Hello community,

here is the log from the commit of package ghostscript for openSUSE:Factory checked in at 2017-06-17 10:19:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ghostscript (Old)
 and      /work/SRC/openSUSE:Factory/.ghostscript.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghostscript" Sat Jun 17 10:19:25 2017 rev:28 rq:501328 version:9.21 Changes: -------- --- /work/SRC/openSUSE:Factory/ghostscript/ghostscript-mini.changes 2017-05-03 15:53:53.168212350 +0200 +++ /work/SRC/openSUSE:Factory/.ghostscript.new/ghostscript-mini.changes 2017-06-17 10:19:27.241673334 +0200 @@ -1,0 +2,10 @@ +Fri Jun 2 09:12:45 UTC 2017 - [email protected] + +- CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle + see https://bugs.ghostscript.com/show_bug.cgi?id=697676 + (bsc#1030263) +- CVE-2017-9216.patch fixes a NULL pointer dereference in jbig2_huffman_get + see https://bugs.ghostscript.com/show_bug.cgi?id=697934 + (bsc#1040643) + +------------------------------------------------------------------- ghostscript.changes: same change New: ---- CVE-2017-7207.patch CVE-2017-9216.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghostscript-mini.spec ++++++ --- /var/tmp/diff_new_pack.tffyyE/_old 2017-06-17 10:19:28.397510289 +0200 +++ /var/tmp/diff_new_pack.tffyyE/_new 2017-06-17 10:19:28.401509725 +0200 @@ -88,6 +88,15 @@ # and https://bugs.ghostscript.com/show_bug.cgi?id=697799 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453 Patch102: CVE-2017-8291.patch +# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function +# see https://bugs.ghostscript.com/show_bug.cgi?id=697934 +# and https://bugzilla.suse.com/show_bug.cgi?id=1040643 +Patch103: CVE-2017-9216.patch +# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle +# see https://bugs.ghostscript.com/show_bug.cgi?id=697676 +# and https://bugzilla.suse.com/show_bug.cgi?id=1030263 +Patch104: CVE-2017-7207.patch + # RPM dependencies: Conflicts: ghostscript Conflicts: ghostscript-x11 
@@ -183,7 +192,14 @@ # and https://bugs.ghostscript.com/show_bug.cgi?id=697799 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453 %patch102 -p1 -b .CVE-2017-8291.orig - +# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function +# see https://bugs.ghostscript.com/show_bug.cgi?id=697934 +# and https://bugzilla.suse.com/show_bug.cgi?id=1040643 +%patch103 -p1 -b .CVE-2017-9216.orig +# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle +# see https://bugs.ghostscript.com/show_bug.cgi?id=697676 +# and https://bugzilla.suse.com/show_bug.cgi?id=1030263 +%patch104 -p1 -b .CVE-2017-7207.orig %build # Derive build timestamp from latest changelog entry export SOURCE_DATE_EPOCH=$(date -d "$(head -n 2 %{_sourcedir}/%{name}.changes | tail -n 1 | cut -d- -f1 )" +%s) ++++++ ghostscript.spec ++++++ --- /var/tmp/diff_new_pack.tffyyE/_old 2017-06-17 10:19:28.433505211 +0200 +++ /var/tmp/diff_new_pack.tffyyE/_new 2017-06-17 10:19:28.437504647 +0200 @@ -108,6 +108,15 @@ # and https://bugs.ghostscript.com/show_bug.cgi?id=697799 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453 Patch102: CVE-2017-8291.patch +# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function +# see https://bugs.ghostscript.com/show_bug.cgi?id=697934 +# and https://bugzilla.suse.com/show_bug.cgi?id=1040643 +Patch103: CVE-2017-9216.patch +# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle +# see https://bugs.ghostscript.com/show_bug.cgi?id=697676 +# and https://bugzilla.suse.com/show_bug.cgi?id=1030263 +Patch104: CVE-2017-7207.patch + # RPM dependencies: # Additional RPM Provides of the ghostscript-library packages in openSUSE 11.4 from # "rpm -q --provides ghostscript-library" and "rpm -q --provides ghostscript-x11": 
@@ -234,7 +243,6 @@ %package x11 Summary: X11 library for Ghostscript -Group: Productivity/Publishing/PS # Require the exact matching version-release of the ghostscript main-package because # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault) # because all Ghostscript software is built from one same Ghostscript source tar ball @@ -242,6 +250,7 @@ # The exact matching version-release of the ghostscript main-package is available # on the same package repository where the ghostscript-x11 sub-package is because # all are built simulaneously from the same Ghostscript source package: +Group: Productivity/Publishing/PS Requires: ghostscript = %{version}-%{release} # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have # an unversioned "Provides: ghostscript" and for RPM this means that both @@ -319,6 +328,14 @@ # and https://bugs.ghostscript.com/show_bug.cgi?id=697799 # and https://bugzilla.opensuse.org/show_bug.cgi?id=1036453 %patch102 -p1 -b .CVE-2017-8291.orig +# Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function +# see https://bugs.ghostscript.com/show_bug.cgi?id=697934 +# and https://bugzilla.suse.com/show_bug.cgi?id=1040643 +%patch103 -p1 -b .CVE-2017-9216.orig +# Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle +# see https://bugs.ghostscript.com/show_bug.cgi?id=697676 +# and https://bugzilla.suse.com/show_bug.cgi?id=1030263 +%patch104 -p1 -b .CVE-2017-7207.orig %build # Derive build timestamp from latest changelog entry ++++++ CVE-2017-7207.patch ++++++ >From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001 
From: Ken Sharp <[email protected]> Date: Mon, 20 Mar 2017 09:34:11 +0000 Subject: [PATCH] Ensure a device has raster memory, before trying to read it. Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()" This is only possible by abusing/mis-using Ghostscript-specific language extensions, so cannot happen in a general PostScript program. Nevertheless, Ghostscript should not crash. So this commit checks the memory device to see if raster memory has been allocated, before trying to read from it. --- base/gdevmem.c | 2 ++ 1 file changed, 2 insertions(+) Index: ghostscript-9.15/base/gdevmem.c =================================================================== --- ghostscript-9.15.orig/base/gdevmem.c 2014-09-22 12:17:33.000000000 +0200 +++ ghostscript-9.15/base/gdevmem.c 2017-04-28 10:55:17.479490151 +0200 @@ -590,6 +590,8 @@ mem_get_bits_rectangle(gx_device * dev, GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE; return_error(gs_error_rangecheck); } + if (mdev->line_ptrs == 0x00) + return_error(gs_error_rangecheck); if ((w <= 0) | (h <= 0)) { if ((w | h) < 0) return_error(gs_error_rangecheck); ++++++ CVE-2017-9216.patch ++++++ >From 3ebffb1d96ba0cacec23016eccb4047dab365853 Mon Sep 17 00:00:00 2001 From: Shailesh Mistry <[email protected]> Date: Wed, 24 May 2017 19:29:57 +0100 Subject: [PATCH] Bug 697934: Fix SEGV due to error code being ignored. The return code from jbig2_decode_text_region was being ignored so the code continued to try and parse the invalid file using incomplete/empty structures. --- jbig2dec/jbig2_symbol_dict.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c index 3cc17316f..672425d98 100644 --- a/jbig2dec/jbig2_symbol_dict.c +++ b/jbig2dec/jbig2_symbol_dict.c 
@@ -493,8 +493,10 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, } /* multiple symbols are handled as a text region */ - jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts, + code = jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts, n_refagg_dicts, image, data, size, GR_stats, as, ws); + if (code < 0) + goto cleanup4; SDNEWSYMS->glyphs[NSYMSDECODED] = image; refagg_dicts[0]->glyphs[params->SDNUMINSYMS + NSYMSDECODED] = jbig2_image_clone(ctx, SDNEWSYMS->glyphs[NSYMSDECODED]); -- 2.12.3
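Review bot: In the ghostscript-mini.spec %prep hunk (@@ -183,7 +192,14 @@), the blank line that separated the last %patch line from %build is removed, so "%patch104 -p1 -b .CVE-2017-7207.orig" now runs straight into "%build". Keep an empty line after %patch104 so the section boundary stays visible.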
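Review bot: The Patch103 and Patch104 comment blocks added to both spec files (@@ -88,6 +88,15 @@ and @@ -108,6 +108,15 @@) are worded inconsistently: "Patch103 fixes NULL pointer dereference in the jbig2_huffman_get function" against "Patch104 CVE-2017-7207.patch fixes a NULL pointer dereference in mem_get_bits_rectangle". They also point at bugzilla.suse.com while the Patch102 comment directly above uses bugzilla.opensuse.org. Use one wording pattern and one bug tracker host for all of these comments, which makes later audits of which CVE maps to which patch number easier.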
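Review bot: In the ghostscript.spec "%package x11" hunks (@@ -234,7 +243,6 @@ and @@ -242,6 +250,7 @@), the "Group: Productivity/Publishing/PS" tag is moved from directly under Summary to the end of the comment block that explains the versioned Requires. That comment now sits above Group instead of above "Requires: ghostscript = %{version}-%{release}", which it documents. The move is unrelated to the two CVE fixes and is not mentioned in the .changes entry. Either drop it from this submission or leave Group under Summary so the comment stays attached to the Requires line.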
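Review bot: CVE-2017-7207.patch carries the header "Index: ghostscript-9.15/base/gdevmem.c" while the package is at version 9.21, so the hunk at @@ -590,6 +590,8 @@ was generated against an older tree. With -p1 the directory name is stripped, so it can still apply, but it should be refreshed against the 9.21 sources so it applies without offset or fuzz and the guard demonstrably lands between the options check and the "(w <= 0) | (h <= 0)" test. As a smaller style point, "mdev->line_ptrs == 0x00" compares a pointer against a hex literal; NULL would read more clearly, although deviating from the upstream commit text has its own cost.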
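Review bot: In CVE-2017-9216.patch (@@ -493,8 +493,10 @@ in jbig2_decode_symbol_dict), the new "if (code < 0) goto cleanup4;" exits before "SDNEWSYMS->glyphs[NSYMSDECODED] = image;" runs, so at that point "image" is not yet owned by the symbol dictionary. The hunk does not show what cleanup4 releases, so please confirm that this path frees "image" and the refagg_dicts allocations, otherwise a malformed file trades the crash for a leak on every failed decode. The declaration of "code" is also outside the visible context and should be checked when backporting to a tree that differs from upstream.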
