From 1de17a648fa631f0074d315bfff0716220ce4880 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Thu, 13 Oct 2016 03:20:46 -0400 Subject: gnu: ghostscript: Fix CVE-2013-5653 and CVE-2016-{7976,7978,7979,8602}. * gnu/packages/patches/ghostscript-CVE-2013-5653.patch, gnu/packages/patches/ghostscript-CVE-2016-7976.patch, gnu/packages/patches/ghostscript-CVE-2016-7978.patch, gnu/packages/patches/ghostscript-CVE-2016-7979.patch, gnu/packages/patches/ghostscript-CVE-2016-8602.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field. (ghostscript/fixed): New variable. (ghostscript/x): Inherit 'ghostscript/fixed'. --- .../patches/ghostscript-CVE-2013-5653.patch | 85 ++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 gnu/packages/patches/ghostscript-CVE-2013-5653.patch (limited to 'gnu/packages/patches/ghostscript-CVE-2013-5653.patch') diff --git a/gnu/packages/patches/ghostscript-CVE-2013-5653.patch b/gnu/packages/patches/ghostscript-CVE-2013-5653.patch new file mode 100644 index 0000000000..622266b176 --- /dev/null +++ b/gnu/packages/patches/ghostscript-CVE-2013-5653.patch @@ -0,0 +1,85 @@ +The following patch was adapted for GNU Ghostscript +by Mark H Weaver based on: + +http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8 + +From ab109aaeb3ddba59518b036fb288402a65cf7ce8 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Sat, 5 Mar 2016 14:56:03 -0800 +Subject: [PATCH] Bug 694724: Have filenameforall and getenv honor SAFER + +--- + Resource/Init/gs_init.ps | 2 ++ + psi/zfile.c | 36 ++++++++++++++++++++---------------- + 2 files changed, 22 insertions(+), 16 deletions(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index fa33d88..99888ac 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2018,6 +2018,7 @@ readonly def + + /.locksafe { + .locksafe_userparams ++ systemdict /getenv {pop //false} put + % setpagedevice has the side effect of clearing the page, but + % we will just document that. Using setpagedevice keeps the device + % properties and pagedevice .LockSafetyParams in agreement even +@@ -2036,6 +2037,7 @@ readonly def + %% + /.locksafeglobal { + .locksafe_userparams ++ systemdict /getenv {pop //false} put + % setpagedevice has the side effect of clearing the page, but + % we will just document that. Using setpagedevice keeps the device + % properties and pagedevice .LockSafetyParams in agreement even +diff --git a/psi/zfile.c b/psi/zfile.c +index 320ecd5..0b9f299 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p) + + if (len < devlen) + return_error(e_rangecheck); /* not even room for device len */ +- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen); +- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen, +- len - devlen); +- if (code == ~(uint) 0) { /* all done */ +- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ +- return o_pop_estack; +- } else if (code > len) /* overran string */ +- return_error(e_rangecheck); +- else { +- push(1); +- ref_assign(op, pscratch); +- r_set_size(op, code + devlen); +- push_op_estack(file_continue); /* come again */ +- *++esp = pscratch[2]; /* proc */ +- return o_push_estack; +- } ++ ++ do { ++ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen); ++ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen, ++ len - devlen); ++ if (code == ~(uint) 0) { /* all done */ ++ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ ++ return o_pop_estack; ++ } else if (code > len) /* overran string */ ++ return_error(e_rangecheck); ++ else if (iodev != iodev_default(imemory) ++ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) { ++ push(1); ++ ref_assign(op, pscratch); ++ r_set_size(op, code + devlen); ++ push_op_estack(file_continue); /* come again */ ++ *++esp = pscratch[2]; /* proc */ ++ return o_push_estack; ++ } ++ } while(1); + } + /* Cleanup procedure for enumerating files */ + static int +-- +2.9.1 + -- cgit v1.2.3