GNU bug report logs -
#26704
[PATCH 1/1] gnu: ghostscript: Fix CVE-2017-8291.
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Fri, 28 Apr 2017 20:54:01 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#26704; Package guix-patches. (Fri, 28 Apr 2017 20:54:01 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 28 Apr 2017 20:54:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/ghostscript-CVE-2017-8291.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
(ghostscript/fixed): New variable.
(ghostscript-with-x)[replacement]: New field.
---
gnu/local.mk | 1 +
gnu/packages/ghostscript.scm | 13 ++++
.../patches/ghostscript-CVE-2017-8291.patch | 73 ++++++++++++++++++++++
3 files changed, 87 insertions(+)
create mode 100644 gnu/packages/patches/ghostscript-CVE-2017-8291.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 40fd0f061..117da28fb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -603,6 +603,7 @@ dist_patch_DATA = \
%D%/packages/patches/ghostscript-CVE-2016-7978.patch \
%D%/packages/patches/ghostscript-CVE-2016-7979.patch \
%D%/packages/patches/ghostscript-CVE-2016-8602.patch \
+ %D%/packages/patches/ghostscript-CVE-2017-8291.patch \
%D%/packages/patches/ghostscript-runpath.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 076046e72..5340107f9 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -130,6 +130,7 @@ printing, and psresize, for adjusting page sizes.")
(define-public ghostscript
(package
(name "ghostscript")
+ (replacement ghostscript/fixed)
(version "9.14.0")
(source (origin
(method url-fetch)
@@ -209,11 +210,23 @@ output file formats and printers.")
(define-public ghostscript/x
(package (inherit ghostscript)
+ (replacement #f)
(name (string-append (package-name ghostscript) "-with-x"))
(inputs `(("libxext" ,libxext)
("libxt" ,libxt)
,@(package-inputs ghostscript)))))
+(define ghostscript/fixed
+ (package
+ (inherit ghostscript)
+ (source
+ (origin
+ (inherit (package-source ghostscript))
+ (patches
+ (append
+ (origin-patches (package-source ghostscript))
+ (search-patches "ghostscript-CVE-2017-8291.patch")))))))
+
(define-public ijs
(package
(name "ijs")
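Review bot: In the `ghostscript/x` part of this hunk, `(replacement #f)` combined with `(inherit ghostscript)` leaves ghostscript-with-x without the fix: it inherits the source of `ghostscript`, which does not include `ghostscript-CVE-2017-8291.patch`, and it has no graft of its own, since only `ghostscript/fixed` carries the new patch. Consider giving it a replacement that inherits from `ghostscript/fixed` while keeping the same name and the libxext/libxt inputs, or add a comment stating why the X variant is left out. The commit log also says `(ghostscript-with-x)[replacement]`, while the variable changed here is `ghostscript/x`.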
diff --git a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
new file mode 100644
index 000000000..db80b6dde
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
@@ -0,0 +1,73 @@
+Fix CVE-2017-8291:
+
+https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8291
+
+This patch is adapted from these two Artifex Ghostscript commits by Leo
+Famulari <leo <at> famulari.name>:
+
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d;hp=4f83478c88c2e05d6e8d79ca4557eb039354d2f3
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3;hp=5603e8fc3e59c435318877efe627967ee6baebb8
+
+diff --git a/psi/zfrsd.c b/psi/zfrsd.c
+index fb4bce9..2629afa 100644
+--- a/psi/zfrsd.c
++++ b/psi/zfrsd.c
+@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ ref *pFilter;
+ ref *pDecodeParms;
+ int Intent = 0;
+- bool AsyncRead;
++ bool AsyncRead = false;
+ ref empty_array, filter1_array, parms1_array;
+ uint i;
+- int code;
++ int code = 0;
++
++ if (ref_stack_count(&o_stack) < 1)
++ return_error(e_stackunderflow);
++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++ return_error(e_typecheck);
++ }
+
+ make_empty_array(&empty_array, a_readonly);
+- if (dict_find_string(op, "Filter", &pFilter) > 0) {
++ if (r_has_type(op, t_dictionary)
++ && dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (!r_is_array(pFilter)) {
+ if (!r_has_type(pFilter, t_name))
+ return_error(e_typecheck);
+@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ return_error(e_typecheck);
+ }
+ }
+- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++ if (r_has_type(op, t_dictionary))
++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+ if (code < 0 && code != e_rangecheck) /* out-of-range int is ok, use 0 */
+ return code;
+- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+- )
+- return code;
++ if (r_has_type(op, t_dictionary))
++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++ return code;
+ push(1);
+ op[-1] = *pFilter;
+ if (pDecodeParms)
+diff --git a/psi/zmisc3.c b/psi/zmisc3.c
+index 54b3042..0d357f1 100644
+--- a/psi/zmisc3.c
++++ b/psi/zmisc3.c
+@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
+ ref2_t stack[MAX_DEPTH + 1];
+ ref2_t *top = stack;
+
++ if (ref_stack_count(&o_stack) < 2)
++ return_error(e_stackunderflow);
++ if (!r_is_array(op - 1) || !r_is_array(op)) {
++ return_error(e_typecheck);
++ }
++
+ make_array(&stack[0].proc1, 0, 1, op - 1);
+ make_array(&stack[0].proc2, 0, 1, op);
+ for (;;) {
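Review bot: In the zrsdparams hunks, `op` may now be `t_null`, in which case the "Filter" lookup is skipped, yet `op[-1] = *pFilter;` still dereferences `pFilter`, which is declared as `ref *pFilter;` with no initializer (the first hunk initializes `AsyncRead` and `code` but not this pointer). The lines between the two hunks are not shown, so confirm that the path taken when the lookup is skipped assigns `pFilter` and `pDecodeParms`, or initialize them at declaration. Separately, the `AsyncRead` guard nests one unbraced `if` inside another; brace the outer one, as the new type check already does for its single `return_error`. The patch header says the change is "adapted" from the two upstream commits without saying what differs, and a sentence on that would help whoever drops this patch at the next Ghostscript update.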
--
2.12.2
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Fri, 28 Apr 2017 21:06:02 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Fri, 28 Apr 2017 21:06:02 GMT)
Message #10 received at 26704-done <at> debbugs.gnu.org (full text, mbox):
On Fri, Apr 28, 2017 at 04:52:47PM -0400, Leo Famulari wrote:
> * gnu/packages/patches/ghostscript-CVE-2017-8291.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
> (ghostscript/fixed): New variable.
> (ghostscript-with-x)[replacement]: New field.
I pushed this as a01f15759a00503101baa23af87cbd6095a1fbd6. Thanks to
Eric for reviewing (I pinged him on IRC #guix)!
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 27 May 2017 11:24:03 GMT)