summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2020-12-08 21:11:19 +0100
committerMarius Bakke <marius@gnu.org>2020-12-08 22:57:53 +0100
commit3bd218e8d4abde56e7ce9149311df5e60db0e321 (patch)
tree156d70367f257d68b2066d8840d34600dea330f3
parent9337c16cb69fd47ca31ebe184d2a37028b978249 (diff)
gnu: ghostscript: Fix CVE-2020-15900.
* gnu/packages/patches/ghostscript-CVE-2020-15900.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/ghostscript.scm (ghostscript)[source](patches): Add it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/ghostscript.scm1
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2020-15900.patch36
3 files changed, 38 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 97dd9a74d0..7f0b69cacf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1055,6 +1055,7 @@ dist_patch_DATA = \
%D%/packages/patches/ghc-monad-par-fix-tests.patch \
%D%/packages/patches/ghc-pandoc-fix-html-tests.patch \
%D%/packages/patches/ghc-pandoc-fix-latex-test.patch \
+ %D%/packages/patches/ghostscript-CVE-2020-15900.patch \
%D%/packages/patches/ghostscript-freetype-compat.patch \
%D%/packages/patches/ghostscript-no-header-id.patch \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index b132fba7eb..03a516dc52 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -171,6 +171,7 @@ printing, and psresize, for adjusting page sizes.")
(base32
"0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p"))
(patches (search-patches "ghostscript-freetype-compat.patch"
+ "ghostscript-CVE-2020-15900.patch"
"ghostscript-no-header-creationdate.patch"
"ghostscript-no-header-id.patch"
"ghostscript-no-header-uuid.patch"))
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
new file mode 100644
index 0000000000..b6658d7c7f
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
@@ -0,0 +1,36 @@
+Fix CVE-2020-15900.
+
+https://cve.circl.lu/cve/CVE-2020-15900
+https://artifex.com/security-advisories/CVE-2020-15900
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+ return 0;
+ found:
+ op->tas.type_attrs = op1->tas.type_attrs;
+- op->value.bytes = ptr;
+- r_set_size(op, size);
++ op->value.bytes = ptr; /* match */
++ op->tas.rsize = size; /* match */
+ push(2);
+- op[-1] = *op1;
+- r_set_size(op - 1, ptr - op[-1].value.bytes);
+- op1->value.bytes = ptr + size;
+- r_set_size(op1, count + (!forward ? (size - 1) : 0));
++ op[-1] = *op1; /* pre */
++ op[-3].value.bytes = ptr + size; /* post */
++ if (forward) {
++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */
++ op[-3].tas.rsize = count; /* post */
++ } else {
++ op[-1].tas.rsize = count; /* pre */
++ op[-3].tas.rsize -= count + size; /* post */
++ }
+ make_true(op);
+ return 0;
+ }