Bug#856142: ghostscript: CVE-2017-6196
Control: tags -1 + patch
Attached is the proposed debdiff (not yet uploaded, not even to a delayed
queue).
Regards,
Salvatore
diff -Nru ghostscript-9.20~dfsg/debian/changelog ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog 2017-01-25 05:26:10.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/changelog 2017-02-26 21:03:15.000000000 +0100
@@ -1,3 +1,11 @@
+ghostscript (9.20~dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Resolve image enumerator ownership on error (CVE-2017-6196)
+ (Closes: #856142)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 26 Feb 2017 21:03:15 +0100
+
ghostscript (9.20~dfsg-2) unstable; urgency=medium
* Add patch cherry-picked upstream to always print full PWG Raster
diff -Nru ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch
--- ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch 1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch 2017-02-26 21:03:15.000000000 +0100
@@ -0,0 +1,63 @@
+From ecceafe3abba2714ef9b432035fe0739d9b1a283 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Mon, 20 Feb 2017 09:45:18 +0000
+Subject: [PATCH] Resolve image enumerator ownership on error
+
+Bug #697596 "Use-After-Free in i_free_object()"
+
+There is confusion over ownership of 'penum' between gx_begin_image1(),
+gx_begin_image4() and gx_image_enum_begin() which is called from these
+two functions (and only from these two functions).
+
+The enumerator is allocated in gx_begin_image?() and freed there if
+gx_image_enum_begin() returns an error. However, gx_image_enum_begin()
+also frees the enumerator on an error; except that it doesn't always do
+so. Its a large function and there are at least 9 ways to exit it, only
+4 of which free the enumerator.
+
+This commit removes the 'free' instances from gx_image_enum_begin()
+leaving the cleanup as the responsibility of the calling code, which
+performed the allocation.
+---
+ base/gxipixel.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/base/gxipixel.c b/base/gxipixel.c
+index c41d3b885..4eb654844 100644
+--- a/base/gxipixel.c
++++ b/base/gxipixel.c
+@@ -290,7 +290,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ penum->Height = height;
+
+ if ((code = gx_image_compute_mat(pgs, pmat, &(pim->ImageMatrix), &mat)) < 0) {
+- gs_free_object(mem, penum, "gx_default_begin_image");
+ return code;
+ }
+ /* Grid fit: A common construction in postscript/PDF files is for images
+@@ -587,7 +586,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ }
+ if (masked) { /* This is imagemask. */
+ if (bps != 1 || pcs != NULL || penum->alpha || decode[0] == decode[1]) {
+- gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_rangecheck);
+ }
+ /* Initialize color entries 0 and 255. */
+@@ -607,7 +605,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+
+ spp = cs_num_components(pcs);
+ if (spp < 0) { /* Pattern not allowed */
+- gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_rangecheck);
+ }
+ if (penum->alpha)
+@@ -715,7 +712,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ bsize = ((bps > 8 ? width * 2 : width) + 15) * spp;
+ buffer = gs_alloc_bytes(mem, bsize, "image buffer");
+ if (buffer == 0) {
+- gs_free_object(mem, penum, "gx_default_begin_image");
+ return_error(gs_error_VMerror);
+ }
+ penum->bps = bps;
+--
+2.11.0
+
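Review bot: Removing the four gs_free_object() calls makes the fix depend on gx_begin_image1() and gx_begin_image4() freeing penum on every error return from gx_image_enum_begin(), and neither caller is in this hunk, so the backport to 9.20 should be confirmed against both callers (and any other in-tree caller of gx_image_enum_begin()) before upload; a caller that does not free on error turns the former double free into a leak, and one that frees only on some paths leaves a use-after-free window. The ownership contract is now implicit in the absence of frees; I would record it at the top of gx_image_enum_begin(), whose definition starts outside the hunk, e.g. `/* penum is owned by the caller: on any error return it is left allocated and the caller that allocated it must free it. */`. The `buffer == 0` exit in the last hunk now returns with penum intact, consistent with the other three exits, but anything attached to penum between those exits is presumably released by the caller's gs_free_object(penum) rather than individually — worth a check since the intermediate code is not shown. The patch file itself carries only the git header; a DEP-3 `Origin:`/`Bug:` line pointing at the upstream bug and commit would make later refreshes easier.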
diff -Nru ghostscript-9.20~dfsg/debian/patches/series ghostscript-9.20~dfsg/debian/patches/series
--- ghostscript-9.20~dfsg/debian/patches/series 2017-01-25 05:04:25.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/series 2017-02-26 21:03:15.000000000 +0100
@@ -7,6 +7,7 @@
020161008~f5c7555.patch
020161026~0726780.patch
1001_fix_openjp2_dynamic_linking.patch
+1002-Resolve-image-enumerator-ownership-on-error.patch
2001_docdir_fix_for_debian.patch
2002_gs_man_fix_debian.patch
2003_support_multiarch.patch