rpms/ghostscript/F-11 ghostscript-CVE-2009-4270.patch, NONE, 1.1 ghostscript-vsnprintf.patch, NONE, 1.1 ghostscript.spec, 1.193, 1.194

Tim Waugh twaugh at fedoraproject.org
Thu Dec 24 11:30:49 UTC 2009


Author: twaugh

Update of /cvs/pkgs/rpms/ghostscript/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13013

Modified Files:
	ghostscript.spec 
Added Files:
	ghostscript-CVE-2009-4270.patch ghostscript-vsnprintf.patch 
Log Message:
* Thu Dec 24 2009 Tim Waugh <twaugh at redhat.com> 8.70-2
- Fix debugging output from gdevcups (CVE-2009-4270, bug #540760).
- Harden ghostscript's debugging output functions (bug #540760).


ghostscript-CVE-2009-4270.patch:
 gdevcups.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE ghostscript-CVE-2009-4270.patch ---
diff -up ghostscript-8.70/cups/gdevcups.c.gdevcups-debug ghostscript-8.70/cups/gdevcups.c
--- ghostscript-8.70/cups/gdevcups.c.gdevcups-debug	2009-05-20 23:30:48.000000000 +0100
+++ ghostscript-8.70/cups/gdevcups.c	2009-11-24 17:16:11.929250977 +0000
@@ -2816,11 +2816,11 @@ cups_put_params(gx_device     *pdev,	/* 
   } \
   else if (code == 0) \
   { \
-    dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
-             (char *)stringval.data); \
     strncpy(cups->header.name, (const char *)stringval.data, \
             stringval.size); \
     cups->header.name[stringval.size] = '\0'; \
+    dprintf2("DEBUG: Setting %s to \"%s\"...\n", sname, \
+             cups->header.name); \
   }
 
 #define intoption(name, sname, type) \
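Review bot: The `strncpy()` and the terminator store in this macro are still sized by `stringval.size` rather than by the destination, so a string parameter at least as long as `cups->header.name` would write past the field. Moving the `dprintf2` after the copy only fixes what the debug line reads. The macro starts above the hunk, so a length check may already exist there; if it does not, and assuming the header fields are fixed-size char arrays, clamp the length once and use it for both the copy and the terminator: `size_t n = stringval.size < sizeof(cups->header.name) ? stringval.size : sizeof(cups->header.name) - 1;`.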

ghostscript-vsnprintf.patch:
 gsmisc.c                  |   14 +++++++-------
 gxttfb.c                  |    2 +-
 rinkj/rinkj-byte-stream.c |    2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

--- NEW FILE ghostscript-vsnprintf.patch ---
diff -up ghostscript-8.70/base/gsmisc.c.vsnprintf ghostscript-8.70/base/gsmisc.c
--- ghostscript-8.70/base/gsmisc.c.vsnprintf	2008-01-07 18:43:02.000000000 +0000
+++ ghostscript-8.70/base/gsmisc.c	2009-11-24 17:16:38.575250571 +0000
@@ -69,10 +69,10 @@ int outprintf(const gs_memory_t *mem, co
 
     va_start(args, fmt);
 
-    count = vsprintf(buf, fmt, args);
+    count = vsnprintf(buf, sizeof (buf), fmt, args);
     outwrite(mem, buf, count);
-    if (count >= PRINTF_BUF_LENGTH) {
-	count = sprintf(buf, 
+    if (count == -1 || count >= sizeof (buf)) {
+	count = snprintf(buf, sizeof (buf),
 	    "PANIC: printf exceeded %d bytes.  Stack has been corrupted.\n", 
 	    PRINTF_BUF_LENGTH);
 	outwrite(mem, buf, count);
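Review bot: `outwrite(mem, buf, count)` still runs with the raw `vsnprintf()` return value before the truncation check, so when the text does not fit, `count` is the length that would have been written and the call reads past the end of `buf`; a negative `count` is passed through as well. The same pattern is in the errprintf hunk of this file, in DebugPrint in gxttfb.c (`errwrite(buf, count)`) and in rinkj_byte_stream_printf (`rinkj_byte_stream_write (bs, str, len)`), and the last two have no check at all. Clamp before writing, as sketched below with a new local `written` that would be declared next to `count` above the hunk. The PANIC text could also stop claiming stack corruption, since the bounded call no longer overruns `buf`. The body of outprintf starts and ends outside the hunk.

```c
    count = vsnprintf(buf, sizeof (buf), fmt, args);
    /* vsnprintf returns the length it wanted to write, which can exceed
     * what buf holds; pass on only the bytes that are really there. */
    if (count < 0)
	written = 0;
    else if ((size_t)count >= sizeof (buf))
	written = sizeof (buf) - 1;
    else
	written = count;
    outwrite(mem, buf, written);
    if (count == -1 || count >= sizeof (buf)) {
	/* … unchanged: PANIC message formatting and its outwrite … */
```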
@@ -89,10 +89,10 @@ int errprintf(const char *fmt, ...)
 
     va_start(args, fmt);
 
-    count = vsprintf(buf, fmt, args);
+    count = vsnprintf(buf, sizeof (buf), fmt, args);
     errwrite(buf, count);
-    if (count >= PRINTF_BUF_LENGTH) {
-	count = sprintf(buf, 
+    if (count == -1 || count >= sizeof (buf)) {
+	count = snprintf(buf, sizeof (buf),
 	    "PANIC: printf exceeded %d bytes.  Stack has been corrupted.\n", 
 	    PRINTF_BUF_LENGTH);
 	errwrite(buf, count);
@@ -236,7 +236,7 @@ int gs_throw_imp(const char *func, const
     va_list ap;
 
     va_start(ap, fmt);
-    vsprintf(msg, fmt, ap);
+    vsnprintf(msg, sizeof (msg), fmt, ap);
     msg[sizeof(msg) - 1] = 0;
     va_end(ap);
 
diff -up ghostscript-8.70/base/gxttfb.c.vsnprintf ghostscript-8.70/base/gxttfb.c
--- ghostscript-8.70/base/gxttfb.c.vsnprintf	2009-07-09 06:59:44.000000000 +0100
+++ ghostscript-8.70/base/gxttfb.c	2009-11-24 17:16:38.577250996 +0000
@@ -246,7 +246,7 @@ static int DebugPrint(ttfFont *ttf, cons
 
     if (gs_debug_c('Y')) {
 	va_start(args, fmt);
-	count = vsprintf(buf, fmt, args);
+	count = vsnprintf(buf, sizeof (buf), fmt, args);
 	/* NB: moved debug output from stdout to stderr
 	 */
 	errwrite(buf, count);
diff -up ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf ghostscript-8.70/base/rinkj/rinkj-byte-stream.c
--- ghostscript-8.70/base/rinkj/rinkj-byte-stream.c.vsnprintf	2008-04-04 02:02:16.000000000 +0100
+++ ghostscript-8.70/base/rinkj/rinkj-byte-stream.c	2009-11-24 17:16:38.577250996 +0000
@@ -43,7 +43,7 @@ rinkj_byte_stream_printf (RinkjByteStrea
   va_list ap;
 
   va_start (ap, fmt);
-  len = vsprintf (str, fmt, ap);
+  len = vsnprintf (str, sizeof (str), fmt, ap);
   va_end (ap);
   return rinkj_byte_stream_write (bs, str, len);
 }


Index: ghostscript.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ghostscript/F-11/ghostscript.spec,v
retrieving revision 1.193
retrieving revision 1.194
diff -u -p -r1.193 -r1.194
--- ghostscript.spec	3 Aug 2009 17:39:55 -0000	1.193
+++ ghostscript.spec	24 Dec 2009 11:30:49 -0000	1.194
@@ -5,7 +5,7 @@ Summary: A PostScript interpreter and re
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 # Included CMap data is Redistributable, no modification permitted,
 # see http://bugzilla.redhat.com/487510
@@ -25,6 +25,8 @@ Patch6: ghostscript-system-jasper.patch
 Patch7: ghostscript-pksmraw.patch
 Patch8: ghostscript-jbig2dec-nullderef.patch
 Patch9: ghostscript-gs-executable.patch
+Patch10: ghostscript-CVE-2009-4270.patch
+Patch11: ghostscript-vsnprintf.patch
 
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: xz
@@ -115,6 +117,12 @@ rm -rf libpng zlib jpeg jasper
 # Fix scripts so they don't get broken on install (bug #502550).
 %patch9 -p1 -b .gs-executable
 
+# Fix debugging output from gdevcups (bug #540760).
+%patch10 -p1 -b .CVE-2009-4270
+
+# Harden ghostscript's debugging output functions (bug #540760).
+%patch11 -p1 -b .vsnprintf
+
 # Convert manual pages to UTF-8
 from8859_1() {
 	iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -296,6 +304,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so
 
 %changelog
+* Thu Dec 24 2009 Tim Waugh <twaugh at redhat.com> 8.70-2
+- Fix debugging output from gdevcups (CVE-2009-4270, bug #540760).
+- Harden ghostscript's debugging output functions (bug #540760).
+
 * Mon Aug  3 2009 Tim Waugh <twaugh at redhat.com> 8.70-1
 - 8.70.
 - License has changed to GPLv3+.  Packages containing programs that



