Hi, I've prepared a NMU to fix CVE-2009-0792 CVE-2009-0196 CVE-2007-6725 CVE-2008-6679 in lenny.
Proposed debdiff in attachment. Cheers, Giuseppe.
diff -u ghostscript-8.62.dfsg.1/debian/changelog
ghostscript-8.62.dfsg.1/debian/changelog
--- ghostscript-8.62.dfsg.1/debian/changelog
+++ ghostscript-8.62.dfsg.1/debian/changelog
@@ -1,3 +1,25 @@
+ghostscript (8.62.dfsg.1-3.2lenny2) stable-security; urgency=high
+
+ * Non-maintainer upload.
+ * This update fixes various security issues:
+ - CVE-2009-0792: multiple integer overflows in the icc library
+ can cause a heap-based buffer overflow possibly leading to arbitray
+ code execution.
+ - CVE-2009-0196: heap-based buffer overflow in big2_decode_symbol_dict()
+ leading to arbitrary code execution via a crafted JBIG2 symbol
+ dictionary segment.
+ - CVE-2007-6725: The CCITTFax decoding filter in Ghostscript 8.60, 8.61,
+ and possibly other versions, allows remote attackers to cause a denial of
+ service (crash) and possibly execute arbitrary code via a crafted PDF
+ file that triggers a buffer underflow in the cf_decode_2d function.
+ - CVE-2008-6679: Buffer overflow in the BaseFont writer module in
+ Ghostscript 8.62, and possibly other versions, allows remote attackers to
+ cause a denial of service (ps2pdf crash) and possibly execute arbitrary
+ code via a crafted Postscript file.
+ (Closes: #524803, #524915)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it> Wed, 22 Apr 2009 19:49:03 +0200
+
ghostscript (8.62.dfsg.1-3.2lenny1) stable-security; urgency=high
* Non-maintainer upload by the security team
diff -u ghostscript-8.62.dfsg.1/debian/patches/00list
ghostscript-8.62.dfsg.1/debian/patches/00list
--- ghostscript-8.62.dfsg.1/debian/patches/00list
+++ ghostscript-8.62.dfsg.1/debian/patches/00list
@@ -18,0 +19,3 @@
+33_CVE-2009-0792.dpatch
+34_CVE-2009-0196.dpatch
+35_CVE-2007-6725.dpatch
only in patch2:
unchanged:
--- ghostscript-8.62.dfsg.1.orig/debian/patches/33_CVE-2009-0792.dpatch
+++ ghostscript-8.62.dfsg.1/debian/patches/33_CVE-2009-0792.dpatch
@@ -0,0 +1,173 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 33_CVE-2009-0792.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2009-0792
+
+...@dpatch@
+diff -urNad ghostscript-8.62.dfsg.1~/icclib/icc.c
ghostscript-8.62.dfsg.1/icclib/icc.c
+--- ghostscript-8.62.dfsg.1~/icclib/icc.c 2009-04-22 19:07:36.000000000
+0200
++++ ghostscript-8.62.dfsg.1/icclib/icc.c 2009-04-22 19:08:46.000000000
+0200
+@@ -2982,7 +2982,7 @@
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Coordinate */
+- if (ix > (p->size-2))
++ if (ix < 0 || ix > (p->size-2))
+ ix = (p->size-2);
+ w = val - (double)ix; /* weight */
+ val = p->data[ix];
+@@ -3004,6 +3004,11 @@
+ ) {
+ int i;
+
++ if (size > INT_MAX - 2)
++ /* Although rt->size is unsigned long, the rt data
++ * structure uses int data types to store indices. */
++ return 2;
++
+ rt->size = size; /* Stash pointers to these away */
+ rt->data = data;
+
+@@ -3022,7 +3027,7 @@
+ rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor
to quantize to */
+
+ /* Initialize the reverse lookup structures, and get overall min/max */
+- if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize *
sizeof(int *))) == NULL) {
++ if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize,
sizeof(int *))) == NULL) {
+ return 2;
+ }
+
+@@ -3035,6 +3040,15 @@
+ int t;
+ t = s; s = e; e = t;
+ }
++ /* s and e should both be in the range [0,rt->rsize]
++ * now, but let's not rely on floating point
++ * calculations -- double-check. */
++ if (s < 0)
