[notify] ghostscript: security fix for CVE-2017-{5951,7207,8291}

Juergen Daubert 2017-04-28 18:24:53 +02:00
parent 6770bdee73
commit 108ec6ca15
6 changed files with 167 additions and 4 deletions


@ -1,2 +1,5 @@
beaa36aa16eb106f887d82e79c6a2a8e CVE-2017-5951.patch
d4d9df9208e82d0acb281902207c96ba CVE-2017-7207.patch
f11a4eb98c9509bbffedbcdc49897d7b CVE-2017-8291.patch
631beea7aa1f70f2cdca14e0308b8801 ghostscript-9.21.tar.xz
6865682b095f8c4500c54b285ff05ef6 ghostscript-fonts-std-8.11.tar.gz


@ -1,6 +1,9 @@
untrusted comment: verify with /etc/ports/opt.pub
RWSE3ohX2g5d/XupFnAOzCWOVK6hjneL+ca49i27wsc31kgyf+4S9fTuTEs0xkSdAl3DTsQibRDRwg/Pcu4gpwa1vTOmld4n4wE=
SHA256 (Pkgfile) = e361dcbebd28da381e99d941b1b32bee86b7651912320cd935833c70f572946a
RWSE3ohX2g5d/Rk1akQWsf9+QYM6accX0vBc2uhyN+5kdiy5PhssYjtGc9bCC/GX+hmTVXjhuoebKkR4hQfZ6Y5ed1VQj/w9mAw=
SHA256 (Pkgfile) = 3a98afbb46c99ef4845ee8d815cdb2d2f82fb103bffccaf45ede771b7cff08f1
SHA256 (.footprint) = e854d143e199c879f19edfb91138e4b9741952099d12819fd068599f3719c351
SHA256 (ghostscript-9.21.tar.xz) = 2be1d014888a34187ad4bbec19ab5692cc943bd1cb14886065aeb43a3393d053
SHA256 (ghostscript-fonts-std-8.11.tar.gz) = 0eb6f356119f2e49b2563210852e17f57f9dcc5755f350a69a46a0d641a0c401
SHA256 (CVE-2017-5951.patch) = bab355f618437dc24ca9cd464ffdd9dd3a00e336164027878d638e5530f85494
SHA256 (CVE-2017-7207.patch) = 956c6702b14cf7370b4f4fca484e1fd3c042a427733d384177ecbb6ee3e56f5e
SHA256 (CVE-2017-8291.patch) = d7932b6f149b88b9daad6ffe2d7cf85b98e5ef7698205b03301ef3002e6de7e2


@ -0,0 +1,37 @@
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5951
# https://bugs.ghostscript.com/show_bug.cgi?id=697548
commit bfa6b2ecbe48edc69a7d9d22a12419aed25960b8
Author: Chris Liddell <chris.liddell@artifex.com>
Date: Thu Apr 6 16:44:54 2017 +0100
Bug 697548: use the correct param list enumerator
When we encountered dictionary in a ref_param_list, we were using the enumerator
for the "parent" param_list, rather than the enumerator for the param_list
we just created for the dictionary. That parent was usually the stack
list enumerator, and caused a segfault.
Using the correct enumerator works better.
diff --git a/psi/iparam.c b/psi/iparam.c
index 4e63b6d25..b2fa85fa2 100644
--- a/psi/iparam.c
+++ b/psi/iparam.c
@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
gs_param_enumerator_t enumr;
gs_param_key_t key;
ref_type keytype;
+ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
param_init_enumerator(&enumr);
- if (!(*((iparam_list *) plist)->enumerate)
- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
+ if (!(*(dlist->enumerate))
+ ((iparam_list *) dlist, &enumr, &key, &keytype)
&& keytype == t_integer) {
- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
+ dlist->int_keys = 1;
pvalue->type = gs_param_type_dict_int_keys;
}
}
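Review bot: The reason the enumerator is taken from `dlist` rather than `plist` is not recorded in the code at the `(*(dlist->enumerate))` call in ref_param_read_typed, so the fix is easy to undo in a later cleanup. A short comment above the call would preserve it, for example `/* use the dictionary list's own enumerator; plist is the parent and may be the stack list */`. The hunk also dereferences `dlist` without a visible check. The enclosing block starts outside the hunk, so confirm that the collection read has succeeded before this point.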


@ -0,0 +1,31 @@
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7207
# https://bugs.ghostscript.com/show_bug.cgi?id=697676
commit 309eca4e0a31ea70dcc844812691439312dad091
Author: Ken Sharp <ken.sharp@artifex.com>
Date: Mon Mar 20 09:34:11 2017 +0000
Ensure a device has raster memory, before trying to read it.
Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
This is only possible by abusing/mis-using Ghostscript-specific
language extensions, so cannot happen in a general PostScript program.
Nevertheless, Ghostscript should not crash. So this commit checks the
memory device to see if raster memory has been allocated, before trying
to read from it.
diff --git a/base/gdevmem.c b/base/gdevmem.c
index afd05bdb3..d52d68414 100644
--- a/base/gdevmem.c
+++ b/base/gdevmem.c
@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
return_error(gs_error_rangecheck);
}
+ if (mdev->line_ptrs == 0x00)
+ return_error(gs_error_rangecheck);
if ((w <= 0) | (h <= 0)) {
if ((w | h) < 0)
return_error(gs_error_rangecheck);
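Review bot: The added guard in mem_get_bits_rectangle spells the null test as `mdev->line_ptrs == 0x00`, which reads like an integer comparison; `if (mdev->line_ptrs == NULL)` states the intent directly. A one-line comment such as `/* no raster memory allocated for this device: nothing to read */` would record why the check sits ahead of the width/height handling. The function body continues outside the hunk, so it is not visible here whether other readers of `line_ptrs` need the same guard.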


@ -0,0 +1,84 @@
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8291
# https://bugs.ghostscript.com/show_bug.cgi?id=697799
commit 4f83478c88c2e05d6e8d79ca4557eb039354d2f3
Author: Chris Liddell <chris.liddell@artifex.com>
Date: Thu Apr 27 13:03:33 2017 +0100
Bug 697799: have .eqproc check its parameters
The Ghostscript custom operator .eqproc was not check the number or type of
the parameters it was given.
diff --git a/psi/zmisc3.c b/psi/zmisc3.c
index 54b304246..37293ff4b 100644
--- a/psi/zmisc3.c
+++ b/psi/zmisc3.c
@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
ref2_t stack[MAX_DEPTH + 1];
ref2_t *top = stack;
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(gs_error_stackunderflow);
+ if (!r_is_array(op - 1) || !r_is_array(op)) {
+ return_error(gs_error_typecheck);
+ }
+
make_array(&stack[0].proc1, 0, 1, op - 1);
make_array(&stack[0].proc2, 0, 1, op);
for (;;) {
commit 04b37bbce174eed24edec7ad5b920eb93db4d47d
Author: Chris Liddell <chris.liddell@artifex.com>
Date: Thu Apr 27 13:21:31 2017 +0100
Bug 697799: have .rsdparams check its parameters
The Ghostscript internal operator .rsdparams wasn't checking the number or
type of the operands it was being passed. Do so.
diff --git a/psi/zfrsd.c b/psi/zfrsd.c
index 191107d8a..950588d69 100644
--- a/psi/zfrsd.c
+++ b/psi/zfrsd.c
@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
ref *pFilter;
ref *pDecodeParms;
int Intent = 0;
- bool AsyncRead;
+ bool AsyncRead = false;
ref empty_array, filter1_array, parms1_array;
uint i;
- int code;
+ int code = 0;
+
+ if (ref_stack_count(&o_stack) < 1)
+ return_error(gs_error_stackunderflow);
+ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
+ return_error(gs_error_typecheck);
+ }
make_empty_array(&empty_array, a_readonly);
- if (dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (r_has_type(op, t_dictionary)
+ && dict_find_string(op, "Filter", &pFilter) > 0) {
if (!r_is_array(pFilter)) {
if (!r_has_type(pFilter, t_name))
return_error(gs_error_typecheck);
@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
return_error(gs_error_typecheck);
}
}
- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+ if (r_has_type(op, t_dictionary))
+ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
return code;
- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
- )
- return code;
+ if (r_has_type(op, t_dictionary))
+ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+ return code;
push(1);
op[-1] = *pFilter;
if (pDecodeParms)
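Review bot: `pFilter` and `pDecodeParms` in zrsdparams (psi/zfrsd.c) are still declared without initializers, although this change gives `AsyncRead` and `code` initial values for the new null-operand path. On that path the `dict_find_string(op, "Filter", &pFilter)` call is skipped, yet `op[-1] = *pFilter` and `if (pDecodeParms)` still run; whether both pointers are assigned first depends on the else branches between the two hunks, which are not visible here. If they are, a comment saying so would help; otherwise declare `ref *pFilter = NULL;` and `ref *pDecodeParms = NULL;` so a missed assignment fails deterministically instead of reading an indeterminate pointer. The nested unbraced `if` around `dict_bool_param` would also be safer with braces.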


@ -5,13 +5,18 @@
name=ghostscript
version=9.21
release=1
release=2
source=(https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${version/./}/$name-$version.tar.xz
http://downloads.sourceforge.net/sourceforge/gs-fonts/$name-fonts-std-8.11.tar.gz)
http://downloads.sourceforge.net/sourceforge/gs-fonts/$name-fonts-std-8.11.tar.gz
CVE-2017-5951.patch CVE-2017-7207.patch CVE-2017-8291.patch)
build () {
cd $name-$version
patch -p1 -i $SRC/CVE-2017-5951.patch
patch -p1 -i $SRC/CVE-2017-7207.patch
patch -p1 -i $SRC/CVE-2017-8291.patch
./configure --prefix=/usr \
--enable-cups \
--disable-gtk \