[PATCH] gnu: ghostscript: Fix CVE-2018-10194.

  • Done
  • quality assurance status badge
Details
3 participants
  • Kei Kebreau
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 17 Jul 2018 05:33
(address . guix-patches@gnu.org)
d779b7c331b9e8dbf63288a4ca742f4092ff95e0.1531798424.git.leo@famulari.name
* gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
(ghostscript/fixed): New variable.
* gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/ghostscript.scm | 11 ++++
.../patches/ghostscript-CVE-2018-10194.patch | 52 +++++++++++++++++++
3 files changed, 64 insertions(+)
create mode 100644 gnu/packages/patches/ghostscript-CVE-2018-10194.patch

Toggle diff (101 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index d40b1963d..20a7d17e7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -713,6 +713,7 @@ dist_patch_DATA = \
%D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
%D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch \
+ %D%/packages/patches/ghostscript-CVE-2018-10194.patch \
%D%/packages/patches/ghostscript-no-header-id.patch \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 0a6043ba6..1240b1dc1 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -132,6 +132,7 @@ printing, and psresize, for adjusting page sizes.")
(define-public ghostscript
(package
(name "ghostscript")
+ (replacement ghostscript/fixed)
(version "9.23")
(source
(origin
@@ -250,6 +251,16 @@ output file formats and printers.")
(home-page "https://www.ghostscript.com/")
(license license:agpl3+)))
+(define-public ghostscript/fixed
+ (hidden-package
+ (package
+ (inherit ghostscript)
+ (source
+ (origin
+ (inherit (package-source ghostscript))
+ (patches (append (origin-patches (package-source ghostscript))
+ (search-patches "ghostscript-CVE-2018-10194.patch"))))))))
+
(define-public ghostscript/x
(package/inherit ghostscript
(name (string-append (package-name ghostscript) "-with-x"))
diff --git a/gnu/packages/patches/ghostscript-CVE-2018-10194.patch b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
new file mode 100644
index 000000000..242e57c27
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
@@ -0,0 +1,52 @@
+Fix CVE-2018-10194:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
+https://bugs.ghostscript.com/show_bug.cgi?id=699255
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
+
+From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 18 Apr 2018 15:46:32 +0100
+Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number
+
+Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
+
+The file uses an enormous parameter to xyxhow, causing an overflow in
+the calculation of text positioning (value > 1e39).
+
+Since this is basically a nonsense value, and PostScript only supports
+real values up to 1e38, this patch follows the same approach as for
+a degenerate CTM, and treats it as 0.
+
+Adobe Acrobat Distiller throws a limitcheck error, so we could do that
+instead if this approach proves to be a problem.
+---
+ devices/vector/gdevpdts.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
+index 848ad781f..172fe6bc3 100644
+--- a/devices/vector/gdevpdts.c
++++ b/devices/vector/gdevpdts.c
+@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
+ static int
+ set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
+ {
+- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++ int code;
+ double rounded;
+
++ if (dx > 1e38 || dy > 1e38)
++ code = gs_error_undefinedresult;
++ else
++ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++
+ if (code == gs_error_undefinedresult) {
+ /* The CTM is degenerate.
+ Can't know the distance in user space.
+--
+2.18.0
+
--
2.18.0
K
K
Kei Kebreau wrote on 17 Jul 2018 17:32
(name . Leo Famulari)(address . leo@famulari.name)(address . 32181@debbugs.gnu.org)
87lga9zxn0.fsf@posteo.net
Leo Famulari <leo@famulari.name> writes:

