From cd3fc12dcff0a71c1ffedcca5d2f54a52c52018d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 01 2017 03:19:48 +0000 Subject: import ghostscript-9.07-28.el7 --- diff --git a/SOURCES/ghostscript-cve-2017-7207.patch b/SOURCES/ghostscript-cve-2017-7207.patch new file mode 100644 index 0000000..ebe83fe --- /dev/null +++ b/SOURCES/ghostscript-cve-2017-7207.patch @@ -0,0 +1,33 @@ +From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Mon, 20 Mar 2017 09:34:11 +0000 +Subject: [PATCH] Ensure a device has raster memory, before trying to read it. + +Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()" + +This is only possible by abusing/mis-using Ghostscript-specific +language extensions, so cannot happen in a general PostScript program. + +Nevertheless, Ghostscript should not crash. So this commit checks the +memory device to see if raster memory has been allocated, before trying +to read from it. +--- + base/gdevmem.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/base/gdevmem.c b/base/gdevmem.c +index afd05bd..d52d684 100644 +--- a/base/gdevmem.c ++++ b/base/gdevmem.c +@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, + GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE; + return_error(gs_error_rangecheck); + } ++ if (mdev->line_ptrs == 0x00) ++ return_error(gs_error_rangecheck); + if ((w <= 0) | (h <= 0)) { + if ((w | h) < 0) + return_error(gs_error_rangecheck); +-- +2.9.3 + diff --git a/SOURCES/ghostscript-cve-2017-8291.patch b/SOURCES/ghostscript-cve-2017-8291.patch index ec91360..41289a3 100644 --- a/SOURCES/ghostscript-cve-2017-8291.patch +++ b/SOURCES/ghostscript-cve-2017-8291.patch @@ -1,4 +1,4 @@ -From a8b6d9b56b2e17990aa2cce23022e9196e487154 Mon Sep 17 00:00:00 2001 +From 3a0439ded9a206060f560bd6784942adeab759ff Mon Sep 17 00:00:00 2001 From: Chris Liddell Date: Thu, 27 Apr 2017 13:03:33 +0100 Subject: [PATCH 1/4] Bug 697799: have .eqproc check its parameters @@ -30,7 +30,7 @@ index 54b3042..0d357f1 100644 2.9.3 -From d316ce788996a2cb2a1a6210bebb1000b8744a20 Mon Sep 17 00:00:00 2001 +From 9040e08c62422937c27fa5179657fbe3690809f3 Mon Sep 17 00:00:00 2001 From: Chris Liddell Date: Thu, 27 Apr 2017 13:21:31 +0100 Subject: [PATCH 2/4] Bug 697799: have .rsdparams check its parameters @@ -91,7 +91,7 @@ index fb4bce9..2629afa 100644 2.9.3 -From 3e1daaa70bd5ed08d7627494e7497457ad3fec99 Mon Sep 17 00:00:00 2001 +From ba6c38c25e8c0ece91c47d96578f3f7a0e6c4e6c Mon Sep 17 00:00:00 2001 From: Chris Liddell Date: Wed, 3 May 2017 12:05:45 +0100 Subject: [PATCH 3/4] Bug 697846: revision to commit 4f83478c88 (.eqproc) @@ -140,7 +140,7 @@ index 0d357f1..9042908 100644 2.9.3 -From 46c6f168d42e1d3d7d5a514a69cdba572466c638 Mon Sep 17 00:00:00 2001 +From ae3fdbd05b0e654273402e7391288a091a1c0a9e Mon Sep 17 00:00:00 2001 From: Chris Liddell Date: Thu, 11 May 2017 14:07:48 +0100 Subject: [PATCH 4/4] Bug 697892: fix check for op stack underflow. @@ -149,8 +149,8 @@ In the original fix, I used the wrong method to check for stack underflow, this is using the correct method. --- psi/zfrsd.c | 3 +-- - psi/zmisc3.c | 1 + - 2 files changed, 2 insertions(+), 2 deletions(-) + psi/zmisc3.c | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/psi/zfrsd.c b/psi/zfrsd.c index 2629afa..fd9872e 100644 @@ -167,13 +167,15 @@ index 2629afa..fd9872e 100644 return_error(e_typecheck); } diff --git a/psi/zmisc3.c b/psi/zmisc3.c -index 9042908..5d73d94 100644 +index 9042908..43803b5 100644 --- a/psi/zmisc3.c +++ b/psi/zmisc3.c -@@ -67,6 +67,7 @@ zeqproc(i_ctx_t *i_ctx_p) +@@ -65,8 +65,7 @@ zeqproc(i_ctx_t *i_ctx_p) + ref2_t stack[MAX_DEPTH + 1]; + ref2_t *top = stack; - if (ref_stack_count(&o_stack) < 2) - return_error(e_stackunderflow); +- if (ref_stack_count(&o_stack) < 2) +- return_error(e_stackunderflow); + check_op(2); if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) { make_false(op - 1); diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec index 031fea9..a6338ac 100644 --- a/SPECS/ghostscript.spec +++ b/SPECS/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 20%{?dist}.7 +Release: 28%{?dist} # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 @@ -54,8 +54,15 @@ Patch24: ghostscript-cve-2016-7977.patch Patch25: ghostscript-cve-2016-7978.patch Patch26: ghostscript-cve-2016-7979.patch Patch27: ghostscript-cve-2016-8602.patch +Patch31: ghostscript-cve-2017-7207.patch Patch32: ghostscript-cve-2017-8291.patch +# Upstream is not versioning the SONAME correctly, thus the rpmbuild is unable +# to recognize we need a newer version of lcms2. This 'hackish' workaround +# will make ghostscript to require at least the version we are built with. (bug #1436273) +%global lcms2_version %(pkg-config --modversion lcms2 2>/dev/null || echo 0) +Requires: lcms2 >= %{lcms2_version} + Requires: urw-fonts >= 1.1, ghostscript-fonts Requires: poppler-data BuildRequires: xz @@ -70,7 +77,7 @@ BuildRequires: libtool BuildRequires: jasper-devel BuildRequires: dbus-devel BuildRequires: poppler-data -BuildRequires: lcms2-devel >= 2.4-5 +BuildRequires: lcms2-devel BuildRequires: openjpeg-devel %{?_with_freetype:BuildRequires: freetype-devel} BuildRoot: %{_tmppath}/%{name}-%{gs_ver}-root @@ -227,6 +234,9 @@ rm -rf expat freetype icclib jasper jpeg lcms lcms2 libpng openjpeg zlib cups/li # Fix infinite 'for' loop in gdevp14.c file (bug #1424752) %patch30 -p1 +# Check for null-pointer dereference in mem_get_bits_rectangle() (bug #1435546): +%patch31 -p1 + # Fix for corruption of operand stack (bug #1446063): %patch32 -p1 @@ -429,25 +439,29 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog -* Wed May 24 2017 David Kaspar [Dee'Kej] - 9.07-20.el7_3.7 -- Fix infinite 'for' loop in gdevp14.c file (bug #1455084) - -* Tue May 23 2017 David Kaspar [Dee'Kej] - 9.07-20.el7_3.6 -- Fix for regression caused by previous CVE fixes (bug #1411725) - -* Thu May 11 2017 David Kaspar [Dee'Kej] - 9.07-20.el7_3.5 +* Thu May 11 2017 David Kaspar [Dee'Kej] - 9.07-28 - Security fix for CVE-2017-8291 updated to address SIGSEGV -* Wed May 03 2017 David Kaspar [Dee'Kej] - 9.07-20.el7_3.4 +* Wed May 03 2017 David Kaspar [Dee'Kej] - 9.07-27 - Added security fix for CVE-2017-8291 (bug #1446063) -* Fri Jan 20 2017 David Kaspar [Dee'Kej] - 9.07-20.el7_3.3 -- bogus date in previous changelog entry fixed +* Tue Apr 11 2017 David Kaspar [Dee'Kej] - 9.07-26 +- Updated requirements for lcms2 to avoid possible issues in the future + +* Thu Apr 06 2017 David Kaspar [Dee'Kej] - 9.07-25 +- Added security fix for CVE-2017-7207 (bug #1434353) +- Added explicit requirement for lcms2 version we are build with (bug #1436273) + +* Tue Mar 21 2017 David Kaspar [Dee'Kej] - 9.07-24 +- Fix infinite 'for' loop in gdevp14.c file (bug #1424752) + +* Wed Feb 15 2017 David Kaspar [Dee'Kej] - 9.07-23 +- Fix for regression caused by previous CVE fixes (bug #1411725) -* Mon Jan 16 2017 David Kaspar [Dee'Kej] - 9.07-20.el7_3.2 -- Fix of SIGSEGV in cid_font_data_param when using ps2pdf (bug #1412606) +* Tue Jan 10 2017 David Kaspar [Dee'Kej] - 9.07-22 +- Fix of SIGSEGV in cid_font_data_param when using ps2pdf (bug #1390847) -* Thu Nov 3 2016 David Kaspar [Dee'Kej] - 9.07-20.el7_3.1 +* Thu Nov 3 2016 David Kaspar [Dee'Kej] - 9.07-21 - Added security fixes for: - CVE-2013-5653 (bug #1380327) - CVE-2016-7977 (bug #1380415)