diff options
author | Leo Famulari <leo@famulari.name> | 2017-04-28 16:34:05 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-04-28 17:02:42 -0400 |
commit | a01f15759a00503101baa23af87cbd6095a1fbd6 (patch) | |
tree | 3301316e57c14e54cd812e2120052c842b7a7ae7 | |
parent | 73749ae9f1e4f1102fe5c1824840ee6574874fd9 (diff) | |
download | patches-a01f15759a00503101baa23af87cbd6095a1fbd6.tar patches-a01f15759a00503101baa23af87cbd6095a1fbd6.tar.gz |
gnu: ghostscript: Fix CVE-2017-8291.
* gnu/packages/patches/ghostscript-CVE-2017-8291.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
(ghostscript/fixed): New variable.
(ghostscript-with-x)[replacement]: New field.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/ghostscript.scm | 13 | ||||
-rw-r--r-- | gnu/packages/patches/ghostscript-CVE-2017-8291.patch | 73 |
3 files changed, 87 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 40fd0f0619..117da28fb3 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -603,6 +603,7 @@ dist_patch_DATA = \ %D%/packages/patches/ghostscript-CVE-2016-7978.patch \ %D%/packages/patches/ghostscript-CVE-2016-7979.patch \ %D%/packages/patches/ghostscript-CVE-2016-8602.patch \ + %D%/packages/patches/ghostscript-CVE-2017-8291.patch \ %D%/packages/patches/ghostscript-runpath.patch \ %D%/packages/patches/glib-networking-ssl-cert-file.patch \ %D%/packages/patches/glib-tests-timer.patch \ diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index 076046e721..5340107f99 100644 --- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm @@ -130,6 +130,7 @@ printing, and psresize, for adjusting page sizes.") (define-public ghostscript (package (name "ghostscript") + (replacement ghostscript/fixed) (version "9.14.0") (source (origin (method url-fetch) @@ -209,11 +210,23 @@ output file formats and printers.") (define-public ghostscript/x (package (inherit ghostscript) + (replacement #f) (name (string-append (package-name ghostscript) "-with-x")) (inputs `(("libxext" ,libxext) ("libxt" ,libxt) ,@(package-inputs ghostscript))))) +(define ghostscript/fixed + (package + (inherit ghostscript) + (source + (origin + (inherit (package-source ghostscript)) + (patches + (append + (origin-patches (package-source ghostscript)) + (search-patches "ghostscript-CVE-2017-8291.patch"))))))) + (define-public ijs (package (name "ijs") diff --git a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch new file mode 100644 index 0000000000..db80b6ddec --- /dev/null +++ b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch @@ -0,0 +1,73 @@ +Fix CVE-2017-8291: + +https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8291 + +This patch is adapted from these two Artifex Ghostscript commits by Leo +Famulari <leo@famulari.name>: + +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d;hp=4f83478c88c2e05d6e8d79ca4557eb039354d2f3 +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3;hp=5603e8fc3e59c435318877efe627967ee6baebb8 + +diff --git a/psi/zfrsd.c b/psi/zfrsd.c +index fb4bce9..2629afa 100644 +--- a/psi/zfrsd.c ++++ b/psi/zfrsd.c +@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p) + ref *pFilter; + ref *pDecodeParms; + int Intent = 0; +- bool AsyncRead; ++ bool AsyncRead = false; + ref empty_array, filter1_array, parms1_array; + uint i; +- int code; ++ int code = 0; ++ ++ if (ref_stack_count(&o_stack) < 1) ++ return_error(e_stackunderflow); ++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) { ++ return_error(e_typecheck); ++ } + + make_empty_array(&empty_array, a_readonly); +- if (dict_find_string(op, "Filter", &pFilter) > 0) { ++ if (r_has_type(op, t_dictionary) ++ && dict_find_string(op, "Filter", &pFilter) > 0) { + if (!r_is_array(pFilter)) { + if (!r_has_type(pFilter, t_name)) + return_error(e_typecheck); +@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p) + return_error(e_typecheck); + } + } +- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); ++ if (r_has_type(op, t_dictionary)) ++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); + if (code < 0 && code != e_rangecheck) /* out-of-range int is ok, use 0 */ + return code; +- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0 +- ) +- return code; ++ if (r_has_type(op, t_dictionary)) ++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) ++ return code; + push(1); + op[-1] = *pFilter; + if (pDecodeParms) +diff --git a/psi/zmisc3.c b/psi/zmisc3.c +index 54b3042..0d357f1 100644 +--- a/psi/zmisc3.c ++++ b/psi/zmisc3.c +@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p) + ref2_t stack[MAX_DEPTH + 1]; + ref2_t *top = stack; + ++ if (ref_stack_count(&o_stack) < 2) ++ return_error(e_stackunderflow); ++ if (!r_is_array(op - 1) || !r_is_array(op)) { ++ return_error(e_typecheck); ++ } ++ + make_array(&stack[0].proc1, 0, 1, op - 1); + make_array(&stack[0].proc2, 0, 1, op); + for (;;) { |