Control: tags 934638 + patch
Control: tags 934638 + pending

Dear Jonas,

I've prepared an NMU for ghostscript (versioned as 9.27~dfsg-3.1) and uploaded it to according to your ack. Merge request is as well in https://salsa.debian.org/printing-team/ghostscript/merge_requests/7 (as the others for the respective versions in buster- and stretch-security).

Regards,
Salvatore

diff -Nru ghostscript-9.27~dfsg/debian/changelog ghostscript-9.27~dfsg/debian/changelog --- ghostscript-9.27~dfsg/debian/changelog 2019-07-24 17:45:28.000000000 +0200 +++ ghostscript-9.27~dfsg/debian/changelog 2019-08-13 09:49:11.000000000 +0200 @@ -1,3 +1,11 @@ +ghostscript (9.27~dfsg-3.1) unstable; urgency=medium + + * Non-maintainer upload (with maintainers approval). + * protect use of .forceput with executeonly (CVE-2019-10216) + (Closes: #934638) + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 13 Aug 2019 09:49:11 +0200 + ghostscript (9.27~dfsg-3) unstable; urgency=medium * Declare compliance with Debian Policy 4.4.0. diff -Nru ghostscript-9.27~dfsg/debian/patches/020190802~5b85ddd.patch ghostscript-9.27~dfsg/debian/patches/020190802~5b85ddd.patch --- ghostscript-9.27~dfsg/debian/patches/020190802~5b85ddd.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.27~dfsg/debian/patches/020190802~5b85ddd.patch 2019-08-13 09:49:11.000000000 +0200 
@@ -0,0 +1,52 @@ +From: Chris Liddell <chris.lidd...@artifex.com> +Date: Fri, 2 Aug 2019 15:18:26 +0100 +Subject: Bug 701394: protect use of .forceput with executeonly +Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19a8420a1bd2d5529325be35d78e94234 +Bug-Debian: https://bugs.debian.org/934638 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10216 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701394 + +--- + Resource/Init/gs_type1.ps | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index 6c7735bc0cc3..a039ccee3590 100644 +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -118,25 +118,25 @@ + ( to be the same as glyph: ) print 1 index //== exec } if + 3 index exch 3 index .forceput + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname +- } ++ }executeonly + {pop} ifelse +- } forall ++ } executeonly forall + pop pop +- } ++ } executeonly + { + pop pop pop + } ifelse +- } ++ } executeonly + { + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname + pop pop + } ifelse +- } forall ++ } executeonly forall + 3 1 roll pop pop +- } if ++ } executeonly if + pop + dup /.AGLprocessed~GS //true .forceput +- } if ++ } executeonly if + + %% We need to excute the C .buildfont1 in a stopped context so that, if there + %% are errors we can put the stack back sanely and exit. Otherwise callers won't +-- +2.20.1 + diff -Nru ghostscript-9.27~dfsg/debian/patches/series ghostscript-9.27~dfsg/debian/patches/series --- ghostscript-9.27~dfsg/debian/patches/series 2019-04-20 10:09:53.000000000 +0200 +++ ghostscript-9.27~dfsg/debian/patches/series 2019-08-13 09:49:11.000000000 +0200 @@ -1,4 +1,5 @@ 020190410~06c9207.patch +020190802~5b85ddd.patch 2001_docdir_fix_for_debian.patch 2002_gs_man_fix_debian.patch 2003_support_multiarch.patch
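Review bot: In the Resource/Init/gs_type1.ps hunk (@@ -118,25 +118,25 @@), none of the seven added executeonly markers carries a comment saying why the procedures around the two .forceput calls have to be executeonly, so a later cleanup of these braces could drop one without anyone noticing. A short % comment next to the first .forceput, pointing at Bug 701394, would record the intent. Separately, the first changed line reads "}executeonly" with no space while the other six read "} executeonly"; it tokenizes the same because "}" is self-delimiting in PostScript, but matching the spacing keeps the file consistent.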
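Review bot: In the debian/changelog hunk, the CVE-2019-10216 entry does not name the patch file this upload adds, debian/patches/020190802~5b85ddd.patch, so a reader of the changelog has to go through debian/patches/series to find it. Mentioning the file name in that entry would close the gap. In the line above it, "with maintainers approval" is missing the apostrophe ("maintainer's").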