Author: ken Date: Wed Aug 14 18:09:11 2019 New Revision: 3981 Log: This week's ghostscript CVE fix.
Added: trunk/ghostscript/ghostscript-9.27-upstream_fixes-1.patch Added: trunk/ghostscript/ghostscript-9.27-upstream_fixes-1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ trunk/ghostscript/ghostscript-9.27-upstream_fixes-1.patch Wed Aug 14 18:09:11 2019 (r3981) @@ -0,0 +1,155 @@ +Submitted By: Ken Moffat <ken at linuxfromscratch dot org> +Date: 2019-08-14 +Initial Package Version: 9.27 +Upstream Status: Applied +Origin: Cherry-picked by debian security. +Description: Fixes CVE-2019-10216 + +The .buildfont1 procedure in Ghostscript does not properly restrict +privileged calls, which could result in bypass of file system +restrictions of the dSAFER sandbox. + +Debian patches 020190410~06c9207.patch and 020190802~5b85ddd.patch. + +Description: Fix regression resolving bounding box of font glyphs + Re-introduce over/underflow workaround + . + Commit 355434f4b1bbe8c4f98cafad5a6868aa2f0eaae1 reverted a workaround + that compensated for over/underflow in Freetype's TTF hinting + (related to freedom and projection vector calculations). + That problem no longer exists in recent Freetype releases, + and the workaround actually caused other issues to occur with hinting. + . + What wasn't obvious was + that the workaround also protected over/underflow issues + relating to the unitsPerEm value. + . + So this re-instates the workaround, + but bases the decision on how the final scale is distributing + between the Freetype "size" and the Freetype matrix + on the unitsPerEm value + (this is relevant for all font types + as for non-TTF font types + Freetype derives the unitsPerEm from the FontMatrix for PS type fonts). +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=06c9207 +Author: Chris Liddell <chris.lidd...@artifex.com> +Forwarded: yes +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=700952 +Bug: http://bugs.ghostscript.com/show_bug.cgi?id=700875 +Bug-Debian: https://bugs.debian.org/927429 +Last-Update: 2019-04-20 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/base/fapi_ft.c ++++ b/base/fapi_ft.c +@@ -974,13 +974,19 @@ + */ + static void + transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp, +- FT_Fixed * a_x_scale, FT_Fixed * a_y_scale) ++ FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM) + { + double scalex, scaley, fact = 1.0; + double factx = 1.0, facty = 1.0; + FT_Matrix ftscale_mat; + FT_UInt xres; + FT_UInt yres; ++ /* We have to account for units_per_EM as we fiddle with the scaling ++ * in order to avoid underflow (mostly in the TTF hinting code), but ++ * we also want to clamp to a lower value (512, admittedly arrived at ++ * via experimentation) in order to preserve the fidelity of the outlines. ++ */ ++ double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0; + + scalex = hypot((double)a_transform->xx, (double)a_transform->xy); + scaley = hypot((double)a_transform->yx, (double)a_transform->yy); +@@ -1067,10 +1073,25 @@ + scalex *= fact; + } + +- ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex); +- ftscale_mat.xy = (FT_Fixed) 0; +- ftscale_mat.yx = (FT_Fixed) 0; +- ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley); ++ /* see above */ ++ fact = 1.0; ++ while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0) ++ && (scalex > 0.0 && scaley > 0.0)) { ++ if (scaley < yres) { ++ xres >>= 1; ++ yres >>= 1; ++ fact *= 2.0; ++ } ++ else { ++ scalex /= 1.25; ++ scaley /= 1.25; ++ } ++ } ++ ++ ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact); ++ ftscale_mat.xy = 0; ++ ftscale_mat.yx = 0; ++ ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact); + + FT_Matrix_Multiply(a_transform, &ftscale_mat); + memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix)); +@@ -1315,7 +1336,7 @@ + * transform. + */ + transform_decompose(&face->ft_transform, &face->horz_res, +- &face->vert_res, &face->width, &face->height); ++ &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM); + + ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height, + face->horz_res, face->vert_res); +From: Chris Liddell <chris.lidd...@artifex.com> +Date: Fri, 2 Aug 2019 15:18:26 +0100 +Subject: Bug 701394: protect use of .forceput with executeonly +Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19a8420a1bd2d5529325be35d78e94234 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10216 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701394 + +--- + Resource/Init/gs_type1.ps | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index 6c7735bc0cc3..a039ccee3590 100644 +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -118,25 +118,25 @@ + ( to be the same as glyph: ) print 1 index //== exec } if + 3 index exch 3 index .forceput + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname +- } ++ }executeonly + {pop} ifelse +- } forall ++ } executeonly forall + pop pop +- } ++ } executeonly + { + pop pop pop + } ifelse +- } ++ } executeonly + { + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname + pop pop + } ifelse +- } forall ++ } executeonly forall + 3 1 roll pop pop +- } if ++ } executeonly if + pop + dup /.AGLprocessed~GS //true .forceput +- } if ++ } executeonly if + + %% We need to excute the C .buildfont1 in a stopped context so that, if there + %% are errors we can put the stack back sanely and exit. Otherwise callers won't +-- +2.20.1 + -- http://lists.linuxfromscratch.org/listinfo/patches FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page