Toggle quote (111 lines)
> * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
> (ghostscript/fixed): New variable.
> * gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/ghostscript.scm | 11 ++++
> .../patches/ghostscript-CVE-2018-10194.patch | 52 +++++++++++++++++++
> 3 files changed, 64 insertions(+)
> create mode 100644 gnu/packages/patches/ghostscript-CVE-2018-10194.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index d40b1963d..20a7d17e7 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -713,6 +713,7 @@ dist_patch_DATA = \
> %D%/packages/patches/geoclue-config.patch \
> %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
> %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch \
> + %D%/packages/patches/ghostscript-CVE-2018-10194.patch \
> %D%/packages/patches/ghostscript-no-header-id.patch \
> %D%/packages/patches/ghostscript-no-header-uuid.patch \
> %D%/packages/patches/ghostscript-no-header-creationdate.patch \
> diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
> index 0a6043ba6..1240b1dc1 100644
> --- a/gnu/packages/ghostscript.scm
> +++ b/gnu/packages/ghostscript.scm
> @@ -132,6 +132,7 @@ printing, and psresize, for adjusting page sizes.")
> (define-public ghostscript
> (package
> (name "ghostscript")
> + (replacement ghostscript/fixed)
> (version "9.23")
> (source
> (origin
> @@ -250,6 +251,16 @@ output file formats and printers.")
> (home-page "https://www.ghostscript.com/")
> (license license:agpl3+)))
>
> +(define-public ghostscript/fixed
> + (hidden-package
> + (package
> + (inherit ghostscript)
> + (source
> + (origin
> + (inherit (package-source ghostscript))
> + (patches (append (origin-patches (package-source ghostscript))
> + (search-patches "ghostscript-CVE-2018-10194.patch"))))))))
> +
> (define-public ghostscript/x
> (package/inherit ghostscript
> (name (string-append (package-name ghostscript) "-with-x"))
> diff --git a/gnu/packages/patches/ghostscript-CVE-2018-10194.patch b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
> new file mode 100644
> index 000000000..242e57c27
> --- /dev/null
> +++ b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
> @@ -0,0 +1,52 @@
> +Fix CVE-2018-10194:
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
> +https://bugs.ghostscript.com/show_bug.cgi?id=699255
> +
> +Patch copied from upstream source repository:
> +
> +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
> +
> +From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001
> +From: Ken Sharp <ken.sharp@artifex.com>
> +Date: Wed, 18 Apr 2018 15:46:32 +0100
> +Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number
> +
> +Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
> +
> +The file uses an enormous parameter to xyxhow, causing an overflow in
> +the calculation of text positioning (value > 1e39).
> +
> +Since this is basically a nonsense value, and PostScript only supports
> +real values up to 1e38, this patch follows the same approach as for
> +a degenerate CTM, and treats it as 0.
> +
> +Adobe Acrobat Distiller throws a limitcheck error, so we could do that
> +instead if this approach proves to be a problem.
> +---
> + devices/vector/gdevpdts.c | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
> +index 848ad781f..172fe6bc3 100644
> +--- a/devices/vector/gdevpdts.c
> ++++ b/devices/vector/gdevpdts.c
> +@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
> + static int
> + set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
> + {
> +- int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
> ++ int code;
> + double rounded;
> +
> ++ if (dx > 1e38 || dy > 1e38)
> ++ code = gs_error_undefinedresult;
> ++ else
> ++ code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
> ++
> + if (code == gs_error_undefinedresult) {
> + /* The CTM is degenerate.
> + Can't know the distance in user space.
> +--
> +2.18.0
> +

