diff --git a/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch b/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d279fb827e4b1299195d47526f81cb9e630d6da8
--- /dev/null
+++ b/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
@@ -0,0 +1,50 @@
+From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
+From: Ray Johnston
+Date: Wed, 22 Jul 2020 09:57:54 -0700
+Subject: [PATCH 410/532] Bug 702582, CVE 2020-15900 Memory Corruption in
+ Ghostscript 9.52
+
+Fix the 'rsearch' calculation for the 'post' size to give the correct
+size. Previous calculation would result in a size that was too large,
+and could underflow to max uint32_t. Also fix 'rsearch' to return the
+correct 'pre' string with empty string match.
+
+A future change may 'undefine' this undocumented, non-standard operator
+during initialization as we do with the many other non-standard internal
+PostScript operators and procedures.
+---
+ psi/zstring.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+index 33662da..58e1af2 100644
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+ return 0;
+ found:
+ op->tas.type_attrs = op1->tas.type_attrs;
+- op->value.bytes = ptr;
+- r_set_size(op, size);
++ op->value.bytes = ptr; /* match */
++ op->tas.rsize = size; /* match */
+ push(2);
+- op[-1] = *op1;
+- r_set_size(op - 1, ptr - op[-1].value.bytes);
+- op1->value.bytes = ptr + size;
+- r_set_size(op1, count + (!forward ? (size - 1) : 0));
++ op[-1] = *op1; /* pre */
++ op[-3].value.bytes = ptr + size; /* post */
++ if (forward) {
++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
++ op[-3].tas.rsize = count; /* post */
++ } else {
++ op[-1].tas.rsize = count; /* pre */
++ op[-3].tas.rsize -= count + size; /* post */
++ }
+ make_true(op);
+ return 0;
+ }
+--
+1.8.3.1
+
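Review bot: The rewritten `found:` block in search_impl writes `rsize` directly (`op[-1].tas.rsize = ptr - op[-1].value.bytes;` and the four sibling assignments) where the removed lines went through `r_set_size`, so a pointer difference and `uint` values are now narrowed into the `rsize` field implicitly and outside the accessor the rest of the file uses; that is a style regression and worth a cast or a return to `r_set_size` unless the macro itself was part of the problem. The stack layout the new code relies on is only implied by the `/* pre */`, `/* match */`, `/* post */` tags, and the reverse branch's `op[-3].tas.rsize -= count + size;` silently depends on `op[-3]` still carrying the seek string's original length after `push(2)`; a one-line comment after `push(2)` such as `/* after push(2): op[-3] = post (still the original seek string), op[-2] = match, op[-1] = pre (copy of seek), op = result */` would let a reader check the arithmetic. search_impl starts before this hunk, so the loop that leaves `count` and `ptr` in the state the new arithmetic assumes is not visible here and should be re-read against both branches.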
diff --git a/ghostscript.spec b/ghostscript.spec
index 00e4de06a819739fa6a318f6edbdb66a41dc2ba5..78c3eef3cc89f4e159d285c70a8bc81908f29d77 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@ Name: ghostscript
 Version: 9.52
-Release: 2
+Release: 3
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -40,6 +40,7 @@ Patch21: Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-h
 Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch
 Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch
 Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch
+Patch25: Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -200,6 +201,12 @@ make check
 %{_bindir}/dvipdf
 %changelog
+* Thu Sep 10 2020 yangzhuangzhuang - 9.52-3
+- Type:bugfix
+- ID:CVE-2020-15900
+- SUG:NA
+- DESC:fix CVE-2020-15900
+
 * Thu Sep 3 2020 wangchen - 9.52-2
 - Type:bugfix
 - ID:NA
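Review bot: The second hunk declares `Patch25: Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch` but nothing in this diff applies it, and the `%prep` section is not visible here; if the spec applies patches with explicit `%patchN` lines rather than `%autosetup`, the package would advertise the CVE-2020-15900 fix in its changelog while building unpatched `psi/zstring.c`. Please confirm that `%prep` auto-applies numbered patches, or add the matching `%patch25 -p1`, and check the build log for the patch being applied. The Release bump and the changelog entry in the other two hunks are fine as they stand.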