Mail archive
alpine-aports

[alpine-aports] [PATCH] main/ghostscript: security fix for CVE-2017-8291

From: Daniel Sabogal <dsabogalcc_at_gmail.com>
Date: Wed, 3 May 2017 13:41:29 -0400

---
 main/ghostscript/APKBUILD            | 10 ++++--
 main/ghostscript/CVE-2017-8291.patch | 60 ++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 main/ghostscript/CVE-2017-8291.patch
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index ef5b1cdd10..697f2ffc73 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
_at_@ -2,7 +2,7 @@
 # Maintainer: Cameron Banta <cbanta_at_gmail.com>
 pkgname=ghostscript
 pkgver=9.21
-pkgrel=1
+pkgrel=2
 pkgdesc="An interpreter for the PostScript language and for PDF"
 url="http://ghostscript.com/"
 arch="all"
_at_@ -15,9 +15,14 @@ source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/
 	ghostscript-system-zlib.patch
 	fix-sprintf.patch
 	fix-alignment.patch
+	CVE-2017-8291.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+#   9.21-r2:
+#     - CVE-2017-8291
+
 prepare() {
 	cd "$builddir"
 
_at_@ -110,4 +115,5 @@ gtk() {
 sha512sums="c5ff632dc9b418ebeecaae796cecbaf9ffcb84d7a1b62c1af2e6c9082f7b9f24fe9dd9f6a57bde3640f54c3036f0b99b32aac9f8ca1f489c012369ab2b72ae92  ghostscript-9.21.tar.gz
 70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482  ghostscript-system-zlib.patch
 beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4  fix-sprintf.patch
-7c6f40217dc687df27ee6d33351fba12a737c2ae06d1c35208dc943776d8efa66c3e882f0b1b9aec566fad69fd28ce360cc243f1c1aa20834467e769889194f2  fix-alignment.patch"
+7c6f40217dc687df27ee6d33351fba12a737c2ae06d1c35208dc943776d8efa66c3e882f0b1b9aec566fad69fd28ce360cc243f1c1aa20834467e769889194f2  fix-alignment.patch
+c17121e564dd26033508199f3e587bfcee5589fec6e45e822c79f648c3a3b70363f04ad33538070c4d24c96e5795b277345359b66d2f360b996fca77239102b5  CVE-2017-8291.patch"
diff --git a/main/ghostscript/CVE-2017-8291.patch b/main/ghostscript/CVE-2017-8291.patch
new file mode 100644
index 0000000000..83f3b4fcc5
--- /dev/null
+++ b/main/ghostscript/CVE-2017-8291.patch
_at_@ -0,0 +1,60 @@
+From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell_at_artifex.com>
+Date: Thu, 27 Apr 2017 13:21:31 +0100
+Subject: [PATCH] Bug 697799: have .rsdparams check its parameters
+
+The Ghostscript internal operator .rsdparams wasn't checking the number or
+type of the operands it was being passed. Do so.
+---
+ psi/zfrsd.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/psi/zfrsd.c b/psi/zfrsd.c
+index 191107d..950588d 100644
+--- a/psi/zfrsd.c
++++ b/psi/zfrsd.c
+_at_@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+     ref *pFilter;
+     ref *pDecodeParms;
+     int Intent = 0;
+-    bool AsyncRead;
++    bool AsyncRead = false;
+     ref empty_array, filter1_array, parms1_array;
+     uint i;
+-    int code;
++    int code = 0;
++
++    if (ref_stack_count(&o_stack) < 1)
++        return_error(gs_error_stackunderflow);
++    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++        return_error(gs_error_typecheck);
++    }
+ 
+     make_empty_array(&empty_array, a_readonly);
+-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
++    if (r_has_type(op, t_dictionary)
++        && dict_find_string(op, "Filter", &pFilter) > 0) {
+         if (!r_is_array(pFilter)) {
+             if (!r_has_type(pFilter, t_name))
+                 return_error(gs_error_typecheck);
+_at_@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+                 return_error(gs_error_typecheck);
+         }
+     }
+-    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++    if (r_has_type(op, t_dictionary))
++        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+     if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
+         return code;
+-    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+-        )
+-        return code;
++    if (r_has_type(op, t_dictionary))
++        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++            return code;
+     push(1);
+     op[-1] = *pFilter;
+     if (pDecodeParms)
+-- 
+2.9.1
+
-- 
2.12.2
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Wed May 03 2017 - 13:41:29 GMT