From b62d20303f9b0048a86a141a022074c4e51af8af Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Wed, 15 Apr 2009 16:25:02 +0000
Subject: [PATCH] - Applied patch to fix CVE-2009-0792 (bug #491853).
- Applied patch to fix CVE-2009-0196 (bug #493379).
---
 ghostscript-CVE-2009-0196.patch | 19 ++++
 ghostscript-CVE-2009-0792.patch | 166 ++++++++++++++++++++++++++++++++
 ghostscript.spec | 14 ++-
 3 files changed, 198 insertions(+), 1 deletion(-)
 create mode 100644 ghostscript-CVE-2009-0196.patch
 create mode 100644 ghostscript-CVE-2009-0792.patch
diff --git a/ghostscript-CVE-2009-0196.patch b/ghostscript-CVE-2009-0196.patch
new file mode 100644
index 0000000..5ee8d86
--- /dev/null
+++ b/ghostscript-CVE-2009-0196.patch
@@ -0,0 +1,19 @@
+diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c
+--- ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 2007-12-11 08:29:58.000000000 +0000
++++ ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c 2009-04-15 16:27:43.000000000 +0100
+@@ -699,6 +699,15 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ exrunlength = params->SDNUMEXSYMS;
+ else
+ code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
++ if (exrunlength > params->SDNUMEXSYMS - j) {
++ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++ "runlength too large in export symbol table (%d > %d - %d)\n",
++ exrunlength, params->SDNUMEXSYMS, j);
++ jbig2_sd_release(ctx, SDEXSYMS);
++ /* skip to the cleanup code and return SDEXSYMS = NULL */
++ SDEXSYMS = NULL;
++ break;
++ }
+ for(k = 0; k < exrunlength; k++)
+ if (exflag) {
+ SDEXSYMS->glyphs[j++] = (i < m) ?
diff --git a/ghostscript-CVE-2009-0792.patch b/ghostscript-CVE-2009-0792.patch
new file mode 100644
index 0000000..3c40a76
--- /dev/null
+++ b/ghostscript-CVE-2009-0792.patch
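Review bot: The new guard `if (exrunlength > params->SDNUMEXSYMS - j)` bounds only the upper side and does not look at `code`, the status `jbig2_arith_int_decode` returned on the line just above it, so a failed decode that leaves `exrunlength` stale or negative still passes. A negative value makes the following `for(k = 0; k < exrunlength; k++)` a no-op rather than an out-of-bounds write, so the residual risk is presumably a decoder that keeps iterating in the enclosing loop; rejecting it here is cheap: `if (code || exrunlength < 0 || exrunlength > params->SDNUMEXSYMS - j) {`. If `SDNUMEXSYMS` is an unsigned type in the params struct the comparison already promotes `exrunlength` to unsigned, which happens to reject negatives but makes the `%d` conversions in the `jbig2_error` message mismatch their arguments — worth confirming against the struct definition. The loop this hunk sits in, inside `jbig2_decode_symbol_dict`, starts and ends outside the hunk.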
@@ -0,0 +1,166 @@
+diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0792 ghostscript-8.64/icclib/icc.c
+--- ghostscript-8.64/icclib/icc.c.CVE-2009-0792 2009-04-15 16:20:04.000000000 +0100
++++ ghostscript-8.64/icclib/icc.c 2009-04-15 16:20:24.000000000 +0100
+@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd(
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Coordinate */
+- if (ix > (p->size-2))
++ if (ix < 0 || ix > (p->size-2))
+ ix = (p->size-2);
+ w = val - (double)ix; /* weight */
+ val = p->data[ix];
+@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd(
+ ) {
+ int i;
+
++ if (size > INT_MAX - 2)
++ /* Although rt->size is unsigned long, the rt data
++ * structure uses int data types to store indices. */
++ return 2;
++
+ rt->size = size; /* Stash pointers to these away */
+ rt->data = data;
+
+@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd(
+ rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */
+
+ /* Initialize the reverse lookup structures, and get overall min/max */
+- if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
++ if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
+ return 2;
+ }
+
+@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd(
+ int t;
+ t = s; s = e; e = t;
+ }
++ /* s and e should both be in the range [0,rt->rsize]
++ * now, but let's not rely on floating point
++ * calculations -- double-check.
*/
++ if (s < 0)
++ s = 0;
++ if (e < 0)
++ e = 0;
++ if (s >= rt->rsize)
++ s = rt->rsize-1;
+ if (e >= rt->rsize)
+ e = rt->rsize-1;
+
+@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd(
+ as = rt->rlists[j][0]; /* Allocate space for this list */
+ nf = rt->rlists[j][1]; /* Next free location in list */
+ if (nf >= as) { /* need to expand space */
++ if (as > INT_MAX / 2 / sizeof (int))
++ return 2;
++
+ as *= 2;
+ rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
+ if (rt->rlists[j] == NULL) {
+@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd(
+ val = rsize_1;
+ ix = (int)floor(val); /* Coordinate */
+
+- if (ix > (rt->size-2))
++ if (ix < 0 || ix > (rt->size-2))
+ ix = (rt->size-2);
+ if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */
+ /* For each candidate forward range */
+@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd(
+ /* We have failed to find an exact value, so return the nearest value */
+ /* (This is slow !) */
+ val = fabs(ival - rt->data[0]);
++ /* rt->size is known to be < INT_MAX */
+ for (k = 0, i = 1; i < rt->size; i++) {
+ double er;
+ er = fabs(ival - rt->data[i]);
+@@ -3671,7 +3689,7 @@ static int icmData_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
++ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
+ sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
+ return icp->errc = 2;
+ }
+@@ -3887,7 +3905,7 @@ static int icmText_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++ if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
+ return icp->errc = 2;
+ }
+@@ -4301,7 +4319,7 @@ double *in /* Input array[inputChan] */
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Grid coordinate */
+- if (ix > (p->inputEnt-2))
++ if (ix < 0 || ix > (p->inputEnt-2))
+ ix = (p->inputEnt-2);
+ w = val - (double)ix; /* weight */
+ val = table[ix];
+@@ -4360,7 +4378,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for base of cube */
+@@ -4433,7 +4451,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for base of cube */
+@@ -4506,7 +4524,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Grid coordinate */
+- if (ix > (p->outputEnt-2))
++ if (ix < 0 || ix > (p->outputEnt-2))
+ ix = (p->outputEnt-2);
+ w = val - (double)ix; /* weight */
+ val = table[ix];
+@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate(
+ if (p->size != p->_size) {
+ if (p->desc != NULL)
+ icp->al->free(icp->al, p->desc);
+- if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
+ return icp->errc = 2;
+ }
+@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate(
+ if (p->size != p->_size) {
+ if (p->string != NULL)
+ icp->al->free(icp->al, p->string);
+- if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++ if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmUcrBg_allocate:
malloc() of string data failed");
+ return icp->errc = 2;
+ }
+@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate(
+ if (p->ppsize != p->_ppsize) {
+ if (p->ppname != NULL)
+ icp->al->free(icp->al, p->ppname);
+- if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
++ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
+ return icp->errc = 2;
+ }
+@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate(
+ if (p->crdsize[t] != p->_crdsize[t]) {
+ if (p->crdname[t] != NULL)
+ icp->al->free(icp->al, p->crdname[t]);
+- if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
++ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
+ return icp->errc = 2;
+ }
diff --git a/ghostscript.spec b/ghostscript.spec
index c315bb9..eb8afce 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer.
 Name: ghostscript
 Version: %{gs_ver}
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2
 URL: http://www.ghostscript.com/
@@ -23,6 +23,8 @@ Patch6: ghostscript-system-jasper.patch
 Patch7: ghostscript-pksmraw.patch
 Patch8: ghostscript-bitcmyk.patch
 Patch9: ghostscript-CVE-2009-0583,0584.patch
+Patch10: ghostscript-CVE-2009-0792.patch
+Patch11: ghostscript-CVE-2009-0196.patch
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: libjpeg-devel, libXt-devel
@@ -113,6 +115,12 @@ rm -rf libpng zlib jpeg jasper
 # (bug #487744).
 %patch9 -p1 -b .CVE-2009-0583,0584
+# Applied patch to fix CVE-2009-0792 (bug #491853).
+%patch10 -p1 -b .CVE-2009-0792
+
+# Applied patch to fix CVE-2009-0196 (bug #493379).
+%patch11 -p1 -b .CVE-2009-0196
+
 # Convert manual pages to UTF-8
 from8859_1() {
 iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
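Review bot: The two new `INT_MAX` checks in `icmTable_setup_bwd` (inner hunks at -3004 and -3053) need `<limits.h>`, and this patch adds no include; confirm that icc.c or icc.h already pulls it in, otherwise the patched file does not compile. The `malloc(n * size)` → `calloc(n, size)` rewrites in the `icm*_allocate` functions only remove the multiplication overflow if the allocator behind `icp->al->calloc` checks the product before allocating, which is not visible here; for the `sizeof(char)` cases the product cannot overflow at all, so what those hunks actually buy is zero-filled buffers, and the patch header should say so. In the `ix < 0 || ix > (p->size-2)` clamps a negative coordinate is mapped to the top of the table rather than to 0, which is memory-safe but gives an interpolation weight far outside [0,1], and `(int)floor(val)` on a NaN is undefined behaviour before the clamp is reached — consider rejecting `!(val >= 0.0)` before the cast instead of relying on the integer test alone. Every inner hunk's enclosing function starts and ends outside the hunk.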
@@ -294,6 +302,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so
 %changelog
+* Wed Apr 15 2009 Tim Waugh 8.64-6
+- Applied patch to fix CVE-2009-0792 (bug #491853).
+- Applied patch to fix CVE-2009-0196 (bug #493379).
+
 * Fri Mar 20 2009 Tim Waugh 8.64-5
 - Applied patch to fix CVE-2009-0583 (bug #487742) and CVE-2009-0584 (bug #487744).