Hi,

I've prepared an NMU to fix CVE-2009-0792, CVE-2009-0196, CVE-2007-6725 and
CVE-2008-6679 in lenny.

Proposed debdiff in attachment.

Cheers,
Giuseppe.
diff -u ghostscript-8.62.dfsg.1/debian/changelog 
ghostscript-8.62.dfsg.1/debian/changelog
--- ghostscript-8.62.dfsg.1/debian/changelog
+++ ghostscript-8.62.dfsg.1/debian/changelog
@@ -1,3 +1,25 @@
+ghostscript (8.62.dfsg.1-3.2lenny2) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  * This update fixes various security issues:
+    - CVE-2009-0792: multiple integer overflows in the icc library
+      can cause a heap-based buffer overflow possibly leading to arbitray
+      code execution.
+    - CVE-2009-0196: heap-based buffer overflow in big2_decode_symbol_dict()
+      leading to arbitrary code execution via a crafted JBIG2 symbol
+      dictionary segment.
+    - CVE-2007-6725: The CCITTFax decoding filter in Ghostscript 8.60, 8.61,
+      and possibly other versions, allows remote attackers to cause a denial of
+      service (crash) and possibly execute arbitrary code via a crafted PDF
+      file that triggers a buffer underflow in the cf_decode_2d function.
+    - CVE-2008-6679: Buffer overflow in the BaseFont writer module in
+      Ghostscript 8.62, and possibly other versions, allows remote attackers to
+      cause a denial of service (ps2pdf crash) and possibly execute arbitrary
+      code via a crafted Postscript file.
+      (Closes: #524803, #524915)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it>  Wed, 22 Apr 2009 19:49:03 +0200
+
 ghostscript (8.62.dfsg.1-3.2lenny1) stable-security; urgency=high
 
   * Non-maintainer upload by the security team
diff -u ghostscript-8.62.dfsg.1/debian/patches/00list 
ghostscript-8.62.dfsg.1/debian/patches/00list
--- ghostscript-8.62.dfsg.1/debian/patches/00list
+++ ghostscript-8.62.dfsg.1/debian/patches/00list
@@ -18,0 +19,3 @@
+33_CVE-2009-0792.dpatch
+34_CVE-2009-0196.dpatch
+35_CVE-2007-6725.dpatch
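Review bot: The list enables only `33_`, `34_` and `35_`, yet the same debdiff adds `36_CVE-2008-6679.dpatch` and the changelog entry claims CVE-2008-6679 is fixed; with dpatch a patch that is not named in 00list is never applied, so the gdevpdtb.c change would not reach the built package. Add `+36_CVE-2008-6679.dpatch` as a fourth line here (the hunk header then becomes `@@ -18,0 +19,4 @@`), or drop that CVE from the changelog text until it is actually enabled.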
only in patch2:
unchanged:
--- ghostscript-8.62.dfsg.1.orig/debian/patches/33_CVE-2009-0792.dpatch
+++ ghostscript-8.62.dfsg.1/debian/patches/33_CVE-2009-0792.dpatch
@@ -0,0 +1,173 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 33_CVE-2009-0792.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2009-0792
+
+...@dpatch@
+diff -urNad ghostscript-8.62.dfsg.1~/icclib/icc.c 
ghostscript-8.62.dfsg.1/icclib/icc.c
+--- ghostscript-8.62.dfsg.1~/icclib/icc.c      2009-04-22 19:07:36.000000000 
+0200
++++ ghostscript-8.62.dfsg.1/icclib/icc.c       2009-04-22 19:08:46.000000000 
+0200
+@@ -2982,7 +2982,7 @@
+                       rv |= 1;
+               }
+               ix = (int)floor(val);           /* Coordinate */
+-              if (ix > (p->size-2))
++              if (ix < 0 || ix > (p->size-2))
+                       ix = (p->size-2);
+               w = val - (double)ix;           /* weight */
+               val = p->data[ix];
+@@ -3004,6 +3004,11 @@
+ ) {
+       int i;
+ 
++      if (size > INT_MAX - 2)
++              /* Although rt->size is unsigned long, the rt data
++               * structure uses int data types to store indices. */
++              return 2;
++
+       rt->size = size;                /* Stash pointers to these away */
+       rt->data = data;
+       
+@@ -3022,7 +3027,7 @@
+       rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin);   /* Scale factor 
to quantize to */
+       
+       /* Initialize the reverse lookup structures, and get overall min/max */
+-      if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * 
sizeof(int *))) == NULL) {
++      if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, 
sizeof(int *))) == NULL) {
+               return 2;
+       }
+ 
+@@ -3035,6 +3040,15 @@
+                       int t;
+                       t = s; s = e; e = t;
+               }
++              /* s and e should both be in the range [0,rt->rsize]
++               * now, but let's not rely on floating point
++               * calculations -- double-check. */
++              if (s < 0)
++                      s = 0;
++              if (e < 0)
++                      e = 0;
++              if (s >= rt->rsize)
++                      s = rt->rsize-1;
+               if (e >= rt->rsize)
+                       e = rt->rsize-1;
+ 
+@@ -3053,6 +3067,9 @@
+                               as = rt->rlists[j][0];  /* Allocate space for 
this list */
+                               nf = rt->rlists[j][1];  /* Next free location 
in list */
+                               if (nf >= as) {                 /* need to 
expand space */
++                                      if (as > INT_MAX / 2 / sizeof (int))
++                                              return 2;
++
+                                       as *= 2;
+                                       rt->rlists[j] = (int *) 
icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
+                                       if (rt->rlists[j] == NULL) {
+@@ -3104,7 +3121,7 @@
+               val = rsize_1;
+       ix = (int)floor(val);           /* Coordinate */
+ 
+-      if (ix > (rt->size-2))
++      if (ix < 0 || ix > (rt->size-2))
+               ix = (rt->size-2);
+       if (rt->rlists[ix] != NULL)  {          /* There is a list of fwd 
candidates */
+               /* For each candidate forward range */
+@@ -3131,6 +3148,7 @@
+       /* We have failed to find an exact value, so return the nearest value */
+       /* (This is slow !) */
+       val = fabs(ival - rt->data[0]);
++      /* rt->size is known to be < INT_MAX */
+       for (k = 0, i = 1; i < rt->size; i++) {
+               double er;
+               er = fabs(ival - rt->data[i]);
+@@ -3671,7 +3689,7 @@
+       if (p->size != p->_size) {
+               if (p->data != NULL)
+                       icp->al->free(icp->al, p->data);
+-              if ((p->data = (unsigned char *) icp->al->malloc(icp->al, 
p->size * sizeof(unsigned char))) == NULL) {
++              if ((p->data = (unsigned char *) icp->al->calloc(icp->al, 
p->size, sizeof(unsigned char))) == NULL) {
+                       sprintf(icp->err,"icmData_alloc: malloc() of icmData 
data failed");
+                       return icp->errc = 2;
+               }
+@@ -3887,7 +3905,7 @@
+       if (p->size != p->_size) {
+               if (p->data != NULL)
+                       icp->al->free(icp->al, p->data);
+-              if ((p->data = (char *) icp->al->malloc(icp->al, p->size * 
sizeof(char))) == NULL) {
++              if ((p->data = (char *) icp->al->calloc(icp->al, p->size, 
sizeof(char))) == NULL) {
+                       sprintf(icp->err,"icmText_alloc: malloc() of icmText 
data failed");
+                       return icp->errc = 2;
+               }
+@@ -4301,7 +4319,7 @@
+                       rv |= 1;
+               }
+               ix = (int)floor(val);           /* Grid coordinate */
+-              if (ix > (p->inputEnt-2))
++              if (ix < 0 || ix > (p->inputEnt-2))
+                       ix = (p->inputEnt-2);
+               w = val - (double)ix;           /* weight */
+               val = table[ix];
+@@ -4360,7 +4378,7 @@
+                               rv |= 1;
+                       }
+                       x = (int)floor(val);            /* Grid coordinate */
+-                      if (x > clutPoints_2)
++                      if (x < 0 || x > clutPoints_2)
+                               x = clutPoints_2;
+                       co[e] = val - (double)x;        /* 1.0 - weight */
+                       gp += x * p->dinc[e];           /* Add index offset for 
base of cube */
+@@ -4433,7 +4451,7 @@
+                               rv |= 1;
+                       }
+                       x = (int)floor(val);            /* Grid coordinate */
+-                      if (x > clutPoints_2)
++                      if (x < 0 || x > clutPoints_2)
+                               x = clutPoints_2;
+                       co[e] = val - (double)x;        /* 1.0 - weight */
+                       gp += x * p->dinc[e];           /* Add index offset for 
base of cube */
+@@ -4506,7 +4524,7 @@
+                       rv |= 1;
+               }
+               ix = (int)floor(val);           /* Grid coordinate */
+-              if (ix > (p->outputEnt-2))
++              if (ix < 0 || ix > (p->outputEnt-2))
+                       ix = (p->outputEnt-2);
+               w = val - (double)ix;           /* weight */
+               val = table[ix];
+@@ -6714,7 +6732,7 @@
+       if (p->size != p->_size) {
+               if (p->desc != NULL)
+                       icp->al->free(icp->al, p->desc);
+-              if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * 
sizeof(char))) == NULL) {
++              if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, 
sizeof(char))) == NULL) {
+                       sprintf(icp->err,"icmTextDescription_alloc: malloc() of 
Ascii description failed");
+                       return icp->errc = 2;
+               }
+@@ -7888,7 +7906,7 @@
+       if (p->size != p->_size) {
+               if (p->string != NULL)
+                       icp->al->free(icp->al, p->string);
+-              if ((p->string = (char *) icp->al->malloc(icp->al, p->size * 
sizeof(char))) == NULL) {
++              if ((p->string = (char *) icp->al->calloc(icp->al, p->size, 
sizeof(char))) == NULL) {
+                       sprintf(icp->err,"icmUcrBg_allocate: malloc() of string 
data failed");
+                       return icp->errc = 2;
+               }
+@@ -8827,7 +8845,7 @@
+       if (p->ppsize != p->_ppsize) {
+               if (p->ppname != NULL)
+                       icp->al->free(icp->al, p->ppname);
+-              if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * 
sizeof(char))) == NULL) {
++              if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, 
sizeof(char))) == NULL) {
+                       sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string 
data failed");
+                       return icp->errc = 2;
+               }
+@@ -8837,7 +8855,7 @@
+               if (p->crdsize[t] != p->_crdsize[t]) {
+                       if (p->crdname[t] != NULL)
+                               icp->al->free(icp->al, p->crdname[t]);
+-                      if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, 
p->crdsize[t] * sizeof(char))) == NULL) {
++                      if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, 
p->crdsize[t], sizeof(char))) == NULL) {
+                               sprintf(icp->err,"icmCrdInfo_alloc: malloc() of 
CRD%d name string failed",t);
+                               return icp->errc = 2;
+                       }
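Review bot: The new guard `if (as > INT_MAX / 2 / sizeof (int)) return 2;` compares a signed `as` with a `size_t` expression, which -Wsign-compare will flag and which only rejects a negative `as` because it promotes to a huge unsigned value; write it as `if (as < 0 || (size_t)as > INT_MAX / 2 / sizeof(int)) return 2;` so the intent is explicit, and note that this early return, like the realloc-failure path immediately below it, hands the partially built `rt->rlists` back to the caller without freeing it. The malloc→calloc replacements only remove the `p->size * sizeof(...)` overflow if `icp->al->calloc` itself checks the product; that allocator is a pluggable interface, so a one-line comment at the first such site, `/* calloc: relies on the allocator rejecting n*size overflow */`, records the assumption a reader has to verify. The added `ix < 0` clamps stop negative indices, but `p->size-2` and `rt->size-2` still misbehave when a table holds fewer than two entries; I cannot see where those sizes are validated on the parse path, so confirm a `size >= 2` check exists there.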
only in patch2:
unchanged:
--- ghostscript-8.62.dfsg.1.orig/debian/patches/35_CVE-2007-6725.dpatch
+++ ghostscript-8.62.dfsg.1/debian/patches/35_CVE-2007-6725.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 35_CVE-2007-6725.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-6725
+
+...@dpatch@
+diff -urNad ghostscript-8.62.dfsg.1~/src/scfd.c 
ghostscript-8.62.dfsg.1/src/scfd.c
+--- ghostscript-8.62.dfsg.1~/src/scfd.c        2007-09-25 15:31:24.000000000 
+0200
++++ ghostscript-8.62.dfsg.1/src/scfd.c 2009-04-22 19:20:38.000000000 +0200
+@@ -161,7 +161,7 @@
+ /* makeup codes efficiently, since these are always a multiple of 64. */
+ #define invert_data(rlen, black_byte, makeup_action, d)\
+       if ( rlen > qbit )\
+-      {       *q++ ^= (1 << qbit) - 1;\
++      {       if (q >= ss->lbuf) *q++ ^= (1 << qbit) - 1; else q++;\
+               rlen -= qbit;\
+               switch ( rlen >> 3 )\
+               {\
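Review bot: The lower-bound check `if (q >= ss->lbuf) *q++ ^= (1 << qbit) - 1; else q++;` covers only the leading partial byte, whereas the whole-byte writes in the `switch ( rlen >> 3 )` body that follows are outside the hunk and, as far as this diff shows, still store through `q` unchecked; confirm they are guarded the same way or that `q` is guaranteed to have reached `lbuf` by then. The `else q++` deliberately advances a pointer that is already below the buffer, which is pointer arithmetic outside the object and deserves a comment such as `/* a malformed 2-D code can push q below lbuf (CVE-2007-6725): skip the write but keep q in step so later bytes land in range */`. The macro definition continues past the hunk.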
only in patch2:
unchanged:
--- ghostscript-8.62.dfsg.1.orig/debian/patches/34_CVE-2009-0196.dpatch
+++ ghostscript-8.62.dfsg.1/debian/patches/34_CVE-2009-0196.dpatch
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 34_CVE-2009-0196.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2009-0196
+
+...@dpatch@
+diff -urNad ghostscript-8.62.dfsg.1~/jbig2dec/jbig2_symbol_dict.c 
ghostscript-8.62.dfsg.1/jbig2dec/jbig2_symbol_dict.c
+--- ghostscript-8.62.dfsg.1~/jbig2dec/jbig2_symbol_dict.c      2007-12-11 
09:29:58.000000000 +0100
++++ ghostscript-8.62.dfsg.1/jbig2dec/jbig2_symbol_dict.c       2009-04-22 
19:13:44.000000000 +0200
+@@ -699,6 +699,15 @@
+         exrunlength = params->SDNUMEXSYMS;
+       else
+         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
++      if (exrunlength > params->SDNUMEXSYMS - j) {
++        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++          "runlength too large in export symbol table (%d > %d - %d)\n",
++          exrunlength, params->SDNUMEXSYMS, j);
++        jbig2_sd_release(ctx, SDEXSYMS);
++        /* skip to the cleanup code and return SDEXSYMS = NULL */
++        SDEXSYMS = NULL;
++        break;
++      }
+       for(k = 0; k < exrunlength; k++)
+         if (exflag) {
+           SDEXSYMS->glyphs[j++] = (i < m) ? 
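Review bot: The added range test uses `exrunlength` without consulting `code`, the status that `jbig2_arith_int_decode` returned on the line just above it; if that decoder reports an out-of-band or failed decode, `exrunlength` may be stale and the bound check alone does not catch that. The test also bounds the value only from above: with signed operands a negative `exrunlength` passes `exrunlength > params->SDNUMEXSYMS - j`, skips the `for` loop and leaves `j` unchanged, which looks like it could stall the enclosing loop (its header is outside the hunk). I would write `if (code || exrunlength < 0 || exrunlength > params->SDNUMEXSYMS - j)`, making sure `code` is reset to 0 on the `exrunlength = params->SDNUMEXSYMS` branch; if `SDNUMEXSYMS` is unsigned the negative case is already rejected by promotion, but saying so explicitly is cheaper than relying on it.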
only in patch2:
unchanged:
--- ghostscript-8.62.dfsg.1.orig/debian/patches/36_CVE-2008-6679.dpatch
+++ ghostscript-8.62.dfsg.1/debian/patches/36_CVE-2008-6679.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 36_CVE-2008-6679.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2008-6679
+
+...@dpatch@
+diff -urNad ghostscript-8.62.dfsg.1~/src/gdevpdtb.c 
ghostscript-8.62.dfsg.1/src/gdevpdtb.c
+--- ghostscript-8.62.dfsg.1~/src/gdevpdtb.c    2008-01-02 14:10:59.000000000 
+0100
++++ ghostscript-8.62.dfsg.1/src/gdevpdtb.c     2009-04-22 19:24:48.000000000 
+0200
+@@ -131,7 +131,7 @@
+                       &st_pdf_base_font, "pdf_base_font_alloc");
+     const gs_font_name *pfname = &font->font_name;
+     gs_const_string font_name;
+-    char fnbuf[3 + sizeof(long) / 3 + 1]; /* .F#######\0 */
++    char fnbuf[2*sizeof(long) + 3]; /* .F########\0 */
+     int code;
+ 
+     if (pbfont == 0)
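Review bot: The new size `2*sizeof(long) + 3` is exact only if the name is formatted as a hexadecimal long (`.F` + at most 2*sizeof(long) hex digits + NUL); the formatting call is outside the hunk, so if it uses `%ld` rather than `%lx` a 64-bit value can need 20 characters and the buffer is still too small. State the assumption in the comment, e.g. `char fnbuf[2*sizeof(long) + 3]; /* ".F" + hex long (2*sizeof(long) digits) + NUL */`, and prefer `snprintf(fnbuf, sizeof fnbuf, ...)` at the formatting site so the bound is enforced rather than computed by hand. The function body continues past the hunk.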

Attachment: signature.asc
Description: OpenPGP digital signature
