Control: tags 860869 + patch Control: tags 860869 + pending Control: tags 896069 + pending
Dear maintainer, I've prepared an NMU for ghostscript (versioned as 9.22~dfsg-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru ghostscript-9.22~dfsg/debian/changelog ghostscript-9.22~dfsg/debian/changelog
--- ghostscript-9.22~dfsg/debian/changelog 2018-02-10 17:41:31.000000000 +0100
+++ ghostscript-9.22~dfsg/debian/changelog 2018-04-20 12:28:29.000000000 +0200
@@ -1,3 +1,13 @@
+ghostscript (9.22~dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Buffer overflow in fill_threshold_buffer (CVE-2016-10317)
+ (Closes: #860869)
+ * pdfwrite - Guard against trying to output an infinite number
+ (CVE-2018-10194) (Closes: #896069)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 20 Apr 2018 12:28:29 +0200
+
 ghostscript (9.22~dfsg-2) unstable; urgency=medium
 
 * Update Vcs-* fields for the move to salsa.d.o
diff -Nru ghostscript-9.22~dfsg/debian/patches/0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch ghostscript-9.22~dfsg/debian/patches/0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
--- ghostscript-9.22~dfsg/debian/patches/0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.22~dfsg/debian/patches/0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch 2018-04-20 12:28:29.000000000 +0200
@@ -0,0 +1,78 @@
+From: Ray Johnston <ray.johns...@artifex.com>
+Date: Tue, 21 Nov 2017 12:48:54 -0800
+Subject: Fix bug 697459 Buffer overflow in fill_threshold_buffer
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;h=362ec9daadb9992b0def3520cd1dc6fa52edd1c4
+Bug-Debian: https://bugs.debian.org/860869
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697459
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10317
+
+There was an overflow check for ht_buffer size, but none for the larger
+threshold_buffer. Note that this file didn't fail on Windows because the
+combination of the ht_buffer and the size of the (miscalculated due to
+overflow) threshold_buffer would have exceeded the 2Gb limit.
+---
+ base/gxht_thresh.c | 13 ++++++++++---
+ base/gxipixel.c | 2 +-
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/base/gxht_thresh.c b/base/gxht_thresh.c
+index 3fb840213..726861685 100644
+--- a/base/gxht_thresh.c
++++ b/base/gxht_thresh.c
+@@ -711,7 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ space */
+ max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+ (float) penum->Height);
+- if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))
++ if (max_height <= 0)
++ return -1; /* shouldn't happen, but check so we don't div by zero */
++ if (penum->ht_stride * spp_out > max_int / max_height)
+ return -1; /* overflow */
+
+ penum->ht_buffer =
+@@ -734,6 +736,11 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ Also allow a 15 sample over run during the execution. */
+ temp = (int) ceil((float) ((dev_width + 15.0) + 15.0)/16.0);
+ penum->line_size = bitmap_raster(temp * 16 * 8); /* The stride */
++ if (penum->line_size > max_int / max_height) {
++ gs_free_object(penum->memory, penum->ht_buffer, "gxht_thresh");
++ penum->ht_buffer = NULL;
++ return -1; /* thresh_buffer size overflow */
++ }
+ penum->line = gs_alloc_bytes(penum->memory, penum->line_size * spp_out,
+ "gxht_thresh");
+ penum->thresh_buffer = gs_alloc_bytes(penum->memory,
+@@ -754,7 +761,7 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ }
+
+ static void
+-fill_threshhold_buffer(byte *dest_strip, byte *src_strip, int src_width,
++fill_threshold_buffer(byte *dest_strip, byte *src_strip, int src_width,
+ int left_offset, int left_width, int num_tiles,
+ int right_width)
+ {
+@@ -908,7 +915,7 @@ gxht_thresh_planes(gx_image_enum *penum, fixed xrun,
+ to update with stride */
+ position = contone_stride * k;
+ /* Tile into the 128 bit aligned threshold strip */
+- fill_threshhold_buffer(&(thresh_align[position]),
++ fill_threshold_buffer(&(thresh_align[position]),
+ thresh_tile, thresh_width, dx, left_width,
+ num_full_tiles, right_tile_width);
+ }
+diff --git a/base/gxipixel.c b/base/gxipixel.c
+index edd40c52d..cb4f02a09 100644
+--- a/base/gxipixel.c
++++ b/base/gxipixel.c
+@@ -758,7 +758,7 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ penum->memory = mem;
+ penum->buffer = buffer;
+ penum->buffer_size = bsize;
+- penum->line = 0;
++ penum->line = NULL;
+ penum->icc_link = NULL;
+ penum->color_cache = NULL;
+ penum->ht_buffer = NULL;
+--
+2.17.0
+
diff -Nru ghostscript-9.22~dfsg/debian/patches/0002-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch ghostscript-9.22~dfsg/debian/patches/0002-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
--- ghostscript-9.22~dfsg/debian/patches/0002-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch 1970-01-01 01:00:00.000000000 +0100
+++ 
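Review bot: The guard added after `penum->line_size = bitmap_raster(temp * 16 * 8);` bounds only `line_size * max_height`, while the very next allocation in the same hunk is sized `penum->line_size * spp_out` and is not covered; if `spp_out` can exceed `max_height`, that product can still wrap. Consider widening the check to `if (penum->line_size > max_int / max_height || penum->line_size > max_int / spp_out) {`, assuming `spp_out` is positive at this point. The first hunk has a related weakness: `penum->ht_stride * spp_out` is evaluated before it is compared with `max_int / max_height`, so the left-hand product could itself overflow unless the operands are wider than int (their types are not visible here). The size expression of the `thresh_buffer` allocation and the rest of gxht_thresh_image_init lie outside the hunk, so it is worth confirming that expression is exactly what the new guard bounds.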
ghostscript-9.22~dfsg/debian/patches/0002-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch 2018-04-20 12:28:29.000000000 +0200 
@@ -0,0 +1,46 @@
+From: Ken Sharp <ken.sh...@artifex.com>
+Date: Wed, 18 Apr 2018 15:46:32 +0100
+Subject: pdfwrite - Guard against trying to output an infinite number
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
+Bug-Debian: https://bugs.debian.org/896069
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699255
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10194
+
+Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
+
+The file uses an enormous parameter to xyxhow, causing an overflow in
+the calculation of text positioning (value > 1e39).
+
+Since this is basically a nonsense value, and PostScript only supports
+real values up to 1e38, this patch follows the same approach as for
+a degenerate CTM, and treats it as 0.
+
+Adobe Acrobat Distiller throws a limitcheck error, so we could do that
+instead if this approach proves to be a problem.
+---
+ devices/vector/gdevpdts.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
+index 848ad781f..172fe6bc3 100644
+--- a/devices/vector/gdevpdts.c
++++ b/devices/vector/gdevpdts.c
+@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
+ static int
+ set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
+ {
+- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++ int code;
+ double rounded;
+
++ if (dx > 1e38 || dy > 1e38)
++ code = gs_error_undefinedresult;
++ else
++ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++
+ if (code == gs_error_undefinedresult) {
+ /* The CTM is degenerate.
+ Can't know the distance in user space.
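Review bot: The new guard in set_text_distance tests only `dx > 1e38 || dy > 1e38`, so an equally large negative displacement, or a NaN, still reaches gs_distance_transform_inverse. If the downstream overflow depends on magnitude, as the commit message suggests, the check should be symmetric, e.g. `if (fabs(dx) > 1e38 || fabs(dy) > 1e38)` (assuming `<math.h>` is already available in gdevpdts.c). The guard also bounds the inputs rather than the transformed `pdist`, so a near-degenerate `pmat` could presumably still produce an out-of-range result from in-range inputs; a range check on `pdist->x` and `pdist->y` after the call would cover that. A one-line comment naming 1e38 as the PostScript real limit would document the constant where it is used. The function body continues past the end of the hunk.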
+--
+2.17.0
+
diff -Nru ghostscript-9.22~dfsg/debian/patches/series ghostscript-9.22~dfsg/debian/patches/series
--- ghostscript-9.22~dfsg/debian/patches/series 2018-02-10 17:40:08.000000000 +0100
+++ ghostscript-9.22~dfsg/debian/patches/series 2018-04-20 12:28:29.000000000 +0200
@@ -1,3 +1,5 @@
+0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
+0002-pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch
 2003_support_multiarch.patch