aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJ0WI <J0WI@users.noreply.github.com>2021-05-27 01:27:32 +0200
committerRasmus Thomsen <oss@cogitri.dev>2021-07-05 22:42:16 +0000
commit163413cadca94d9fd3691c109541b389f0e1975f (patch)
treed6fc49b30b10f6257e30c37132c69f4ca822fb69
parent9b67a73f9a843c43cd8961d34c2b2d5cf568ef17 (diff)
downloadaports-163413cadca94d9fd3691c109541b389f0e1975f.tar.gz
aports-163413cadca94d9fd3691c109541b389f0e1975f.tar.bz2
aports-163413cadca94d9fd3691c109541b389f0e1975f.tar.xz
main/ghostscript: patch CVE-2020-15900
-rw-r--r--main/ghostscript/APKBUILD12
-rw-r--r--main/ghostscript/CVE-2020-15900.patch47
2 files changed, 56 insertions, 3 deletions
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index 36e14ae2d4..9b89054cfc 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.50
-pkgrel=0
+pkgrel=1
pkgdesc="An interpreter for the PostScript language and for PDF"
url="https://ghostscript.com/"
arch="all"
@@ -13,11 +13,14 @@ makedepends="autoconf automake libjpeg-turbo-dev libpng-dev expat-dev
cups-dev libtool jbig2dec-dev openjpeg-dev"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk"
source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostscript-$pkgver.tar.gz
+ CVE-2020-15900.patch
ghostscript-system-zlib.patch
fix-sprintf.patch
"
# secfixes:
+# 9.50-r1:
+# - CVE-2020-15900
# 9.50-r0:
# - CVE-2019-14869
# 9.27-r4:
@@ -127,6 +130,9 @@ gtk() {
mv "$pkgdir"/usr/bin/gsx "$subpkgdir"/usr/bin/
}
-sha512sums="acee64fae78771bffa19b0b2bfaba3c345b420f93ceb4fc9df5fb705f785c8ed720fde2aef53546fac6aca2f7366c64c68a6e373a71999a42dc71aadc9aa782f ghostscript-9.50.tar.gz
+sha512sums="
+acee64fae78771bffa19b0b2bfaba3c345b420f93ceb4fc9df5fb705f785c8ed720fde2aef53546fac6aca2f7366c64c68a6e373a71999a42dc71aadc9aa782f ghostscript-9.50.tar.gz
+dc78034f38c71472fed03e9a9ebb3537ddcea09d7314b044c3efc8b43021b20a3e0d93faa4c42f9b819894b9e9e9778b5dfc19ce4fdc65364827179a26f725f6 CVE-2020-15900.patch
70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch
-beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch"
+beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch
+"
diff --git a/main/ghostscript/CVE-2020-15900.patch b/main/ghostscript/CVE-2020-15900.patch
new file mode 100644
index 0000000000..f17de1dfb7
--- /dev/null
+++ b/main/ghostscript/CVE-2020-15900.patch
@@ -0,0 +1,47 @@
+From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Wed, 22 Jul 2020 09:57:54 -0700
+Subject: [PATCH] Bug 702582, CVE 2020-15900 Memory Corruption in Ghostscript
+ 9.52
+
+Fix the 'rsearch' calculation for the 'post' size to give the correct
+size. Previous calculation would result in a size that was too large,
+and could underflow to max uint32_t. Also fix 'rsearch' to return the
+correct 'pre' string with empty string match.
+
+A future change may 'undefine' this undocumented, non-standard operator
+during initialization as we do with the many other non-standard internal
+PostScript operators and procedures.
+---
+ psi/zstring.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+index 33662dafac..58e1af2b35 100644
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+ return 0;
+ found:
+ op->tas.type_attrs = op1->tas.type_attrs;
+- op->value.bytes = ptr;
+- r_set_size(op, size);
++ op->value.bytes = ptr; /* match */
++ op->tas.rsize = size; /* match */
+ push(2);
+- op[-1] = *op1;
+- r_set_size(op - 1, ptr - op[-1].value.bytes);
+- op1->value.bytes = ptr + size;
+- r_set_size(op1, count + (!forward ? (size - 1) : 0));
++ op[-1] = *op1; /* pre */
++ op[-3].value.bytes = ptr + size; /* post */
++ if (forward) {
++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
++ op[-3].tas.rsize = count; /* post */
++ } else {
++ op[-1].tas.rsize = count; /* pre */
++ op[-3].tas.rsize -= count + size; /* post */
++ }
+ make_true(op);
+ return 0;
+ }