diff -Nru ghostscript-9.10~dfsg/debian/changelog ghostscript-9.10~dfsg/debian/changelog
--- ghostscript-9.10~dfsg/debian/changelog 2017-08-24 18:34:10.000000000 +0000
+++ ghostscript-9.10~dfsg/debian/changelog 2018-04-23 18:44:05.000000000 +0000
@@ -1,3 +1,16 @@
+ghostscript (9.10~dfsg-0ubuntu10.12) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Heap-based buffer overflow and application crash
+ - debian/patches/CVE-2016-10317.patch: check max_height bounds in
+ base/gxht_thresh.c, base/gxipixel.c.
+ - CVE-2016-10317
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2018-10194.patch: avoid infinite number
+ in devices/vector/gdevpdts.c.
+ - CVE-2018-10194
+
+ -- Leonidas S. Barbosa Mon, 23 Apr 2018 14:27:51 -0300
+
 ghostscript (9.10~dfsg-0ubuntu10.10) trusty-security; urgency=medium
 * SECURITY UPDATE: DoS via crafted files
diff -Nru ghostscript-9.10~dfsg/debian/patches/CVE-2016-10317.patch ghostscript-9.10~dfsg/debian/patches/CVE-2016-10317.patch
--- ghostscript-9.10~dfsg/debian/patches/CVE-2016-10317.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.10~dfsg/debian/patches/CVE-2016-10317.patch 2018-04-23 17:20:52.000000000 +0000
@@ -0,0 +1,70 @@
+Backported of:
+
+From 362ec9daadb9992b0def3520cd1dc6fa52edd1c4 Mon Sep 17 00:00:00 2001
+From: Ray Johnston
+Date: Tue, 21 Nov 2017 12:48:54 -0800
+Subject: [PATCH] Fix bug 697459 Buffer overflow in fill_threshold_buffer
+
+There was an overflow check for ht_buffer size, but none for the larger
+threshold_buffer. Note that this file didn't fail on Windows because the
+combination of the ht_buffer and the size of the (miscalculated due to
+overflow) threshold_buffer would have exceeded the 2Gb limit.
+diff --git a/base/gxht_thresh.c b/base/gxht_thresh.c
+index 3587454..fba5b23 100644
+--- a/base/gxht_thresh.c
++++ b/base/gxht_thresh.c
+@@ -705,6 +705,11 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ space */
+ max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+ (float) penum->Height);
++ if (max_height <= 0)
++ return -1; /* shouldn't happen, but check so we don't div by zero */
++ if (penum->ht_stride * spp_out > max_int / max_height)
++ return -1;
++
+ penum->ht_buffer =
+ gs_alloc_bytes(penum->memory,
+ penum->ht_stride * max_height * spp_out,
+@@ -725,6 +730,11 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ Also allow a 15 sample over run during the execution.
*/
+ temp = (int) ceil((float) ((dev_width + 15.0) + 15.0)/16.0);
+ penum->line_size = bitmap_raster(temp * 16 * 8); /* The stride */
++ if (penum->line_size > max_int / max_height) {
++ gs_free_object(penum->memory, penum->ht_buffer, "gxht_thresh");
++ penum->ht_buffer = NULL;
++ return -1; /* thresh_buffer size overflow */
++ }
+ penum->line = gs_alloc_bytes(penum->memory, penum->line_size * spp_out,
+ "gxht_thresh");
+ penum->thresh_buffer = gs_alloc_bytes(penum->memory,
+@@ -747,7 +757,7 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ }
+
+ static void
+-fill_threshhold_buffer(byte *dest_strip, byte *src_strip, int src_width,
++fill_threshold_buffer(byte *dest_strip, byte *src_strip, int src_width,
+ int left_offset, int left_width, int num_tiles,
+ int right_width)
+ {
+@@ -911,7 +921,7 @@ gxht_thresh_planes(gx_image_enum *penum, fixed xrun,
+ to update with stride */
+ position = contone_stride * k;
+ /* Tile into the 128 bit aligned threshold strip */
+- fill_threshhold_buffer(&(thresh_align[position]),
++ fill_threshold_buffer(&(thresh_align[position]),
+ thresh_tile, thresh_width, dx, left_width,
+ num_full_tiles, right_tile_width);
+ }
+diff --git a/base/gxipixel.c b/base/gxipixel.c
+index 7b7d034..3b2f156 100644
+--- a/base/gxipixel.c
++++ b/base/gxipixel.c
+@@ -692,7 +692,7 @@ gx_image_enum_begin(gx_device * dev, const gs_imager_state * pis,
+ penum->memory = mem;
+ penum->buffer = buffer;
+ penum->buffer_size = bsize;
+- penum->line = 0;
++ penum->line = NULL;
+ penum->icc_link = NULL;
+ penum->color_cache = NULL;
+ penum->ht_buffer = NULL;
diff -Nru ghostscript-9.10~dfsg/debian/patches/CVE-2018-10194.patch ghostscript-9.10~dfsg/debian/patches/CVE-2018-10194.patch
--- ghostscript-9.10~dfsg/debian/patches/CVE-2018-10194.patch 1970-01-01 00:00:00.000000000 +0000
+++ ghostscript-9.10~dfsg/debian/patches/CVE-2018-10194.patch 2018-04-23 17:27:40.000000000 +0000
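Review bot: The new guard `if (penum->ht_stride * spp_out > max_int / max_height)` in gxht_thresh_image_init forms the product before testing it, so if that product itself exceeds max_int the multiplication is signed overflow (undefined behaviour) and a wrapped negative result would pass the comparison; testing by division avoids this: `if (spp_out <= 0 || penum->ht_stride > max_int / spp_out / max_height) return -1;`. The same shape applies to the allocation of `penum->line` with `penum->line_size * spp_out` bytes, which the patch leaves unchecked even though the neighbouring thresh_buffer size is now bounded — whether that product can actually overflow depends on how dev_width and spp_out are bounded upstream, which is not visible here. It would also be worth confirming that every caller of gxht_thresh_image_init treats a -1 return as failure, since the fix relies on the caller not proceeding with a NULL ht_buffer. The enclosing gxht_thresh_image_init body begins before and ends after the hunks shown.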
@@ -0,0 +1,38 @@
+Backported of:
+
+From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Wed, 18 Apr 2018 15:46:32 +0100
+Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number
+
+Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
+
+The file uses an enormous parameter to xyxhow, causing an overflow in
+the calculation of text positioning (value > 1e39).
+
+Since this is basically a nonsense value, and PostScript only supports
+real values up to 1e38, this patch follows the same approach as for
+a degenerate CTM, and treats it as 0.
+
+Adobe Acrobat Distiller throws a limitcheck error, so we could do that
+instead if this approach proves to be a problem.
+diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
+index b7ddec7..ca433fd 100644
+--- a/devices/vector/gdevpdts.c
++++ b/devices/vector/gdevpdts.c
+@@ -152,9 +152,14 @@ append_text_move(pdf_text_state_t *pts, floatp dw)
+ static int
+ set_text_distance(gs_point *pdist, floatp dx, floatp dy, const gs_matrix *pmat)
+ {
+- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++ int code;
+ double rounded;
+
++ if (dx > 1e38 || dy > 1e38)
++ code = gs_error_undefinedresult;
++ else
++ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++
+ if (code == gs_error_undefinedresult) {
+ /* The CTM is degenerate.
+ Can't know the distance in user space.
diff -Nru ghostscript-9.10~dfsg/debian/patches/series ghostscript-9.10~dfsg/debian/patches/series
--- ghostscript-9.10~dfsg/debian/patches/series 2017-08-24 18:32:22.000000000 +0000
+++ ghostscript-9.10~dfsg/debian/patches/series 2018-04-23 17:27:40.000000000 +0000
@@ -40,3 +40,5 @@
 CVE-2017-9727.patch
 CVE-2017-9739.patch
 CVE-2017-9835.patch
+CVE-2016-10317.patch
+CVE-2018-10194.patch
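Review bot: The guard `if (dx > 1e38 || dy > 1e38)` in set_text_distance only rejects oversized positive values, so an equally enormous negative displacement (dx or dy below -1e38) still reaches gs_distance_transform_inverse and the rounding/output path that the bug title attributes to pprintg1; a symmetric test, `if (fabs(dx) > 1e38 || fabs(dy) > 1e38)`, closes that gap (assuming fabs is in scope through the file's existing math include — confirm). A NaN in dx or dy also slips through, since every comparison against NaN is false, so an `isnan` check may be wanted too if the build's math header provides it. The literal 1e38 is a magic number in the code itself; the reasoning from the commit message belongs beside it, e.g. `/* PostScript reals top out near 1e38; treat anything larger like a degenerate CTM */`. set_text_distance continues beyond the end of the hunk.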