Date: Monday, August 12, 2019 @ 20:31:48 Author: andyrtr Revision: 359775
upgpkg: ghostscript 9.27-2 apply fix for CVE-2019-10216 Added: ghostscript/trunk/CVE-2019-10216.diff Modified: ghostscript/trunk/PKGBUILD ---------------------+ CVE-2019-10216.diff | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 10 +++++++--- 2 files changed, 57 insertions(+), 3 deletions(-) Added: CVE-2019-10216.diff =================================================================== --- CVE-2019-10216.diff (rev 0) +++ CVE-2019-10216.diff 2019-08-12 20:31:48 UTC (rev 359775) @@ -0,0 +1,50 @@ +From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <[email protected]> +Date: Fri, 2 Aug 2019 15:18:26 +0100 +Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly + +--- + Resource/Init/gs_type1.ps | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index 6c7735b..a039cce 100644 +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -118,25 +118,25 @@ + ( to be the same as glyph: ) print 1 index //== exec } if + 3 index exch 3 index .forceput + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname +- } ++ }executeonly + {pop} ifelse +- } forall ++ } executeonly forall + pop pop +- } ++ } executeonly + { + pop pop pop + } ifelse +- } ++ } executeonly + { + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname + pop pop + } ifelse +- } forall ++ } executeonly forall + 3 1 roll pop pop +- } if ++ } executeonly if + pop + dup /.AGLprocessed~GS //true .forceput +- } if ++ } executeonly if + + %% We need to excute the C .buildfont1 in a stopped context so that, if there + %% are errors we can put the stack back sanely and exit. Otherwise callers won't +-- +2.9.1 + + Modified: PKGBUILD =================================================================== --- PKGBUILD 2019-08-12 19:22:25 UTC (rev 359774) +++ PKGBUILD 2019-08-12 20:31:48 UTC (rev 359775) @@ -3,7 +3,7 @@ pkgbase=ghostscript pkgname=(ghostscript ghostxps ghostpcl) pkgver=9.27 -pkgrel=1 +pkgrel=2 pkgdesc="An interpreter for the PostScript language" url="https://www.ghostscript.com/"; arch=('x86_64') @@ -12,12 +12,16 @@ 'libtiff' 'lcms2' 'dbus' 'libpaper' 'ijs' 'openjpeg2' 'libidn') makedepends=('gtk3' 'gnutls' 'glu' 'freeglut') # https://github.com/ArtifexSoftware/ghostpdl-downloads/releases -source=(https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostpdl-${pkgver}.tar.xz) -sha512sums=('bbdecbde3bebb0e22eb8976fe1e91d94b8d585aa72f9a2475ee58598de223ae31bc467eb518690dd05a4a4e1382cde7a682b854c324e98585ffff2250fde29c6') +source=(https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostpdl-${pkgver}.tar.xz + CVE-2019-10216.diff) +sha512sums=('bbdecbde3bebb0e22eb8976fe1e91d94b8d585aa72f9a2475ee58598de223ae31bc467eb518690dd05a4a4e1382cde7a682b854c324e98585ffff2250fde29c6' + '71e8aa1573cecde1e7432ce43ffec719615ee86da0d30cbc27be1ff39a738570768037c8af10b968e07b1aa1af82ed6fa61045d5f9cf207e201177eb77560ca4') prepare() { cd ghostpdl-${pkgver} + patch -Np1 -i ../CVE-2019-10216.diff + # force it to use system-libs rm -r cups/libs expat ijs jbig2dec jpeg lcms2mt libpng openjpeg tiff zlib # using tree freetype because of https://bugs.archlinux.org/task/56849
