From 3a994f1a9484194cc40104e39ce4df53b62104a1 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 04 2017 09:04:13 +0000 Subject: import ghostscript-9.07-20.el7_3.1 --- diff --git a/SOURCES/ghostscript-cve-2013-5653.patch b/SOURCES/ghostscript-cve-2013-5653.patch new file mode 100644 index 0000000..affca36 --- /dev/null +++ b/SOURCES/ghostscript-cve-2013-5653.patch @@ -0,0 +1,72 @@ +From 950c602dc2dbbcbf5a856e85dba99bc8ac8420b9 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Sat, 5 Mar 2016 14:56:03 -0800 +Subject: [PATCH 1/1] Bug 694724: Have filenameforall and getenv honor SAFER + +--- + Resource/Init/gs_init.ps | 1 + + psi/zfile.c | 36 ++++++++++++++++++++---------------- + 2 files changed, 21 insertions(+), 16 deletions(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index c3f567d..abb9489 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2019,6 +2019,7 @@ readonly def + /LockFilePermissions //true + >> setuserparams + } ++ systemdict /getenv {pop //false} put + if + % setpagedevice has the side effect of clearing the page, but + % we will just document that. Using setpagedevice keeps the device +diff --git a/psi/zfile.c b/psi/zfile.c +index 4011789..dd05919 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p) + + if (len < devlen) + return_error(e_rangecheck); /* not even room for device len */ +- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen); +- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen, +- len - devlen); +- if (code == ~(uint) 0) { /* all done */ +- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ +- return o_pop_estack; +- } else if (code > len) /* overran string */ +- return_error(e_rangecheck); +- else { +- push(1); +- ref_assign(op, pscratch); +- r_set_size(op, code + devlen); +- push_op_estack(file_continue); /* come again */ +- *++esp = pscratch[2]; /* proc */ +- return o_push_estack; +- } ++ ++ do { ++ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen); ++ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen, ++ len - devlen); ++ if (code == ~(uint) 0) { /* all done */ ++ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ ++ return o_pop_estack; ++ } else if (code > len) /* overran string */ ++ return_error(gs_error_rangecheck); ++ else if (iodev != iodev_default(imemory) ++ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) { ++ push(1); ++ ref_assign(op, pscratch); ++ r_set_size(op, code + devlen); ++ push_op_estack(file_continue); /* come again */ ++ *++esp = pscratch[2]; /* proc */ ++ return o_push_estack; ++ } ++ } while(1); + } + /* Cleanup procedure for enumerating files */ + static int +-- +2.7.4 + diff --git a/SOURCES/ghostscript-cve-2016-7977.patch b/SOURCES/ghostscript-cve-2016-7977.patch new file mode 100644 index 0000000..43a0cae --- /dev/null +++ b/SOURCES/ghostscript-cve-2016-7977.patch @@ -0,0 +1,28 @@ +From bd7fcaf389a56179281324d8c7b90e90bb3ee4ac Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Mon, 3 Oct 2016 01:46:28 +0100 +Subject: [PATCH] Bug 697169: Be rigorous with SAFER permissions + +Once we've opened our input file from the command line, enforce the SAFER +rules. +--- + psi/zfile.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/psi/zfile.c b/psi/zfile.c +index dd05919..2f13259 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -1002,6 +1002,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx + gs_main_instance *minst = get_minst_from_memory(mem); + int code; + ++ if (i_ctx_p && starting_arg_file) ++ i_ctx_p->starting_arg_file = false; ++ + /* when starting arg files (@ files) iodev_default is not yet set */ + if (iodev == 0) + iodev = (gx_io_device *)gx_io_device_table[0]; +-- +2.7.4 + diff --git a/SOURCES/ghostscript-cve-2016-7978.patch b/SOURCES/ghostscript-cve-2016-7978.patch new file mode 100644 index 0000000..c19cd8b --- /dev/null +++ b/SOURCES/ghostscript-cve-2016-7978.patch @@ -0,0 +1,25 @@ +From fc3f0de2d6cd6f74ae94fc340e4d5fe8ac165314 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 5 Oct 2016 09:59:25 +0100 +Subject: [PATCH] Bug 697179: Reference count device icc profile + +when copying a device +--- + base/gsdevice.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/gsdevice.c b/base/gsdevice.c +index 37fcc7e..b52581c 100644 +--- a/base/gsdevice.c ++++ b/base/gsdevice.c +@@ -536,6 +536,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem, + dev->memory = mem; + dev->retained = !internal; + rc_init(dev, mem, (internal ? 