- Fix debugging output from gdevcups (CVE-2009-4270, bug #540760).

- Harden ghostscript's debugging output functions (bug #540760).
This commit is contained in:
Tim Waugh 2009-12-24 11:30:49 +00:00
parent f523a62b90
commit 537084bff8
3 changed files with 94 additions and 1 deletions

View File

@ -0,0 +1,17 @@
diff -up ghostscript-8.70/cups/gdevcups.c.gdevcups-debug ghostscript-8.70/cups/gdevcups.c
--- ghostscript-8.70/cups/gdevcups.c.gdevcups-debug 2009-05-20 23:30:48.000000000 +0100
+++ ghostscript-8.70/cups/gdevcups.c 2009-11-24 17:16:11.929250977 +0000
@@ -2816,11 +2816,11 @@ cups_put_params(gx_device *pdev, /*
} \
else if (code == 0) \
{ \
- dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
- (char *)stringval.data); \
strncpy(cups->header.name, (const char *)stringval.data, \
stringval.size); \
cups->header.name[stringval.size] = '\0'; \
+ dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
+ cups->header.name); \
}
#define intoption(name, sname, type) \

View File

@ -0,0 +1,64 @@
diff -up ghostscript-8.70/base/gsmisc.c.vsnprintf ghostscript-8.70/base/gsmisc.c
--- ghostscript-8.70/base/gsmisc.c.vsnprintf 2008-01-07 18:43:02.000000000 +0000
+++ ghostscript-8.70/base/gsmisc.c 2009-11-24 17:16:38.575250571 +0000
@@ -69,10 +69,10 @@ int outprintf(const gs_memory_t *mem, co
va_start(args, fmt);
- count = vsprintf(buf, fmt, args);
+ count = vsnprintf(buf, sizeof (buf), fmt, args);
outwrite(mem, buf, count);
- if (count >= PRINTF_BUF_LENGTH) {
- count = sprintf(buf,
+ if (count == -1 || count >= sizeof (buf)) {
+ count = snprintf(buf, sizeof (buf),
"PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
PRINTF_BUF_LENGTH);
outwrite(mem, buf, count);
@@ -89,10 +89,10 @@ int errprintf(const char *fmt, ...)
va_start(args, fmt);
- count = vsprintf(buf, fmt, args);
+ count = vsnprintf(buf, sizeof (buf), fmt, args);
errwrite(buf, count);
- if (count >= PRINTF_BUF_LENGTH) {
- count = sprintf(buf,
+ if (count == -1 || count >= sizeof (buf)) {
+ count = snprintf(buf, sizeof (buf),
"PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
PRINTF_BUF_LENGTH);
errwrite(buf, count);
@@ -236,7 +236,7 @@ int gs_throw_imp(const char *func, const
va_list ap;
va_start(ap, fmt);
- vsprintf(msg, fmt, ap);
+ vsnprintf(msg, sizeof (msg), fmt, ap);
msg[sizeof(msg) - 1] = 0;
va_end(ap);
diff -up ghostscript-8.70/base/gxttfb.c.vsnprintf ghostscript-8.70/base/gxttfb.c
--- ghostscript-8.70/base/gxttfb.c.vsnprintf 2009-07-09 06:59:44.000000000 +0100
+++ ghostscript-8.70/base/gxttfb.c 2009-11-24 17:16:38.577250996 +0000
@@ -246,7 +246,7 @@ static int DebugPrint(ttfFont *ttf, cons
if (gs_debug_c('Y')) {
va_start(args, fmt);
- count = vsprintf(buf, fmt, args);
+ count = vsnprintf(buf, sizeof (buf), fmt, args);
/* NB: moved debug output from stdout to stderr
*/
errwrite(buf, count);
diff -up ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf ghostscript-8.70/base/rinkj/rinkj-byte-stream.c
--- ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf 2008-04-04 02:02:16.000000000 +0100
+++ ghostscript-8.70/base/rinkj/rinkj-byte-stream.c 2009-11-24 17:16:38.577250996 +0000
@@ -43,7 +43,7 @@ rinkj_byte_stream_printf (RinkjByteStrea
va_list ap;
va_start (ap, fmt);
- len = vsprintf (str, fmt, ap);
+ len = vsnprintf (str, sizeof (str), fmt, ap);
va_end (ap);
return rinkj_byte_stream_write (bs, str, len);
}

View File

@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer.
Name: ghostscript
Version: %{gs_ver}
Release: 1%{?dist}
Release: 2%{?dist}
# Included CMap data is Redistributable, no modification permitted,
# see http://bugzilla.redhat.com/487510
@ -25,6 +25,8 @@ Patch6: ghostscript-system-jasper.patch
Patch7: ghostscript-pksmraw.patch
Patch8: ghostscript-jbig2dec-nullderef.patch
Patch9: ghostscript-gs-executable.patch
Patch10: ghostscript-CVE-2009-4270.patch
Patch11: ghostscript-vsnprintf.patch
Requires: urw-fonts >= 1.1, ghostscript-fonts
BuildRequires: xz
@ -115,6 +117,12 @@ rm -rf libpng zlib jpeg jasper
# Fix scripts so they don't get broken on install (bug #502550).
%patch9 -p1 -b .gs-executable
# Fix debugging output from gdevcups (bug #540760).
%patch10 -p1 -b .CVE-2009-4270
# Harden ghostscript's debugging output functions (bug #540760).
%patch11 -p1 -b .vsnprintf
# Convert manual pages to UTF-8
from8859_1() {
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -296,6 +304,10 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libgs.so
%changelog
* Thu Dec 24 2009 Tim Waugh <twaugh@redhat.com> 8.70-2
- Fix debugging output from gdevcups (CVE-2009-4270, bug #540760).
- Harden ghostscript's debugging output functions (bug #540760).
* Mon Aug 3 2009 Tim Waugh <twaugh@redhat.com> 8.70-1
- 8.70.
- License has changed to GPLv3+. Packages containing programs that