ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951

The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript
9.20 allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a crafted file.

The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file that is
mishandled in the PDF Transparency module.

The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f
http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8
http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>

1 files changed, 44 insertions, 0 deletions

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
new file mode 100644
index 0000000000..62cc1342ad
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
@@ -0,0 +1,44 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+
+Using the correct enumerator works better.
+
+Upstream-Status: Backport
+CVE: CVE-2017-5951
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+                 gs_param_enumerator_t enumr;
+                 gs_param_key_t key;
+                 ref_type keytype;
++                dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+ 
+                 param_init_enumerator(&enumr);
+-                if (!(*((iparam_list *) plist)->enumerate)
+-                    ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
++                if (!(*(dlist->enumerate))
++                    ((iparam_list *) dlist, &enumr, &key, &keytype)
+                     && keytype == t_integer) {
+-                    ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
++                    dlist->int_keys = 1;
+                     pvalue->type = gs_param_type_dict_int_keys;
+                 }
+             }
+-- 
+2.10.2
+