Re: Bug#840691: ghostscript and evince/libspectre problem
- To: 840691@bugs.debian.org, 840691-submitter@bugs.debian.org
- Cc: Moritz Muehlenhoff <jmm@inutil.org>, Debian Security Team <team@security.debian.org>, debian-lts@lists.debian.org, ef@math.uni-bonn.de
- Subject: Re: Bug#840691: ghostscript and evince/libspectre problem
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 27 Oct 2016 13:12:10 +0200
- Message-id: <20161027111210.GA6844@lorien.valinor.li>
- Mail-followup-to: 840691@bugs.debian.org, 840691-submitter@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Debian Security Team <team@security.debian.org>, debian-lts@lists.debian.org, ef@math.uni-bonn.de
- In-reply-to: <20161027105356.GA27238@lorien.valinor.li>
- References: <20161025195401.ha6xrmrewgphvi6l@eldamar.local> <20161027030954.GC14240@miami.connexer.com> <20161027065439.GA6772@inutil.org> <20161027103143.GF14240@miami.connexer.com> <20161027103516.GA12383@inutil.org> <20161027104012.GG14240@miami.connexer.com> <20161027105356.GA27238@lorien.valinor.li>
Hi,
On Thu, Oct 27, 2016 at 12:53:56PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Thu, Oct 27, 2016 at 06:40:12AM -0400, Roberto C. Sánchez wrote:
> > On Thu, Oct 27, 2016 at 12:35:16PM +0200, Moritz Muehlenhoff wrote:
> > > On Thu, Oct 27, 2016 at 06:31:43AM -0400, Roberto C. Sánchez wrote:
> > > > On Thu, Oct 27, 2016 at 08:54:39AM +0200, Moritz Muehlenhoff wrote:
> > > > >
> > > > > Salvatore mentioned that the same bug occurs when unstable has the security
> > > > > patches merged (which hasn't happened so far :-/), so this needs to be reported
> > > > > upstream.
> > > > >
> > > > Would that be to ghostscript upstream? I guess that with seeing the
> > > > evince problem in Jessie with both ghostscript 9.06~dfsg-2+deb8u2 and
> > > > 9.06~dfsg-2+deb8u3 I wasn't certain that the fault is completely with
> > > > ghostscript.
> > >
> > > I haven't debugged this myself, but my guess is that libspectre relies/relied
> > > on the insecure ghostscript behaviour which got patched with the security
> > > fixes...
> > >
> > OK. That makes sense. Thanks for clarifying.
>
> Edgar Fuss has now posted where the bug actually seems to be. I'm
> currently building ghostscript with that.
>
> @Roberto: note, +deb8u1 -> +deb8u3 to see the regression, not the
> intermittent +deb8u2.
Packages with that patch added are now as well on
https://people.debian.org/~carnil/tmp/ghostscript/
Please test those if possible for you.
Regards,
Salvatore
diff -Nru ghostscript-9.06~dfsg/debian/changelog ghostscript-9.06~dfsg/debian/changelog
--- ghostscript-9.06~dfsg/debian/changelog 2016-10-11 19:35:21.000000000 +0200
+++ ghostscript-9.06~dfsg/debian/changelog 2016-10-27 12:51:34.000000000 +0200
@@ -1,3 +1,13 @@
+ghostscript (9.06~dfsg-2+deb8u4) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add 840691-Fix-.locksafe.patch patch.
+ Fixes regression seen with zathura and evince. Fix .locksafe. We need to
+ .forceput the defintion of getenv into systemdict.
+ Thanks to Edgar Fuß <ef@math.uni-bonn.de> (Closes: #840691)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 27 Oct 2016 12:51:34 +0200
+
ghostscript (9.06~dfsg-2+deb8u3) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
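Review bot: the new +deb8u4 entry lists only 840691-Fix-.locksafe.patch, but the same upload also edits debian/patches/CVE-2016-8602.patch (its upstream mail header is dropped), and that change should get its own changelog line. In the same entry, "defintion" should read "definition".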
diff -Nru ghostscript-9.06~dfsg/debian/patches/840691-Fix-.locksafe.patch ghostscript-9.06~dfsg/debian/patches/840691-Fix-.locksafe.patch
--- ghostscript-9.06~dfsg/debian/patches/840691-Fix-.locksafe.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.06~dfsg/debian/patches/840691-Fix-.locksafe.patch 2016-10-27 12:51:34.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Fix .locksafe
+ Apparently we need to .forceput the definition of getenve into
+ systemdict, at least when running GSView 5.0.
+ .
+ Discovered when trying to investigate a customer bug report using
+ GSView 5.
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99e331527d541a8f01ad5455c4eb2aabd67281a6
+Bug-Debian: https://bugs.debian.org/840691
+Forwarded: not-needed
+Author: Ken Sharp <ken.sharp@artifex.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-27
+
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2011,7 +2011,7 @@ readonly def
+ >> setuserparams
+ }
+ if
+- systemdict /getenv {pop //false} put
++ systemdict /getenv {pop //false} .forceput
+ % setpagedevice has the side effect of clearing the page, but
+ % we will just document that. Using setpagedevice keeps the device
+ % properties and pagedevice .LockSafetyParams in agreement even
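Review bot: the Description header says "getenve" where the changed line in gs_init.ps defines getenv, and it names only GSView 5.0 as the trigger while the changelog credits this patch with fixing the zathura and evince regression; correct the spelling and add a sentence tying the upstream description to the Debian bug. Since .forceput writes to a dictionary regardless of its access attributes, it is also worth confirming in the full file how the enclosing procedure is defined, because the few context lines here do not show it.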
diff -Nru ghostscript-9.06~dfsg/debian/patches/CVE-2016-8602.patch ghostscript-9.06~dfsg/debian/patches/CVE-2016-8602.patch
--- ghostscript-9.06~dfsg/debian/patches/CVE-2016-8602.patch 2016-10-11 19:35:21.000000000 +0200
+++ ghostscript-9.06~dfsg/debian/patches/CVE-2016-8602.patch 2016-10-27 12:51:34.000000000 +0200
@@ -5,13 +5,6 @@
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-10-11
-
-From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Sat, 8 Oct 2016 16:10:27 +0100
-Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5
-
-and param types
---
psi/zht2.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
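Review bot: the lines removed from the CVE-2016-8602.patch header carry the upstream commit id, the upstream author (Chris Liddell) and the reference to Bug 697203, while the header that remains visible has Author set to Salvatore Bonaccorso. Unless an Origin: field above the visible context already records the commit, move that information into Origin: and Author: fields instead of deleting it. The cleanup is also unrelated to #840691 and would be easier to audit as a separate change.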
diff -Nru ghostscript-9.06~dfsg/debian/patches/series ghostscript-9.06~dfsg/debian/patches/series
--- ghostscript-9.06~dfsg/debian/patches/series 2016-10-11 19:35:21.000000000 +0200
+++ ghostscript-9.06~dfsg/debian/patches/series 2016-10-27 12:51:34.000000000 +0200
@@ -20,3 +20,4 @@
CVE-2016-7978.patch
CVE-2016-7979.patch
CVE-2016-8602.patch
+840691-Fix-.locksafe.patch