++ s = 0;
++ if (e < 0)
++ e = 0;
++ if (s >= rt->rsize)
++ s = rt->rsize-1;
+ if (e >= rt->rsize)
+ e = rt->rsize-1;
+
+@@ -3053,6 +3067,9 @@
+ as = rt->rlists[j][0]; /* Allocate space for
this list */
+ nf = rt->rlists[j][1]; /* Next free location
in list */
+ if (nf >= as) { /* need to
expand space */
++ if (as > INT_MAX / 2 / sizeof (int))
++ return 2;
++
+ as *= 2;
+ rt->rlists[j] = (int *)
icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
+ if (rt->rlists[j] == NULL) {
+@@ -3104,7 +3121,7 @@
+ val = rsize_1;
+ ix = (int)floor(val); /* Coordinate */
+
+- if (ix > (rt->size-2))
++ if (ix < 0 || ix > (rt->size-2))
+ ix = (rt->size-2);
+ if (rt->rlists[ix] != NULL) { /* There is a list of fwd
candidates */
+ /* For each candidate forward range */
+@@ -3131,6 +3148,7 @@
+ /* We have failed to find an exact value, so return the nearest value */
+ /* (This is slow !) */
+ val = fabs(ival - rt->data[0]);
++ /* rt->size is known to be < INT_MAX */
+ for (k = 0, i = 1; i < rt->size; i++) {
+ double er;
+ er = fabs(ival - rt->data[i]);
+@@ -3671,7 +3689,7 @@
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (unsigned char *) icp->al->malloc(icp->al,
p->size * sizeof(unsigned char))) == NULL) {
++ if ((p->data = (unsigned char *) icp->al->calloc(icp->al,
p->size, sizeof(unsigned char))) == NULL) {
+ sprintf(icp->err,"icmData_alloc: malloc() of icmData
data failed");
+ return icp->errc = 2;
+ }
+@@ -3887,7 +3905,7 @@
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (char *) icp->al->malloc(icp->al, p->size *
sizeof(char))) == NULL) {
++ if ((p->data = (char *) icp->al->calloc(icp->al, p->size,
sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmText_alloc: malloc() of icmText
data failed");
+ return icp->errc = 2;
+ }
+@@ -4301,7 +4319,7 @@
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Grid coordinate */
+- if (ix > (p->inputEnt-2))
++ if (ix < 0 || ix > (p->inputEnt-2))
+ ix = (p->inputEnt-2);
+ w = val - (double)ix; /* weight */
+ val = table[ix];
+@@ -4360,7 +4378,7 @@
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for
base of cube */
+@@ -4433,7 +4451,7 @@
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for
base of cube */
+@@ -4506,7 +4524,7 @@
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Grid coordinate */
+- if (ix > (p->outputEnt-2))
++ if (ix < 0 || ix > (p->outputEnt-2))
+ ix = (p->outputEnt-2);
+ w = val - (double)ix; /* weight */
+ val = table[ix];
+@@ -6714,7 +6732,7 @@
+ if (p->size != p->_size) {
+ if (p->desc != NULL)
+ icp->al->free(icp->al, p->desc);
+- if ((p->desc = (char *) icp->al->malloc(icp->al, p->size *
sizeof(char))) == NULL) {
++ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size,
sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmTextDescription_alloc: malloc() of
Ascii description failed");
+ return icp->errc = 2;
+ }
+@@ -7888,7 +7906,7 @@
+ if (p->size != p->_size) {
+ if (p->string != NULL)
+ icp->al->free(icp->al, p->string);
+- if ((p->string = (char *) icp->al->malloc(icp->al, p->size *
sizeof(char))) == NULL) {
++ if ((p->string = (char *) icp->al->calloc(icp->al, p->size,
sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmUcrBg_allocate: malloc() of string
data failed");
+ return icp->errc = 2;
+ }
+@@ -8827,7 +8845,7 @@
+ if (p->ppsize != p->_ppsize) {
+ if (p->ppname != NULL)
+ icp->al->free(icp->al, p->ppname);
+- if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize *
sizeof(char))) == NULL) {
++ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize,
sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string
data failed");
+ return icp->errc = 2;
+ }
+@@ -8837,7 +8855,7 @@
+ if (p->crdsize[t] != p->_crdsize[t]) {
+ if (p->crdname[t] != NULL)
+ icp->al->free(icp->al, p->crdname[t]);
+- if ((p->crdname[t] = (char *) icp->al->malloc(icp->al,
p->crdsize[t] * sizeof(char))) == NULL) {
++ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al,
p->crdsize[t], sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmCrdInfo_alloc: malloc() of
CRD%d name string failed",t);
+ return icp->errc = 2;
+ }
only in patch2:
unchanged:
--- ghostscript-8.62.dfsg.1.orig/debian/patches/35_CVE-2007-6725.dpatch
+++ ghostscript-8.62.dfsg.1/debian/patches/35_CVE-2007-6725.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 35_CVE-2007-6725.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2007-6725
+
+...@dpatch@
+diff -urNad ghostscript-8.62.dfsg.1~/src/scfd.c
ghostscript-8.62.dfsg.1/src/scfd.c
+--- ghostscript-8.62.dfsg.1~/src/scfd.c 2007-09-25 15:31:24.000000000
+0200
++++ ghostscript-8.62.dfsg.1/src/scfd.c 2009-04-22 19:20:38.000000000 +0200
+@@ -161,7 +161,7 @@
+ /* makeup codes efficiently, since these are always a multiple of 64. */
+ #define invert_data(rlen, black_byte, makeup_action, d)\
+ if ( rlen > qbit )\
+- { *q++ ^= (1 << qbit) - 1;\
++ { if (q >= ss->lbuf) *q++ ^= (1 << qbit) - 1; else q++;\
+ rlen -= qbit;\
+ switch ( rlen >> 3 )\
+ {\
only in patch2:
unchanged:
--- ghostscript-8.62.dfsg.1.orig/debian/patches/34_CVE-2009-0196.dpatch
+++ ghostscript-8.62.dfsg.1/debian/patches/34_CVE-2009-0196.dpatch
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 34_CVE-2009-0196.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2009-0196
+
+...@dpatch@
+diff -urNad ghostscript-8.62.dfsg.1~/jbig2dec/jbig2_symbol_dict.c
ghostscript-8.62.dfsg.1/jbig2dec/jbig2_symbol_dict.c
+--- ghostscript-8.62.dfsg.1~/jbig2dec/jbig2_symbol_dict.c 2007-12-11
09:29:58.000000000 +0100
++++ ghostscript-8.62.dfsg.1/jbig2dec/jbig2_symbol_dict.c 2009-04-22
19:13:44.000000000 +0200
+@@ -699,6 +699,15 @@
+ exrunlength = params->SDNUMEXSYMS;
+ else
+ code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
++ if (exrunlength > params->SDNUMEXSYMS - j) {
++ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++ "runlength too large in export symbol table (%d > %d - %d)\n",
++ exrunlength, params->SDNUMEXSYMS, j);
++ jbig2_sd_release(ctx, SDEXSYMS);
++ /* skip to the cleanup code and return SDEXSYMS = NULL */
++ SDEXSYMS = NULL;
++ break;
++ }
+ for(k = 0; k < exrunlength; k++)
+ if (exflag) {
+ SDEXSYMS->glyphs[j++] = (i < m) ?
only in patch2:
unchanged:
--- ghostscript-8.62.dfsg.1.orig/debian/patches/36_CVE-2008-6679.dpatch
+++ ghostscript-8.62.dfsg.1/debian/patches/36_CVE-2008-6679.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 36_CVE-2008-6679.dpatch by Giuseppe Iuculano <giuse...@iuculano.it>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2008-6679
+
+...@dpatch@
+diff -urNad ghostscript-8.62.dfsg.1~/src/gdevpdtb.c
ghostscript-8.62.dfsg.1/src/gdevpdtb.c
+--- ghostscript-8.62.dfsg.1~/src/gdevpdtb.c 2008-01-02 14:10:59.000000000
+0100
++++ ghostscript-8.62.dfsg.1/src/gdevpdtb.c 2009-04-22 19:24:48.000000000
+0200
+@@ -131,7 +131,7 @@
+ &st_pdf_base_font, "pdf_base_font_alloc");
+ const gs_font_name *pfname = &font->font_name;
+ gs_const_string font_name;
+- char fnbuf[3 + sizeof(long) / 3 + 1]; /* .F#######\0 */
++ char fnbuf[2*sizeof(long) + 3]; /* .F########\0 */
+ int code;
+
+ if (pbfont == 0)
signature.asc
Description: OpenPGP digital signature
