rpms/ghostscript/F-8 ghostscript-CVE-2007-2721.patch, NONE, 1.1 ghostscript.spec, 1.144, 1.145

Tim Waugh (twaugh) fedora-extras-commits at redhat.com
Tue Oct 23 13:37:02 UTC 2007 

Author: twaugh

Update of /cvs/pkgs/rpms/ghostscript/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4334

Modified Files:
	ghostscript.spec 
Added Files:
	ghostscript-CVE-2007-2721.patch 
Log Message:
* Tue Oct 23 2007 Tim Waugh <twaugh at redhat.com> 8.60-5
- Applied patch from upstream to fix CVE-2007-2721 (bug #346511).


ghostscript-CVE-2007-2721.patch:

--- NEW FILE ghostscript-CVE-2007-2721.patch ---
diff -up ghostscript-8.60/jasper/src/libjasper/jp2/jp2_cod.c.CVE-2007-2721 ghostscript-8.60/jasper/src/libjasper/jp2/jp2_cod.c
--- ghostscript-8.60/jasper/src/libjasper/jp2/jp2_cod.c.CVE-2007-2721	2006-02-08 06:21:28.000000000 +0000
+++ ghostscript-8.60/jasper/src/libjasper/jp2/jp2_cod.c	2007-10-23 14:15:01.000000000 +0100
@@ -247,7 +247,7 @@ jp2_box_t *jp2_box_get(jas_stream_t *in)
 	box = 0;
 	tmpstream = 0;
 
-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
 		goto error;
 	}
 	box->ops = &jp2_boxinfo_unk.ops;
diff -up ghostscript-8.60/jasper/src/libjasper/jpc/jpc_cs.c.CVE-2007-2721 ghostscript-8.60/jasper/src/libjasper/jpc/jpc_cs.c
--- ghostscript-8.60/jasper/src/libjasper/jpc/jpc_cs.c.CVE-2007-2721	2006-02-08 06:21:28.000000000 +0000
+++ ghostscript-8.60/jasper/src/libjasper/jpc/jpc_cs.c	2007-10-23 14:15:01.000000000 +0100
@@ -991,7 +991,10 @@ static int jpc_qcx_getcompparms(jpc_qcxc
 		compparms->numstepsizes = (len - n) / 2;
 		break;
 	}
-if (compparms->numstepsizes > 0) {
+if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+		jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
 	compparms->stepsizes = jas_malloc(compparms->numstepsizes *
 	  sizeof(uint_fast32_t));
 	assert(compparms->stepsizes);
diff -up ghostscript-8.60/jasper/src/libjasper/jpc/jpc_dec.c.CVE-2007-2721 ghostscript-8.60/jasper/src/libjasper/jpc/jpc_dec.c
--- ghostscript-8.60/jasper/src/libjasper/jpc/jpc_dec.c.CVE-2007-2721	2006-12-06 22:25:01.000000000 +0000
+++ ghostscript-8.60/jasper/src/libjasper/jpc/jpc_dec.c	2007-10-23 14:15:01.000000000 +0100
@@ -1219,7 +1219,7 @@ static int jpc_dec_process_siz(jpc_dec_t
 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
 	dec->numtiles = dec->numhtiles * dec->numvtiles;
-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
+	if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
 		return -1;
 	}
 
@@ -1243,7 +1243,7 @@ static int jpc_dec_process_siz(jpc_dec_t
 		tile->pkthdrstreampos = 0;
 		tile->pptstab = 0;
 		tile->cp = 0;
-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
+		if (!(tile->tcomps = jas_calloc(dec->numcomps,
 		  sizeof(jpc_dec_tcomp_t)))) {
 			return -1;
 		}


Index: ghostscript.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ghostscript/F-8/ghostscript.spec,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -r1.144 -r1.145
--- ghostscript.spec	9 Oct 2007 12:28:25 -0000	1.144
+++ ghostscript.spec	23 Oct 2007 13:36:29 -0000	1.145
@@ -5,7 +5,7 @@
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 4%{?dist}
+Release: 5%{?dist}
 
 License: GPLv2
 URL: http://www.ghostscript.com/
@@ -21,6 +21,7 @@
 Patch4: ghostscript-fPIC.patch
 Patch5: http://www.openprinting.org/download/printing/esp-gpl-ghostscript-merge/ghostscript-8.57-ijs-krgb.patch
 Patch6: ghostscript-mkstemp64.patch
+Patch7: ghostscript-CVE-2007-2721.patch
 
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: libjpeg-devel, libXt-devel
@@ -89,8 +90,12 @@
 # IJS KRGB patch.
 %patch5 -p1 -b .ijs-krgb
 
+# From upstream.
 %patch6 -p1 -b .mkstemp64
 
+# Applied patch from upstream to fix CVE-2007-2721 (bug #346511).
+%patch7 -p1 -b .CVE-2007-2721
+
 # Convert manual pages to UTF-8
 from8859_1() {
 	iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -269,6 +274,9 @@
 %{_libdir}/libgs.so
 
 %changelog
+* Tue Oct 23 2007 Tim Waugh <twaugh at redhat.com> 8.60-5
+- Applied patch from upstream to fix CVE-2007-2721 (bug #346511).
+
 * Tue Oct  9 2007 Tim Waugh <twaugh at redhat.com> 8.60-4
 - Marked localized man pages as %%lang (bug #322321).

More information about the fedora-extras-commits mailing list