Port all debian CVE patches for ghostscript

print/ghostscript-gpl/distinfo

@@ -4,7 +4,9 @@ SHA1 (ghostscript-9.06.tar.bz2) = 4c1c2b4cddd16d86b21f36ad4fc15f6100162238
 RMD160 (ghostscript-9.06.tar.bz2) = 11ef74cf783ec5f7cde0ceaaf2823a1f62fb4d1d
 SHA512 (ghostscript-9.06.tar.bz2) = 99f7a56316bf96d55c0cd7b07c0791ad4e6ee0d3a8f3bfa04ea28890ea9ed822ebcd7084cc8118cc38dc5def27c91c24eebc08a20a630463a9bf9d0193d0923b
 Size (ghostscript-9.06.tar.bz2) = 29246039 bytes
+SHA1 (patch-00-gxht_threads_c) = ab0326253d8a68e310b02459d9186c00c2fcd3a3
 SHA1 (patch-CVE-2012-4405) = 1dcb4cfeceb366c144e0a1337c6ccc2d8e13e4ca
+SHA1 (patch-CVE-2013-5653.patch) = 56cb9917fb8ba631a15c2bd9282a37a216738e3c
 SHA1 (patch-CVE-2014-8137) = 5375f56f3d7cdfed0c9f900d291d75bbc3182b96
 SHA1 (patch-CVE-2014-8138) = be161051680e3c6c9246f31237019470a447ee49
 SHA1 (patch-CVE-2014-8157) = 18822069b9791fc3553e812878cfca483d881cd4
@@ -13,11 +15,37 @@ SHA1 (patch-CVE-2014-9029) = 9636c7d6909fc0dec7ad2102b59fb14d599bac6a
 SHA1 (patch-CVE-2016-10217) = 85f2cb708bb38a88215573e63821be8a54bc019e
 SHA1 (patch-CVE-2016-10219) = 24ef41da0579840360110cc5c1f79622210f8e6b
 SHA1 (patch-CVE-2016-10220) = 6edfa87948ff0f9412a5509efb98bf2d063a5951
+SHA1 (patch-CVE-2016-10317_gxht_thresh_c) = a1aad335c71f10d4ef4cdcb4174e33d1c3480f10
+SHA1 (patch-CVE-2016-10317_gxipxel) = d77405a7c4300dcb0a9a81ff0e5922829e719e46
+SHA1 (patch-CVE-2016-7976.patch) = 425f1b716818a9bf2b10b8563daca52a0ce8b18c
+SHA1 (patch-CVE-2016-7977.patch) = a773ad325ef19a386d7b1b616f63369df9e48055
+SHA1 (patch-CVE-2016-7979.patch) = c966b36a09c1f151347125b3c062e53c434398c6
 SHA1 (patch-CVE-2017-5951) = a4af8e561b9f5a6a330fbc2f915257bf5ba3cb2a
 SHA1 (patch-CVE-2017-6196) = 311d9236dd5abcd48ae0f412bf481e105b6207dc
 SHA1 (patch-CVE-2017-7207) = 31f4a73b49b52942385eaa3c8cf2a94b5bbde6df
 SHA1 (patch-CVE-2017-8291_eqproc) = 4963f1dd758b6f13739e6b411665507eb5eb2e9b
 SHA1 (patch-CVE-2017-8291_rsdparams) = aeb9b161995fa63d9cbd0b2d69e94fb53b6b67af
+SHA1 (patch-CVE-2018-11645.patch) = 9bcb99207e504d8a838a054bb723ee471045ba50
+SHA1 (patch-CVE-2018-15908.patch) = 28628acb4421237f210097dd41f30c4c9ed52675
+SHA1 (patch-CVE-2018-16509-part1) = d42af4b80614a497ceeeffe52eecd4556e9362f4
+SHA1 (patch-CVE-2018-16509-part2) = c74c990de5b839510b254b22871a26e0d72f02df
+SHA1 (patch-CVE-2018-16511) = 0d60dfc2782447826bba99ddb56f4a2ec2aa3172
+SHA1 (patch-CVE-2018-16511-additional) = bd197d11a48940056e776825ec1d03d28e2ebae0
+SHA1 (patch-CVE-2018-16513) = a12b39da733300febfc9a8bbfc8548edcb27bff6
+SHA1 (patch-CVE-2018-16539-related.patch) = 9799c49edc782911ff64f88fd037247de5f81201
+SHA1 (patch-CVE-2018-16540) = b4e3b74d4cd6985f0e332cbdcec857f1f98d4d63
+SHA1 (patch-CVE-2018-16541) = ad98bb9a76aee7c8d062aaec0bd3db0daaf4cbf7
+SHA1 (patch-CVE-2018-16542) = 7fa779cd0a6a48ec925fe763acca25ba951bbfdb
+SHA1 (patch-CVE-2018-16543) = 2ef83bf8851dd9ee0ffa573d4a35908c906a2db7
+SHA1 (patch-CVE-2018-16585_part1) = 1542e8ab7e1f6918d66c98069c29fdb84ac829de
+SHA1 (patch-CVE-2018-16585_part2) = 76ff2adfe5c7a0d3ba67ccd3ffc3dcce3bd00ee1
+SHA1 (patch-CVE-2018-16802) = 63296254a8777be1ef5633404224f6be0a5575d5
+SHA1 (patch-CVE-2018-17183) = a53afa10e9c45791237a045c428198d3765a2ce4
+SHA1 (patch-CVE-2018-17961_part1) = bab332b2b4114af5c521d4a3edb04604f82d34c7
+SHA1 (patch-CVE-2018-17961_part2) = 16d3c16d610695bee16bf8c6a79e618ceb817031
+SHA1 (patch-CVE-2018-17961_part3) = c76acaec0499dd85e48cd10ecf295d0811e3d318
+SHA1 (patch-CVE-2018-18073) = 5504a67a374f6eee849ed94d1df7b408ff8711c3
+SHA1 (patch-CVE-2018-18284) = 8b341fa18738b7c7a61a4a40abcce39454d5c3eb
 SHA1 (patch-af) = ade76a99fdf5a1c5b05caf7641c4833fde612fd7
 SHA1 (patch-ah) = 7548f6f78b8029febec044bc11214f9d6674c9d3
 SHA1 (patch-ai) = 3962a3acac1d4537dbbe3fc3b205aba87387d485