I haven't built any dependent packages with this yet, but it builds
properly on its own.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEg7ZwOtzKO2lLzi2m5qXuPBlGeg0FAltOC/MACgkQ5qXuPBlG
eg3Buw/8DiFIsxVdzEEh/zl7kYYf8dhhjy0rpTZQYLba9FgmFf2479EzdTZSDmLL
Kn1SJeHGRxWrhUypmhZOWWbfU7dbRRgb7I59fzjYFTzbuF8NzzosQaPybFO+dmuj
9ppJTkkrdVEp86nSpWdcgzJwJ1ag3wqt0Kso1t4gVcQEWiDz9lu9EdGRniAvMyGT
HuzfKmohYC+5p0DnjVuDCgSEwXJkba95I5Lu8OT15KgrRrSU953P+pbM68WitbkO
g6Nstub4W6YM8lPIgmATSAPMidK656Xo77xfBGCVxqhNMPvqaRcdPEf1wQsD/C5R
xdZzSyv7jllEzJ5wGN64qAIBpIFMRa1ymBPmTR6wAeFF3L9kpdRYqL19ltTBpWeH
wJ8qI10cMfW72M5KZiK5PUCJl2vVu7CmvZo2vsk4TPJzUg5JN7GgRsbftQsdqgwo
t9GJT7BjmgO6pBkzOibwkuhqmVOOW0yW9OJPd/ZGCmvZ2NLCdER0qbuacUP727RY
n/jLIHwlzh3hwaMoVc3zRHAh+wb7F3zbz5BbXwxwNsKzvILNaoEj1pk0mdmaXxel
gdxW2/qhfbs5rJEFpC2C4dbhTmUWPcGYTk9qcPQaKgzoPIjtwmSyVTTKy+7xg6WM
vg0UF0RV5vNkUZk649+lrp7tEB0r9cEmpm0SUTO5TQLqku27oq0=
=jm1h
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 18 Jul 2018 00:14
control message for bug #32181
(address . control@debbugs.gnu.org)
87r2k1se6c.fsf@gnu.org
tags 32181 security
L
L
Leo Famulari wrote on 18 Jul 2018 02:46
Re: [bug#32181] [PATCH] gnu: ghostscript: Fix CVE-2018-10194.
(name . Kei Kebreau)(address . kkebreau@posteo.net)(address . 32181-done@debbugs.gnu.org)
20180718004642.GB9861@jasmine.lan
On Tue, Jul 17, 2018 at 11:32:03AM -0400, Kei Kebreau wrote:
Toggle quote (9 lines)
> Leo Famulari <leo@famulari.name> writes:
> > * gnu/packages/ghostscript.scm (ghostscript)[replacement]: New field.
> > (ghostscript/fixed): New variable.
> > * gnu/packages/patches/ghostscript-CVE-2018-10194.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
>
> I haven't built any dependent packages with this yet, but it builds
> properly on its own.

Okay, pushed as a1e3da63cb4b9a9151849d1d4360c2a8415becb5
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAltOjfIACgkQJkb6MLrK
fwijQQ/+Ip5Fz1JzZpBgpZQP4REnKjsEomnWbUd0ndSPhD13ALAztL9VOwcpU+8t
xVTpVtiko/CO+Em6R7frmI33RIefbsPr2x7HxW2qNlN6arSVljjSrazhYcqYiCj4
bZvUZ2oAZNiQHEKe0r0leAO4kcRVOEJoBiCG5jy8Wr6xYFKzMRq4Thhm0HGnpX6h
ZdVsbOGR0SXUNgbQAQ2MqkAHYUE7/mPCALWqZWQkieQzj1tQAbkYRJdwCu+k4k9z
v1c2OfuGG3ELD/SzfEZ1Xv7DabmqN6rvk74mo5GY3K9sUb/c1dwXGFsjielBrld4
/X+05EH9sVpWkkKES2PywhSAOfOuKrySDCupMlx10NxdrV5eUPWHlOiUmUNtotSl
guIs3BZputa+2Yp7zQ8FHKGjaSuqvD2KFrH9cINkq0OiycMunVXQSncah90B/qDD
zDnybI9XGl3SeVNPTrSB4MiHYmwZDdLxnyA69Z3SiPNmIFomdrmWfhGvLQ86y6Mb
ihHaEgT5SUDZiiOCRIoOWL5zR7V3oDIqszXEHR7L6M7AdB5SOpvUkb/oFmYn+kzq
McHSYJei0zS2A84jcVss79V4JJ70VCDJOdkq/iT6db4uRzJ85RP3ELbh7SXYRLTc
73NJ6tCf3aRxFJajcFmONOj1Kan9OlqWmfuYrcixlxTgsFfbeZM=
=7WOe
-----END PGP SIGNATURE-----


Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 32181@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 32181
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch