Fixes remotecode exec CVE with ghostscript #128

Closed
9 changes: 5 additions & 4 deletions print/ghostscript-gpl/Makefile
@@ -1,8 +1,8 @@
# $NetBSD: Makefile,v 1.37 2017/11/23 17:19:43 wiz Exp $
# $NetBSD: Makefile,v 1.42 2018/04/17 22:29:33 wiz Exp $

DISTNAME= ghostscript-${GS_VERSION}
PKGNAME= ${DISTNAME:S/ghostscript/ghostscript-gpl/}
PKGREVISION= 20
PKGREVISION= 25
CATEGORIES= print
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=ghostscript/}
MASTER_SITES+= https://ghostscript.com/releases/
@@ -76,8 +76,9 @@ CONFIGURE_ENV.HPUX+= ac_cv_func_fopen64=no
CFLAGS+= -fPIC
.endif

.if ${OPSYS} == "SunOS" && !empty(CC_VERSION:Mgcc-[6-9]*)
CPPFLAGS+= -D_XOPEN_SOURCE=600 -D__EXTENSIONS__
# Not ideal but too many files hardcode _XOPEN_SOURCE=500.
.if !empty(CC_VERSION:Mgcc-[6-9]*) || !empty(PKGSRC_COMPILER:Mclang)
CPPFLAGS.SunOS+= -D_XOPEN_SOURCE=600 -D__EXTENSIONS__
.endif

# Interim IRIX build fix, the real problem is that fontconfig.pc doesn't
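Review bot: The `CC_VERSION:Mgcc-[6-9]*` test in the SunOS conditional matches only single-digit major versions, so a GCC 10 or later toolchain would not get `-D_XOPEN_SOURCE=600 -D__EXTENSIONS__`. If the flags are needed for every GCC from 6 onwards, add a second alternative such as `|| !empty(CC_VERSION:Mgcc-[1-9][0-9]*)`. The comment `# Not ideal but too many files hardcode _XOPEN_SOURCE=500.` could also say which compilers need the override, so the condition can be revisited later.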
4 changes: 2 additions & 2 deletions print/ghostscript-gpl/buildlink3.mk
@@ -1,12 +1,12 @@
# $NetBSD: buildlink3.mk,v 1.10 2017/11/23 17:19:43 wiz Exp $
# $NetBSD: buildlink3.mk,v 1.14 2018/04/17 22:29:33 wiz Exp $

BUILDLINK_TREE+= ghostscript-gpl

.if !defined(GHOSTSCRIPT_GPL_BUILDLINK3_MK)
GHOSTSCRIPT_GPL_BUILDLINK3_MK:=

BUILDLINK_API_DEPENDS.ghostscript-gpl+= ghostscript-gpl>=8.63nb1
BUILDLINK_ABI_DEPENDS.ghostscript-gpl+= ghostscript-gpl>=9.06nb20
BUILDLINK_ABI_DEPENDS.ghostscript-gpl+= ghostscript-gpl>=9.06nb24
BUILDLINK_PKGSRCDIR.ghostscript-gpl?= ../../print/ghostscript-gpl

.include "../../graphics/png/buildlink3.mk"
5 changes: 3 additions & 2 deletions print/ghostscript-gpl/distinfo
@@ -16,7 +16,9 @@ SHA1 (patch-CVE-2016-10220) = 6edfa87948ff0f9412a5509efb98bf2d063a5951
SHA1 (patch-CVE-2017-5951) = a4af8e561b9f5a6a330fbc2f915257bf5ba3cb2a
SHA1 (patch-CVE-2017-6196) = 311d9236dd5abcd48ae0f412bf481e105b6207dc
SHA1 (patch-CVE-2017-7207) = 31f4a73b49b52942385eaa3c8cf2a94b5bbde6df
SHA1 (patch-af) = 9644b665deee3e11a4510f9edf4c35ebabc192ea
SHA1 (patch-CVE-2017-8291_eqproc) = 542fdd73dbf631f63851090a53836d3326643fe4
SHA1 (patch-CVE-2017-8291_rsdparams) = 93ba6dc53bcb0d0b46c39d4fc96d712f8a0ff86c
SHA1 (patch-af) = ade76a99fdf5a1c5b05caf7641c4833fde612fd7
SHA1 (patch-ah) = 7548f6f78b8029febec044bc11214f9d6674c9d3
SHA1 (patch-ai) = 3962a3acac1d4537dbbe3fc3b205aba87387d485
SHA1 (patch-aj) = 620d921210b5c0efec0a84e33bc416e4ab4bd11c
@@ -30,4 +32,3 @@ SHA1 (patch-base_gsmalloc.c) = 891bdcef49e0f2c435744eaf7bbcd31f5dbcbaba
SHA1 (patch-base_memento.c) = d30cfb9285a0268e743c90cdf831674eaa24789b
SHA1 (patch-cups_colord.h) = ab5c4bfa7184d2c1756697b87e7046645bdc2bc2
SHA1 (patch-openjpeg_libopenjpeg_opj_malloc_h) = 24f15c55cd7961afc1254f6c4bccd6d0c2a5e737
SHA1 (patch-psi_zfile.c) = 24626fed9b161a77d9ab43233bad4c8391120b16
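--- a/print/ghostscript-gpl/patches/patch-CVE-2017-8291_eqproc
+++ b/print/ghostscript-gpl/patches/patch-CVE-2017-8291_eqproc
@@ -0,0 +1,18 @@
+--- psi/zmisc3.c
++++ psi/zmisc3.c
+@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
+ref2_t stack[MAX_DEPTH + 1];
+ref2_t *top = stack;
+
++ if (ref_stack_count(&o_stack) < 2)
++ return_error(e_stackunderflow);
++ if (!r_is_array(op - 1) || !r_is_array(op)) {
++ return_error(e_typecheck);
++ }
++
+make_array(&stack[0].proc1, 0, 1, op - 1);
+make_array(&stack[0].proc2, 0, 1, op);
+for (;;) {
+--
+2.1.4
+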
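Review bot: Neither this patch file nor patch-CVE-2017-8291_rsdparams records where the change comes from: both begin directly at the `--- psi/...` header, with no comment naming the upstream Ghostscript commit or bug being backported. For a security fix that matters, because anyone re-checking the fix later has to compare it with the upstream change, and the `e_stackunderflow`/`e_typecheck` spellings suggest the hunk was adapted to this older tree rather than copied verbatim. I would add a short header above the `---` line, for example `Backport of the upstream .eqproc operand checks for CVE-2017-8291 (upstream commit <UPSTREAM_COMMIT_ID>), adapted to 9.06.` The body of zeqproc continues outside the hunk.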
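--- a/print/ghostscript-gpl/patches/patch-CVE-2017-8291_rsdparams
+++ b/print/ghostscript-gpl/patches/patch-CVE-2017-8291_rsdparams
@@ -0,0 +1,44 @@
+--- psi/zfrsd.c
++++ psi/zfrsd.c
+@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
+ref *pFilter;
+ref *pDecodeParms;
+int Intent = 0;
+- bool AsyncRead;
++ bool AsyncRead = false;
+ref empty_array, filter1_array, parms1_array;
+uint i;
+- int code;
++ int code = 0;
++
++ if (ref_stack_count(&o_stack) < 1)
++ return_error(e_stackunderflow);
++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
++ return_error(e_typecheck);
++ }
+
+make_empty_array(&empty_array, a_readonly);
+- if (dict_find_string(op, "Filter", &pFilter) > 0) {
++ if (r_has_type(op, t_dictionary)
++ && dict_find_string(op, "Filter", &pFilter) > 0) {
+if (!r_is_array(pFilter)) {
+if (!r_has_type(pFilter, t_name))
+return_error(e_typecheck);
+@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
+return_error(e_typecheck);
+}
+}
+- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
++ if (r_has_type(op, t_dictionary))
++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+if (code < 0 && code != e_rangecheck) /* out-of-range int is ok, use 0 */
+return code;
+- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
+- )
+- return code;
++ if (r_has_type(op, t_dictionary))
++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
++ return code;
+push(1);
+op[-1] = *pFilter;
+if (pDecodeParms)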
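Review bot: `pFilter` and `pDecodeParms` are still declared without initialisers, although the patch adds a path (null operand) on which `dict_find_string(op, "Filter", &pFilter)` is never called. The later `op[-1] = *pFilter;` is then safe only if an else branch outside the visible hunks assigns `pFilter`, which should be confirmed against the tree this patch applies to. The patch already initialises `AsyncRead` and `code` for the same reason, so `ref *pFilter = NULL;` and `ref *pDecodeParms = NULL;` would be consistent and would make a missed assignment easier to catch. Separately, the nested unbraced `if` around `dict_bool_param` is less error-prone as one condition: `if (r_has_type(op, t_dictionary) && (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) return code;`. zrsdparams starts and ends outside the hunks.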