author | Peter Korsgaard <peter@korsgaard.com> | 2017-04-28 09:49:30 +0200 |
---|---|---|
committer | Peter Korsgaard <peter@korsgaard.com> | 2017-04-28 14:15:32 +0200 |
commit | 874becfd019bc8f4e126684d08c4164e984b11c3 (patch) | |
tree | fdc537e46077a033dd5058e1a8ba8ba77e10b978 | |
parent | 051e9851f499fb2982591531e210c91563232c63 (diff) | |
ghostscript: add upstream security fixes for CVE-2017-8291
CVE-2017-8291 - Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass
and remote command execution via a "/OutputFile (%pipe%" substring in a
crafted .eps document that is an input to the gs program, as exploited in
the wild in April 2017.
For more details, see https://bugzilla.suse.com/show_bug.cgi?id=1036453
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r-- | package/ghostscript/0003-Bug-697799-have-.eqproc-check-its-parameters.patch | 33 | ||||
-rw-r--r-- | package/ghostscript/0004-Bug-697799-have-.rsdparams-check-its-parameters.patch | 62 |
2 files changed, 95 insertions, 0 deletions
diff --git a/package/ghostscript/0003-Bug-697799-have-.eqproc-check-its-parameters.patch b/package/ghostscript/0003-Bug-697799-have-.eqproc-check-its-parameters.patch
new file mode 100644
index 0000000000..becdc66054
--- /dev/null
+++ b/package/ghostscript/0003-Bug-697799-have-.eqproc-check-its-parameters.patch
@@ -0,0 +1,33 @@
+From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 27 Apr 2017 13:03:33 +0100
+Subject: [PATCH] Bug 697799: have .eqproc check its parameters
+
+The Ghostscript custom operator .eqproc was not check the number or type of
+the parameters it was given.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ psi/zmisc3.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zmisc3.c b/psi/zmisc3.c
+index 54b304246..37293ff4b 100644
+--- a/psi/zmisc3.c
++++ b/psi/zmisc3.c
+@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
+ ref2_t stack[MAX_DEPTH + 1];
+ ref2_t *top = stack;
+
++ if (ref_stack_count(&o_stack) < 2)
++ return_error(gs_error_stackunderflow);
++ if (!r_is_array(op - 1) || !r_is_array(op)) {
++ return_error(gs_error_typecheck);
++ }
++
+ make_array(&stack[0].proc1, 0, 1, op - 1);
+ make_array(&stack[0].proc2, 0, 1, op);
+ for (;;) {
+--
+2.11.0
+
diff --git a/package/ghostscript/0004-Bug-697799-have-.rsdparams-check-its-parameters.patch b/package/ghostscript/0004-Bug-697799-have-.rsdparams-check-its-parameters.patch
new file mode 100644
index 0000000000..9ba170b316
--- /dev/null
+++ b/package/ghostscript/0004-Bug-697799-have-.rsdparams-check-its-parameters.patch
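Review bot: In 0003-Bug-697799-have-.eqproc-check-its-parameters.patch, the guard added at the top of zeqproc raises `gs_error_typecheck` for any non-array operand, which changes the outcome for PostScript-level callers that previously got through to the comparison loop. Those callers are not visible in this hunk, so it is worth confirming that none of them (the interpreter's own initialisation code included) passes a non-procedure and expects a boolean back; if one does, answering false keeps the operand validation without the error, `make_false(op - 1); pop(1); return 0;`. A short comment above the checks would also help the next reader, for example `/* operands come from the PostScript program; both must be arrays before make_array() wraps them */`. zeqproc's body continues past the end of the hunk.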
@@ -0,0 +1,62 @@
+From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 27 Apr 2017 13:21:31 +0100
+Subject: [PATCH] Bug 697799: have .rsdparams check its parameters
+
+The Ghostscript internal operator .rsdparams wasn't checking the number or
+type of the operands it was being passed. Do so.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ psi/zfrsd.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/psi/zfrsd.c b/psi/zfrsd.c
+index 191107d8a..950588d69 100644
+--- a/psi/zfrsd.c
++++ b/psi/zfrsd.c
+@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ ref *pFilter;
+ ref *pDecodeParms;
+ int Intent = 0;
+- bool AsyncRead;
++ bool AsyncRead = false;
+ ref empty_array, filter1_array, parms1_array;
+ uint i;
+- int code;
++ int code = 0;
++
++ if (ref_stack_count(&o_stack) < 1)
++ return_error(gs_error_stackunderflow);
++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++ return_error(gs_error_typecheck);
++ }
+
+ make_empty_array(&empty_array, a_readonly);
+- if (dict_find_string(op, "Filter", &pFilter) > 0) {
++ if (r_has_type(op, t_dictionary)
++ && dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (!r_is_array(pFilter)) {
+ if (!r_has_type(pFilter, t_name))
+ return_error(gs_error_typecheck);
+@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ return_error(gs_error_typecheck);
+ }
+ }
+- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++ if (r_has_type(op, t_dictionary))
++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+ if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
+ return code;
+- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+- )
+- return code;
++ if (r_has_type(op, t_dictionary))
++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++ return code;
+ push(1);
+ op[-1] = *pFilter;
+ if (pDecodeParms)
+--
+2.11.0
+
|
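Review bot: In the second psi/zfrsd.c hunk of 0004-Bug-697799-have-.rsdparams-check-its-parameters.patch, `r_has_type(op, t_dictionary)` is tested separately before each parameter read, and the AsyncRead read becomes an unbraced `if` nested inside another unbraced `if`, which is easy to misread and easy to break if an `else` is added later. A single braced block around both reads expresses the dictionary-only path once and keeps the rangecheck test next to the call that produces it. Separately, with a null operand the Filter lookup is now skipped while `op[-1] = *pFilter` and `if (pDecodeParms)` still read both pointers, which the first hunk shows declared without initialisers; whatever assigns them on that path lies between the two hunks and is not shown, so it should be checked against the full function. zrsdparams starts before the first hunk and continues after the second.

```c
    /* … unchanged: Filter / DecodeParms handling … */
    if (r_has_type(op, t_dictionary)) {
        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
        if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
            return code;
        code = dict_bool_param(op, "AsyncRead", false, &AsyncRead);
        if (code < 0)
            return code;
    }
    push(1);
    /* … unchanged: results stored on the operand stack … */
```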