++ if (r_has_type(op, t_dictionary))
++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+ if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
+ return code;
+- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+- )
+- return code;
++ if (r_has_type(op, t_dictionary))
++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++ return code;
+ push(1);
+ op[-1] = *pFilter;
+ if (pDecodeParms)
+--
+2.1.4
+
diff -Nru
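Review bot: The new `if (r_has_type(op, t_dictionary)) if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) return code;` in the second hunk is an unbraced if nested inside an unbraced if; wrapping the outer body in braces, `if (r_has_type(op, t_dictionary)) { if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) return code; }`, avoids the dangling-else trap and reads like the guarded dict_int_param call above it. zrsdparams now accepts a `t_null` operand, yet `pFilter` and `pDecodeParms` are declared without initializers at the top of the first hunk and `op[-1] = *pFilter;` near the end of the second hunk dereferences `pFilter` unconditionally; whether the null path assigns them depends on lines between the two hunks that are not visible here, so that is worth confirming. The `code = 0` and `AsyncRead = false` initializers in the first hunk are what keep the later `code < 0` test and the AsyncRead value defined when the dictionary calls are skipped, which a short comment on the declarations could say. zrsdparams's body extends beyond the hunk on both sides.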
ghostscript-9.20~dfsg/debian/patches/0003-Bug-697548-use-the-correct-param-list-enumerator.patch ghostscript-9.20~dfsg/debian/patches/0003-Bug-697548-use-the-correct-param-list-enumerator.patch
--- ghostscript-9.20~dfsg/debian/patches/0003-Bug-697548-use-the-correct-param-list-enumerator.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0003-Bug-697548-use-the-correct-param-list-enumerator.patch 2017-04-28 06:50:05.000000000 +0200
@@ -0,0 +1,39 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.lidd...@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+
+Using the correct enumerator works better.
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+ gs_param_enumerator_t enumr;
+ gs_param_key_t key;
+ ref_type keytype;
++ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+
+ param_init_enumerator(&enumr);
+- if (!(*((iparam_list *) plist)->enumerate)
+- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
++ if (!(*(dlist->enumerate))
++ ((iparam_list *) dlist, &enumr, &key, &keytype)
+ && keytype == t_integer) {
+- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
++ dlist->int_keys = 1;
+ pvalue->type = gs_param_type_dict_int_keys;
+ }
+ }
+--
+2.1.4
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch ghostscript-9.20~dfsg/debian/patches/0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch
--- ghostscript-9.20~dfsg/debian/patches/0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch 2017-04-28 06:50:05.000000000 +0200
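Review bot: The new `dlist` declaration in ref_param_read_typed carries no comment saying why the enumerator must come from the list just created for the dictionary rather than from `plist`, and that reason lives only in the commit message; a one-line comment above it, `/* Enumerate with the list built for this dictionary, not the parent plist (bug 697548). */`, would keep a later refactor from reintroducing the parent enumerator. The cast `(dict_param_list *) pvalue->value.d.list` is the same one the removed `int_keys` line used, so hoisting it into `dlist` also removes a duplicated cast. The enclosing function continues on both sides of the hunk.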
@@ -0,0 +1,50 @@
+From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sh...@artifex.com>
+Date: Wed, 21 Dec 2016 16:54:14 +0000
+Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
+
+Bug #697450 "Null pointer dereference in gx_device_finalize()"
+
+The problem here is that the code to finalise a device unconditionally
+frees the icc_struct member of the device structure. However this
+particular (weird) device is not setup as a normal device, probably
+because its very, very ancient. Its possible for the initialisation
+of the device to abort with an error before calling gs_make_mem_device()
+which is where the icc_struct member gets allocated (or set to NULL).
+
+If that happens, then the cleanup code tries to free the device, which
+calls finalize() which tries to free a garbage pointer.
+
+Setting the device memory to 0x00 after we allocate it means that the
+icc_struct member will be NULL< and our memory manager allows for that
+happily enough, which avoids the problem.
+---
+ base/gsdevmem.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/base/gsdevmem.c b/base/gsdevmem.c
+index 97b9cf4..fe75bcc 100644
+--- a/base/gsdevmem.c
++++ b/base/gsdevmem.c
+@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
+
+ if (pnew == 0)
+ return_error(gs_error_VMerror);
++
++ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
++ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
++ * initialisation will fail, crucially it will fail *before* it calls
++ * gs_make_mem_device() which initialises the device. This means that the
++ * icc_struct member will be uninitialsed, but the device finalise method
++ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
++ * Apparently we do still need makeimagedevice to be available from
++ * PostScript, so in here just zero the device memory, which means that
++ * the finalise routine won't have a problem.
++ */
++ memset(pnew, 0x00, st_device_memory.ssize);
+ code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
+ colors, num_colors, word_oriented,
+ page_device, mem);
+--
+2.1.4
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch ghostscript-9.20~dfsg/debian/patches/0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch
--- ghostscript-9.20~dfsg/debian/patches/0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch 2017-04-28 06:50:05.000000000 +0200
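Review bot: The added `memset(pnew, 0x00, st_device_memory.ssize);` takes its length from the `st_device_memory` descriptor rather than from the allocation of `pnew`, and that allocation sits above the hunk where it cannot be seen; if `pnew` was allocated with a size other than `st_device_memory.ssize` the clear would be short or run past the object, so the two should be confirmed to agree, and a comment saying the descriptor is the one `pnew` was allocated with (or tying the length to `sizeof *pnew` where the type allows) would make that coupling explicit. The ten-line block comment above it mostly repeats the commit message; two sentences — that initialisation can fail before gs_make_mem_device() sets icc_struct, and that the finalize routine frees icc_struct unconditionally — carry the same information. gs_makewordimagedevice continues outside the hunk.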
@@ -0,0 +1,44 @@
+From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.wa...@artifex.com>
+Date: Thu, 29 Dec 2016 15:57:43 +0000
+Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
+
+Arithmetic overflow due to extreme values in the scan conversion
+code can cause a division by 0.
+
+Avoid this with a simple extra check.
+
+ dx_old=cf814d81
+ endp->x_next=b0e859b9
+ alp->x_next=8069a73a
+
+leads to dx_den = 0
+---
+ base/gxfill.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/gxfill.c b/base/gxfill.c
+index 99196c0..2f81bb0 100644
+--- a/base/gxfill.c
++++ b/base/gxfill.c
+@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
+ fixed dx_old = alp->x_current - endp->x_current;
+ fixed dx_den = dx_old + endp->x_next - alp->x_next;
+
+- if (dx_den <= dx_old)
++ if (dx_den <= dx_old || dx_den == 0)
+ return false; /* Intersection isn't possible. */
+ dy = y1 - y;
+ if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
+@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
+ /* Do the computation in single precision */
+ /* if the values are small enough. */
+ y_new =
+- ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
++ (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
+ dy * dx_old / dx_den :
+ (INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den))) + y;
+--
+2.1.4
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch ghostscript-9.20~dfsg/debian/patches/0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch
--- ghostscript-9.20~dfsg/debian/patches/0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch 2017-04-28 06:50:05.000000000 +0200
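Review bot: The added `|| dx_den == 0` in intersect guards the division but not its cause: `dx_den = dx_old + endp->x_next - alp->x_next` on the context line above is computed in `fixed`, and if `fixed` is a signed type (the `(ufixed)` cast in the second hunk suggests it is) the overflow the commit message describes is undefined behaviour in C, so the zero test is relying on the wrapped value rather than on defined arithmetic. Forming the sum through `ufixed` (or a wider intermediate) before comparing would make the check rest on defined behaviour; the `(ufixed)` cast in the second hunk does something similar for the precision test. That cast makes a negative `dy` or `dx_old` compare as large and fall through to fixed_mult_quo instead of the `dy * dx_old` path; a short comment such as `/* negative dy or dx_old must not take the single-precision product */` would explain it. intersect continues outside both hunks.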
@@ -0,0 +1,33 @@
+From 90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb Mon Sep 17 00:00:00 2001
+From: Michael Vrhel <michael.vr...@artifex.com>
+Date: Thu, 29 Dec 2016 14:00:21 -0800
+Subject: [PATCH] Bug 697456. Dont create new ctx when pdf14 device reenabled
+
+This bug had yet another weird case where the user created a
+file that pushed the pdf14 device twice. We were in that case,
+creating a new ctx and blowing away the original one with out
+proper clean up. To avoid, only create a new one when we need it.
+---
+ base/gdevp14.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/base/gdevp14.c b/base/gdevp14.c
+index fd56ec9..f19318e 100644
+--- a/base/gdevp14.c
++++ b/base/gdevp14.c
+@@ -1669,8 +1669,10 @@ pdf14_open(gx_device *dev)
+ rect.p.y = 0;
+ rect.q.x = dev->width;
+ rect.q.y = dev->height;
+- pdev->ctx = pdf14_ctx_new(&rect, dev->color_info.num_components,
+- pdev->color_info.polarity != GX_CINFO_POLARITY_SUBTRACTIVE, dev);
++ /* If we are reenabling the device dont create a new ctx. Bug 697456 */
++ if (pdev->ctx == NULL)
++ pdev->ctx = pdf14_ctx_new(&rect, dev->color_info.num_components,
++ pdev->color_info.polarity != GX_CINFO_POLARITY_SUBTRACTIVE, dev);
+ if (pdev->ctx == NULL)
+ return_error(gs_error_VMerror);
+ pdev->free_devicen = true;
+--
+2.1.4
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/series ghostscript-9.20~dfsg/debian/patches/series
--- ghostscript-9.20~dfsg/debian/patches/series 2017-03-21 17:14:17.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/series 2017-04-28 06:50:05.000000000 +0200
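Review bot: The reopen path in pdf14_open keeps an existing `pdev->ctx`, but the `rect` filled from `dev->width` and `dev->height` on the context lines above is then only consumed when a new ctx is created; nothing in the hunk checks that a kept ctx was built for the same dimensions, so if the device size can change between the two opens the old ctx would be reused for a different rect — worth confirming against pdf14_ctx_new's use of rect, which is outside the hunk. The comment `/* If we are reenabling the device dont create a new ctx. Bug 697456 */` could also say what the old code cost, e.g. `/* Reopening with a live ctx: keep it; creating another one discarded the old one without cleanup. Bug 697456 */`. The unchanged `if (pdev->ctx == NULL)` directly after the guarded creation now reads as a repeat of the test above it; a trailing `/* allocation failed */` on it would make the two checks distinct at a glance. pdf14_open continues outside the hunk.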
@@ -7,6 +7,12 @@
 020161008~f5c7555.patch
 020161026~0726780.patch
 020170317~309eca4.patch
+0001-Bug-697799-have-.eqproc-check-its-parameters.patch
+0002-Bug-697799-have-.rsdparams-check-its-parameters.patch
+0003-Bug-697548-use-the-correct-param-list-enumerator.patch
+0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch
+0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch
+0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch
 1001_fix_openjp2_dynamic_linking.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch