Package: ghostscript / 9.06~dfsg-2+deb8u7

Metadata

Package Version Patches format
ghostscript 9.06~dfsg-2+deb8u7 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
020120802~d8ca80d.patch | (download)

base/Makefile.in | 6 0 + 6 - 0 !
base/gdevpdfk.c | 5 2 + 3 - 0 !
base/gs.mak | 11 0 + 11 - 0 !
base/ijs.mak | 2 1 + 1 - 0 !
base/macos-mcp.mak | 3 1 + 2 - 0 !
base/macosx.mak | 1 0 + 1 - 0 !
base/openvms.mak | 3 1 + 2 - 0 !
base/openvms.mmk | 8 1 + 7 - 0 !
base/ugcclib.mak | 1 0 + 1 - 0 !
base/unix-gcc.mak | 5 0 + 5 - 0 !
base/unixansi.mak | 5 0 + 5 - 0 !
base/winlib.mak | 1 0 + 1 - 0 !
psi/os2.mak | 2 1 + 1 - 0 !
psi/winint.mak | 2 1 + 1 - 0 !
psi/zicc.c | 2 1 + 1 - 0 !
15 files changed, 9 insertions(+), 48 deletions(-)

 get rid of 'icclib' since we now use lcms2 (or optionally lcms).
020120909~3a56f4e.patch | (download)

Resource/Init/pdf_draw.ps | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 correctly restore ps stack when pdf stream run aborts.
 Fix "File has unbalanced q/Q operators (too many Q's)" endless loop.
020121130~a3d00da.patch | (download)

base/gdevpdfe.c | 65 59 + 6 - 0 !
1 file changed, 59 insertions(+), 6 deletions(-)

 pdfwrite - convert non-utf-16be doc info to utf-8
020130619~1b87b82.patch | (download)

cups/gstoraster.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 make colord-supplied icc profile getting applied by gstoraster
020130619~daceba6.patch | (download)

Resource/Init/pdf_base.ps | 30 22 + 8 - 0 !
1 file changed, 22 insertions(+), 8 deletions(-)

 pdf interpreter - ignore invalid /decodeparams for streams
 Fix "File has unbalanced q/Q operators (too many Q's)" endless loop.
 .
 The PDF file is invalid, it has a /Filters array with 2 elements, and a
 /DecodeParams array with 1 element. The DecodeParams array must have
 either the same number of elements as the Filters, or not be present
 (default).
 .
 We now test the length of each array and ignore the DecodeParams if the
 lengths are not the same (as we have no way to know which Params relate
 to which Filter)
020140211~f4584b0.patch | (download)

Resource/Init/gs_fonts.ps | 20 14 + 6 - 0 !
1 file changed, 14 insertions(+), 6 deletions(-)

 bug 695031: don't assume we can read a font file
X-Git-Tag: ghostpdl-9.12rc1~50
1001_document_inkcov_device.patch | (download)

doc/Devices.htm | 29 29 + 0 - 0 !
1 file changed, 29 insertions(+)

 document inkcov device
2001_docdir_fix_for_debian.patch | (download)

base/Makefile.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 set docdir appropriately for debian
2002_gs_man_fix_debian.patch | (download)

man/gs.1 | 15 8 + 7 - 0 !
1 file changed, 8 insertions(+), 7 deletions(-)

 fixes for gs.1 (debian specific path adjustments)
2003_support_multiarch.patch | (download)

base/unix-aux.mak | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 check multiarch paths
2004_remove_non Debian_paths_from_docs.patch | (download)

man/gs.1 | 22 6 + 16 - 0 !
1 file changed, 6 insertions(+), 16 deletions(-)

 remove non-debian paths from documentation
2005_fix_Debian_paths_in_docs.patch | (download)

man/gs.1 | 26 13 + 13 - 0 !
1 file changed, 13 insertions(+), 13 deletions(-)

 fix debian paths in documentation
2006_suggest_install_ghostscript doc_in_docs.patch | (download)

man/gs.1 | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 suggest install of ghostscript-doc in documentation
2007_suggest_install_ghostscript doc_in_code.patch | (download)

psi/imainarg.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 suggest install of ghostscript-doc in code
2008_mention_ghostscript x_in_docs.patch | (download)

man/gs.1 | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 mention ghostscipt-x affect on default device in docs
CVE 2015 3228.patch | (download)

base/gsmalloc.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 cve-2015-3228: integer overflow
CVE 2013 5653.patch | (download)

Resource/Init/gs_init.ps | 1 1 + 0 - 0 !
psi/zfile.c | 35 19 + 16 - 0 !
2 files changed, 20 insertions(+), 16 deletions(-)

 cve-2013-5653: information disclosure through getenv, filenameforall
CVE 2016 7976.patch | (download)

base/gsicc_manage.c | 9 6 + 3 - 0 !
base/gslibctx.c | 11 11 + 0 - 0 !
base/gslibctx.h | 7 7 + 0 - 0 !
psi/imain.c | 2 2 + 0 - 0 !
psi/int.mak | 3 2 + 1 - 0 !
psi/zfile.c | 19 19 + 0 - 0 !
psi/zfile.h | 7 7 + 0 - 0 !
7 files changed, 54 insertions(+), 4 deletions(-)

 cve-2016-7976: various userparams allow %pipe% in paths, allowing remote shell command execution
CVE 2016 7977.patch | (download)

psi/zfile.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 cve-2016-7977: .libfile doesn't check permitfilereading array, allowing remote file disclosure
CVE 2016 7978.patch | (download)

base/gsdevice.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 cve-2016-7978: reference leak in .setdevice allows use-after-free and remote code execution
CVE 2016 7979.patch | (download)

psi/zdscpars.c | 13 9 + 4 - 0 !
1 file changed, 9 insertions(+), 4 deletions(-)

 cve-2016-7979: type confusion in .initialize_dsc_parser allows remote code execution
CVE 2016 8602.patch | (download)

psi/zht2.c | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 cve-2016-8602: check for sufficient params in .sethalftone5 and param types
840691 Fix .locksafe.patch | (download)

Resource/Init/gs_init.ps | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

  fix .locksafe
 Apparently we need to .forceput the definition of getenve into
 systemdict, at least when running GSView 5.0.
 .
 Discovered when trying to investigate a customer bug report using
 GSView 5.
CVE 2016 10219 Bug 697453 Avoid divide by 0 in scan conversion code.patch | (download)

base/gxfill.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] bug 697453: avoid divide by 0 in scan conversion code.

Arithmetic overflow due to extreme values in the scan conversion
code can cause a division by 0.

Avoid this with a simple extra check.

  dx_old=cf814d81
  endp->x_next=b0e859b9
  alp->x_next=8069a73a

leads to dx_den = 0

CVE 2016 10220 fix crash with bad data supplied to makeimagedevice.patch | (download)

base/gsdevmem.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 [patch] fix crash with bad data supplied to makeimagedevice

Bug #697450 "Null pointer dereference in gx_device_finalize()"

The problem here is that the code to finalise a device unconditionally
frees the icc_struct member of the device structure. However this
particular (weird) device is not setup as a normal device, probably
because its very, very ancient. Its possible for the initialisation
of the device to abort with an error before calling gs_make_mem_device()
which is where the icc_struct member gets allocated (or set to NULL).

If that happens, then the cleanup code tries to free the device, which
calls finalize() which tries to free a garbage pointer.

Setting the device memory to 0x00 after we allocate it means that the
icc_struct member will be NULL< and our memory manager allows for that
happily enough, which avoids the problem.

CVE 2017 5951 Bug 697548 use the correct param list enumerator.patch | (download)

psi/iparam.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch] bug 697548: use the correct param list enumerator

When we encountered dictionary in a ref_param_list, we were using the enumerator
for the "parent" param_list, rather than the enumerator for the param_list
we just created for the dictionary. That parent was usually the stack
list enumerator, and caused a segfault.

Using the correct enumerator works better.

CVE 2017 7207 Ensure a device has raster memory before trying to r.patch | (download)

base/gdevmem.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] ensure a device has raster memory, before trying to read it.

Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"

This is only possible by abusing/mis-using Ghostscript-specific
language extensions, so cannot happen in a general PostScript program.

Nevertheless, Ghostscript should not crash. So this commit checks the
memory device to see if raster memory has been allocated, before trying
to read from it.

CVE 2017 8291 Bug 697799 have .eqproc check its parameters.patch | (download)

psi/zmisc3.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [patch 1/2] bug 697799: have .eqproc check its parameters

The Ghostscript custom operator .eqproc was not check the number or type of
the parameters it was given.

CVE 2017 8291 Bug 697799 have .rsdparams check its parameters.patch | (download)

psi/zfrsd.c | 22 15 + 7 - 0 !
1 file changed, 15 insertions(+), 7 deletions(-)

 [patch 2/2] bug 697799: have .rsdparams check its parameters

The Ghostscript internal operator .rsdparams wasn't checking the number or
type of the operands it was being passed. Do so.

Bug 697985 bounds check the array allocations method.patch | (download)

base/gsalloc.c | 42 28 + 14 - 0 !
1 file changed, 28 insertions(+), 14 deletions(-)

 bug 697985: bounds check the array allocations methods
Bug 698024 bounds check zone pointer in Ins_MIRP.patch | (download)

base/ttinterp.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 bug 698024: bounds check zone pointer in ins_mirp()
Bug 698026 bounds check zone pointers in Ins_IP.patch | (download)

base/ttinterp.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 bug 698026: bounds check zone pointers in ins_ip()
Bug 698055 bounds check zone pointer in Ins_MDRP.patch | (download)

base/ttinterp.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 bug 698055: bounds check zone pointer in ins_mdrp
Bug 698056 make bounds check in gx_ttfReader__Read m.patch | (download)

base/gxttfb.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 bug 698056: make bounds check in gx_ttfreader__read more robust
Bug 698063 Bounds check Ins_JMPR.patch | (download)

base/ttinterp.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 bug 698063: bounds check ins_jmpr
Bug 698158 prevent trying to reloc a freed object.patch | (download)

psi/ztoken.c | 14 13 + 1 - 0 !
1 file changed, 13 insertions(+), 1 deletion(-)

 bug 698158: prevent trying to reloc a freed object
Fix Bug 696398 Segfault with fuzzing file.patch | (download)

base/gxht_thresh.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 fix bug 696398: segfault with fuzzing file.
Fix bug 697459 Buffer overflow in fill_threshold_buf.patch | (download)

base/gxht_thresh.c | 13 10 + 3 - 0 !
base/gxipixel.c | 2 1 + 1 - 0 !
2 files changed, 11 insertions(+), 4 deletions(-)

 fix bug 697459 buffer overflow in fill_threshold_buffer
pdfwrite Guard against trying to output an infinite .patch | (download)

base/gdevpdts.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 pdfwrite - guard against trying to output an infinite number