diff --git a/ghostscript-9.20-cve-2016-10220.patch b/ghostscript-9.20-cve-2016-10220.patch new file mode 100644 index 0000000..4a3388a --- /dev/null +++ b/ghostscript-9.20-cve-2016-10220.patch @@ -0,0 +1,50 @@ +From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Wed, 21 Dec 2016 16:54:14 +0000 +Subject: [PATCH] fix crash with bad data supplied to makeimagedevice + +Bug #697450 "Null pointer dereference in gx_device_finalize()" + +The problem here is that the code to finalise a device unconditionally +frees the icc_struct member of the device structure. However this +particular (weird) device is not setup as a normal device, probably +because its very, very ancient. Its possible for the initialisation +of the device to abort with an error before calling gs_make_mem_device() +which is where the icc_struct member gets allocated (or set to NULL). + +If that happens, then the cleanup code tries to free the device, which +calls finalize() which tries to free a garbage pointer. + +Setting the device memory to 0x00 after we allocate it means that the +icc_struct member will be NULL< and our memory manager allows for that +happily enough, which avoids the problem. +--- + base/gsdevmem.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/base/gsdevmem.c b/base/gsdevmem.c +index 97b9cf4..fe75bcc 100644 +--- a/base/gsdevmem.c ++++ b/base/gsdevmem.c +@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat, + + if (pnew == 0) + return_error(gs_error_VMerror); ++ ++ /* Bug #697450 "Null pointer dereference in gx_device_finalize()" ++ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the ++ * initialisation will fail, crucially it will fail *before* it calls ++ * gs_make_mem_device() which initialises the device. This means that the ++ * icc_struct member will be uninitialsed, but the device finalise method ++ * will unconditionally free that memory. Since its a garbage pointer, bad things happen. ++ * Apparently we do still need makeimagedevice to be available from ++ * PostScript, so in here just zero the device memory, which means that ++ * the finalise routine won't have a problem. ++ */ ++ memset(pnew, 0x00, st_device_memory.ssize); + code = gs_initialize_wordimagedevice(pnew, pmat, width, height, + colors, num_colors, word_oriented, + page_device, mem); +-- +2.9.3 + diff --git a/ghostscript.spec b/ghostscript.spec index 6ca59d4..3dd5236 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -34,6 +34,7 @@ Patch13: ghostscript-9.20-cve-2017-7207.patch Patch14: ghostscript-9.20-cve-2016-10217.patch Patch15: ghostscript-9.20-cve-2016-10218.patch Patch16: ghostscript-9.20-cve-2016-10219.patch +Patch17: ghostscript-9.20-cve-2016-10220.patch Requires: %{name}-core%{?_isa} = %{version}-%{release} Requires: %{name}-x11%{?_isa} = %{version}-%{release} @@ -171,6 +172,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib # CVE-2016-10219 (bug #1441569): %patch16 -p1 +# CVE-2016-10220 (bug #1441571): +%patch17 -p1 + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" @@ -372,6 +376,7 @@ rm -rf $RPM_BUILD_ROOT - CVE-2016-10217 (bug #1441564) - CVE-2016-10218 (bug #1441568) - CVE-2016-10219 (bug #1441569) + - CVE-2016-10220 (bug #1441571) * Thu Apr 06 2017 David Kaspar [Dee'Kej] - 9.20-8 Added security fix for CVE-2017-7207 (bug #1434497)