print/ghostscript-gpl/patches/patch-00-gxht_threads_c

@@ -0,0 +1,12 @@
+--- base/gxht_thresh.c
++++ base/gxht_thresh.c
+@@ -711,6 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+            space */
+         max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+                                             (float) penum->Height);
++        if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))
++            return -1;         /* overflow */
++
+         penum->ht_buffer =
+                         gs_alloc_bytes(penum->memory,
+                            penum->ht_stride * max_height * spp_out,

print/ghostscript-gpl/patches/patch-CVE-2013-5653.patch

@@ -0,0 +1,63 @@
+Description: CVE-2013-5653: Information disclosure through getenv, filenameforall
+Origin: backport, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=694724
+Bug-Debian: https://bugs.debian.org/839118
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-07
+---
+
+--- Resource/Init/gs_init.ps
++++ Resource/Init/gs_init.ps
+@@ -2011,6 +2011,7 @@ readonly def
+     >> setuserparams
+   }
+   if
++  systemdict /getenv {pop //false} put
+   % setpagedevice has the side effect of clearing the page, but
+   % we will just document that. Using setpagedevice keeps the device
+   % properties and pagedevice .LockSafetyParams in agreement even
+--- psi/zfile.c
++++ psi/zfile.c
+@@ -371,22 +371,25 @@ file_continue(i_ctx_t *i_ctx_p)
+
+     if (len < devlen)
+         return_error(e_rangecheck);     /* not even room for device len */
+-    memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+-    code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+-                len - devlen);
+-    if (code == ~(uint) 0) {    /* all done */
+-        esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
+-        return o_pop_estack;
+-    } else if (code > len)      /* overran string */
+-        return_error(e_rangecheck);
+-    else {
+-        push(1);
+-        ref_assign(op, pscratch);
+-        r_set_size(op, code + devlen);
+-        push_op_estack(file_continue);  /* come again */
+-        *++esp = pscratch[2];   /* proc */
+-        return o_push_estack;
+-    }
++    do {
++        memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
++        code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
++                    len - devlen);
++        if (code == ~(uint) 0) {    /* all done */
++            esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
++            return o_pop_estack;
++        } else if (code > len)      /* overran string */
++            return_error(e_rangecheck);
++        else if (iodev != iodev_default(imemory)
++              || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
++            push(1);
++            ref_assign(op, pscratch);
++            r_set_size(op, code + devlen);
++            push_op_estack(file_continue);  /* come again */
++            *++esp = pscratch[2];   /* proc */
++            return o_push_estack;
++        }
++    } while(1);
+ }
+ /* Cleanup procedure for enumerating files */
+ static int

print/ghostscript-gpl/patches/patch-CVE-2016-10317_gxht_thresh_c

@@ -0,0 +1,43 @@
+--- base/gxht_thresh.c
++++ base/gxht_thresh.c
+@@ -711,7 +711,9 @@ gxht_thresh_image_init(gx_image_enum *penum)
+            space */
+         max_height = (int) ceil(fixed2float(any_abs(penum->dst_height)) /
+                                             (float) penum->Height);
+-        if ((max_height > 0) && (penum->ht_stride * spp_out > max_int / max_height))
++        if (max_height <= 0)
++            return -1;         /* shouldn't happen, but check so we don't div by zero */
++        if (penum->ht_stride * spp_out > max_int / max_height)
+             return -1;         /* overflow */
+
+         penum->ht_buffer =
+@@ -734,6 +736,11 @@ gxht_thresh_image_init(gx_image_enum *penum)
+            Also allow a 15 sample over run during the execution.  */
+         temp = (int) ceil((float) ((dev_width + 15.0) + 15.0)/16.0);
+         penum->line_size = bitmap_raster(temp * 16 * 8);  /* The stride */
++        if (penum->line_size > max_int / max_height) {
++            gs_free_object(penum->memory, penum->ht_buffer, "gxht_thresh");
++            penum->ht_buffer = NULL;
++            return -1;         /* thresh_buffer size overflow */
++        }
+         penum->line = gs_alloc_bytes(penum->memory, penum->line_size * spp_out,
+                                      "gxht_thresh");
+         penum->thresh_buffer = gs_alloc_bytes(penum->memory,
+@@ -754,7 +761,7 @@ gxht_thresh_image_init(gx_image_enum *penum)
+ }
+
+ static void
+-fill_threshhold_buffer(byte *dest_strip, byte *src_strip, int src_width,
++fill_threshold_buffer(byte *dest_strip, byte *src_strip, int src_width,
+                        int left_offset, int left_width, int num_tiles,
+                        int right_width)
+ {
+@@ -908,7 +915,7 @@ gxht_thresh_planes(gx_image_enum *penum, fixed xrun,
+                        to update with stride */
+                     position = contone_stride * k;
+                     /* Tile into the 128 bit aligned threshold strip */
+-                    fill_threshhold_buffer(&(thresh_align[position]),
++                    fill_threshold_buffer(&(thresh_align[position]),
+                                            thresh_tile, thresh_width, dx, left_width,
+                                            num_full_tiles, right_tile_width);
+                 }

print/ghostscript-gpl/patches/patch-CVE-2016-10317_gxipxel

@@ -0,0 +1,11 @@
+--- base/gxipixel.c
++++ base/gxipixel.c
+@@ -758,7 +758,7 @@ gx_image_enum_begin(gx_device * dev, const gs_gstate * pgs,
+     penum->memory = mem;
+     penum->buffer = buffer;
+     penum->buffer_size = bsize;
+-    penum->line = 0;
++    penum->line = NULL;
+     penum->icc_link = NULL;
+     penum->color_cache = NULL;
+     penum->ht_buffer = NULL;

