diff --git a/extra/ghostscript/CVE-2017-8291.patch b/extra/ghostscript/CVE-2017-8291.patch new file mode 100644 index 000000000..5f11a4428 --- /dev/null +++ b/extra/ghostscript/CVE-2017-8291.patch @@ -0,0 +1,132 @@ +From: Chris Liddell +Date: Thu, 27 Apr 2017 12:03:33 +0000 (+0100) +Subject: Bug 697799: have .eqproc check its parameters +X-Git-Url: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=4f83478c88 + +Bug 697799: have .eqproc check its parameters + +The Ghostscript custom operator .eqproc was not check the number or type of +the parameters it was given. +--- + +diff --git a/psi/zmisc3.c b/psi/zmisc3.c +index 54b3042..37293ff 100644 +--- a/psi/zmisc3.c ++++ b/psi/zmisc3.c +@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p) + ref2_t stack[MAX_DEPTH + 1]; + ref2_t *top = stack; + ++ if (ref_stack_count(&o_stack) < 2) ++ return_error(gs_error_stackunderflow); ++ if (!r_is_array(op - 1) || !r_is_array(op)) { ++ return_error(gs_error_typecheck); ++ } ++ + make_array(&stack[0].proc1, 0, 1, op - 1); + make_array(&stack[0].proc2, 0, 1, op); + for (;;) { +From: Chris Liddell +Date: Thu, 27 Apr 2017 12:21:31 +0000 (+0100) +Subject: Bug 697799: have .rsdparams check its parameters +X-Git-Url: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=04b37bbce1 + +Bug 697799: have .rsdparams check its parameters + +The Ghostscript internal operator .rsdparams wasn't checking the number or +type of the operands it was being passed. Do so. +--- + +diff --git a/psi/zfrsd.c b/psi/zfrsd.c +index 191107d..950588d 100644 +--- a/psi/zfrsd.c ++++ b/psi/zfrsd.c +@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p) + ref *pFilter; + ref *pDecodeParms; + int Intent = 0; +- bool AsyncRead; ++ bool AsyncRead = false; + ref empty_array, filter1_array, parms1_array; + uint i; +- int code; ++ int code = 0; ++ ++ if (ref_stack_count(&o_stack) < 1) ++ return_error(gs_error_stackunderflow); ++ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) { ++ return_error(gs_error_typecheck); ++ } + + make_empty_array(&empty_array, a_readonly); +- if (dict_find_string(op, "Filter", &pFilter) > 0) { ++ if (r_has_type(op, t_dictionary) ++ && dict_find_string(op, "Filter", &pFilter) > 0) { + if (!r_is_array(pFilter)) { + if (!r_has_type(pFilter, t_name)) + return_error(gs_error_typecheck); +@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p) + return_error(gs_error_typecheck); + } + } +- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); ++ if (r_has_type(op, t_dictionary)) ++ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); + if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */ + return code; +- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0 +- ) +- return code; ++ if (r_has_type(op, t_dictionary)) ++ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) ++ return code; + push(1); + op[-1] = *pFilter; + if (pDecodeParms) + +From: Chris Liddell +Date: Wed, 3 May 2017 11:05:45 +0000 (+0100) +Subject: Bug 697846: revision to commit 4f83478c88 (.eqproc) +X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=57f20719 + +Bug 697846: revision to commit 4f83478c88 (.eqproc) + +When using the "DELAYBIND" feature, it turns out that .eqproc can be called with +parameters that are not both procedures. In this case, it turns out, the +expectation is for the operator to return 'false', rather than throw an error. +--- + +diff --git a/psi/zmisc3.c b/psi/zmisc3.c +index 37293ff..3f01d39 100644 +--- a/psi/zmisc3.c ++++ b/psi/zmisc3.c +@@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p) + return gs_cliprestore(igs); + } + ++static inline bool ++eqproc_check_type(ref *r) ++{ ++ return r_has_type(r, t_array) ++ || r_has_type(r, t_mixedarray) ++ || r_has_type(r, t_shortarray) ++ || r_has_type(r, t_oparray); ++} ++ + /* .eqproc */ + /* + * Test whether two procedures are equal to depth 10. +@@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p) + + if (ref_stack_count(&o_stack) < 2) + return_error(gs_error_stackunderflow); +- if (!r_is_array(op - 1) || !r_is_array(op)) { +- return_error(gs_error_typecheck); ++ if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) { ++ make_false(op - 1); ++ pop(1); ++ return 0; + } + + make_array(&stack[0].proc1, 0, 1, op - 1); + diff --git a/extra/ghostscript/PKGBUILD b/extra/ghostscript/PKGBUILD index bf0657c2c..c8f55ac09 100644 --- a/extra/ghostscript/PKGBUILD +++ b/extra/ghostscript/PKGBUILD @@ -6,7 +6,7 @@ pkgname=ghostscript pkgver=9.21 -pkgrel=1 +pkgrel=2 pkgdesc="An interpreter for the PostScript language" arch=('i686' 'x86_64') license=('AGPL' 'custom') @@ -17,16 +17,20 @@ optdepends=('texlive-core: needed for dvipdf' 'gtk3: needed for gsx') url="http://www.ghostscript.com/" source=(https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostscript-${pkgver}.tar.xz - ghostscript-sys-zlib.patch) + ghostscript-sys-zlib.patch + CVE-2017-8291.patch) options=('!makeflags') # https://github.com/ArtifexSoftware/ghostpdl-downloads/releases sha256sums=('2be1d014888a34187ad4bbec19ab5692cc943bd1cb14886065aeb43a3393d053' - 'c08c7e1354aaa243e753517c61ff86a799a49e0177c7bf6fe0029abc693386f6') + 'c08c7e1354aaa243e753517c61ff86a799a49e0177c7bf6fe0029abc693386f6' + '9cf9b04c274eba318907807b24d813fdfd5e7e2f88352a4b88dfc728a5b1e6c3') prepare() { cd ghostscript-${pkgver} # fix build with system zlib patch -Np1 -i ${srcdir}/ghostscript-sys-zlib.patch + # CVE-2017-8291; https://bugs.ghostscript.com/show_bug.cgi?id=697808 + patch -Np1 -i ${srcdir}/CVE-2017-8291.patch } build() {