GNU bug report logs - #26704
[PATCH 1/1] gnu: ghostscript: Fix CVE-2017-8291.

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 28 Apr 2017 20:54:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#26704; Package guix-patches. (Fri, 28 Apr 2017 20:54:01 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 28 Apr 2017 20:54:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH 1/1] gnu: ghostscript: Fix CVE-2017-8291.
Date: Fri, 28 Apr 2017 16:52:47 -0400

* gnu/packages/patches/ghostscript-CVE-2017-8291.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
(ghostscript/fixed): New variable.
(ghostscript-with-x)[replacement]: New field.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/ghostscript.scm                       | 13 ++++
 .../patches/ghostscript-CVE-2017-8291.patch        | 73 ++++++++++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 gnu/packages/patches/ghostscript-CVE-2017-8291.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 40fd0f061..117da28fb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -603,6 +603,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-CVE-2016-7978.patch		\
   %D%/packages/patches/ghostscript-CVE-2016-7979.patch		\
   %D%/packages/patches/ghostscript-CVE-2016-8602.patch		\
+  %D%/packages/patches/ghostscript-CVE-2017-8291.patch		\
   %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 076046e72..5340107f9 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -130,6 +130,7 @@ printing, and psresize, for adjusting page sizes.")
 (define-public ghostscript
   (package
    (name "ghostscript")
+   (replacement ghostscript/fixed)
    (version "9.14.0")
    (source (origin
             (method url-fetch)
@@ -209,11 +210,23 @@ output file formats and printers.")
 
 (define-public ghostscript/x
   (package (inherit ghostscript)
+    (replacement #f)
     (name (string-append (package-name ghostscript) "-with-x"))
     (inputs `(("libxext" ,libxext)
               ("libxt" ,libxt)
               ,@(package-inputs ghostscript)))))
 
+(define ghostscript/fixed
+  (package
+    (inherit ghostscript)
+    (source
+      (origin
+        (inherit (package-source ghostscript))
+        (patches
+          (append
+            (origin-patches (package-source ghostscript))
+            (search-patches "ghostscript-CVE-2017-8291.patch")))))))
+
 (define-public ijs
   (package
    (name "ijs")
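Review bot: In the ghostscript/x definition, (replacement #f) combined with (inherit ghostscript) leaves ghostscript-with-x on the unpatched source with no graft, since only ghostscript/fixed appends ghostscript-CVE-2017-8291.patch. If that is intentional, a comment saying why would help; otherwise consider giving ghostscript/x a replacement built from the ghostscript/fixed source so the X variant also receives the fix.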
diff --git a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
new file mode 100644
index 000000000..db80b6dde
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
@@ -0,0 +1,73 @@
+Fix CVE-2017-8291:
+
+https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8291
+
+This patch is adapted from these two Artifex Ghostscript commits by Leo
+Famulari <leo <at> famulari.name>:
+
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d;hp=4f83478c88c2e05d6e8d79ca4557eb039354d2f3
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3;hp=5603e8fc3e59c435318877efe627967ee6baebb8
+
+diff --git a/psi/zfrsd.c b/psi/zfrsd.c
+index fb4bce9..2629afa 100644
+--- a/psi/zfrsd.c
++++ b/psi/zfrsd.c
+@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+     ref *pFilter;
+     ref *pDecodeParms;
+     int Intent = 0;
+-    bool AsyncRead;
++    bool AsyncRead = false;
+     ref empty_array, filter1_array, parms1_array;
+     uint i;
+-    int code;
++    int code = 0;
++
++    if (ref_stack_count(&o_stack) < 1)
++        return_error(e_stackunderflow);
++    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++        return_error(e_typecheck);
++    }
+ 
+     make_empty_array(&empty_array, a_readonly);
+-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
++    if (r_has_type(op, t_dictionary)
++        && dict_find_string(op, "Filter", &pFilter) > 0) {
+         if (!r_is_array(pFilter)) {
+             if (!r_has_type(pFilter, t_name))
+                 return_error(e_typecheck);
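Review bot: With the new r_has_type(op, t_dictionary) guard on the Filter lookup in zrsdparams, a null operand now skips dict_find_string, while pFilter and pDecodeParms are still declared without initializers and the next hunk's context shows op[-1] = *pFilter. Please confirm that the else branches outside this hunk assign both pointers on the null path, or initialize them at declaration.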
+@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+                 return_error(e_typecheck);
+         }
+     }
+-    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++    if (r_has_type(op, t_dictionary))
++        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+     if (code < 0 && code != e_rangecheck) /* out-of-range int is ok, use 0 */
+         return code;
+-    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+-        )
+-        return code;
++    if (r_has_type(op, t_dictionary))
++        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++            return code;
+     push(1);
+     op[-1] = *pFilter;
+     if (pDecodeParms)
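Review bot: The AsyncRead change nests two unbraced if statements, which invites a dangling-else mistake on a later edit. Folding the type test into a single condition with &&, as the Filter lookup earlier in this patch does, would be clearer: if (r_has_type(op, t_dictionary) && (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) return code;. The Intent check now also relies on the code = 0 initializer when the operand is null, which deserves a short comment.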
+diff --git a/psi/zmisc3.c b/psi/zmisc3.c
+index 54b3042..0d357f1 100644
+--- a/psi/zmisc3.c
++++ b/psi/zmisc3.c
+@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
+     ref2_t stack[MAX_DEPTH + 1];
+     ref2_t *top = stack;
+ 
++    if (ref_stack_count(&o_stack) < 2)
++        return_error(e_stackunderflow);
++    if (!r_is_array(op - 1) || !r_is_array(op)) {
++        return_error(e_typecheck);
++    }
++
+     make_array(&stack[0].proc1, 0, 1, op - 1);
+     make_array(&stack[0].proc2, 0, 1, op);
+     for (;;) {
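Review bot: The new r_is_array test at the top of zeqproc returns e_typecheck whenever either operand is not an array, so the operator now raises an error where it previously went straight to make_array and the comparison loop. Please confirm that no PostScript caller passes non-array operands and expects a false result, and add a one-line comment stating that the type check is what keeps make_array from being applied to non-array refs.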
-- 
2.12.2





Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Fri, 28 Apr 2017 21:06:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Fri, 28 Apr 2017 21:06:02 GMT)

Message #10 received at 26704-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 26704-done <at> debbugs.gnu.org
Subject: Re: [PATCH 1/1] gnu: ghostscript: Fix CVE-2017-8291.
Date: Fri, 28 Apr 2017 17:05:10 -0400

On Fri, Apr 28, 2017 at 04:52:47PM -0400, Leo Famulari wrote:
> * gnu/packages/patches/ghostscript-CVE-2017-8291.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
> (ghostscript/fixed): New variable.
> (ghostscript-with-x)[replacement]: New field.

I pushed this as a01f15759a00503101baa23af87cbd6095a1fbd6. Thanks to
Eric for reviewing (I pinged him on IRC #guix)!

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 27 May 2017 11:24:03 GMT)

This bug report was last modified 6 years and 345 days ago.
