Bug#859662: ghostscript: diff for NMU version 9.20~dfsg-3.1
Control: tags 859662 + patch
Control: tags 859662 + pending
Control: tags 859666 + pending
Control: tags 859694 + pending
Control: tags 859696 + pending
Control: tags 861295 + patch
Control: tags 861295 + pending
Dear maintainer,
I've prepared an NMU for ghostscript (versioned as 9.20~dfsg-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Actually, if possible and you agree on the debdiff/patchset, an upload
earlier than the delay would be good in the light of #861295.
Regards,
Salvatore
diff -Nru ghostscript-9.20~dfsg/debian/changelog ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog 2017-03-21 17:20:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/changelog 2017-04-28 06:50:05.000000000 +0200
@@ -1,3 +1,18 @@
+ghostscript (9.20~dfsg-3.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%"
+ substring (CVE-2017-8291) (Closes: #861295)
+ * use the correct param list enumerator (CVE-2017-5951) (Closes: #859696)
+ * fix crash with bad data supplied to makeimagedevice (CVE-2016-10220)
+ (Closes: #859694)
+ * Avoid divide by 0 in scan conversion code (CVE-2016-10219)
+ (Closes: #859666)
+ * Dont create new ctx when pdf14 device reenabled (CVE-2016-10217)
+ (Closes: #859662)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 28 Apr 2017 06:50:05 +0200
+
ghostscript (9.20~dfsg-3) unstable; urgency=medium
* Fix NULL pointer dereference in mem_get_bits_rectangle().
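Review bot: the CVE-2017-8291 entry describes the symptom ("-dSAFER bypass and remote command execution via a "/OutputFile (%pipe%" substring"), while the two patches carried for it below (0001 and 0002, upstream Bug 697799) only add operand count and type checks to the `.eqproc` and `.rsdparams` operators; consider naming those operators in the entry so that anyone verifying the fix does not look for a change to the `%pipe%`/OutputFile handling, which is not part of this upload.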
diff -Nru ghostscript-9.20~dfsg/debian/patches/0001-Bug-697799-have-.eqproc-check-its-parameters.patch ghostscript-9.20~dfsg/debian/patches/0001-Bug-697799-have-.eqproc-check-its-parameters.patch
--- ghostscript-9.20~dfsg/debian/patches/0001-Bug-697799-have-.eqproc-check-its-parameters.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0001-Bug-697799-have-.eqproc-check-its-parameters.patch 2017-04-28 06:50:05.000000000 +0200
@@ -0,0 +1,31 @@
+From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 27 Apr 2017 13:03:33 +0100
+Subject: [PATCH 1/2] Bug 697799: have .eqproc check its parameters
+
+The Ghostscript custom operator .eqproc was not check the number or type of
+the parameters it was given.
+---
+ psi/zmisc3.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zmisc3.c b/psi/zmisc3.c
+index 54b3042..37293ff 100644
+--- a/psi/zmisc3.c
++++ b/psi/zmisc3.c
+@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
+ ref2_t stack[MAX_DEPTH + 1];
+ ref2_t *top = stack;
+
++ if (ref_stack_count(&o_stack) < 2)
++ return_error(gs_error_stackunderflow);
++ if (!r_is_array(op - 1) || !r_is_array(op)) {
++ return_error(gs_error_typecheck);
++ }
++
+ make_array(&stack[0].proc1, 0, 1, op - 1);
+ make_array(&stack[0].proc2, 0, 1, op);
+ for (;;) {
+--
+2.1.4
+
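Review bot: the two new guards in `zeqproc` are inconsistent in style, `return_error(gs_error_stackunderflow);` is unbraced while the typecheck return is wrapped in braces; pick one form. More importantly there is no regression test for the cases the check is meant to reject: a short PostScript snippet calling `.eqproc` with fewer than two operands, and one with non-array operands such as `1 2 .eqproc`, should now raise `stackunderflow` and `typecheck` respectively instead of crashing, and is worth adding to the package tests or at least recording in the bug log.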
diff -Nru ghostscript-9.20~dfsg/debian/patches/0002-Bug-697799-have-.rsdparams-check-its-parameters.patch ghostscript-9.20~dfsg/debian/patches/0002-Bug-697799-have-.rsdparams-check-its-parameters.patch
--- ghostscript-9.20~dfsg/debian/patches/0002-Bug-697799-have-.rsdparams-check-its-parameters.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0002-Bug-697799-have-.rsdparams-check-its-parameters.patch 2017-04-28 06:50:05.000000000 +0200
@@ -0,0 +1,60 @@
+From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 27 Apr 2017 13:21:31 +0100
+Subject: [PATCH 2/2] Bug 697799: have .rsdparams check its parameters
+
+The Ghostscript internal operator .rsdparams wasn't checking the number or
+type of the operands it was being passed. Do so.
+---
+ psi/zfrsd.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/psi/zfrsd.c b/psi/zfrsd.c
+index 191107d..950588d 100644
+--- a/psi/zfrsd.c
++++ b/psi/zfrsd.c
+@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ ref *pFilter;
+ ref *pDecodeParms;
+ int Intent = 0;
+- bool AsyncRead;
++ bool AsyncRead = false;
+ ref empty_array, filter1_array, parms1_array;
+ uint i;
+- int code;
++ int code = 0;
++
++ if (ref_stack_count(&o_stack) < 1)
++ return_error(gs_error_stackunderflow);
++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++ return_error(gs_error_typecheck);
++ }
+
+ make_empty_array(&empty_array, a_readonly);
+- if (dict_find_string(op, "Filter", &pFilter) > 0) {
++ if (r_has_type(op, t_dictionary)
++ && dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (!r_is_array(pFilter)) {
+ if (!r_has_type(pFilter, t_name))
+ return_error(gs_error_typecheck);
+@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ return_error(gs_error_typecheck);
+ }
+ }
+- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++ if (r_has_type(op, t_dictionary))
++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+ if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
+ return code;
+- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+- )
+- return code;
++ if (r_has_type(op, t_dictionary))
++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++ return code;
+ push(1);
+ op[-1] = *pFilter;
+ if (pDecodeParms)
+--
+2.1.4
+
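Review bot: the operand guard now admits `t_null` as well as `t_dictionary`, so every later dictionary lookup on `op` has to be conditioned on `r_has_type(op, t_dictionary)`; the hunks do that for `Filter`, `Intent` and `AsyncRead`, but the lookup that sets `pDecodeParms` (declared at the top of the function and tested with `if (pDecodeParms)` at the end) is outside the visible context and needs the same guard, otherwise a null operand still reaches `dict_find_string` with a non-dictionary. Hoisting the test into one local such as `bool have_dict = r_has_type(op, t_dictionary);` would make it hard to miss a site. Minor: the nested unbraced `if (r_has_type(op, t_dictionary)) if ((code = ...) < 0) return code;` is easy to misread; use braces.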
diff -Nru ghostscript-9.20~dfsg/debian/patches/0003-Bug-697548-use-the-correct-param-list-enumerator.patch ghostscript-9.20~dfsg/debian/patches/0003-Bug-697548-use-the-correct-param-list-enumerator.patch
--- ghostscript-9.20~dfsg/debian/patches/0003-Bug-697548-use-the-correct-param-list-enumerator.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0003-Bug-697548-use-the-correct-param-list-enumerator.patch 2017-04-28 06:50:05.000000000 +0200
@@ -0,0 +1,39 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+
+Using the correct enumerator works better.
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+ gs_param_enumerator_t enumr;
+ gs_param_key_t key;
+ ref_type keytype;
++ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+
+ param_init_enumerator(&enumr);
+- if (!(*((iparam_list *) plist)->enumerate)
+- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
++ if (!(*(dlist->enumerate))
++ ((iparam_list *) dlist, &enumr, &key, &keytype)
+ && keytype == t_integer) {
+- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
++ dlist->int_keys = 1;
+ pvalue->type = gs_param_type_dict_int_keys;
+ }
+ }
+--
+2.1.4
+
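Review bot: the fix is right as far as the visible lines go (the `enumerate` function pointer of the freshly created dictionary list `dlist` is now applied to `dlist` itself, instead of the parent `plist`'s enumerator being applied to the child list), but the cast `dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;` is made before any visible check that `pvalue->type` is a dictionary type; please confirm the enclosing condition above line 770 guarantees that, and add a one-line comment saying why `dlist->enumerate` rather than `plist`'s must be used so the mistake is not reintroduced. A regression test with a nested dictionary in a ref_param_list (the case the commit message says segfaulted) would be welcome.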
diff -Nru ghostscript-9.20~dfsg/debian/patches/0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch ghostscript-9.20~dfsg/debian/patches/0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch
--- ghostscript-9.20~dfsg/debian/patches/0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch 2017-04-28 06:50:05.000000000 +0200
@@ -0,0 +1,50 @@
+From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Dec 2016 16:54:14 +0000
+Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
+
+Bug #697450 "Null pointer dereference in gx_device_finalize()"
+
+The problem here is that the code to finalise a device unconditionally
+frees the icc_struct member of the device structure. However this
+particular (weird) device is not setup as a normal device, probably
+because its very, very ancient. Its possible for the initialisation
+of the device to abort with an error before calling gs_make_mem_device()
+which is where the icc_struct member gets allocated (or set to NULL).
+
+If that happens, then the cleanup code tries to free the device, which
+calls finalize() which tries to free a garbage pointer.
+
+Setting the device memory to 0x00 after we allocate it means that the
+icc_struct member will be NULL< and our memory manager allows for that
+happily enough, which avoids the problem.
+---
+ base/gsdevmem.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/base/gsdevmem.c b/base/gsdevmem.c
+index 97b9cf4..fe75bcc 100644
+--- a/base/gsdevmem.c
++++ b/base/gsdevmem.c
+@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
+
+ if (pnew == 0)
+ return_error(gs_error_VMerror);
++
++ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
++ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
++ * initialisation will fail, crucially it will fail *before* it calls
++ * gs_make_mem_device() which initialises the device. This means that the
++ * icc_struct member will be uninitialsed, but the device finalise method
++ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
++ * Apparently we do still need makeimagedevice to be available from
++ * PostScript, so in here just zero the device memory, which means that
++ * the finalise routine won't have a problem.
++ */
++ memset(pnew, 0x00, st_device_memory.ssize);
+ code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
+ colors, num_colors, word_oriented,
+ page_device, mem);
+--
+2.1.4
+
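Review bot: `memset(pnew, 0x00, st_device_memory.ssize);` takes its length from the structure descriptor rather than from the allocation; that is only safe if the allocation a few lines above (outside this hunk) was made with `&st_device_memory`, so please verify that, or use `sizeof` of the allocated type to tie the length to the object. Zeroing right after the `pnew == 0` check is the right place. Note that this only guarantees `icc_struct` is NULL on the finalize path described in the comment; `gs_initialize_wordimagedevice()` can still fail before `gs_make_mem_device()`, so the error path now relies on the finalizer tolerating an all-zero device, which is worth saying in the comment.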
diff -Nru ghostscript-9.20~dfsg/debian/patches/0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch ghostscript-9.20~dfsg/debian/patches/0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch
--- ghostscript-9.20~dfsg/debian/patches/0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch 2017-04-28 06:50:05.000000000 +0200
@@ -0,0 +1,44 @@
+From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 29 Dec 2016 15:57:43 +0000
+Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
+
+Arithmetic overflow due to extreme values in the scan conversion
+code can cause a division by 0.
+
+Avoid this with a simple extra check.
+
+ dx_old=cf814d81
+ endp->x_next=b0e859b9
+ alp->x_next=8069a73a
+
+leads to dx_den = 0
+---
+ base/gxfill.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/gxfill.c b/base/gxfill.c
+index 99196c0..2f81bb0 100644
+--- a/base/gxfill.c
++++ b/base/gxfill.c
+@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
+ fixed dx_old = alp->x_current - endp->x_current;
+ fixed dx_den = dx_old + endp->x_next - alp->x_next;
+
+- if (dx_den <= dx_old)
++ if (dx_den <= dx_old || dx_den == 0)
+ return false; /* Intersection isn't possible. */
+ dy = y1 - y;
+ if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
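Review bot: the added `dx_den == 0` test stops the division by zero for the values quoted in the commit message, but the cause is a signed overflow in `fixed dx_den = dx_old + endp->x_next - alp->x_next;`, which is undefined behaviour in C before the check even runs; the quoted `dx_old=cf814d81`, `endp->x_next=b0e859b9`, `alp->x_next=8069a73a` only give `dx_den == 0` through wraparound, and other inputs can wrap to a non-zero but wrong value that passes `dx_den <= dx_old`. Consider computing `dx_den` in a wider intermediate (64-bit) or with an overflow-checked add and returning `false` when it overflows, so the existing sign test sees the true value.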
+@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
+ /* Do the computation in single precision */
+ /* if the values are small enough. */
+ y_new =
+- ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
++ (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
+ dy * dx_old / dx_den :
+ (INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
+ + y;
+--
+2.1.4
+
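Review bot: the `(ufixed)` cast in `(((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?` silently changes which branch negative values take: a negative `dy` or `dx_old` becomes a large unsigned number and falls through to the `fixed_mult_quo` slow path instead of the single-precision `dy * dx_old / dx_den`. That is presumably the intent (the product of two large-magnitude operands must not be computed in `fixed`), but it is not obvious from the code and is not mentioned in the commit message; add a comment on that line, and note that the bound `1L << (size_of(fixed) * 4 - 1)` assumes `ufixed` has the same width as `fixed`.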
diff -Nru ghostscript-9.20~dfsg/debian/patches/0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch ghostscript-9.20~dfsg/debian/patches/0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch
--- ghostscript-9.20~dfsg/debian/patches/0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch 2017-04-28 06:50:05.000000000 +0200
@@ -0,0 +1,33 @@
+From 90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb Mon Sep 17 00:00:00 2001
+From: Michael Vrhel <michael.vrhel@artifex.com>
+Date: Thu, 29 Dec 2016 14:00:21 -0800
+Subject: [PATCH] Bug 697456. Dont create new ctx when pdf14 device reenabled
+
+This bug had yet another weird case where the user created a
+file that pushed the pdf14 device twice. We were in that case,
+creating a new ctx and blowing away the original one with out
+proper clean up. To avoid, only create a new one when we need it.
+---
+ base/gdevp14.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/base/gdevp14.c b/base/gdevp14.c
+index fd56ec9..f19318e 100644
+--- a/base/gdevp14.c
++++ b/base/gdevp14.c
+@@ -1669,8 +1669,10 @@ pdf14_open(gx_device *dev)
+ rect.p.y = 0;
+ rect.q.x = dev->width;
+ rect.q.y = dev->height;
+- pdev->ctx = pdf14_ctx_new(&rect, dev->color_info.num_components,
+- pdev->color_info.polarity != GX_CINFO_POLARITY_SUBTRACTIVE, dev);
++ /* If we are reenabling the device dont create a new ctx. Bug 697456 */
++ if (pdev->ctx == NULL)
++ pdev->ctx = pdf14_ctx_new(&rect, dev->color_info.num_components,
++ pdev->color_info.polarity != GX_CINFO_POLARITY_SUBTRACTIVE, dev);
+ if (pdev->ctx == NULL)
+ return_error(gs_error_VMerror);
+ pdev->free_devicen = true;
+--
+2.1.4
+
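Review bot: reusing the existing `pdev->ctx` when the device is re-opened avoids the leak, but `rect` is rebuilt from `dev->width`/`dev->height` on every call to `pdf14_open` while the retained ctx keeps the rectangle and component count it was created with; if either can change between the first open and the re-open, the old ctx is stale. Either compare the stored rectangle against `rect` before reusing the ctx (and recreate it, with proper cleanup, when they differ), or document in the `/* If we are reenabling the device ... */` comment why the dimensions cannot change once the ctx exists.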
diff -Nru ghostscript-9.20~dfsg/debian/patches/series ghostscript-9.20~dfsg/debian/patches/series
--- ghostscript-9.20~dfsg/debian/patches/series 2017-03-21 17:14:17.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/series 2017-04-28 06:50:05.000000000 +0200
@@ -7,6 +7,12 @@
020161008~f5c7555.patch
020161026~0726780.patch
020170317~309eca4.patch
+0001-Bug-697799-have-.eqproc-check-its-parameters.patch
+0002-Bug-697799-have-.rsdparams-check-its-parameters.patch
+0003-Bug-697548-use-the-correct-param-list-enumerator.patch
+0004-fix-crash-with-bad-data-supplied-to-makeimagedevice.patch
+0005-Bug-697453-Avoid-divide-by-0-in-scan-conversion-code.patch
+0006-Bug-697456.-Dont-create-new-ctx-when-pdf14-device-re.patch
1001_fix_openjp2_dynamic_linking.patch
2001_docdir_fix_for_debian.patch
2002_gs_man_fix_debian.patch
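Review bot: style only: the upstream cherry-picks already in `debian/patches/series` are named with a date and commit prefix (e.g. `020170317~309eca4.patch`), while the six new files keep their `git format-patch` names; renaming them to the package's convention, or at least recording the upstream commit ids (present in the patch headers) in the changelog, keeps the series consistent and makes the patches easier to drop on the next upstream update.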