main/ghostscript: security fixes (CVE-2018-17961, CVE-2018-18073, CVE-2018-18284)

9ce86c9b · J0WI · Natanael Copa · 55ef7390 · 9ce86c9b · 55ef7390
Commit 9ce86c9b authored Nov 12, 2018 by J0WI Committed by Natanael Copa Dec 07, 2018
5 changed files
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Cameron Banta <cbanta@gmail.com>
 pkgname=ghostscript
 pkgver=9.25
-pkgrel=0
+pkgrel=1
 pkgdesc="An interpreter for the PostScript language and for PDF"
 url="https://ghostscript.com/"
 arch="all"
@@ -14,10 +14,15 @@ subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk"
 source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostscript-$pkgver.tar.gz
 	ghostscript-system-zlib.patch
 	fix-sprintf.patch
+	ghostscript-9.25-security_fixes-2.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"

 # secfixes:
+#   9.25-r1:
+#     - CVE-2018-17961
+#     - CVE-2018-18073
+#     - CVE-2018-18284
 #   9.25-r0:
 #     - CVE-2018-16802
 #   9.24-r0:
@@ -116,4 +121,5 @@ gtk() {

 sha512sums="6710bf00e6246bf07173d4012c7742dd2315b6888b883d63372c0dc2fef76e8be5672f10e4c529244ba153f4ae8ab713403209365a3f7a76c469d69d797761b1  ghostscript-9.25.tar.gz
 70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482  ghostscript-system-zlib.patch
-beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4  fix-sprintf.patch"
+beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4  fix-sprintf.patch
+f3d225a913780364df04588ba08afb9a9547082a801ad23ff3429e117c6c9f511c4c0f35c464710c7d503fa8b80c3a2cbc77bf50bf0c2e846db2a6ec15f77e2e  ghostscript-9.25-security_fixes-2.patch"
--- a/main/ghostscript/CVE-2017-5951.patch
+++ b/main/ghostscript/CVE-2017-5951.patch
-From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 6 Apr 2017 16:44:54 +0100
-Subject: [PATCH] Bug 697548: use the correct param list enumerator
-
-When we encountered dictionary in a ref_param_list, we were using the enumerator
-for the "parent" param_list, rather than the enumerator for the param_list
-we just created for the dictionary. That parent was usually the stack
-list enumerator, and caused a segfault.
-
-Using the correct enumerator works better.
---
- psi/iparam.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/psi/iparam.c b/psi/iparam.c
-index 4e63b6d..b2fa85f 100644
--- a/psi/iparam.c
-+++ b/psi/iparam.c
-@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
-                 gs_param_enumerator_t enumr;
-                 gs_param_key_t key;
-                 ref_type keytype;
-+                dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
- 
-                 param_init_enumerator(&enumr);
-                if (!(*((iparam_list *) plist)->enumerate)
-                    ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
-+                if (!(*(dlist->enumerate))
-+                    ((iparam_list *) dlist, &enumr, &key, &keytype)
-                     && keytype == t_integer) {
-                    ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
-+                    dlist->int_keys = 1;
-                     pvalue->type = gs_param_type_dict_int_keys;
-                 }
-             }
-- 
-2.9.1
-
--- a/main/ghostscript/CVE-2017-7207.patch
+++ b/main/ghostscript/CVE-2017-7207.patch
-From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001
-From: Ken Sharp <ken.sharp@artifex.com>
-Date: Mon, 20 Mar 2017 09:34:11 +0000
-Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
-
-Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
-
-This is only possible by abusing/mis-using Ghostscript-specific
-language extensions, so cannot happen in a general PostScript program.
-
-Nevertheless, Ghostscript should not crash. So this commit checks the
-memory device to see if raster memory has been allocated, before trying
-to read from it.
---
- base/gdevmem.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/base/gdevmem.c b/base/gdevmem.c
-index afd05bd..d52d684 100644
--- a/base/gdevmem.c
-+++ b/base/gdevmem.c
-@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
-             GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
-         return_error(gs_error_rangecheck);
-     }
-+    if (mdev->line_ptrs == 0x00)
-+        return_error(gs_error_rangecheck);
-     if ((w <= 0) | (h <= 0)) {
-         if ((w | h) < 0)
-             return_error(gs_error_rangecheck);
-- 
-2.9.1
-
--- a/main/ghostscript/CVE-2017-8291.patch
+++ b/main/ghostscript/CVE-2017-8291.patch
-From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 27 Apr 2017 13:21:31 +0100
-Subject: [PATCH] Bug 697799: have .rsdparams check its parameters
-
-The Ghostscript internal operator .rsdparams wasn't checking the number or
-type of the operands it was being passed. Do so.
---
- psi/zfrsd.c | 22 +++++++++++++++-------
- 1 file changed, 15 insertions(+), 7 deletions(-)
-
-diff --git a/psi/zfrsd.c b/psi/zfrsd.c
-index 191107d..950588d 100644
--- a/psi/zfrsd.c
-+++ b/psi/zfrsd.c
-@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
-     ref *pFilter;
-     ref *pDecodeParms;
-     int Intent = 0;
-    bool AsyncRead;
-+    bool AsyncRead = false;
-     ref empty_array, filter1_array, parms1_array;
-     uint i;
-    int code;
-+    int code = 0;
-+
-+    if (ref_stack_count(&o_stack) < 1)
-+        return_error(gs_error_stackunderflow);
-+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
-+        return_error(gs_error_typecheck);
-+    }
- 
-     make_empty_array(&empty_array, a_readonly);
-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
-+    if (r_has_type(op, t_dictionary)
-+        && dict_find_string(op, "Filter", &pFilter) > 0) {
-         if (!r_is_array(pFilter)) {
-             if (!r_has_type(pFilter, t_name))
-                 return_error(gs_error_typecheck);
-@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
-                 return_error(gs_error_typecheck);
-         }
-     }
-    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
-+    if (r_has_type(op, t_dictionary))
-+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
-     if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
-         return code;
-    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
-        )
-        return code;
-+    if (r_has_type(op, t_dictionary))
-+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
-+            return code;
-     push(1);
-     op[-1] = *pFilter;
-     if (pDecodeParms)
-- 
-2.9.1
-
--- a/main/ghostscript/ghostscript-9.25-security_fixes-2.patch
+++ b/main/ghostscript/ghostscript-9.25-security_fixes-2.patch