Bug#839118: ghostscript: diff for NMU version 9.19~dfsg-3.1
Control: tags 839118 + patch
Control: tags 839260 + patch
Control: tags 839841 + patch
Control: tags 839845 + patch
Dear maintainer,
I've prepared now an NMU debdiff for ghostscript as well for the
version in unstable. Due to further investigation needed for #840691
I'm not yet uploading.
After updating ghostscript the same problems seem visible in unstable
for evince and zathura, and I'm not yet sure that the patches just
uncovered a bug in libspectre. Help in debugging this would be
welcome.
Regards,
Salvatore
diff -Nru ghostscript-9.19~dfsg/debian/changelog ghostscript-9.19~dfsg/debian/changelog
--- ghostscript-9.19~dfsg/debian/changelog 2016-09-22 12:08:56.000000000 +0200
+++ ghostscript-9.19~dfsg/debian/changelog 2016-10-16 20:40:03.000000000 +0200
@@ -1,3 +1,21 @@
+ghostscript (9.19~dfsg-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2013-5653: Information disclosure through getenv, filenameforall
+ (Closes: #839118)
+ * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
+ shell command execution (Closes: #839260)
+ * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
+ remote file disclosure (Closes: #839841)
+ * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
+ remote code execution (Closes: #839845)
+ * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
+ execution (Closes: #839846)
+ * CVE-2016-8602: check for sufficient params in .sethalftone5 and param
+ types (Closes: #840451)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Oct 2016 20:40:03 +0200
+
ghostscript (9.19~dfsg-3) unstable; urgency=medium
* Avoid merging same-licensed sections in copyright_hints.
diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2013-5653.patch ghostscript-9.19~dfsg/debian/patches/CVE-2013-5653.patch
--- ghostscript-9.19~dfsg/debian/patches/CVE-2013-5653.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.19~dfsg/debian/patches/CVE-2013-5653.patch 2016-10-16 20:40:03.000000000 +0200
@@ -0,0 +1,79 @@
+Description: CVE-2013-5653: Information disclosure through getenv, filenameforall
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=694724
+Bug-Debian: https://bugs.debian.org/839118
+Forwarded: not-needed
+Author: Chris Liddell <chris.liddell@artifex.com>
+Last-Update: 2016-10-16
+---
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index fa33d88..99888ac 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2021,6 +2021,7 @@ readonly def
+
+ /.locksafe {
+ .locksafe_userparams
++ systemdict /getenv {pop //false} put
+ % setpagedevice has the side effect of clearing the page, but
+ % we will just document that. Using setpagedevice keeps the device
+ % properties and pagedevice .LockSafetyParams in agreement even
+@@ -2039,6 +2040,7 @@ readonly def
+ %%
+ /.locksafeglobal {
+ .locksafe_userparams
++ systemdict /getenv {pop //false} put
+ % setpagedevice has the side effect of clearing the page, but
+ % we will just document that. Using setpagedevice keeps the device
+ % properties and pagedevice .LockSafetyParams in agreement even
+diff --git a/psi/zfile.c b/psi/zfile.c
+index 320ecd5..0b9f299 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p)
+
+ if (len < devlen)
+ return_error(gs_error_rangecheck); /* not even room for device len */
+- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+- len - devlen);
+- if (code == ~(uint) 0) { /* all done */
+- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
+- return o_pop_estack;
+- } else if (code > len) /* overran string */
+- return_error(gs_error_rangecheck);
+- else {
+- push(1);
+- ref_assign(op, pscratch);
+- r_set_size(op, code + devlen);
+- push_op_estack(file_continue); /* come again */
+- *++esp = pscratch[2]; /* proc */
+- return o_push_estack;
+- }
++
++ do {
++ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
++ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
++ len - devlen);
++ if (code == ~(uint) 0) { /* all done */
++ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
++ return o_pop_estack;
++ } else if (code > len) /* overran string */
++ return_error(gs_error_rangecheck);
++ else if (iodev != iodev_default(imemory)
++ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
++ push(1);
++ ref_assign(op, pscratch);
++ r_set_size(op, code + devlen);
++ push_op_estack(file_continue); /* come again */
++ *++esp = pscratch[2]; /* proc */
++ return o_push_estack;
++ }
++ } while(1);
+ }
+ /* Cleanup procedure for enumerating files */
+ static int
+--
+2.1.4
+
diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-7976.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-7976.patch
--- ghostscript-9.19~dfsg/debian/patches/CVE-2016-7976.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-7976.patch 2016-10-16 20:40:03.000000000 +0200
@@ -0,0 +1,154 @@
+Description: CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote shell command execution
