
Bug#897188: marked as done (stretch-pu: package ghostscript/9.20~dfsg-3.2+deb9u2)



Your message dated Sat, 14 Jul 2018 11:21:20 +0100
with message-id <1531563680.2095.30.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.5
has caused the Debian Bug report #897188,
regarding stretch-pu: package ghostscript/9.20~dfsg-3.2+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
897188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897188
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

I would like to propose the following ghostscript update via a stretch
point release. It addresses two CVEs which do not warrant a DSA on their
own but would still be good to be addressed in stable.

It addresses:
 - CVE-2018-10194 / 896069. Triggering the poc was not possible here
   but the fix consists of doing an additional check in the
   set_text_distance function.
 - CVE-2016-10317, testing happened with the fixed version against the
   provided poc. The fix requires a previous prerequisite change.

Given
https://lists.debian.org/debian-devel-announce/2018/04/msg00007.html I
still preferred to get an explicit ack from a peer before the upload.

Regards,
Salvatore
diff -Nru ghostscript-9.20~dfsg/debian/changelog ghostscript-9.20~dfsg/debian/changelog
--- ghostscript-9.20~dfsg/debian/changelog	2017-09-28 21:47:33.000000000 +0200
+++ ghostscript-9.20~dfsg/debian/changelog	2018-04-29 10:58:15.000000000 +0200
@@ -1,3 +1,14 @@
+ghostscript (9.20~dfsg-3.2+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Segfault with fuzzing file in gxht_thresh_image_init
+  * Buffer overflow in fill_threshold_buffer (CVE-2016-10317)
+    (Closes: #860869)
+  * pdfwrite - Guard against trying to output an infinite number
+    (CVE-2018-10194) (Closes: #896069)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 29 Apr 2018 10:58:15 +0200
+
 ghostscript (9.20~dfsg-3.2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
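Review bot: the first bullet, `* Segfault with fuzzing file in gxht_thresh_image_init`, is the only entry without a reference, while the next two cite a CVE and a Debian bug; add the upstream bug number (696398, from the patch header) and state that it is the prerequisite for the CVE-2016-10317 fix, so a reader of the changelog can see why a change without a CVE is part of a stable update.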
diff -Nru ghostscript-9.20~dfsg/debian/patches/Fix-Bug-696398-Segfault-with-fuzzing-file.patch ghostscript-9.20~dfsg/debian/patches/Fix-Bug-696398-Segfault-with-fuzzing-file.patch
--- ghostscript-9.20~dfsg/debian/patches/Fix-Bug-696398-Segfault-with-fuzzing-file.patch	1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/Fix-Bug-696398-Segfault-with-fuzzing-file.patch	2018-04-29 10:58:15.000000000 +0200
@@ -0,0 +1,29 @@
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Wed, 19 Jul 2017 22:05:33 -0700
+Subject: Fix Bug 696398: Segfault with fuzzing file.
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;h=983e56cb679768fe5a048fbb33a43259efb9afbf
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=696398
+
+Oveflow of integer caused later failure even if allocation of the
+ht_buffer succeeded.  Detect overflow, return error.
+---
+ base/gxht_thresh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/base/gxht_thresh.c b/base/gxht_thresh.c
+index 35f8e3f57..3fb840213 100644
+--- a/base/gxht_thresh.c
++++ b/base/gxht_thresh.c
+@@ -711,6 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+            space */
+         max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+                                             (float) penum->Height);
++        if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))
++            return -1;         /* overflow */
++
+         penum->ht_buffer =
+                         gs_alloc_bytes(penum->memory,
+                            penum->ht_stride * max_height * spp_out,
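Review bot: the guard `if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))` skips the overflow test entirely when max_height is zero or negative, so such a value still flows into `gs_alloc_bytes(penum->memory, penum->ht_stride * max_height * spp_out, ...)`; reject max_height <= 0 outright (the 697459 patch that follows does exactly this). The left-hand product `penum->ht_stride * spp_out` is also evaluated unchecked before the comparison, so it can itself wrap before being compared against `max_int / max_height`; check the factors one at a time (`penum->ht_stride > max_int / max_height / spp_out`, with spp_out known to be positive) or do the arithmetic in a wider type. A bare `return -1` is less informative than a gs_error_* code, though it matches the surrounding style.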
+-- 
+2.17.0
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch ghostscript-9.20~dfsg/debian/patches/Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
--- ghostscript-9.20~dfsg/debian/patches/Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch	1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch	2018-04-29 10:58:15.000000000 +0200
@@ -0,0 +1,78 @@
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Tue, 21 Nov 2017 12:48:54 -0800
+Subject: Fix bug 697459 Buffer overflow in fill_threshold_buffer
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;h=362ec9daadb9992b0def3520cd1dc6fa52edd1c4
+Bug-Debian: https://bugs.debian.org/860869
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697459
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10317
+
+There was an overflow check for ht_buffer size, but none for the larger
+threshold_buffer. Note that this file didn't fail on Windows because the
+combination of the ht_buffer and the size of the (miscalculated due to
+overflow) threshold_buffer would have exceeded the 2Gb limit.
+---
+ base/gxht_thresh.c | 13 ++++++++++---
+ base/gxipixel.c    |  2 +-
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/base/gxht_thresh.c b/base/gxht_thresh.c
+index 3fb840213..726861685 100644
+--- a/base/gxht_thresh.c
++++ b/base/gxht_thresh.c
+@@ -711,7 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+            space */
+         max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+                                             (float) penum->Height);
+-        if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))
++        if (max_height <= 0)
++            return -1;		/* shouldn't happen, but check so we don't div by zero */
++        if (penum->ht_stride * spp_out > max_int / max_height)
+             return -1;         /* overflow */
+ 
+         penum->ht_buffer =
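Review bot: splitting the test into `if (max_height <= 0) return -1;` and the overflow check closes the gap left by the previous patch, but the product `penum->ht_stride * spp_out` on the left of `> max_int / max_height` is still computed unchecked and can wrap before the comparison; compare against `max_int / max_height / spp_out` instead (valid once spp_out is known to be positive), or use a wider type for the product. Minor: the comment on the new `max_height <= 0` line is tab-indented while the neighbouring `/* overflow */` comment uses spaces.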
+@@ -734,6 +736,11 @@ gxht_thresh_image_init(gx_image_enum *penum)
+            Also allow a 15 sample over run during the execution.  */
+         temp = (int) ceil((float) ((dev_width + 15.0) + 15.0)/16.0);
+         penum->line_size = bitmap_raster(temp * 16 * 8);  /* The stride */
++        if (penum->line_size > max_int / max_height) {
++            gs_free_object(penum->memory, penum->ht_buffer, "gxht_thresh");
++            penum->ht_buffer = NULL;
++            return -1;         /* thresh_buffer size overflow */
++        }
+         penum->line = gs_alloc_bytes(penum->memory, penum->line_size * spp_out,
+                                      "gxht_thresh");
+         penum->thresh_buffer = gs_alloc_bytes(penum->memory,
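Review bot: the new guard bounds `penum->line_size * max_height` only; the allocation directly below it, `gs_alloc_bytes(penum->memory, penum->line_size * spp_out, ...)`, multiplies by `spp_out` instead, and that product is not covered, and if the `thresh_buffer` size argument (cut off at the end of the hunk) carries the same `spp_out` factor it is unchecked as well. Fold spp_out into the bound, e.g. `penum->line_size > max_int / max_height / spp_out`. The failure path correctly frees and NULLs the `ht_buffer` allocated earlier in the function, which the earlier `return -1` paths did not need since nothing had been allocated yet; the result of the `penum->line` allocation is not checked within the visible lines, so confirm the lines after the hunk handle a NULL return.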
+@@ -754,7 +761,7 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ }
+ 
+ static void
+-fill_threshhold_buffer(byte *dest_strip, byte *src_strip, int src_width,
++fill_threshold_buffer(byte *dest_strip, byte *src_strip, int src_width,
+                        int left_offset, int left_width, int num_tiles,
+                        int right_width)
+ {
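Review bot: the `fill_threshhold_buffer` to `fill_threshold_buffer` rename is cosmetic and safe because the function is `static`, but it is the kind of change usually trimmed from a stable update; keeping it is defensible because it leaves the patch identical to upstream 362ec9daadb9992b0def3520cd1dc6fa52edd1c4, which simplifies future rebases, and that reasoning is worth a line in the patch header.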
+@@ -908,7 +915,7 @@ gxht_thresh_planes(gx_image_enum *penum, fixed xrun,
+                        to update with stride */
+                     position = contone_stride * k;
+                     /* Tile into the 128 bit aligned threshold strip */
+-                    fill_threshhold_buffer(&(thresh_align[position]),
++                    fill_threshold_buffer(&(thresh_align[position]),
+                                            thresh_tile, thresh_width, dx, left_width,
+                                            num_full_tiles, right_tile_width);
+                 }
+diff --git a/base/gxipixel.c b/base/gxipixel.c
+index edd40c52d..cb4f02a09 100644
+--- a/base/gxipixel.c
++++ b/base/gxipixel.c
+@@ -758,7 +758,7 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+     penum->memory = mem;
+     penum->buffer = buffer;
+     penum->buffer_size = bsize;
+-    penum->line = 0;
++    penum->line = NULL;
+     penum->icc_link = NULL;
+     penum->color_cache = NULL;
+     penum->ht_buffer = NULL;
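Review bot: `penum->line = 0;` to `penum->line = NULL;` is a type-correctness change only (the two are equivalent for a pointer in C), so nothing functional depends on this hunk; it is fine to keep for parity with the upstream commit, but it could equally be dropped to keep the stable diff minimal, and the same consistency argument as for the rename hunk above applies.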
+-- 
+2.17.0
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/pdfwrite-Guard-against-trying-to-output-an-infinite-.patch ghostscript-9.20~dfsg/debian/patches/pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
--- ghostscript-9.20~dfsg/debian/patches/pdfwrite-Guard-against-trying-to-output-an-infinite-.patch	1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.20~dfsg/debian/patches/pdfwrite-Guard-against-trying-to-output-an-infinite-.patch	2018-04-29 10:58:15.000000000 +0200
@@ -0,0 +1,46 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 18 Apr 2018 15:46:32 +0100
+Subject: pdfwrite - Guard against trying to output an infinite number
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
+Bug-Debian: https://bugs.debian.org/896069
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699255
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10194
+
+Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
+
+The file uses an enormous parameter to xyxhow, causing an overflow in
+the calculation of text positioning (value > 1e39).
+
+Since this is basically a nonsense value, and PostScript only supports
+real values up to 1e38, this patch follows the same approach as for
+a degenerate CTM, and treats it as 0.
+
+Adobe Acrobat Distiller throws a limitcheck error, so we could do that
+instead if this approach proves to be a problem.
+---
+ devices/vector/gdevpdts.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
+index 848ad781f..172fe6bc3 100644
+--- a/devices/vector/gdevpdts.c
++++ b/devices/vector/gdevpdts.c
+@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
+ static int
+ set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
+ {
+-    int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++    int code;
+     double rounded;
+ 
++    if (dx > 1e38 || dy > 1e38)
++        code = gs_error_undefinedresult;
++    else
++        code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++
+     if (code == gs_error_undefinedresult) {
+         /* The CTM is degenerate.
+            Can't know the distance in user space.
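Review bot: `if (dx > 1e38 || dy > 1e38)` only catches large positive values; an equally enormous negative displacement, or a NaN (which compares false against everything), passes straight into `gs_distance_transform_inverse` and is not guarded by this check. Test the magnitude, `fabs(dx) > 1e38 || fabs(dy) > 1e38`, and treat NaN the same way. The existing comment below the check, `/* The CTM is degenerate.`, now also covers the out-of-range case and should say so, since the commit message itself notes that a limitcheck error would be the alternative handling.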
+-- 
+2.17.0
+
diff -Nru ghostscript-9.20~dfsg/debian/patches/series ghostscript-9.20~dfsg/debian/patches/series
--- ghostscript-9.20~dfsg/debian/patches/series	2017-09-28 21:47:33.000000000 +0200
+++ ghostscript-9.20~dfsg/debian/patches/series	2018-04-29 10:58:15.000000000 +0200
@@ -21,6 +21,9 @@
 Bug-698056-make-bounds-check-in-gx_ttfReader__Read-m.patch
 Bug-698063-Bounds-check-Ins_JMPR.patch
 Bug-698158-prevent-trying-to-reloc-a-freed-object.patch
+Fix-Bug-696398-Segfault-with-fuzzing-file.patch
+Fix-bug-697459-Buffer-overflow-in-fill_threshold_buf.patch
+pdfwrite-Guard-against-trying-to-output-an-infinite-.patch
 1001_fix_openjp2_dynamic_linking.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch
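Review bot: the order of the three new entries is not arbitrary: `Fix-bug-697459-...` rewrites the guard that `Fix-Bug-696398-...` introduces (its `index 3fb840213..726861685` line names the blob the first patch produces), so the two must stay in this sequence; a `#` comment in series, which quilt accepts, would keep a later reordering from breaking patch application.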

--- End Message ---
--- Begin Message ---
Version: 9.5

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
