Bug#856142: ghostscript: CVE-2017-6196

To: 856142@bugs.debian.org
Subject: Bug#856142: ghostscript: CVE-2017-6196
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 26 Feb 2017 21:21:02 +0100
Message-id: <[🔎] 20170226202102.xmxtkd3j4fyigjbf@lorien.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 856142@bugs.debian.org
In-reply-to: <[🔎] alpine.DEB.2.02.1702251613110.21351@jupiter.server.alteholz.net>
References: <[🔎] alpine.DEB.2.02.1702251613110.21351@jupiter.server.alteholz.net>

Control: tags -1 + patch

Attached proposed debdiff (not yet uploaded, neither to a delayed
queue).

Regards,
Salvatore

diff -Nru ghostscript-9.20~dfsg/debian/changelog ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog	2017-01-25 05:26:10.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/changelog	2017-02-26 21:03:15.000000000 +0100
@@ -1,3 +1,11 @@
+ghostscript (9.20~dfsg-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Resolve image enumerator ownership on error (CVE-2017-6196)
+    (Closes: #856142)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 26 Feb 2017 21:03:15 +0100
+
 ghostscript (9.20~dfsg-2) unstable; urgency=medium
 
   * Add patch cherry-picked upstream to always print full PWG Raster
diff -Nru ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch
--- ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch	1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/1002-Resolve-image-enumerator-ownership-on-error.patch	2017-02-26 21:03:15.000000000 +0100
@@ -0,0 +1,63 @@
+From ecceafe3abba2714ef9b432035fe0739d9b1a283 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Mon, 20 Feb 2017 09:45:18 +0000
+Subject: [PATCH] Resolve image enumerator ownership on error
+
+Bug #697596 "Use-After-Free in i_free_object()"
+
+There is confusion over ownership of 'penum' between gx_begin_image1(),
+gx_begin_image4() and gx_image_enum_begin() which is called from these
+two functions (and only from these two functions).
+
+The enumerator is allocated in gx_begin_image?() and freed there if
+gx_image_enum_begin() returns an error. However, gx_image_enum_begin()
+also frees the enumerator on an error; except that it doesn't always do
+so. Its a large function and there are at least 9 ways to exit it, only
+4 of which free the enumerator.
+
+This commit removes the 'free' instances from gx_image_enum_begin()
+leaving the cleanup as the responsibility of the calling code, which
+performed the allocation.
+---
+ base/gxipixel.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/base/gxipixel.c b/base/gxipixel.c
+index c41d3b885..4eb654844 100644
+--- a/base/gxipixel.c
++++ b/base/gxipixel.c
+@@ -290,7 +290,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+     penum->Height = height;
+ 
+     if ((code = gx_image_compute_mat(pgs, pmat, &(pim->ImageMatrix), &mat)) < 0) {
+-        gs_free_object(mem, penum, "gx_default_begin_image");
+         return code;
+     }
+     /* Grid fit: A common construction in postscript/PDF files is for images
+@@ -587,7 +586,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+     }
+     if (masked) {       /* This is imagemask. */
+         if (bps != 1 || pcs != NULL || penum->alpha || decode[0] == decode[1]) {
+-            gs_free_object(mem, penum, "gx_default_begin_image");
+             return_error(gs_error_rangecheck);
+         }
+         /* Initialize color entries 0 and 255. */
+@@ -607,7 +605,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+ 
+         spp = cs_num_components(pcs);
+         if (spp < 0) {          /* Pattern not allowed */
+-            gs_free_object(mem, penum, "gx_default_begin_image");
+             return_error(gs_error_rangecheck);
+         }
+         if (penum->alpha)
+@@ -715,7 +712,6 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+     bsize = ((bps > 8 ? width * 2 : width) + 15) * spp;
+     buffer = gs_alloc_bytes(mem, bsize, "image buffer");
+     if (buffer == 0) {
+-        gs_free_object(mem, penum, "gx_default_begin_image");
+         return_error(gs_error_VMerror);
+     }
+     penum->bps = bps;
+-- 
+2.11.0
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/series ghostscript-9.20~dfsg/debian/patches/series
--- ghostscript-9.20~dfsg/debian/patches/series	2017-01-25 05:04:25.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/series	2017-02-26 21:03:15.000000000 +0100
@@ -7,6 +7,7 @@
 020161008~f5c7555.patch
 020161026~0726780.patch
 1001_fix_openjp2_dynamic_linking.patch
+1002-Resolve-image-enumerator-ownership-on-error.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch
 2003_support_multiarch.patch

Reply to:

References:
- Bug#856142: ghostscript: CVE-2017-6196
  - From: Thorsten Alteholz <debian@alteholz.de>

Prev by Date: Bug#855961: Cups PPD Update authentication requested
Next by Date: Processed: Re: Bug#856142: ghostscript: CVE-2017-6196
Previous by thread: Bug#856142: ghostscript: CVE-2017-6196
Next by thread: Processed: Re: Bug#856142: ghostscript: CVE-2017-6196
Index(es):
- Date
- Thread