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697178
+Bug-Debian: https://bugs.debian.org/839260
+Forwarded: not-needed
+Author: Chris Liddell <chris.liddell@artifex.com>
+Last-Update: 2016-10-16
+---
+
+--- a/base/gsicc_manage.c
++++ b/base/gsicc_manage.c
+@@ -1104,10 +1104,12 @@ gsicc_open_search(const char* pname, int
+ }
+
+ /* First just try it like it is */
+- str = sfopen(pname, "r", mem_gc);
+- if (str != NULL) {
+- *strp = str;
+- return 0;
++ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
++ str = sfopen(pname, "r", mem_gc);
++ if (str != NULL) {
++ *strp = str;
++ return 0;
++ }
+ }
+
+ /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -183,7 +183,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
+ mem->gs_lib_ctx = NULL;
+ return -1;
+ }
+-
++ pio->client_check_file_permission = NULL;
+ gp_get_realtime(pio->real_time_0);
+
+ return 0;
+@@ -333,3 +333,13 @@ void errflush(const gs_memory_t *mem)
+ fflush(mem->gs_lib_ctx->fstderr);
+ /* else nothing to flush */
+ }
++
++int
++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
++{
++ int code = 0;
++ if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
++ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
++ }
++ return code;
++}
+--- a/base/gslibctx.h
++++ b/base/gslibctx.h
+@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_
+ # define gs_font_dir_DEFINED
+ typedef struct gs_font_dir_s gs_font_dir;
+ #endif
++
++typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
++
+ typedef struct gs_lib_ctx_s
+ {
+ gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */
+@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s
+ struct gx_io_device_s **io_device_table;
+ int io_device_table_count;
+ int io_device_table_size;
++ client_check_file_permission_t client_check_file_permission;
+ /* Define the default value of AccurateScreens that affects setscreen
+ and setcolorscreen. */
+ bool screen_accurate_screens;
+@@ -124,6 +128,9 @@ int
+ gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str,
+ int *list_str_len);
+
++int
++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
++
+ #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
+ #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
+
+--- a/psi/imain.c
++++ b/psi/imain.c
+@@ -57,6 +57,7 @@
+ #include "ivmspace.h"
+ #include "idisp.h" /* for setting display device callback */
+ #include "iplugin.h"
++#include "zfile.h"
+
+ #ifdef PACIFY_VALGRIND
+ #include "valgrind.h"
+@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst)
+ "the_gs_name_table");
+ if (code < 0)
+ return code;
++ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
+ }
+ code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */
+ if (code < 0)
+--- a/psi/int.mak
++++ b/psi/int.mak
+@@ -2023,7 +2023,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $
+ $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
+ $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
+ $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
+- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\
++ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\
+ $(INT_MAK) $(MAKEDIRS)
+ $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
+
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p,
+ return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
+ }
+
++/* z_check_file_permissions: see zfile.h for explanation
++ */
++int
++z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
++{
++ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
++ gs_parsed_file_name_t pname;
++ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
++ int code = gs_parse_file_name(&pname, fname, len, imemory);
++ if (code < 0)
++ return code;
++
++ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
++ return gs_error_invalidfileaccess;
++
++ code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
++ return code;
++}
++
+ /* <name_string> <access_string> file <file> */
+ int /* exported for zsysvm.c */
+ zfile(i_ctx_t *i_ctx_p)
+--- a/psi/zfile.h
++++ b/psi/zfile.h
+@@ -22,4 +22,11 @@
+ int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
+ const char *file_access, stream **ps, gs_memory_t *mem);
+
++/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
++ * to allow applying the above permissions checks when opening file(s) from
++ * the graphics library
++ */
++int
++z_check_file_permissions(gs_memory_t *mem, const char *fname,
++ const int len, const char *permission);
+ #endif
diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-7977.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-7977.patch
--- ghostscript-9.19~dfsg/debian/patches/CVE-2016-7977.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-7977.patch 2016-10-16 20:40:03.000000000 +0200
@@ -0,0 +1,27 @@
+Description: CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing remote file disclosure
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697169
