Security patch for CVE-2018-10194 added

Resolves: #1569821
2018-04-23 14:38:16 +02:00 · 2018-04-23 14:38:16 +02:00 · be4ed7849b
commit be4ed7849b
parent 447d7797fe
2 changed files with 51 additions and 1 deletions
--- a/ghostscript-9.22-CVE-2018-10194.patch
+++ b/ghostscript-9.22-CVE-2018-10194.patch
@ -0,0 +1,43 @@
+From 7654b90e2b0025076adec33a16a1b18639fb2d63 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 18 Apr 2018 15:46:32 +0100
+Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number
+
+Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
+
+The file uses an enormous parameter to xyxhow, causing an overflow in
+the calculation of text positioning (value > 1e39).
+
+Since this is basically a nonsense value, and PostScript only supports
+real values up to 1e38, this patch follows the same approach as for
+a degenerate CTM, and treats it as 0.
+
+Adobe Acrobat Distiller throws a limitcheck error, so we could do that
+instead if this approach proves to be a problem.
+---
+ devices/vector/gdevpdts.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
+index f2807a8..a0b9d7e 100644
+--- a/devices/vector/gdevpdts.c
+++ b/devices/vector/gdevpdts.c
+@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
+ static int
+ set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
+ {
+-    int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
+    int code;
+     double rounded;
+ 
+    if (dx > 1e38 || dy > 1e38)
+        code = gs_error_undefinedresult;
+    else
+        code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
+
+     if (code == gs_error_undefinedresult) {
+         /* The CTM is degenerate.
+            Can't know the distance in user space.
+-- 
+2.14.3
+
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer
 Name: ghostscript
 Version: %{gs_ver}

-Release: 3%{?dist}
+Release: 4%{?dist}

 # Included CMap data is Redistributable, no modification permitted,
 # see http://bugzilla.redhat.com/487510
@ -19,6 +19,7 @@ Patch2: ghostscript-9.20-run-dvipdf-securely.patch
 # Restore flushpage (xdvi also needs it)
 # http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=19ebb5f1f497b6f2d50fe13d17d3e627dfb6c868
 Patch3: ghostscript-9.22-restore-flushpage.patch
+Patch4: ghostscript-9.22-CVE-2018-10194.patch

 Requires: %{name}-core%{?_isa} = %{version}-%{release}
 Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@ -117,6 +118,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
 # Restore flushpage
 %patch3 -p1

+# Fix for CVE-2018-10194:
+#%patch4 -p1
+
 # Convert manual pages to UTF-8
 from8859_1() {
        iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -293,6 +297,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so

 %changelog
+* Mon Apr 23 2018 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.22-4
+- Fix for CVE-2018-10194 added (bug #1569821)
+
 * Mon Dec 04 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.22-2
 - Fontmap.GS lookup path for Helvetica-Narrow-Bold-Oblique font fixed (bug #1517518)