Bug#860869: ghostscript: diff for NMU version 9.22~dfsg-2.1

2018-04-20 Thread Salvatore Bonaccorso 
Hi Jonas,

On Fri, Apr 20, 2018 at 07:23:22PM +0200, Jonas Smedegaard wrote:
> Excerpts from Salvatore Bonaccorso's message of april 20, 2018 6:49 pm:
> > Control: tags 860869 + patch
> > Control: tags 860869 + pending
> > Control: tags 896069 + pending
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for ghostscript (versioned as 9.22~dfsg-2.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I
> > should delay it longer.
> 
> Great, Thanks a lot!
> 
> You need not delay it at all - please feel free to drop the delay.

Thanks, rescheduled. I always appreciate a peer-review evne though
ghostscript is on the LowNMU list.

Can you import the changes into the archive once it is accepted into
the archive?

Regards,
Salvatore

Bug#860869: ghostscript: diff for NMU version 9.22~dfsg-2.1

2018-04-20 Thread Jonas Smedegaard 

Excerpts from Salvatore Bonaccorso's message of april 20, 2018 6:49 pm:

Control: tags 860869 + patch
Control: tags 860869 + pending
Control: tags 896069 + pending

Dear maintainer,

I've prepared an NMU for ghostscript (versioned as 9.22~dfsg-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.


Great, Thanks a lot!

You need not delay it at all - please feel free to drop the delay.

- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

[x] quote me freely  [ ] ask before reusing  [ ] keep private


pgp0WiaWCni2W.pgp
Description: PGP signature

Bug#860869: ghostscript: diff for NMU version 9.22~dfsg-2.1

2018-04-20 Thread Salvatore Bonaccorso 
Control: tags 860869 + patch
Control: tags 860869 + pending
Control: tags 896069 + pending

Dear maintainer,

I've prepared an NMU for ghostscript (versioned as 9.22~dfsg-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru ghostscript-9.22~dfsg/debian/changelog ghostscript-9.22~dfsg/debian/changelog
--- ghostscript-9.22~dfsg/debian/changelog	2018-02-10 17:41:31.0 +0100
+++ ghostscript-9.22~dfsg/debian/changelog	2018-04-20 12:28:29.0 +0200
@@ -1,3 +1,13 @@
+ghostscript (9.22~dfsg-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Buffer overflow in fill_threshold_buffer (CVE-2016-10317)
+(Closes: #860869)
+  * pdfwrite - Guard against trying to output an infinite number
+(CVE-2018-10194) (Closes: #896069)
+
+ -- Salvatore Bonaccorso   Fri, 20 Apr 2018 12:28:29 +0200
+
 ghostscript (9.22~dfsg-2) unstable; urgency=medium
 
   * Update Vcs-* fields for the move to salsa.d.o
diff -Nru ghostscript-9.22~dfsg/debian/patches/0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch ghostscript-9.22~dfsg/debian/patches/0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
--- ghostscript-9.22~dfsg/debian/patches/0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch	1970-01-01 01:00:00.0 +0100
+++ ghostscript-9.22~dfsg/debian/patches/0001-Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch	2018-04-20 12:28:29.0 +0200
@@ -0,0 +1,78 @@
+From: Ray Johnston 
+Date: Tue, 21 Nov 2017 12:48:54 -0800
+Subject: Fix bug 697459 Buffer overflow in fill_threshold_buffer
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;h=362ec9daadb9992b0def3520cd1dc6fa52edd1c4
+Bug-Debian: https://bugs.debian.org/860869
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697459
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10317
+
+There was an overflow check for ht_buffer size, but none for the larger
+threshold_buffer. Note that this file didn't fail on Windows because the
+combination of the ht_buffer and the size of the (miscalculated due to
+overflow) threshold_buffer would have exceeded the 2Gb limit.
+---
+ base/gxht_thresh.c | 13 ++---
+ base/gxipixel.c|  2 +-
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/base/gxht_thresh.c b/base/gxht_thresh.c
+index 3fb840213..726861685 100644
+--- a/base/gxht_thresh.c
 b/base/gxht_thresh.c
+@@ -711,7 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+space */
+ max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+ (float) penum->Height);
+-if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))
++if (max_height <= 0)
++return -1;		/* shouldn't happen, but check so we don't div by zero */
++if (penum->ht_stride * spp_out > max_int / max_height)
+ return -1; /* overflow */
+ 
+ penum->ht_buffer =
+@@ -734,6 +736,11 @@ gxht_thresh_image_init(gx_image_enum *penum)
+Also allow a 15 sample over run during the execution.  */
+ temp = (int) ceil((float) ((dev_width + 15.0) + 15.0)/16.0);
+ penum->line_size = bitmap_raster(temp * 16 * 8);  /* The stride */
++if (penum->line_size > max_int / max_height) {
++gs_free_object(penum->memory, penum->ht_buffer, "gxht_thresh");
++penum->ht_buffer = NULL;
++return -1; /* thresh_buffer size overflow */
++}
+ penum->line = gs_alloc_bytes(penum->memory, penum->line_size * spp_out,
+  "gxht_thresh");
+ penum->thresh_buffer = gs_alloc_bytes(penum->memory,
+@@ -754,7 +761,7 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ }
+ 
+ static void
+-fill_threshhold_buffer(byte *dest_strip, byte *src_strip, int src_width,
++fill_threshold_buffer(byte *dest_strip, byte *src_strip, int src_width,
+int left_offset, int left_width, int num_tiles,
+int right_width)
+ {
+@@ -908,7 +915,7 @@ gxht_thresh_planes(gx_image_enum *penum, fixed xrun,
+to update with stride */
+ position = contone_stride * k;
+ /* Tile into the 128 bit aligned threshold strip */
+-fill_threshhold_buffer(&(thresh_align[position]),
++fill_threshold_buffer(&(thresh_align[position]),
+thresh_tile, thresh_width, dx, left_width,
+num_full_tiles, right_tile_width);
+ }
+diff --git a/base/gxipixel.c b/base/gxipixel.c
+index edd40c52d..cb4f02a09 100644
+--- a/base/gxipixel.c
 b/base/gxipixel.c
+@@ -758,7 +758,7 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ penum->memory = mem;
+ penum->buffer = buffer;
+ penum->buf