GNU bug report logs - #32181
[PATCH] gnu: ghostscript: Fix CVE-2018-10194.
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Tue, 17 Jul 2018 03:35:01 UTC
Severity: normal
Tags: patch, security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#32181; Package guix-patches. (Tue, 17 Jul 2018 03:35:01 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 17 Jul 2018 03:35:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
(ghostscript/fixed): New variable.
* gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/ghostscript.scm | 11 ++++
.../patches/ghostscript-CVE-2018-10194.patch | 52 +++++++++++++++++++
3 files changed, 64 insertions(+)
create mode 100644 gnu/packages/patches/ghostscript-CVE-2018-10194.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index d40b1963d..20a7d17e7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -713,6 +713,7 @@ dist_patch_DATA = \
%D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
%D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch \
+ %D%/packages/patches/ghostscript-CVE-2018-10194.patch \
%D%/packages/patches/ghostscript-no-header-id.patch \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 0a6043ba6..1240b1dc1 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -132,6 +132,7 @@ printing, and psresize, for adjusting page sizes.")
(define-public ghostscript
(package
(name "ghostscript")
+ (replacement ghostscript/fixed)
(version "9.23")
(source
(origin
@@ -250,6 +251,16 @@ output file formats and printers.")
(home-page "https://www.ghostscript.com/")
(license license:agpl3+)))
+(define-public ghostscript/fixed
+ (hidden-package
+ (package
+ (inherit ghostscript)
+ (source
+ (origin
+ (inherit (package-source ghostscript))
+ (patches (append (origin-patches (package-source ghostscript))
+ (search-patches "ghostscript-CVE-2018-10194.patch"))))))))
+
(define-public ghostscript/x
(package/inherit ghostscript
(name (string-append (package-name ghostscript) "-with-x"))
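Review bot: ghostscript/fixed is introduced with no comment saying why it exists or when it can be removed. A short comment above the definition naming CVE-2018-10194, and stating that ghostscript-CVE-2018-10194.patch should move into the patches of the ghostscript origin itself (with the replacement field dropped) at the next ghostscript update, would keep the graft from outliving its purpose.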
diff --git a/gnu/packages/patches/ghostscript-CVE-2018-10194.patch b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
new file mode 100644
index 000000000..242e57c27
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
@@ -0,0 +1,52 @@
+Fix CVE-2018-10194:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
+https://bugs.ghostscript.com/show_bug.cgi?id=699255
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
+
+From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp <at> artifex.com>
+Date: Wed, 18 Apr 2018 15:46:32 +0100
+Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number
+
+Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
+
+The file uses an enormous parameter to xyxhow, causing an overflow in
+the calculation of text positioning (value > 1e39).
+
+Since this is basically a nonsense value, and PostScript only supports
+real values up to 1e38, this patch follows the same approach as for
+a degenerate CTM, and treats it as 0.
+
+Adobe Acrobat Distiller throws a limitcheck error, so we could do that
+instead if this approach proves to be a problem.
+---
+ devices/vector/gdevpdts.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
+index 848ad781f..172fe6bc3 100644
+--- a/devices/vector/gdevpdts.c
++++ b/devices/vector/gdevpdts.c
+@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
+ static int
+ set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
+ {
+- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++ int code;
+ double rounded;
+
++ if (dx > 1e38 || dy > 1e38)
++ code = gs_error_undefinedresult;
++ else
++ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++
+ if (code == gs_error_undefinedresult) {
+ /* The CTM is degenerate.
+ Can't know the distance in user space.
+--
+2.18.0
+
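Review bot: the guard added to set_text_distance tests only `dx > 1e38 || dy > 1e38`, so an equally oversized negative value (below -1e38) still reaches gs_distance_transform_inverse, while the commit message describes the limit as a magnitude ("real values up to 1e38"). Comparing fabs(dx) and fabs(dy) against 1e38 would cover both signs. Because this file is a copy of upstream commit 39b1e54b2968620723bf32e96764c88797714879, the change is better raised upstream than made in this copy. The comment "The CTM is degenerate." in the gs_error_undefinedresult branch is now also reached for out-of-range distances and could say so.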
--
2.18.0
Information forwarded to guix-patches <at> gnu.org: bug#32181; Package guix-patches. (Tue, 17 Jul 2018 15:33:02 GMT)
Message #8 received at 32181 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
> (ghostscript/fixed): New variable.
> * gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/ghostscript.scm | 11 ++++
> .../patches/ghostscript-CVE-2018-10194.patch | 52 +++++++++++++++++++
> 3 files changed, 64 insertions(+)
> create mode 100644 gnu/packages/patches/ghostscript-CVE-2018-10194.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index d40b1963d..20a7d17e7 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -713,6 +713,7 @@ dist_patch_DATA = \
> %D%/packages/patches/geoclue-config.patch \
> %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
> %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch \
> + %D%/packages/patches/ghostscript-CVE-2018-10194.patch \
> %D%/packages/patches/ghostscript-no-header-id.patch \
> %D%/packages/patches/ghostscript-no-header-uuid.patch \
> %D%/packages/patches/ghostscript-no-header-creationdate.patch \
> diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
> index 0a6043ba6..1240b1dc1 100644
> --- a/gnu/packages/ghostscript.scm
> +++ b/gnu/packages/ghostscript.scm
> @@ -132,6 +132,7 @@ printing, and psresize, for adjusting page sizes.")
> (define-public ghostscript
> (package
> (name "ghostscript")
> + (replacement ghostscript/fixed)
> (version "9.23")
> (source
> (origin
> @@ -250,6 +251,16 @@ output file formats and printers.")
> (home-page "https://www.ghostscript.com/")
> (license license:agpl3+)))
>
> +(define-public ghostscript/fixed
> + (hidden-package
> + (package
> + (inherit ghostscript)
> + (source
> + (origin
> + (inherit (package-source ghostscript))
> + (patches (append (origin-patches (package-source ghostscript))
> + (search-patches "ghostscript-CVE-2018-10194.patch"))))))))
> +
> (define-public ghostscript/x
> (package/inherit ghostscript
> (name (string-append (package-name ghostscript) "-with-x"))
> diff --git a/gnu/packages/patches/ghostscript-CVE-2018-10194.patch b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
> new file mode 100644
> index 000000000..242e57c27
> --- /dev/null
> +++ b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
> @@ -0,0 +1,52 @@
> +Fix CVE-2018-10194:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
> +https://bugs.ghostscript.com/show_bug.cgi?id=699255
> +
> +Patch copied from upstream source repository:
> +
> +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
> +
> +From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001
> +From: Ken Sharp <ken.sharp <at> artifex.com>
> +Date: Wed, 18 Apr 2018 15:46:32 +0100
> +Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number
> +
> +Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
> +
> +The file uses an enormous parameter to xyxhow, causing an overflow in
> +the calculation of text positioning (value > 1e39).
> +
> +Since this is basically a nonsense value, and PostScript only supports
> +real values up to 1e38, this patch follows the same approach as for
> +a degenerate CTM, and treats it as 0.
> +
> +Adobe Acrobat Distiller throws a limitcheck error, so we could do that
> +instead if this approach proves to be a problem.
> +---
> + devices/vector/gdevpdts.c | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
> +index 848ad781f..172fe6bc3 100644
> +--- a/devices/vector/gdevpdts.c
> ++++ b/devices/vector/gdevpdts.c
> +@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
> + static int
> + set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
> + {
> +- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
> ++ int code;
> + double rounded;
> +
> ++ if (dx > 1e38 || dy > 1e38)
> ++ code = gs_error_undefinedresult;
> ++ else
> ++ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
> ++
> + if (code == gs_error_undefinedresult) {
> + /* The CTM is degenerate.
> + Can't know the distance in user space.
> +--
> +2.18.0
> +
I haven't built any dependent packages with this yet, but it builds
properly on its own.
Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Tue, 17 Jul 2018 22:15:05 GMT)
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Wed, 18 Jul 2018 00:47:03 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Wed, 18 Jul 2018 00:47:03 GMT)
Message #15 received at 32181-done <at> debbugs.gnu.org (full text, mbox):
On Tue, Jul 17, 2018 at 11:32:03AM -0400, Kei Kebreau wrote:
> Leo Famulari <leo <at> famulari.name> writes:
> > * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
> > (ghostscript/fixed): New variable.
> > * gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
>
> I haven't built any dependent packages with this yet, but it builds
> properly on its own.
Okay, pushed as a1e3da63cb4b9a9151849d1d4360c2a8415becb5
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 15 Aug 2018 11:24:09 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.