[PATCH] gnu: ghostscript: Fix CVE-2018-10194.

Done
Submitted by Leo Famulari.
Details
3 participants
  • Kei Kebreau
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Severity
normal
Leo Famulari wrote on 17 Jul 2018 05:33
(address . guix-patches@gnu.org)
d779b7c331b9e8dbf63288a4ca742f4092ff95e0.1531798424.git.leo@famulari.name
* gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
(ghostscript/fixed): New variable.
* gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk | 1 +
 gnu/packages/ghostscript.scm | 11 ++++
 .../patches/ghostscript-CVE-2018-10194.patch | 52 +++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 gnu/packages/patches/ghostscript-CVE-2018-10194.patch
Toggle diff (101 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex d40b1963d..20a7d17e7 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -713,6 +713,7 @@ dist_patch_DATA = \ %D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \ %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch \+ %D%/packages/patches/ghostscript-CVE-2018-10194.patch \ %D%/packages/patches/ghostscript-no-header-id.patch \ %D%/packages/patches/ghostscript-no-header-uuid.patch \ %D%/packages/patches/ghostscript-no-header-creationdate.patch \diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scmindex 0a6043ba6..1240b1dc1 100644--- a/gnu/packages/ghostscript.scm+++ b/gnu/packages/ghostscript.scm@@ -132,6 +132,7 @@ printing, and psresize, for adjusting page sizes.") (define-public ghostscript (package (name "ghostscript")+ (replacement ghostscript/fixed) (version "9.23") (source (origin@@ -250,6 +251,16 @@ output file formats and printers.") (home-page "https://www.ghostscript.com/") (license license:agpl3+))) +(define-public ghostscript/fixed+ (hidden-package+ (package+ (inherit ghostscript)+ (source+ (origin+ (inherit (package-source ghostscript))+ (patches (append (origin-patches (package-source ghostscript))+ (search-patches "ghostscript-CVE-2018-10194.patch"))))))))+ (define-public ghostscript/x (package/inherit ghostscript (name (string-append (package-name ghostscript) "-with-x"))diff --git a/gnu/packages/patches/ghostscript-CVE-2018-10194.patch b/gnu/packages/patches/ghostscript-CVE-2018-10194.patchnew file mode 100644index 000000000..242e57c27--- /dev/null+++ b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch@@ -0,0 +1,52 @@+Fix CVE-2018-10194:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194+https://bugs.ghostscript.com/show_bug.cgi?id=699255++Patch copied from upstream source 
repository:++https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879++From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001+From: Ken Sharp <ken.sharp@artifex.com>+Date: Wed, 18 Apr 2018 15:46:32 +0100+Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number++Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"++The file uses an enormous parameter to xyxhow, causing an overflow in+the calculation of text positioning (value > 1e39).++Since this is basically a nonsense value, and PostScript only supports+real values up to 1e38, this patch follows the same approach as for+a degenerate CTM, and treats it as 0.++Adobe Acrobat Distiller throws a limitcheck error, so we could do that+instead if this approach proves to be a problem.+---+ devices/vector/gdevpdts.c | 7 ++++++-+ 1 file changed, 6 insertions(+), 1 deletion(-)++diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c+index 848ad781f..172fe6bc3 100644+--- a/devices/vector/gdevpdts.c++++ b/devices/vector/gdevpdts.c+@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)+ static int+ set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)+ {+- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);++ int code;+ double rounded;+ ++ if (dx > 1e38 || dy > 1e38)++ code = gs_error_undefinedresult;++ else++ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);+++ if (code == gs_error_undefinedresult) {+ /* The CTM is degenerate.+ Can't know the distance in user space.+-- +2.18.0+-- 2.18.0
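Review bot: In gnu/packages/ghostscript.scm, neither the new (replacement ghostscript/fixed) field nor the ghostscript/fixed definition carries a comment saying that this is a graft for CVE-2018-10194 which should be folded into ghostscript's own patches list at the next full rebuild. A one-line comment above (define-public ghostscript/fixed would make it clear when the replacement can be dropped, since the variable name alone does not say which fix it carries or that it is temporary.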
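Review bot: In the embedded upstream hunk for set_text_distance() in devices/vector/gdevpdts.c, the guard "if (dx > 1e38 || dy > 1e38)" tests only the positive side, so an equally large negative dx or dy, or a NaN, still reaches gs_distance_transform_inverse(). Comparing magnitudes, for example fabs(dx) > 1e38 || fabs(dy) > 1e38, would cover both signs, and NaN would need its own test; if the Guix copy is meant to stay identical to upstream commit 39b1e54b, this is worth raising in the upstream bug referenced in the patch header. The retained comment "The CTM is degenerate." also no longer describes every path into that branch and could mention the new limit check.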
Kei Kebreau wrote on 17 Jul 2018 17:32
(name . Leo Famulari)(address . leo@famulari.name)(address . 32181@debbugs.gnu.org)
87lga9zxn0.fsf@posteo.net
Leo Famulari <leo@famulari.name> writes:
Toggle quote (111 lines)> * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.> (ghostscript/fixed): New variable.> * gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.> * gnu/local.mk (dist_patch_DATA): Add it.> ---> gnu/local.mk | 1 +> gnu/packages/ghostscript.scm | 11 ++++> .../patches/ghostscript-CVE-2018-10194.patch | 52 +++++++++++++++++++> 3 files changed, 64 insertions(+)> create mode 100644 gnu/packages/patches/ghostscript-CVE-2018-10194.patch>> diff --git a/gnu/local.mk b/gnu/local.mk> index d40b1963d..20a7d17e7 100644> --- a/gnu/local.mk> +++ b/gnu/local.mk> @@ -713,6 +713,7 @@ dist_patch_DATA = \> %D%/packages/patches/geoclue-config.patch \> %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \> %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch \> + %D%/packages/patches/ghostscript-CVE-2018-10194.patch \> %D%/packages/patches/ghostscript-no-header-id.patch \> %D%/packages/patches/ghostscript-no-header-uuid.patch \> %D%/packages/patches/ghostscript-no-header-creationdate.patch \> diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm> index 0a6043ba6..1240b1dc1 100644> --- a/gnu/packages/ghostscript.scm> +++ b/gnu/packages/ghostscript.scm> @@ -132,6 +132,7 @@ printing, and psresize, for adjusting page sizes.")> (define-public ghostscript> (package> (name "ghostscript")> + (replacement ghostscript/fixed)> (version "9.23")> (source> (origin> @@ -250,6 +251,16 @@ output file formats and printers.")> (home-page "https://www.ghostscript.com/")> (license license:agpl3+)))> > +(define-public ghostscript/fixed> + (hidden-package> + (package> + (inherit ghostscript)> + (source> + (origin> + (inherit (package-source ghostscript))> + (patches (append (origin-patches (package-source ghostscript))> + (search-patches "ghostscript-CVE-2018-10194.patch"))))))))> +> (define-public ghostscript/x> (package/inherit ghostscript> (name (string-append (package-name ghostscript) "-with-x"))> 
diff --git a/gnu/packages/patches/ghostscript-CVE-2018-10194.patch b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch> new file mode 100644> index 000000000..242e57c27> --- /dev/null> +++ b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch> 
@@ -0,0 +1,52 @@> +Fix CVE-2018-10194:> +> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194> +https://bugs.ghostscript.com/show_bug.cgi?id=699255> +> +Patch copied from upstream source repository:> +> +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879> +> +From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001> +From: Ken Sharp <ken.sharp@artifex.com>> +Date: Wed, 18 Apr 2018 15:46:32 +0100> +Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number> +> +Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"> +> +The file uses an enormous parameter to xyxhow, causing an overflow in> +the calculation of text positioning (value > 1e39).> +> +Since this is basically a nonsense value, and PostScript only supports> +real values up to 1e38, this patch follows the same approach as for> +a degenerate CTM, and treats it as 0.> +> +Adobe Acrobat Distiller throws a limitcheck error, so we could do that> +instead if this approach proves to be a problem.> +---> + devices/vector/gdevpdts.c | 7 ++++++-> + 1 file changed, 6 insertions(+), 1 deletion(-)> +> +diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c> +index 848ad781f..172fe6bc3 100644> +--- a/devices/vector/gdevpdts.c> ++++ b/devices/vector/gdevpdts.c> +@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)> + static int> + set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)> + {> +- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);> ++ int code;> + double rounded;> + > ++ if (dx > 1e38 || dy > 1e38)> ++ code = gs_error_undefinedresult;> ++ else> ++ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);> ++> + if (code == gs_error_undefinedresult) {> + /* The CTM is degenerate.> + Can't know the distance in user space.> +-- > +2.18.0> +
I haven't built any dependent packages with this yet, but it builds properly on its own.
Ludovic Courtès wrote on 18 Jul 2018 00:14
control message for bug #32181
(address . control@debbugs.gnu.org)
87r2k1se6c.fsf@gnu.org
tags 32181 security
Leo Famulari wrote on 18 Jul 2018 02:46
Re: [bug#32181] [PATCH] gnu: ghostscript: Fix CVE-2018-10194.
(name . Kei Kebreau)(address . kkebreau@posteo.net)(address . 32181-done@debbugs.gnu.org)
20180718004642.GB9861@jasmine.lan
On Tue, Jul 17, 2018 at 11:32:03AM -0400, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> > * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
> > (ghostscript/fixed): New variable.
> > * gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
>
> I haven't built any dependent packages with this yet, but it builds
> properly on its own.
Okay, pushed as a1e3da63cb4b9a9151849d1d4360c2a8415becb5

Closed
This issue is archived.

To comment on this conversation send email to 32181@debbugs.gnu.org