NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/ghostscript: fix CVE-2020-15900

Browse Source 
A memory corruption issue was found in Artifex Ghostscript 9.50 and
9.52. Use of a non-standard PostScript operator can allow overriding of
file access controls. The 'rsearch' calculation for the 'post' size
resulted in a size that was too large, and could underflow to max
uint32_t. This was fixed in commit
5d499272b95a6b890a1397e11d20937de000d31b.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Fabrice Fontaine 2020-08-10 11:14:41 +02:00 committed by Thomas Petazzoni
parent 9b367a0033
commit 13ddfcdce7
2 changed files with 57 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
package/ghostscript/0002-Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghostscript-9-52.patch Normal file
View File

@ -0,0 +1,54 @@
From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
From: Ray Johnston <ray.johnston@artifex.com>
Date: Wed, 22 Jul 2020 09:57:54 -0700
Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
9.52
Fix the 'rsearch' calculation for the 'post' size to give the correct
size. Previous calculation would result in a size that was too large,
and could underflow to max uint32_t. Also fix 'rsearch' to return the
correct 'pre' string with empty string match.
A future change may 'undefine' this undocumented, non-standard operator
during initialization as we do with the many other non-standard internal
PostScript operators and procedures.
[Retrieved from:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
psi/zstring.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/psi/zstring.c b/psi/zstring.c
index 33662dafa..58e1af2b3 100644
--- a/psi/zstring.c
+++ b/psi/zstring.c
@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
return 0;
found:
op->tas.type_attrs = op1->tas.type_attrs;
- op->value.bytes = ptr;
- r_set_size(op, size);
+ op->value.bytes = ptr; /* match */
+ op->tas.rsize = size; /* match */
push(2);
- op[-1] = *op1;
- r_set_size(op - 1, ptr - op[-1].value.bytes);
- op1->value.bytes = ptr + size;
- r_set_size(op1, count + (!forward ? (size - 1) : 0));
+ op[-1] = *op1; /* pre */
+ op[-3].value.bytes = ptr + size; /* post */
+ if (forward) {
+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
+ op[-3].tas.rsize = count; /* post */
+ } else {
+ op[-1].tas.rsize = count; /* pre */
+ op[-3].tas.rsize -= count + size; /* post */
+ }
make_true(op);
return 0;
}
--
2.17.1

3
package/ghostscript/ghostscript.mk
View File

@ -23,6 +23,9 @@ GHOSTSCRIPT_DEPENDENCIES = \
libpng \
tiff
# 0002-Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghostscript-9-52.patch
GHOSTSCRIPT_IGNORE_CVES += CVE-2020-15900
# Ghostscript includes (old) copies of several libraries, delete them.
# Inspired by linuxfromscratch:
# http://www.linuxfromscratch.org/blfs/view/svn/pst/gs.html