Control: tags -1 + patch

Attached is the proposed debdiff (not yet uploaded, not even to a delayed queue).
Regards, Salvatore
diff -Nru ghostscript-9.20~dfsg/debian/changelog ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog 2017-01-25 05:26:10.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/changelog 2017-02-26 21:03:15.000000000 +0100
@@ -1,3 +1,11 @@
+ghostscript (9.20~dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Resolve image enumerator ownership on error (CVE-2017-6196)
+ (Closes: #856142)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 26 Feb 2017 21:03:15 +0100
+
 ghostscript (9.20~dfsg-2) unstable; urgency=medium

 * Add patch cherry-picked upstream to always print full PWG Raster
diff -Nru ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch
--- ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch 2017-02-26 21:03:15.000000000 +0100 
@@ -0,0 +1,63 @@
+From ecceafe3abba2714ef9b432035fe0739d9b1a283 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sh...@artifex.com>
+Date: Mon, 20 Feb 2017 09:45:18 +0000
+Subject: [PATCH] Resolve image enumerator ownership on error
+
+Bug #697596 "Use-After-Free in i_free_object()"
+
+There is confusion over ownership of 'penum' between gx_begin_image1(),
+gx_begin_image4() and gx_image_enum_begin() which is called from these
+two functions (and only from these two functions).
+
+The enumerator is allocated in gx_begin_image?() and freed there if
+gx_image_enum_begin() returns an error. However, gx_image_enum_begin()
+also frees the enumerator on an error; except that it doesn't always do
+so. Its a large function and there are at least 9 ways to exit it, only
+4 of which free the enumerator.
+
+This commit removes the 'free' instances from gx_image_enum_begin()
+leaving the cleanup as the responsibility of the calling code, which
+performed the allocation.
+---
+ base/gxipixel.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/base/gxipixel.c b/base/gxipixel.c
+index c41d3b885..4eb654844 100644
+--- a/base/gxipixel.c
++++ b/base/gxipixel.c
+@@ -290,7 +290,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ penum->Height = height;
+
+ if ((code = gx_image_compute_mat(pgs, pmat, &(pim->ImageMatrix), &mat)) < 0) {
+- gs_free_object(mem, penum, "gx_default_begin_image");
+ return code;
+ }
+ /* Grid fit: A common construction in postscript/PDF files is for images
+@@ -587,7 +586,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ }
+ if (masked) { /* This is imagemask. */
+ if (bps != 1 || pcs != NULL || penum->alpha || decode[0] == decode[1]) {
+- gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_rangecheck);
+ }
+ /* Initialize color entries 0 and 255. 
*/
+@@ -607,7 +605,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+
+ spp = cs_num_components(pcs);
+ if (spp < 0) { /* Pattern not allowed */
+- gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_rangecheck);
+ }
+ if (penum->alpha)
+@@ -715,7 +712,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ bsize = ((bps > 8 ? width * 2 : width) + 15) * spp;
+ buffer = gs_alloc_bytes(mem, bsize, "image buffer");
+ if (buffer == 0) {
+- gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_VMerror);
+ }
+ penum->bps = bps;
+--
+2.11.0
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/series ghostscript-9.20~dfsg/debian/patches/series
--- ghostscript-9.20~dfsg/debian/patches/series 2017-01-25 05:04:25.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/series 2017-02-26 21:03:15.000000000 +0100
@@ -7,6 +7,7 @@
 020161008~f5c7555.patch
 020161026~0726780.patch
 1001_fix_openjp2_dynamic_linking.patch
+1002-Resolve-image-enumerator-ownership-on-error.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch
 2003_support_multiarch.patch
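Review bot: Removing the four gs_free_object(mem, penum, ...) calls in gx_image_enum_begin() makes the caller the sole owner of penum on every error return, but nothing in this debdiff shows gx_begin_image1() and gx_begin_image4() actually freeing it on each failing return; the description asserts it, the patch does not touch them, so the backport is only as complete as those callers in 9.20. The rest of gx_image_enum_begin() also lies outside the four hunks (the function starts and ends beyond them), and any free of penum left in it would keep the original double free alive, so the full base/gxipixel.c should be checked for remaining gs_free_object(..., penum, ...) exits before upload. The new ownership rule is not stated anywhere in the code, which is how the inconsistency arose; add at the function definition `/* On any error return penum is NOT freed here: the caller that allocated it owns it and must free it. */`.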