diff --git a/ghostscript-9.20-cve-2017-7207.patch b/ghostscript-9.20-cve-2017-7207.patch new file mode 100644 index 0000000..ebe83fe --- /dev/null +++ b/ghostscript-9.20-cve-2017-7207.patch @@ -0,0 +1,33 @@ +From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Mon, 20 Mar 2017 09:34:11 +0000 +Subject: [PATCH] Ensure a device has raster memory, before trying to read it. + +Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()" + +This is only possible by abusing/mis-using Ghostscript-specific +language extensions, so cannot happen in a general PostScript program. + +Nevertheless, Ghostscript should not crash. So this commit checks the +memory device to see if raster memory has been allocated, before trying +to read from it. +--- + base/gdevmem.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/base/gdevmem.c b/base/gdevmem.c +index afd05bd..d52d684 100644 +--- a/base/gdevmem.c ++++ b/base/gdevmem.c +@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, + GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE; + return_error(gs_error_rangecheck); + } ++ if (mdev->line_ptrs == 0x00) ++ return_error(gs_error_rangecheck); + if ((w <= 0) | (h <= 0)) { + if ((w | h) < 0) + return_error(gs_error_rangecheck); +-- +2.9.3 + diff --git a/ghostscript.spec b/ghostscript.spec index 490f640..d2e0dea 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 7%{?dist} +Release: 8%{?dist} # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 @@ -30,6 +30,7 @@ Patch7: ghostscript-9.20-cve-2016-7978.patch Patch8: ghostscript-9.20-cve-2016-8602.patch Patch9: ghostscript-9.20-cve-2016-7977.patch Patch12: ghostscript-9.20-cve-2016-9601.patch +Patch13: ghostscript-9.20-cve-2017-7207.patch Requires: %{name}-core%{?_isa} = %{version}-%{release} Requires: %{name}-x11%{?_isa} = %{version}-%{release} @@ -155,6 +156,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib # Squash signed/unsigned warnings in MSVC jbig2 build (bug #1410021): %patch12 -p1 +# Check for null-pointer dereference in mem_get_bits_rectangle() (bug #1434497): +%patch13 -p1 + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" @@ -351,6 +355,9 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Thu Apr 06 2017 David Kaspar [Dee'Kej] - 9.20-8 + Added security fix for CVE-2017-7207 (bug #1434497) + * Fri Feb 10 2017 Fedora Release Engineering - 9.20-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild