Added security patch for CVE-2017-7975

Resolves: #1443940
2017-05-03 14:12:30 +02:00 · 2017-05-03 14:12:30 +02:00 · ea0a5e0b8c
parent d520456782
commit ea0a5e0b8c
2 changed files with 39 additions and 1 deletions
--- a/ghostscript-9.20-cve-2017-7975.patch
+++ b/ghostscript-9.20-cve-2017-7975.patch
@ -0,0 +1,31 @@
+From 5e57e483298dae8b8d4ec9aab37a526736ac2e97 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 26 Apr 2017 22:12:14 +0100
+Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
+
+While building a Huffman table, the start and end points were susceptible
+to integer overflow.
+
+Thank you to Jiaqi for finding this issue and suggesting a patch.
+---
+ jbig2dec/jbig2_huffman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jbig2dec/jbig2_huffman.c b/jbig2dec/jbig2_huffman.c
+index 511e461..b4189a1 100644
+--- a/jbig2dec/jbig2_huffman.c
+++ b/jbig2dec/jbig2_huffman.c
+@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
+ 
+             if (PREFLEN == CURLEN) {
+                 int RANGELEN = lines[CURTEMP].RANGELEN;
+-                int start_j = CURCODE << shift;
+-                int end_j = (CURCODE + 1) << shift;
+                uint32_t start_j = CURCODE << shift;
+                uint32_t end_j = (CURCODE + 1) << shift;
+                 byte eflags = 0;
+ 
+                 if (end_j > max_j) {
+-- 
+2.9.3
+
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer
 Name: ghostscript
 Version: %{gs_ver}

-Release: 8%{?dist}
+Release: 9%{?dist}

 # Included CMap data is Redistributable, no modification permitted,
 # see http://bugzilla.redhat.com/487510
@ -37,6 +37,7 @@ Patch16: ghostscript-9.20-cve-2016-10219.patch
 Patch17: ghostscript-9.20-cve-2016-10220.patch
 Patch18: ghostscript-9.20-cve-2017-5951.patch
 Patch19: ghostscript-9.20-cve-2017-8291.patch
+Patch20: ghostscript-9.20-cve-2017-7975.patch

 Requires: %{name}-core%{?_isa} = %{version}-%{release}
 Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@ -183,6 +184,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
 # CVE-2017-8291 (bug #1446063):
 %patch19 -p1

+# CVE-2017-7975 (bug #1443940):
+%patch20 -p1
+
 # Convert manual pages to UTF-8
 from8859_1() {
        iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -379,6 +383,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so

 %changelog
+* Wed May 03 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-9
+- Added security fix for CVE-2017-7975 (bug #1443940)
+
 * Thu Apr 27 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-8
 - Added security fixes for:
  - CVE-2016-10217 (bug #1441564)