Control: tags 862779 + pending

Hi Jonas,

I've prepared an NMU for ghostscript (versioned as 9.20~dfsg-3.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore

diff -Nru ghostscript-9.20~dfsg/debian/changelog ghostscript-9.20~dfsg/debian/changelog --- ghostscript-9.20~dfsg/debian/changelog 2017-04-28 06:50:05.000000000 +0200 +++ ghostscript-9.20~dfsg/debian/changelog 2017-05-21 19:22:52.000000000 +0200 @@ -1,3 +1,14 @@ +ghostscript (9.20~dfsg-3.2) unstable; urgency=medium + + * Non-maintainer upload. + * Fix regression introduced by CVE-2017-8291 fix. + When using the "DELAYBIND" feature, it turns out that .eqproc can be + called with parameters that are not both procedures. In this case, it + turns out, the expectation is for the operator to return 'false', rather + than throw an error. (Closes: #862779) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 21 May 2017 19:22:52 +0200 + ghostscript (9.20~dfsg-3.1) unstable; urgency=high * Non-maintainer upload. diff -Nru ghostscript-9.20~dfsg/debian/patches/020170503~57f2071.patch ghostscript-9.20~dfsg/debian/patches/020170503~57f2071.patch --- ghostscript-9.20~dfsg/debian/patches/020170503~57f2071.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.20~dfsg/debian/patches/020170503~57f2071.patch 2017-05-21 19:22:52.000000000 +0200 
@@ -0,0 +1,51 @@ +Description: Bug 697846: revision to commit 4f83478c88 (.eqproc) + When using the "DELAYBIND" feature, it turns out that .eqproc can be called with + parameters that are not both procedures. In this case, it turns out, the + expectation is for the operator to return 'false', rather than throw an error. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697846 +Bug-Debian: https://bugs.debian.org/862779 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1687614 +Forwarded: not-needed +Author: Chris Liddell <chris.lidd...@artifex.com> +Last-Update: 2017-05-21 +--- + psi/zmisc3.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/psi/zmisc3.c b/psi/zmisc3.c +index 37293ff..3f01d39 100644 +--- a/psi/zmisc3.c ++++ b/psi/zmisc3.c +@@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p) + return gs_cliprestore(igs); + } + ++static inline bool ++eqproc_check_type(ref *r) ++{ ++ return r_has_type(r, t_array) ++ || r_has_type(r, t_mixedarray) ++ || r_has_type(r, t_shortarray) ++ || r_has_type(r, t_oparray); ++} ++ + /* <proc1> <proc2> .eqproc <bool> */ + /* + * Test whether two procedures are equal to depth 10. +@@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p) + + if (ref_stack_count(&o_stack) < 2) + return_error(gs_error_stackunderflow); +- if (!r_is_array(op - 1) || !r_is_array(op)) { +- return_error(gs_error_typecheck); ++ if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) { ++ make_false(op - 1); ++ pop(1); ++ return 0; + } + + make_array(&stack[0].proc1, 0, 1, op - 1); +-- +2.1.4 + diff -Nru ghostscript-9.20~dfsg/debian/patches/series ghostscript-9.20~dfsg/debian/patches/series --- ghostscript-9.20~dfsg/debian/patches/series 2017-04-28 06:50:05.000000000 +0200 +++ ghostscript-9.20~dfsg/debian/patches/series 2017-05-21 19:22:52.000000000 +0200 
@@ -13,6 +13,7 @@ 0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch 0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch 0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch +020170503~57f2071.patch 1001_fix_openjp2_dynamic_linking.patch 2001_docdir_fix_for_debian.patch 2002_gs_man_fix_debian.patch
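
Review bot: In the first psi/zmisc3.c hunk (@@ -38,6 +38,15), eqproc_check_type has no comment, and it swaps the r_is_array test for an explicit list of four types that includes t_oparray. A short comment stating which types count as a procedure for .eqproc, and why the list is spelled out instead of reusing r_is_array, would let a reader judge whether the accepted set differs from what the removed check allowed.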
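
Review bot: In the zeqproc hunk of psi/zmisc3.c (@@ -58,8 +67,10), the operator comment "/* <proc1> <proc2> .eqproc <bool> */" above the function still describes both operands as procedures, while the new branch returns false for any other operand type in place of gs_error_typecheck; the comment should document that. The type test still runs before "make_array(&stack[0].proc1, 0, 1, op - 1);", so operands that fail it never reach that call, and a one-line comment on the branch saying so would keep a later cleanup from moving it. As a style point, "op -1" in the new condition should be "op - 1" to match the surrounding lines.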