
[alpine-aports] [PATCH] main/ghostscript: security fix for CVE-2017-8291

Daniel Sabogal <dsabogalcc@gmail.com>
Message ID
<20170503174131.31939-1-dsabogalcc@gmail.com>
Sender timestamp
1493833289
DKIM signature
missing
Patch: +68 -2
---
 main/ghostscript/APKBUILD            | 10 ++++--
 main/ghostscript/CVE-2017-8291.patch | 60 ++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 main/ghostscript/CVE-2017-8291.patch

diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index ef5b1cdd10..697f2ffc73 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.21
pkgrel=1
pkgrel=2
pkgdesc="An interpreter for the PostScript language and for PDF"
url="http://ghostscript.com/"
arch="all"
@@ -15,9 +15,14 @@ source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/
	ghostscript-system-zlib.patch
	fix-sprintf.patch
	fix-alignment.patch
	CVE-2017-8291.patch
	"
builddir="$srcdir/$pkgname-$pkgver"

# secfixes:
#   9.21-r2:
#     - CVE-2017-8291

prepare() {
	cd "$builddir"

@@ -110,4 +115,5 @@ gtk() {
sha512sums="c5ff632dc9b418ebeecaae796cecbaf9ffcb84d7a1b62c1af2e6c9082f7b9f24fe9dd9f6a57bde3640f54c3036f0b99b32aac9f8ca1f489c012369ab2b72ae92  ghostscript-9.21.tar.gz
70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482  ghostscript-system-zlib.patch
beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4  fix-sprintf.patch
7c6f40217dc687df27ee6d33351fba12a737c2ae06d1c35208dc943776d8efa66c3e882f0b1b9aec566fad69fd28ce360cc243f1c1aa20834467e769889194f2  fix-alignment.patch"
7c6f40217dc687df27ee6d33351fba12a737c2ae06d1c35208dc943776d8efa66c3e882f0b1b9aec566fad69fd28ce360cc243f1c1aa20834467e769889194f2  fix-alignment.patch
c17121e564dd26033508199f3e587bfcee5589fec6e45e822c79f648c3a3b70363f04ad33538070c4d24c96e5795b277345359b66d2f360b996fca77239102b5  CVE-2017-8291.patch"
diff --git a/main/ghostscript/CVE-2017-8291.patch b/main/ghostscript/CVE-2017-8291.patch
new file mode 100644
index 0000000000..83f3b4fcc5
--- /dev/null
+++ b/main/ghostscript/CVE-2017-8291.patch
@@ -0,0 +1,60 @@
From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 27 Apr 2017 13:21:31 +0100
Subject: [PATCH] Bug 697799: have .rsdparams check its parameters

The Ghostscript internal operator .rsdparams wasn't checking the number or
type of the operands it was being passed. Do so.
---
 psi/zfrsd.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/psi/zfrsd.c b/psi/zfrsd.c
index 191107d..950588d 100644
--- a/psi/zfrsd.c
+++ b/psi/zfrsd.c
@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
     ref *pFilter;
     ref *pDecodeParms;
     int Intent = 0;
-    bool AsyncRead;
+    bool AsyncRead = false;
     ref empty_array, filter1_array, parms1_array;
     uint i;
-    int code;
+    int code = 0;
+
+    if (ref_stack_count(&o_stack) < 1)
+        return_error(gs_error_stackunderflow);
+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
+        return_error(gs_error_typecheck);
+    }
 
     make_empty_array(&empty_array, a_readonly);
-    if (dict_find_string(op, "Filter", &pFilter) > 0) {
+    if (r_has_type(op, t_dictionary)
+        && dict_find_string(op, "Filter", &pFilter) > 0) {
         if (!r_is_array(pFilter)) {
             if (!r_has_type(pFilter, t_name))
                 return_error(gs_error_typecheck);
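Review bot: The dictionary-type guard added in front of `dict_find_string(op, "Filter", &pFilter)` is repeated by hand before the `Intent` and `AsyncRead` lookups in the next hunk, so the null-operand case stays safe only as long as every present and future `dict_*` call remembers it. Evaluating it once, e.g. `const bool have_dict = r_has_type(op, t_dictionary);` right after the typecheck, and testing `have_dict` at each lookup would keep the three sites in step. A short comment such as `/* op is a parameter dictionary or null; null means "no parameters", so no dict_* call may see it */` would record why null is accepted. zrsdparams continues outside both hunks, and the lines between them are not shown, so the `DecodeParms` lookup that presumably sits there should be confirmed unreachable when `op` is null.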
@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
                 return_error(gs_error_typecheck);
         }
     }
-    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+    if (r_has_type(op, t_dictionary))
+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
     if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
         return code;
-    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
-        )
-        return code;
+    if (r_has_type(op, t_dictionary))
+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+            return code;
     push(1);
     op[-1] = *pFilter;
     if (pDecodeParms)
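Review bot: `op[-1] = *pFilter;` reads through `pFilter`, which is declared without an initializer and is no longer assigned by `dict_find_string` on the new null-operand path, so its value there comes only from code outside these hunks (presumably an `else` branch after the Filter block). The patch already gives `AsyncRead` and `code` defined initial values; doing the same for the pointers, `ref *pFilter = NULL;` and `ref *pDecodeParms = NULL;`, would turn any missed path into a deterministic fault instead of a read through an indeterminate pointer. As a style point, the nested `if (r_has_type(op, t_dictionary))` / `if ((code = dict_bool_param(...)) < 0)` pair has no braces; bracing the outer `if` would match the braced typecheck added in the first hunk and avoid a dangling-else hazard if the block is extended.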
-- 
2.9.1

-- 
2.12.2



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH 3.5-stable] main/mupdf: security fixes #6897 (CVE-2017-6060)

Daniel Sabogal <dsabogalcc@gmail.com>
Message ID
<20170503174131.31939-2-dsabogalcc@gmail.com>
In-Reply-To
<20170503174131.31939-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1493833290
DKIM signature
missing
Patch: +51 -4
---
 main/mupdf/APKBUILD            | 14 ++++++++++----
 main/mupdf/CVE-2017-6060.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 4 deletions(-)
 create mode 100644 main/mupdf/CVE-2017-6060.patch

diff --git a/main/mupdf/APKBUILD b/main/mupdf/APKBUILD
index 166d6d5075..4f6117af2c 100644
--- a/main/mupdf/APKBUILD
+++ b/main/mupdf/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Daniel Sabogal <dsabogalcc@gmail.com>
pkgname=mupdf
pkgver=1.10a
pkgrel=2
pkgrel=3
pkgdesc="A lightweight PDF and XPS viewer"
url="http://mupdf.com"
arch="all"
@@ -18,9 +18,12 @@ source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz
	openjpeg-2.1.patch
	CVE-2017-5896.patch
	CVE-2017-5991.patch
	CVE-2017-6060.patch
	"

# secfixes:
#   1.10a-r3:
#   - CVE-2017-6060
#   1.10a-r2:
#   - CVE-2017-5991
#   1.10a-r1:
@@ -86,14 +89,17 @@ md5sums="f80fbba2524d1d52f6ed09237d382411  mupdf-1.10a-source.tar.gz
8c4c5ec03c3df7e87a672c79302f6df5  shared-lib.patch
a5b85a55be0e958c16f900730ff24ad8  openjpeg-2.1.patch
64d2931655dbea67a291032221b67e10  CVE-2017-5896.patch
1c10386d9b536669c5c787b3b1585d6f  CVE-2017-5991.patch"
1c10386d9b536669c5c787b3b1585d6f  CVE-2017-5991.patch
b0a85e545d0ae1bfe8173c3034a1bab5  CVE-2017-6060.patch"
sha256sums="aacc1f36b9180f562022ef1ab3439b009369d944364f3cff8a2a898834e3a836  mupdf-1.10a-source.tar.gz
3ff3c9413c4c1005db7e41a085ce8e72ee1e956e8d1538a615f51f86f8bb1d14  shared-lib.patch
12ea2a295b62ca85298273d54b423ec8e73fb52d712bcee20bab0507a595b7a0  openjpeg-2.1.patch
23994ce0dc819b29f983328503d073595d56d75fd1001674d30275170fe96792  CVE-2017-5896.patch
c600d516648c6324069930ea6b606a0a040dfaf7a9d3d323156c5e7d80bc4eb9  CVE-2017-5991.patch"
c600d516648c6324069930ea6b606a0a040dfaf7a9d3d323156c5e7d80bc4eb9  CVE-2017-5991.patch
0dd145a8ac2c11b0cf493b39c71b39b163b0ed0d05ee8c351500670e669bbe8b  CVE-2017-6060.patch"
sha512sums="8c735963364985e74ceb38242afae555a3d2ee7c69abe3fe5c485e8613a83d996a58f231cb689a156019d431fa67d565503247d010b0a404054850483aed9fec  mupdf-1.10a-source.tar.gz
bc38cc6935ed1c5941773e0671bea25d33897c1018c30f11ff3a1ec1e583276597f521b9e526f9bd38a6f9a1e76aa3e52782995ded72a618d07811abcd7ca734  shared-lib.patch
bfb509c529e26c3d2dc827298ce3a6083640fbe3fd7491560ffb1e8f86d62bbd4a5d52721079caef8a38d6f332132b581859276000b397f9512673eedb0315a7  openjpeg-2.1.patch
e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7  CVE-2017-5896.patch
b65a9dce7ba239be788d144c27edb7528ebcf08ead4defe887a08d7879cf72ca3b172a9a33ec3f9426743f45ecb9aac17baf1b526bf5f880beb00bdd84bdc42a  CVE-2017-5991.patch"
b65a9dce7ba239be788d144c27edb7528ebcf08ead4defe887a08d7879cf72ca3b172a9a33ec3f9426743f45ecb9aac17baf1b526bf5f880beb00bdd84bdc42a  CVE-2017-5991.patch
3e3f34e448967acb7772365065234c313cb014ebe6e3c3b3bcdbed2242b32ee5589ecd749d06fb4cd5f406eb37ca431e369c96b9adb3b5367d2e5296f1ca983e  CVE-2017-6060.patch"
diff --git a/main/mupdf/CVE-2017-6060.patch b/main/mupdf/CVE-2017-6060.patch
new file mode 100644
index 0000000000..cc03f6106b
--- /dev/null
+++ b/main/mupdf/CVE-2017-6060.patch
@@ -0,0 +1,41 @@
squashed commits:
06a012a42c9884e3cd653e7826cff1ddec04eb6e
e089b2e2c1d38c5696c7dfd741e21f8f3ef22b14

From 05cb7595b61aa00a29f1609b75d280b589091356 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Tue, 11 Apr 2017 10:54:12 +0800
Subject: [PATCH] Bug 697551: Make path and line buffers of equal size.

Previously a too long line could be copied into the too short path buffer.

jstest: Stop printing bogus script lines.
---
 platform/x11/jstest_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/platform/x11/jstest_main.c b/platform/x11/jstest_main.c
index 13c3a0a3..36b32155 100644
--- a/platform/x11/jstest_main.c
+++ b/platform/x11/jstest_main.c
@@ -346,7 +346,7 @@ main(int argc, char *argv[])
 				}
 				else if (match(&line, "OPEN"))
 				{
-					char path[1024];
+					char path[LONGLINE];
 					if (file_open)
 						pdfapp_close(&gapp);
 					if (prefix)
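Review bot: Sizing `path` to `LONGLINE` bounds only the branch that copies `line` by itself; the `if (prefix)` branch that begins on the last line of this hunk presumably builds `path` from `prefix` followed by `line`, and that result can still be longer than `LONGLINE`. The copy itself lies outside the hunk, so this needs checking against the full `main()`. If it is an unbounded `sprintf` or `strcpy`, a bounded form such as `n = snprintf(path, sizeof path, "%s%s", prefix, line);` with `if (n < 0 || (size_t)n >= sizeof path)` handled as an error would make the write safe regardless of how the two buffers are sized.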
@@ -402,7 +402,7 @@ main(int argc, char *argv[])
 				}
 				else
 				{
-					fprintf(stderr, "Unmatched: %s\n", line);
+					fprintf(stderr, "Ignoring line without script statement.\n");
 				}
 			}
 			while (!feof(script));
-- 
2.12.2

-- 
2.12.2



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH] main/tiff: improve CVE-2016-10268 patch

Daniel Sabogal <dsabogalcc@gmail.com>
Message ID
<20170503174131.31939-3-dsabogalcc@gmail.com>
In-Reply-To
<20170503174131.31939-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1493833291
DKIM signature
missing
Patch: +2 -20
Ignore changes made to the ChangeLog
---
 main/tiff/APKBUILD             |  2 +-
 main/tiff/CVE-2016-10268.patch | 20 +-------------------
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 6f83689b14..ee9667c878 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -92,7 +92,7 @@ tools() {
sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc  tiff-4.0.7.tar.gz
5f7a86b6dc1c9bcf707a1fc9fc4b79cc0cfa457582d13f89cc5db1d59193db468ecc8fe976fe688ae7bb6cb451759420cd0a00d957b7c614dbe8fc762adc9734  CVE-2016-10266.patch
fccbf981daedff8e4f3b610dc86823cdb0b2f1e08be345b775bd5c7ba89ef681b3cd4e04a97832753081e9df07db0a68a0a0a38cb4f538f260c475565c204f8b  CVE-2016-10267.patch
57cd4f9aadaedac5f43d8085729ca5871a40c5bfc88fe01ec9db94162067fb9290ead0d5fba0fef1f6efc04fe2ec18a21703a314c0732be86ddfcca5275803c1  CVE-2016-10268.patch
ed173f71e159a9bb22c602d067e455843e10484173aabdc085ee718afd404f4b58f77373a3526c16ac7c91395bbb277218b7a8ca840db4e3482d715661987236  CVE-2016-10268.patch
3a807132bf751b9e3c0e5a014b6cd9c9b98f79581b2d70167af3e29797a204fe2977349052042757f9bc634faa1afbec01462a947c739fb1ee9b7249341e4879  CVE-2016-10269.patch
1db4890259028c1c29c15137e743e376e1044475b1a3bbdeb946a1b54708a85422217228aed5f5c8ddf2cf156ec75264b430d1d3aa3539b805809d69522f84b5  CVE-2016-10270.patch
001a2df978f51025771c243edee2d033c91114bdd5318a05730b910add9c70f219a848faad899f27421ca18da6ce9972013aa3ecf689cf4ea37ac5409b4b6244  CVE-2017-5225.patch
diff --git a/main/tiff/CVE-2016-10268.patch b/main/tiff/CVE-2016-10268.patch
index ce5f9be7a2..73e4552a77 100644
--- a/main/tiff/CVE-2016-10268.patch
+++ b/main/tiff/CVE-2016-10268.patch
@@ -7,27 +7,9 @@ Subject: [PATCH] * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips
 http://bugzilla.maptools.org/show_bug.cgi?id=2598

---
 ChangeLog      | 7 +++++++
 tools/tiffcp.c | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 668b66a..0f154d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2016-12-02 Even Rouault <even.rouault at spatialys.com>
 
+	* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that 
+	can cause various issues, such as buffer overflows in the library.
+	Reported by Agostino Sarubbo.
+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
 	* libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
 	TIFFReadEncodedStrip() that caused an integer division by zero.
 	Reported by Agostino Sarubbo.
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index a99c906..f294ed1 100644
--- a/tools/tiffcp.c
-- 
2.12.2



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---