diff --git a/ghostscript-CVE-2007-2721.patch b/ghostscript-CVE-2007-2721.patch new file mode 100644 index 0000000..aa59ce3 --- /dev/null +++ b/ghostscript-CVE-2007-2721.patch @@ -0,0 +1,48 @@ +diff -up ghostscript-8.60/jasper/src/libjasper/jp2/jp2_cod.c.CVE-2007-2721 ghostscript-8.60/jasper/src/libjasper/jp2/jp2_cod.c +--- ghostscript-8.60/jasper/src/libjasper/jp2/jp2_cod.c.CVE-2007-2721 2006-02-08 06:21:28.000000000 +0000 ++++ ghostscript-8.60/jasper/src/libjasper/jp2/jp2_cod.c 2007-10-23 14:15:01.000000000 +0100 +@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) + box = 0; + tmpstream = 0; + +- if (!(box = jas_malloc(sizeof(jp2_box_t)))) { ++ if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) { + goto error; + } + box->ops = &jp2_boxinfo_unk.ops; +diff -up ghostscript-8.60/jasper/src/libjasper/jpc/jpc_cs.c.CVE-2007-2721 ghostscript-8.60/jasper/src/libjasper/jpc/jpc_cs.c +--- ghostscript-8.60/jasper/src/libjasper/jpc/jpc_cs.c.CVE-2007-2721 2006-02-08 06:21:28.000000000 +0000 ++++ ghostscript-8.60/jasper/src/libjasper/jpc/jpc_cs.c 2007-10-23 14:15:01.000000000 +0100 +@@ -991,7 +991,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc + compparms->numstepsizes = (len - n) / 2; + break; + } +-if (compparms->numstepsizes > 0) { ++if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) { ++ jpc_qcx_destroycompparms(compparms); ++ return -1; ++ } else if (compparms->numstepsizes > 0) { + compparms->stepsizes = jas_malloc(compparms->numstepsizes * + sizeof(uint_fast32_t)); + assert(compparms->stepsizes); +diff -up ghostscript-8.60/jasper/src/libjasper/jpc/jpc_dec.c.CVE-2007-2721 ghostscript-8.60/jasper/src/libjasper/jpc/jpc_dec.c +--- ghostscript-8.60/jasper/src/libjasper/jpc/jpc_dec.c.CVE-2007-2721 2006-12-06 22:25:01.000000000 +0000 ++++ ghostscript-8.60/jasper/src/libjasper/jpc/jpc_dec.c 2007-10-23 14:15:01.000000000 +0100 +@@ -1219,7 +1219,7 @@ static int jpc_dec_process_siz(jpc_dec_t + dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth); + dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight); + dec->numtiles = dec->numhtiles * dec->numvtiles; +- if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) { ++ if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) { + return -1; + } + +@@ -1243,7 +1243,7 @@ static int jpc_dec_process_siz(jpc_dec_t + tile->pkthdrstreampos = 0; + tile->pptstab = 0; + tile->cp = 0; +- if (!(tile->tcomps = jas_malloc(dec->numcomps * ++ if (!(tile->tcomps = jas_calloc(dec->numcomps, + sizeof(jpc_dec_tcomp_t)))) { + return -1; + } diff --git a/ghostscript.spec b/ghostscript.spec index 20f0289..b2d9a53 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -5,7 +5,7 @@ Summary: A PostScript(TM) interpreter and renderer. Name: ghostscript Version: %{gs_ver} -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 URL: http://www.ghostscript.com/ @@ -21,6 +21,7 @@ Patch3: ghostscript-noopt.patch Patch4: ghostscript-fPIC.patch Patch5: http://www.openprinting.org/download/printing/esp-gpl-ghostscript-merge/ghostscript-8.57-ijs-krgb.patch Patch6: ghostscript-mkstemp64.patch +Patch7: ghostscript-CVE-2007-2721.patch Requires: urw-fonts >= 1.1, ghostscript-fonts BuildRequires: libjpeg-devel, libXt-devel @@ -89,8 +90,12 @@ A GTK-enabled version of Ghostscript, called 'gsx'. # IJS KRGB patch. %patch5 -p1 -b .ijs-krgb +# From upstream. %patch6 -p1 -b .mkstemp64 +# Applied patch from upstream to fix CVE-2007-2721 (bug #346511). +%patch7 -p1 -b .CVE-2007-2721 + # Convert manual pages to UTF-8 from8859_1() { iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_" @@ -269,6 +274,9 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Tue Oct 23 2007 Tim Waugh 8.60-5 +- Applied patch from upstream to fix CVE-2007-2721 (bug #346511). + * Tue Oct 9 2007 Tim Waugh 8.60-4 - Marked localized man pages as %%lang (bug #322321).