+Bug-Debian: https://bugs.debian.org/839841
+Forwarded: not-needed
+Author: Chris Liddell <chris.liddell@artifex.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-16
+---
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index b6caea2..2c6c958 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx
+ gs_main_instance *minst = get_minst_from_memory(mem);
+ int code;
+
++ if (i_ctx_p && starting_arg_file)
++ i_ctx_p->starting_arg_file = false;
++
+ /* when starting arg files (@ files) iodev_default is not yet set */
+ if (iodev == 0)
+ iodev = (gx_io_device *)gx_io_device_table[0];
+--
+2.9.3
+
diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-7978.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-7978.patch
--- ghostscript-9.19~dfsg/debian/patches/CVE-2016-7978.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-7978.patch 2016-10-16 20:40:03.000000000 +0200
@@ -0,0 +1,27 @@
+Description: CVE-2016-7978: reference leak in .setdevice allows use-after-free and remote code execution
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697179
+Bug-Debian: https://bugs.debian.org/839845
+Forwarded: not-needed
+Author: Chris Liddell <chris.liddell@artifex.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-16
+---
+ base/gsdevice.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 778106f..aea986a 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem,
+ dev->memory = mem;
+ dev->retained = !internal;
+ rc_init(dev, mem, (internal ? 0 : 1));
++ rc_increment(dev->icc_struct);
+ }
+
+ void
+--
+2.1.4
+
diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-7979.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-7979.patch
--- ghostscript-9.19~dfsg/debian/patches/CVE-2016-7979.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-7979.patch 2016-10-16 20:40:03.000000000 +0200
@@ -0,0 +1,40 @@
+Description: CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code execution
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697190
+Bug-Debian: https://bugs.debian.org/839846
+Forwarded: not-needed
+Author: Ken Sharp <ken.sharp@artifex.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-16
+---
+ psi/zdscpars.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/psi/zdscpars.c b/psi/zdscpars.c
+index c05e154..9b4b605 100644
+--- a/psi/zdscpars.c
++++ b/psi/zdscpars.c
+@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
+ ref local_ref;
+ int code;
+ os_ptr const op = osp;
+- dict * const pdict = op->value.pdict;
+- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
+- dsc_data_t * const data =
+- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
++ dict *pdict;
++ gs_memory_t *mem;
++ dsc_data_t *data;
+
++ check_read_type(*op, t_dictionary);
++
++ pdict = op->value.pdict;
++ mem = (gs_memory_t *)dict_memory(pdict);
++
++ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+ if (!data)
+ return_error(gs_error_VMerror);
+ data->document_level = 0;
+--
+2.1.4
+
diff -Nru ghostscript-9.19~dfsg/debian/patches/CVE-2016-8602.patch ghostscript-9.19~dfsg/debian/patches/CVE-2016-8602.patch
--- ghostscript-9.19~dfsg/debian/patches/CVE-2016-8602.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.19~dfsg/debian/patches/CVE-2016-8602.patch 2016-10-16 20:40:03.000000000 +0200
@@ -0,0 +1,38 @@
+Description: CVE-2016-8602: check for sufficient params in .sethalftone5 and param types
+Origin: backport, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697203
+Bug-Debian: https://bugs.debian.org/840451
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-16
+---
+ psi/zht2.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/psi/zht2.c
++++ b/psi/zht2.c
+@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
+ gs_memory_t *mem;
+ uint edepth = ref_stack_count(&e_stack);
+ int npop = 2;
+- int dict_enum = dict_first(op);
++ int dict_enum;
+ ref rvalue[2];
+ int cname, colorant_number;
+ byte * pname;
+ uint name_size;
+ int halftonetype, type = 0;
+ gs_state *pgs = igs;
+- int space_index = r_space_index(op - 1);
++ int space_index;
++
++ if (ref_stack_count(&o_stack) < 2)
++ return_error(gs_error_stackunderflow);
++ check_type(*op, t_dictionary);
++ check_type(*(op - 1), t_dictionary);
++
++ dict_enum = dict_first(op);
++ space_index = r_space_index(op - 1);
+
+ mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
+
diff -Nru ghostscript-9.19~dfsg/debian/patches/series ghostscript-9.19~dfsg/debian/patches/series
--- ghostscript-9.19~dfsg/debian/patches/series 2016-08-11 13:20:32.000000000 +0200
+++ ghostscript-9.19~dfsg/debian/patches/series 2016-10-16 20:40:03.000000000 +0200
@@ -9,3 +9,9 @@
2007_suggest_install_ghostscript-doc_in_code.patch
2008_mention_ghostscript-x_in_docs.patch
2010_add_build_timestamp_setting.patch
+CVE-2013-5653.patch
+CVE-2016-7976.patch
+CVE-2016-7977.patch
+CVE-2016-7978.patch
+CVE-2016-7979.patch
+CVE-2016-8602.patch
Reply to: