diff --git a/ghostscript-CVE-2010-1628.patch b/ghostscript-CVE-2010-1628.patch new file mode 100644 index 0000000..428d4c0 --- /dev/null +++ b/ghostscript-CVE-2010-1628.patch @@ -0,0 +1,124 @@ +diff -up ghostscript-8.70/psi/ialloc.c.CVE-2010-1628 ghostscript-8.70/psi/ialloc.c +--- ghostscript-8.70/psi/ialloc.c.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100 ++++ ghostscript-8.70/psi/ialloc.c 2010-07-16 12:15:45.230948203 +0100 +@@ -185,7 +185,14 @@ gs_alloc_ref_array(gs_ref_memory_t * mem + */ + chunk_t *pcc = mem->pcc; + ref *end; ++ alloc_change_t *cp = 0; ++ int code = 0; + ++ if ((gs_memory_t *)mem != mem->stable_memory) { ++ code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &cp); ++ if (code < 0) ++ return code; ++ } + obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1, + ref, &st_refs, cname); + if (obj == 0) +@@ -210,14 +217,10 @@ gs_alloc_ref_array(gs_ref_memory_t * mem + chunk_locate_ptr(obj, &cl); + cl.cp->has_refs = true; + } +- if ((gs_memory_t *)mem != mem->stable_memory) { +- ref_packed **ppr = 0; +- int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr); +- if (code < 0) +- return code; +- if (ppr) +- *ppr = (ref_packed *)obj; +- } ++ if (cp) { ++ mem->changes = cp; ++ cp->where = (ref_packed *)obj; ++ } + } + make_array(parr, attrs | mem->space, num_refs, obj); + return 0; +diff -up ghostscript-8.70/psi/idosave.h.CVE-2010-1628 ghostscript-8.70/psi/idosave.h +--- ghostscript-8.70/psi/idosave.h.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100 ++++ ghostscript-8.70/psi/idosave.h 2010-07-16 12:15:45.238073609 +0100 +@@ -18,6 +18,22 @@ + # define idosave_INCLUDED + + /* ++ * Structure for saved change chain for save/restore. Because of the ++ * garbage collector, we need to distinguish the cases where the change ++ * is in a static object, a dynamic ref, or a dynamic struct. ++ */ ++typedef struct alloc_change_s alloc_change_t; ++struct alloc_change_s { ++ alloc_change_t *next; ++ ref_packed *where; ++ ref contents; ++#define AC_OFFSET_STATIC (-2) /* static object */ ++#define AC_OFFSET_REF (-1) /* dynamic ref */ ++#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */ ++ short offset; /* if >= 0, offset within struct */ ++}; ++ ++/* + * Save a change that must be undone by restore. We have to pass the + * pointer to the containing object to alloc_save_change for two reasons: + * +@@ -29,6 +45,7 @@ + * relocate the pointer to it from the change record during garbage + * collection. + */ ++ + int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont, + ref_packed *ptr, client_name_t cname); + int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont, +@@ -36,6 +53,6 @@ int alloc_save_change_in(gs_ref_memory_t + /* Remove an AC_OFFSET_ALLOCATED element. */ + void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname); + /* Allocate a structure for recording an allocation event. */ +-int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr); ++int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp); + + #endif /* idosave_INCLUDED */ +diff -up ghostscript-8.70/psi/isave.c.CVE-2010-1628 ghostscript-8.70/psi/isave.c +--- ghostscript-8.70/psi/isave.c.CVE-2010-1628 2008-08-28 23:48:19.000000000 +0100 ++++ ghostscript-8.70/psi/isave.c 2010-07-16 12:15:45.245073557 +0100 +@@ -156,22 +156,6 @@ print_save(const char *str, uint spacen, + /* A link to igcref.c . */ + ptr_proc_reloc(igc_reloc_ref_ptr_nocheck, ref_packed); + +-/* +- * Structure for saved change chain for save/restore. Because of the +- * garbage collector, we need to distinguish the cases where the change +- * is in a static object, a dynamic ref, or a dynamic struct. +- */ +-typedef struct alloc_change_s alloc_change_t; +-struct alloc_change_s { +- alloc_change_t *next; +- ref_packed *where; +- ref contents; +-#define AC_OFFSET_STATIC (-2) /* static object */ +-#define AC_OFFSET_REF (-1) /* dynamic ref */ +-#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */ +- short offset; /* if >= 0, offset within struct */ +-}; +- + static + CLEAR_MARKS_PROC(change_clear_marks) + { +@@ -519,7 +503,7 @@ alloc_save_change(gs_dual_memory_t * dme + + /* Allocate a structure for recording an allocation event. */ + int +-alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr) ++alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp) + { + register alloc_change_t *cp; + +@@ -533,8 +517,7 @@ alloc_save_change_alloc(gs_ref_memory_t + cp->where = 0; + cp->offset = AC_OFFSET_ALLOCATED; + make_null(&cp->contents); +- mem->changes = cp; +- *ppr = &cp->where; ++ *pcp = cp; + return 1; + } + diff --git a/ghostscript.spec b/ghostscript.spec index 4066b4d..0012279 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 9%{?dist} +Release: 10%{?dist} # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510 @@ -35,6 +35,7 @@ Patch16: ghostscript-cups-realloc-color-depth.patch Patch17: ghostscript-tif-fail-close.patch Patch18: ghostscript-tiff-default-strip-size.patch Patch19: ghostscript-tiff-fixes.patch +Patch20: ghostscript-CVE-2010-1628.patch Requires: urw-fonts >= 1.1, ghostscript-fonts BuildRequires: xz @@ -166,6 +167,10 @@ rm -rf libpng zlib jpeg jasper # Backported some more TIFF fixes (bug #573970). %patch19 -p1 -b .tiff-fixes +# Applied patch to fix CVE-2010-1628 (memory corruption at PS stack +# overflow, bug #592492). +%patch20 -p1 -b .CVE-2010-1628 + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" @@ -345,6 +350,10 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Fri Jul 16 2010 Tim Waugh 8.71-10 +- Applied patch to fix CVE-2010-1628 (memory corruption at PS stack + overflow, bug #592492). + * Tue Mar 16 2010 Tim Waugh 8.71-9 - Backported some more TIFF fixes (bug #573970). - Use upstream fix for TIFF default strip size (bug #571520).