0 : 1)); ++ rc_increment(dev->icc_struct); + } + + void +-- +2.7.4 + diff --git a/SOURCES/ghostscript-cve-2016-7979.patch b/SOURCES/ghostscript-cve-2016-7979.patch new file mode 100644 index 0000000..33d0404 --- /dev/null +++ b/SOURCES/ghostscript-cve-2016-7979.patch @@ -0,0 +1,43 @@ +From b80fc8cd2469fcdab0630cd507f42b410bb96fda Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Wed, 5 Oct 2016 10:10:58 +0100 +Subject: [PATCH] DSC parser - validate parameters + +Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it." + +Regardless of any security implications, its simply wrong for a PostScript +operator not to validate its parameter(s). + +No differences expected. +--- + psi/zdscpars.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/psi/zdscpars.c b/psi/zdscpars.c +index a6f8fc9..fa61d88 100644 +--- a/psi/zdscpars.c ++++ b/psi/zdscpars.c +@@ -132,11 +132,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p) + ref local_ref; + int code; + os_ptr const op = osp; +- dict * const pdict = op->value.pdict; +- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict); +- dsc_data_t * const data = +- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); ++ dict *pdict; ++ gs_memory_t *mem; ++ dsc_data_t *data; + ++ check_read_type(*op, t_dictionary); ++ ++ pdict = op->value.pdict; ++ mem = (gs_memory_t *)dict_memory(pdict); ++ ++ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init"); + if (!data) + return_error(e_VMerror); + data->document_level = 0; +-- +2.7.4 + diff --git a/SOURCES/ghostscript-cve-2016-8602.patch b/SOURCES/ghostscript-cve-2016-8602.patch new file mode 100644 index 0000000..91785dc --- /dev/null +++ b/SOURCES/ghostscript-cve-2016-8602.patch @@ -0,0 +1,55 @@ +From 30d5e341367002ca5b853b6b651f63e97ba580d1 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Sat, 8 Oct 2016 16:10:27 +0100 +Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5 + +and param types +--- + base/gserrors.h | 1 + + psi/zht2.c | 12 ++++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/base/gserrors.h b/base/gserrors.h +index 24b5eb4..c7dbe18 100644 +--- a/base/gserrors.h ++++ b/base/gserrors.h +@@ -33,6 +33,7 @@ + #define gs_error_limitcheck (-13) + #define gs_error_nocurrentpoint (-14) + #define gs_error_rangecheck (-15) ++#define gs_error_stackunderflow (-17) + #define gs_error_typecheck (-20) + #define gs_error_undefined (-21) + #define gs_error_undefinedfilename (-22) +diff --git a/psi/zht2.c b/psi/zht2.c +index a53b71b..95fef4b 100644 +--- a/psi/zht2.c ++++ b/psi/zht2.c +@@ -81,14 +81,22 @@ zsethalftone5(i_ctx_t *i_ctx_p) + gs_memory_t *mem; + uint edepth = ref_stack_count(&e_stack); + int npop = 2; +- int dict_enum = dict_first(op); ++ int dict_enum; + ref rvalue[2]; + int cname, colorant_number; + byte * pname; + uint name_size; + int halftonetype, type = 0; + gs_state *pgs = igs; +- int space_index = r_space_index(op - 1); ++ int space_index; ++ ++ if (ref_stack_count(&o_stack) < 2) ++ return_error(gs_error_stackunderflow); ++ check_type(*op, t_dictionary); ++ check_type(*(op - 1), t_dictionary); ++ ++ dict_enum = dict_first(op); ++ space_index = r_space_index(op - 1); + + mem = (gs_memory_t *) idmemory->spaces_indexed[space_index]; + +-- +2.7.4 + diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec index 727df65..7327831 100644 --- a/SPECS/ghostscript.spec +++ b/SPECS/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 20%{?dist} +Release: 20%{?dist}.1 # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 @@ -44,6 +44,14 @@ Patch20: ghostscript-hanging-in-convert.patch Patch21: ghostscript-check-icc-profile-errors.patch Patch22: ghostscript-cups-icc-profile.patch +# Security patches: +# ----------------- +Patch23: ghostscript-cve-2013-5653.patch +Patch24: ghostscript-cve-2016-7977.patch +Patch25: ghostscript-cve-2016-7978.patch +Patch26: ghostscript-cve-2016-7979.patch +Patch27: ghostscript-cve-2016-8602.patch + Requires: urw-fonts >= 1.1, ghostscript-fonts Requires: poppler-data BuildRequires: xz @@ -191,6 +199,21 @@ rm -rf expat freetype icclib jasper jpeg lcms lcms2 libpng openjpeg zlib cups/li # Fix the color printing on HP InkJet printers (bug #1225858) %patch22 -p1 +# getenv and filenameforall: do not ignore -dSAFER (bug #1380327) +%patch23 -p1 + +# .libfile: honor -dSAFER (bug #1380415) +%patch24 -p1 + +# Avoid reference leak in .setdevice (bug #1382300) +%patch25 -p1 + +# DSC parser - validate parameters (bug #1382305) +%patch26 -p1 + +# check for sufficient params in .sethalftone5 (bug #1383940) +%patch27 -p1 + # Remove pdfopt man pages which were mistakenly left in (bug #963882). rm man/{de/,}pdfopt.1 @@ -390,6 +413,14 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Thu Nov 3 2016 David Kaspar [Dee'Kej] - 9.07-20_1 +- Added security fixes for: + - CVE-2013-5653 (bug #1380327) + - CVE-2016-7977 (bug #1380415) + - CVE-2016-7978 (bug #1382300) + - CVE-2016-7979 (bug #1382305) + - CVE-2016-8602 (bug #1383940) + * Wed Jul 13 2016 David Kaspar [Dee'Kej] - 9.07-20 - Fixed some complains of CovScan in ghostscript-hanging-in-convert.patch