Bug#859132: marked as done (unblock: ghostscript/9.20~dfsg-3)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 30 Mar 2017 19:09:00 +0000
with message-id <8e3ced6f-efd4-d3b4-7b33-fe1e3dca7a0b@thykier.net>
and subject line Re: Bug#859132: unblock: ghostscript/9.20~dfsg-3
has caused the Debian Bug report #859132,
regarding unblock: ghostscript/9.20~dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859132
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: ghostscript/9.20~dfsg-3
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Thu, 30 Mar 2017 20:14:33 +0200
• Message-id: <[🔎] 149089767340.24846.11905895442182593278.reportbug@eldamar.local>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package ghostscript

The recent upload to unstable of ghostscript fixed CVE-2017-7207, a
NULL pointer dereference vulnerability in mem_get_bits_rectangle
function.

https://security-tracker.debian.org/tracker/CVE-2017-7207

Tracked as #858350 in the BTS (note the changelog did mistyped and
actually referenced the upstream bugzilla bugnumber, but apart the
typo the bug is closed).

unblock ghostscript/9.20~dfsg-3

Regards,
Salvatore

diff -Nru ghostscript-9.20~dfsg/debian/changelog ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog	2017-01-25 05:26:10.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/changelog	2017-03-21 17:20:00.000000000 +0100
@@ -1,3 +1,10 @@
+ghostscript (9.20~dfsg-3) unstable; urgency=medium
+
+  * Fix NULL pointer dereference in mem_get_bits_rectangle().
+    Closes: Bug#697676 (CVE-2017-7207). Thanks to Salvatore Bonaccorso.
+
+ -- Jonas Smedegaard <dr@jones.dk>  Tue, 21 Mar 2017 17:20:00 +0100
+
 ghostscript (9.20~dfsg-2) unstable; urgency=medium
 
   * Add patch cherry-picked upstream to always print full PWG Raster
diff -Nru ghostscript-9.20~dfsg/debian/patches/020170317~309eca4.patch ghostscript-9.20~dfsg/debian/patches/020170317~309eca4.patch
--- ghostscript-9.20~dfsg/debian/patches/020170317~309eca4.patch	1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/020170317~309eca4.patch	2017-03-21 17:18:22.000000000 +0100
@@ -0,0 +1,29 @@
+Description: Fix NULL pointer dereference in mem_get_bits_rectangle()
+ Ensure a device has raster memory, before trying to read it.
+ .
+ This is only possible by abusing/mis-using Ghostscript-specific
+ language extensions, so cannot happen in a general PostScript program.
+ .
+ Nevertheless, Ghostscript should not crash. So this commit checks the
+ memory device to see if raster memory has been allocated, before trying
+ to read from it.
+Origin: backport, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=309eca4
+Author: Ken Sharp <ken.sharp@artifex.com>
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697676
+Bug-Debian: https://bugs.debian.org/858350
+Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2017-7207
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7207
+Forwarded: yes
+Last-Update: 2017-03-21
+
+--- a/base/gdevmem.c
++++ b/base/gdevmem.c
+@@ -605,6 +605,8 @@
+             GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+         return_error(gs_error_rangecheck);
+     }
++    if (mdev->line_ptrs == 0x00)
++        return_error(gs_error_rangecheck);
+     if ((w <= 0) | (h <= 0)) {
+         if ((w | h) < 0)
+             return_error(gs_error_rangecheck);
diff -Nru ghostscript-9.20~dfsg/debian/patches/series ghostscript-9.20~dfsg/debian/patches/series
--- ghostscript-9.20~dfsg/debian/patches/series	2017-01-25 05:04:25.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/series	2017-03-21 17:14:17.000000000 +0100
@@ -6,6 +6,7 @@
 020161005~875a009.patch
 020161008~f5c7555.patch
 020161026~0726780.patch
+020170317~309eca4.patch
 1001_fix_openjp2_dynamic_linking.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch

--- End Message ---

--- Begin Message ---

• To: Salvatore Bonaccorso <carnil@debian.org>, 859132-done@bugs.debian.org
• Subject: Re: Bug#859132: unblock: ghostscript/9.20~dfsg-3
• From: Niels Thykier <niels@thykier.net>
• Date: Thu, 30 Mar 2017 19:09:00 +0000
• Message-id: <8e3ced6f-efd4-d3b4-7b33-fe1e3dca7a0b@thykier.net>
• In-reply-to: <[🔎] 149089767340.24846.11905895442182593278.reportbug@eldamar.local>
• References: <[🔎] 149089767340.24846.11905895442182593278.reportbug@eldamar.local>

Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package ghostscript
> 
> The recent upload to unstable of ghostscript fixed CVE-2017-7207, a
> NULL pointer dereference vulnerability in mem_get_bits_rectangle
> function.
> 
> https://security-tracker.debian.org/tracker/CVE-2017-7207
> 
> Tracked as #858350 in the BTS (note the changelog did mistyped and
> actually referenced the upstream bugzilla bugnumber, but apart the
> typo the bug is closed).
> 
> unblock ghostscript/9.20~dfsg-3
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels

--- End Message ---