print/ghostscript-gpl/patches/patch-CVE-2016-7976.patch

@@ -0,0 +1,151 @@
+Description: CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote shell command execution
+Origin: backport, http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697178
+Bug-Debian: https://bugs.debian.org/839260
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-07
+---
+
+--- base/gsicc_manage.c
++++ base/gsicc_manage.c
+@@ -916,9 +916,12 @@ gsicc_open_search(const char* pname, int
+     }
+
+     /* First just try it like it is */
+-    str = sfopen(pname, "rb", mem_gc);
+-    if (str != NULL)
+-        return(str);
++    if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
++        str = sfopen(pname, "r", mem_gc);
++        if (str != NULL) {
++            return(str);
++        }
++    }
+
+     /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
+                                    /* A better approach might be to have built in defaults */
+--- base/gslibctx.c
++++ base/gslibctx.c
+@@ -111,6 +111,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
+     pio->profiledir_len = 0;
+     gs_lib_ctx_set_icc_directory(mem, DEFAULT_DIR_ICC, strlen(DEFAULT_DIR_ICC));
+
++    pio->client_check_file_permission = NULL;
+     gp_get_realtime(pio->real_time_0);
+
+     return 0;
+@@ -192,3 +193,13 @@ void errflush(const gs_memory_t *mem)
+         fflush(mem->gs_lib_ctx->fstderr);
+     /* else nothing to flush */
+ }
++
++int
++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
++{
++    int code = 0;
++    if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
++        code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
++    }
++    return code;
++}
+--- base/gslibctx.h
++++ base/gslibctx.h
+@@ -27,6 +27,9 @@ typedef struct name_table_s *name_table_
+ #  define gs_font_dir_DEFINED
+ typedef struct gs_font_dir_s gs_font_dir;
+ #endif
++
++typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
++
+ typedef struct gs_lib_ctx_s
+ {
+     gs_memory_t *memory;  /* mem->gs_lib_ctx->memory == mem */
+@@ -54,6 +57,7 @@ typedef struct gs_lib_ctx_s
+     bool dict_auto_expand;  /* ps dictionary: false level 1 true level 2 or 3 */
+     /* A table of local copies of the IODevices */
+     struct gx_io_device_s **io_device_table;
++    client_check_file_permission_t client_check_file_permission;
+     /* Define the default value of AccurateScreens that affects setscreen
+        and setcolorscreen. */
+     bool screen_accurate_screens;
+@@ -91,4 +95,7 @@ gs_memory_t * gs_lib_ctx_get_non_gc_memo
+ void gs_lib_ctx_set_icc_directory(const gs_memory_t *mem_gc, const char* pname,
+                         int dir_namelen);
+
++int
++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
++
+ #endif /* GSLIBCTX_H */
+--- psi/imain.c
++++ psi/imain.c
+@@ -51,6 +51,7 @@
+ #include "ivmspace.h"
+ #include "idisp.h"              /* for setting display device callback */
+ #include "iplugin.h"
++#include "zfile.h"
+
+ /* ------ Exported data ------ */
+
+@@ -196,6 +197,7 @@ gs_main_init1(gs_main_instance * minst)
+                                            "the_gs_name_table");
+             if (code < 0)
+                 return code;
++            mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
+         }
+         code = obj_init(&minst->i_ctx_p, &idmem);  /* requires name_init */
+         if (code < 0)
+--- psi/int.mak
++++ psi/int.mak
+@@ -2044,7 +2044,8 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $
+  $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
+  $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
+  $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
+- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)
++ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\
++ $(INT_MAK) $(MAKEDIRS)
+ 	$(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
+
+ #****** $(CCINT) interp.c
+--- psi/zfile.c
++++ psi/zfile.c
+@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p,
+     return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
+ }
+
++/* z_check_file_permissions: see zfile.h for explanation
++ */
++int
++z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
++{
++    i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
++    gs_parsed_file_name_t pname;
++    const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
++    int code = gs_parse_file_name(&pname, fname, len, imemory);
++    if (code < 0)
++        return code;
++
++    if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
++        return gs_error_invalidfileaccess;
++        
++    code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
++    return code;
++}
++
+ /* <name_string> <access_string> file <file> */
+ int                             /* exported for zsysvm.c */
+ zfile(i_ctx_t *i_ctx_p)
+--- psi/zfile.h
++++ psi/zfile.h
+@@ -22,4 +22,11 @@
+ int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
+            const char *file_access, stream **ps, gs_memory_t *mem);
+
++/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
++ * to allow applying the above permissions checks when opening file(s) from
++ * the graphics library
++ */
++int
++z_check_file_permissions(gs_memory_t *mem, const char *fname,
++                                 const int len, const char *permission);
+ #endif

print/ghostscript-gpl/patches/patch-CVE-2016-7977.patch

@@ -0,0 +1,27 @@
+Description: CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing remote file disclosure
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697169
+Bug-Debian: https://bugs.debian.org/839841
+Forwarded: not-needed
+Author: Chris Liddell <chris.liddell@artifex.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-08
+---
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index b6caea2..2c6c958 100644
+--- psi/zfile.c
++++ psi/zfile.c
+@@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr  lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx
+     gs_main_instance *minst = get_minst_from_memory(mem);
+     int code;
+
++    if (i_ctx_p && starting_arg_file)
++        i_ctx_p->starting_arg_file = false;
++
+     /* when starting arg files (@ files) iodev_default is not yet set */
+     if (iodev == 0)
+         iodev = (gx_io_device *)gx_io_device_table[0];
+-- 
+2.9.3
+

print/ghostscript-gpl/patches/patch-CVE-2016-7979.patch

@@ -0,0 +1,33 @@
+Description: CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code execution
+Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
+Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697190
+Bug-Debian: https://bugs.debian.org/839846
+Forwarded: not-needed
+Author: Ken Sharp <ken.sharp@artifex.com>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-10-08
+---
+
+--- psi/zdscpars.c
++++ psi/zdscpars.c
+@@ -132,11 +132,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
+     ref local_ref;
+     int code;
+     os_ptr const op = osp;
+-    dict * const pdict = op->value.pdict;
+-    gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
+-    dsc_data_t * const data =
+-        gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
++    dict *pdict;
++    gs_memory_t *mem;
++    dsc_data_t *data;
+
++    check_read_type(*op, t_dictionary);
++
++    pdict = op->value.pdict;
++    mem = (gs_memory_t *)dict_memory(pdict);
++
++    data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+     if (!data)
+         return_error(e_VMerror);
+     data->document_level = 0;