Bug#897188: stretch-pu: package ghostscript/9.20~dfsg-3.2+deb9u2

2018-05-28 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2018-05-26 at 11:09 +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sat, May 26, 2018 at 09:39:12AM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sun, 2018-04-29 at 20:43 +0200, Salvatore Bonaccorso wrote:
> > > I would like to propose the following ghostscript update via a stretch
> > > point release. It addresses two CVEs which do not warrant a DSA on its
> > > own but would still be good to be addressed in stable.
> > > 
> > > It addresses:
> > >  - CVE-2018-10194 / 896069. Triggering the poc was not possible here
> > >    but the fix consists of doing an additional check in
> > >    set_text_distance function.
> > >  - CVE-2016-10317, testing happened with the fixed version against the
> > >    provided poc. The fix requires a previous prerequisite change.
> > > 
> > 
> > Please go ahead; sorry for the delay.
> 
> Thank you! Uploaded.

Flagged for acceptance; thanks.

Regards,

Adam



Bug#897188: stretch-pu: package ghostscript/9.20~dfsg-3.2+deb9u2

2018-05-26 Thread Salvatore Bonaccorso
Hi,

On Sat, May 26, 2018 at 09:39:12AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2018-04-29 at 20:43 +0200, Salvatore Bonaccorso wrote:
> > I would like to propose the following ghostscript update via a stretch
> > point release. It addresses two CVEs which do not warrant a DSA on its
> > own but would still be good to be addressed in stable.
> > 
> > It addresses:
> >  - CVE-2018-10194 / 896069. Triggering the poc was not possible here
> >    but the fix consists of doing an additional check in
> >    set_text_distance function.
> >  - CVE-2016-10317, testing happened with the fixed version against the
> >    provided poc. The fix requires a previous prerequisite change.
> > 
> 
> Please go ahead; sorry for the delay.

Thank you! Uploaded.

Regards,
Salvatore



Bug#897188: stretch-pu: package ghostscript/9.20~dfsg-3.2+deb9u2

2018-05-26 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2018-04-29 at 20:43 +0200, Salvatore Bonaccorso wrote:
> I would like to propose the following ghostscript update via a stretch
> point release. It addresses two CVEs which do not warrant a DSA on its
> own but would still be good to be addressed in stable.
> 
> It addresses:
>  - CVE-2018-10194 / 896069. Triggering the poc was not possible here
>    but the fix consists of doing an additional check in
>    set_text_distance function.
>  - CVE-2016-10317, testing happened with the fixed version against the
>    provided poc. The fix requires a previous prerequisite change.
> 

Please go ahead; sorry for the delay.

Regards,

Adam



Bug#897188: stretch-pu: package ghostscript/9.20~dfsg-3.2+deb9u2

2018-04-29 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi

I would like to propose the following ghostscript update via a stretch
point release. It addresses two CVEs which do not warrant a DSA on its
own but would still be good to be addressed in stable.

It addresses:
 - CVE-2018-10194 / 896069. Triggering the poc was not possible here
   but the fix consists of doing an additional check in
   set_text_distance function.
 - CVE-2016-10317, testing happened with the fixed version against the
   provided poc. The fix requires a previous prerequisite change.

Given
https://lists.debian.org/debian-devel-announce/2018/04/msg7.html I
still preferred to get a peer an explicit ack before the upload.

Regards,
Salvatore
diff -Nru ghostscript-9.20~dfsg/debian/changelog 
ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog  2017-09-28 21:47:33.0 
+0200
+++ ghostscript-9.20~dfsg/debian/changelog  2018-04-29 10:58:15.0 
+0200
@@ -1,3 +1,14 @@
+ghostscript (9.20~dfsg-3.2+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Segfault with fuzzing file in gxht_thresh_image_init
+  * Buffer overflow in fill_threshold_buffer (CVE-2016-10317)
+(Closes: #860869)
+  * pdfwrite - Guard against trying to output an infinite number
+(CVE-2018-10194) (Closes: #896069)
+
+ -- Salvatore Bonaccorso   Sun, 29 Apr 2018 10:58:15 +0200
+
 ghostscript (9.20~dfsg-3.2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
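Review bot: The first new changelog bullet, "Segfault with fuzzing file in gxht_thresh_image_init", carries no bug reference and does not say why it belongs in a point release. It appears to be the prerequisite change the request mentions for the CVE-2016-10317 fix (the added patch is named Fix-Bug-696398-Segfault-with-fuzzing-file.patch), so the entry should say that and cite upstream bug 696398, for example "(prerequisite for the CVE-2016-10317 fix; upstream bug 696398)".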
diff -Nru 
ghostscript-9.20~dfsg/debian/patches/Fix-Bug-696398-Segfault-with-fuzzing-file.patch
 
ghostscript-9.20~dfsg/debian/patches/Fix-Bug-696398-Segfault-with-fuzzing-file.patch
--- 
ghostscript-9.20~dfsg/debian/patches/Fix-Bug-696398-Segfault-with-fuzzing-file.patch
1970-01-01 01:00:00.0 +0100
+++ 
ghostscript-9.20~dfsg/debian/patches/Fix-Bug-696398-Segfault-with-fuzzing-file.patch
2018-04-29 10:58:15.0 +0200
@@ -0,0 +1,29 @@
+From: Ray Johnston 
+Date: Wed, 19 Jul 2017 22:05:33 -0700
+Subject: Fix Bug 696398: Segfault with fuzzing file.
+Origin: 
http://git.ghostscript.com/?p=ghostpdl.git;h=983e56cb679768fe5a048fbb33a43259efb9afbf
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=696398
+
+Oveflow of integer caused later failure even if allocation of the
+ht_buffer succeeded.  Detect overflow, return error.
+---
+ base/gxht_thresh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/base/gxht_thresh.c b/base/gxht_thresh.c
+index 35f8e3f57..3fb840213 100644
+--- a/base/gxht_thresh.c
 b/base/gxht_thresh.c
+@@ -711,6 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+space */
+ max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+ (float) penum->Height);
++if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / 
max_height))
++return -1; /* overflow */
++
+ penum->ht_buffer =
+ gs_alloc_bytes(penum->memory,
+penum->ht_stride * max_height * spp_out,
+-- 
+2.17.0
+
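Review bot: In the check added to gxht_thresh_image_init, the left-hand side "penum->ht_stride * spp_out" is itself an unchecked multiplication, so the guard only covers the final multiply by max_height. The operand types are not visible in this hunk; please confirm that product cannot wrap, or test in two steps (ht_stride against max_int / spp_out, then the product against max_int / max_height). The bare "return -1" would also be clearer as a named error code, so callers can tell an overflow from other failures, and the patch description has a typo ("Oveflow").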
diff -Nru 
ghostscript-9.20~dfsg/debian/patches/Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
 
ghostscript-9.20~dfsg/debian/patches/Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
--- 
ghostscript-9.20~dfsg/debian/patches/Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
 1970-01-01 01:00:00.0 +0100
+++ 
ghostscript-9.20~dfsg/debian/patches/Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
 2018-04-29 10:58:15.0 +0200
@@ -0,0 +1,78 @@
+From: Ray Johnston 
+Date: Tue, 21 Nov 2017 12:48:54 -0800
+Subject: Fix bug 697459 Buffer overflow in fill_threshold_buffer
+Origin: 
http://git.ghostscript.com/?p=ghostpdl.git;h=362ec9daadb9992b0def3520cd1dc6fa52edd1c4
+Bug-Debian: https://bugs.debian.org/860869
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697459
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10317
+
+There was an overflow check for ht_buffer size, but none for the larger
+threshold_buffer. Note that this file didn't fail on Windows because the
+combination of the ht_buffer and the size of the (miscalculated due to
+overflow) threshold_buffer would have exceeded the 2Gb limit.
+---
+ base/gxht_thresh.c | 13 ++---
+ base/gxipixel.c|  2 +-
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/base/gxht_thresh.c b/base/gxht_thresh.c
+index 3fb840213..726861685 100644
+--- a/base/gxht_thresh.c
 b/base/gxht_thresh.c
+@@ -711,7 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+space */
+ max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+ (float) penum->Height);
+-if ((max_height > 0)