Tue Nov 23 22:43:36 2010 UTC ()
Pullup ticket 3280 - requested by tron
security fixes

Revisions pulled up:
- pkgsrc/print/ghostscript/Makefile	1.82
- pkgsrc/print/ghostscript/distinfo	1.36

Files added:
pkgsrc/print/ghostscript/patches/patch-ae
pkgsrc/print/ghostscript/patches/patch-bd

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bouyer
   Date:           Sat Nov 13 17:03:00 UTC 2010

   Modified Files:
           pkgsrc/print/ghostscript: Makefile distinfo
   Added Files:
           pkgsrc/print/ghostscript/patches: patch-bd

   Log Message:
   Apply patch from official repository:
   - Fixed memory reallocation on bitmap size change. Reallocation is not only
     needed when dimensions and margins change, but also when the color depth
     changes. Fixes bugs #691029 and #691108.
   - Fixed arrayoption() macro in cups_put_params() function. Array values did
     not actually get set in the cups.header data structure. Bug only showed
     via a compiler warning.
   - Silenced compiler warning by presetting c0..c3 in cups_map_cmyk() to zero.

   makes my epson USB printer work again with 2010Q3 cups+ghostscript
   PKGREVISION++

   To generate a diff of this commit:
   cvs rdiff -u -r1.80 -r1.81 pkgsrc/print/ghostscript/Makefile
   cvs rdiff -u -r1.34 -r1.35 pkgsrc/print/ghostscript/distinfo
   cvs rdiff -u -r0 -r1.3 pkgsrc/print/ghostscript/patches/patch-bd

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Tue Nov 23 11:10:16 UTC 2010

   Modified Files:
           pkgsrc/print/ghostscript: Makefile distinfo
   Added Files:
           pkgsrc/print/ghostscript/patches: patch-ae

   Log Message:
   Add Dr. Werner Fink's patch for the vulnerability reported in CVE-2010-2055.

   To generate a diff of this commit:
   cvs rdiff -u -r1.81 -r1.82 pkgsrc/print/ghostscript/Makefile
   cvs rdiff -u -r1.35 -r1.36 pkgsrc/print/ghostscript/distinfo
   cvs rdiff -u -r0 -r1.6 pkgsrc/print/ghostscript/patches/patch-ae


(spz)
diff -r1.80 -r1.80.2.1 pkgsrc/print/ghostscript/Makefile
diff -r1.34 -r1.34.2.1 pkgsrc/print/ghostscript/distinfo
diff -r0 -r1.6.2.2 pkgsrc/print/ghostscript/patches/patch-ae
diff -r0 -r1.3.2.2 pkgsrc/print/ghostscript/patches/patch-bd

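--- a/pkgsrc/print/ghostscript/Makefile
+++ b/pkgsrc/print/ghostscript/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.80 2010/06/30 12:44:55 tron Exp $
+# $NetBSD: Makefile,v 1.80.2.1 2010/11/23 22:43:36 spz Exp $
 
 DISTNAME= ghostscript-8.71
-PKGREVISION= 4
+PKGREVISION= 6
 CATEGORIES= print
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=ghostscript/}
 MASTER_SITES+= http://ghostscript.com/releases/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://ghostscript.sourceforge.net/
 COMMENT= Postscript interpreter
 
 # Plus adobe verbatim for Resources/CMap.
 LICENSE= gnu-gpl-v3
 
 DEPENDS+= ghostscript-fonts>=6.0:../../fonts/ghostscript-fonts
 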

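--- a/pkgsrc/print/ghostscript/Attic/distinfo
+++ b/pkgsrc/print/ghostscript/Attic/distinfo
@@ -1,20 +1,22 @@
-$NetBSD: distinfo,v 1.34 2010/06/30 12:44:55 tron Exp $
+$NetBSD: distinfo,v 1.34.2.1 2010/11/23 22:43:36 spz Exp $
 
 SHA1 (ghostscript-8.71.tar.gz) = 629299140f612fac32f6289be0904107dfd1b555
 RMD160 (ghostscript-8.71.tar.gz) = efce74cf22cf99b2b1a145df466e79a86e3dfefb
 Size (ghostscript-8.71.tar.gz) = 25240801 bytes
 SHA1 (patch-aa) = 31f2107c474398a350916df6fe793a5920f81169
 SHA1 (patch-ab) = 7a98cad37f94394f172bdac23f5dd73fb1f08006
 SHA1 (patch-ac) = b1f71dc446f433be0b07b0511dc1028e8e3b77f3
 SHA1 (patch-ad) = 8b3b743b2d6405ea35bfb16970942ecd55702401
+SHA1 (patch-ae) = e015d340a69da3881d4c95ae169ff255f1ffcfd4
 SHA1 (patch-af) = 13aa7b5159cbd5413353b48380d5665ed879fe64
 SHA1 (patch-ag) = bdfbe40c849537d84ac2b3def4a0a3a87ecc152f
 SHA1 (patch-ah) = 2007d42df0bf1d93af90dedaadc882da9fc3e5bc
 SHA1 (patch-ai) = ad69ddd4a4bd50cf2263ac6c6d17a59798ef3124
 SHA1 (patch-aj) = 620d921210b5c0efec0a84e33bc416e4ab4bd11c
 SHA1 (patch-al) = 86489b704c60320385794c3eb68170d9b9f1f6cc
 SHA1 (patch-am) = 47a994e902d565f2a06b054766d6fa93c7534d21
 SHA1 (patch-an) = 875360319e486f4606627d8cfa3dbffd48d76130
 SHA1 (patch-ba) = 9c9f9aa27bcbcb43c9eb3b7f7ae6d70fb6545057
 SHA1 (patch-bb) = 6487b61fafe39a4ac8141b9f84044fc210df66ac
 SHA1 (patch-bc) = c35ee6c3075b89714fbb74956d68747d3c17bf9c
+SHA1 (patch-bd) = f7a0448317118bd46d84d9cbc8f4c553175f1e74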

File Added: pkgsrc/print/ghostscript/patches/Attic/patch-ae
$NetBSD: patch-ae,v 1.6.2.2 2010/11/23 22:43:36 spz Exp $

Security patch for CVE-2010-2055 by Dr. Werner Fink taken from here:

http://bugs.ghostscript.com/attachment.cgi?id=6449

--- psi/zfile.c.orig	2009-10-04 13:42:07.000000000 +0100
+++ psi/zfile.c	2010-11-23 11:03:52.000000000 +0000
@@ -902,6 +902,90 @@
     return 0;
 }
 
+/* return zero for success, -ve for error, +1 for continue */
+static int
+lib_file_open_search_with_no_combine(gs_file_path_ptr  lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx_p,
+                                     const char *fname, uint flen, char *buffer, int blen, uint *pclen, ref *pfile,
+                                     gx_io_device *iodev, bool starting_arg_file, char *fmode)
+{
+    stream *s;
+    uint blen1 = blen;
+    if (gp_file_name_reduce(fname, flen, buffer, &blen1) != gp_combine_success)
+      goto skip;
+    if (iodev_os_open_file(iodev, (const char *)buffer, blen1,
+                           (const char *)fmode, &s, (gs_memory_t *)mem) == 0) {
+      if (starting_arg_file ||
+          check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
+        *pclen = blen1;
+        make_stream_file(pfile, s, "r");
+        return 0;
+      }
+      sclose(s);
+      return_error(e_invalidfileaccess);
+    }
+ skip:;
+    return 1;
+}
+
+/* return zero for success, -ve for error, +1 for continue */
+static int
+lib_file_open_search_with_combine(gs_file_path_ptr  lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx_p,
+                                  const char *fname, uint flen, char *buffer, int blen, uint *pclen, ref *pfile,
+                                  gx_io_device *iodev, bool starting_arg_file, char *fmode)
+{
+    stream *s;
+    const gs_file_path *pfpath = lib_path;
+    uint pi;
+
+    for (pi = 0; pi < r_size(&pfpath->list); ++pi) {
+        const ref *prdir = pfpath->list.value.refs + pi;
+        const char *pstr = (const char *)prdir->value.const_bytes;
+        uint plen = r_size(prdir), blen1 = blen;
+        gs_parsed_file_name_t pname;
+        gp_file_name_combine_result r;
+
+        /* We need to concatenate and parse the file name here
+         * if this path has a %device% prefix.              */
+        if (pstr[0] == '%') {
+            int code;
+
+            /* We concatenate directly since gp_file_name_combine_*
+             * rules are not correct for other devices such as %rom% */
+            code = gs_parse_file_name(&pname, pstr, plen);
+            if (code < 0)
+                continue;
+            memcpy(buffer, pname.fname, pname.len);
+            memcpy(buffer+pname.len, fname, flen);
+            code = pname.iodev->procs.open_file(pname.iodev, buffer, pname.len + flen, fmode,
+                                          &s, (gs_memory_t *)mem);
+            if (code < 0)
+                continue;
+            make_stream_file(pfile, s, "r");
+            /* fill in the buffer with the device concatenated */
+            memcpy(buffer, pstr, plen);
+            memcpy(buffer+plen, fname, flen);
+            *pclen = plen + flen;
+            return 0;
+        } else {
+            r = gp_file_name_combine(pstr, plen,
+                    fname, flen, false, buffer, &blen1);
+            if (r != gp_combine_success)
+                continue;
+            if (iodev_os_open_file(iodev, (const char *)buffer, blen1, (const char *)fmode,
+                                    &s, (gs_memory_t *)mem) == 0) {
+                if (starting_arg_file ||
+                    check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
+                    *pclen = blen1;
+                    make_stream_file(pfile, s, "r");
+                    return 0;
+                }
+                sclose(s);
+                return_error(e_invalidfileaccess);
+            }
+        }
+    }
+    return 1;
+}
 
 /* Return a file object of of the file searched for using the search paths. */
 /* The fname cannot contain a device part (%...%) but the lib paths might. */
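Review bot: In `lib_file_open_search_with_combine`, the `%device%` branch fills `buffer` with four `memcpy` calls (`pname.fname` + `fname`, then `pstr` + `fname`) that never consult `blen`, so a long library-path entry combined with a long file name can write past the caller's buffer. The code is moved unchanged from `lib_file_open`, but the new helper is a natural place for a guard before the first copy, for example `if (pname.len + flen > (uint)blen || plen + flen > (uint)blen) return_error(e_limitcheck);`. The same branch also returns the opened stream without calling `check_file_permissions_aux`, unlike the `else` branch; if that is deliberate for devices such as `%rom%`, a one-line comment saying so would help the next reader.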
@@ -919,6 +1003,8 @@
     char fmode[4] = { 'r', 0, 0, 0 };		/* room for binary suffix */
     stream *s;
     gx_io_device *iodev = iodev_default;
+    gs_main_instance *minst = get_minst_from_memory(mem);
+    int code;
 
     /* when starting arg files (@ files) iodev_default is not yet set */
     if (iodev == 0)
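Review bot: `minst` is taken from `get_minst_from_memory(mem)` and later dereferenced as `minst->search_here_first` with no NULL check. The context comment just below notes that `iodev_default` may not be set yet while arg files are starting, so this function runs early in start-up; if the instance pointer can also be unset at that point, a guard such as `bool here_first = (minst != NULL) && minst->search_here_first;` would fall back to the library-path-first order instead of crashing. Whether `get_minst_from_memory` can return NULL here is not visible on this page. `lib_file_open` starts before and ends after this hunk.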
@@ -932,75 +1018,36 @@
        search_with_no_combine = starting_arg_file;
        search_with_combine = true;
     }
-    if (search_with_no_combine) {
-	uint blen1 = blen;
-
-	if (gp_file_name_reduce(fname, flen, buffer, &blen1) != gp_combine_success)
-	    goto skip;
-	if (iodev_os_open_file(iodev, (const char *)buffer, blen1,
-				(const char *)fmode, &s, (gs_memory_t *)mem) == 0) {
-	    if (starting_arg_file ||
-			check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
-		*pclen = blen1;
-		make_stream_file(pfile, s, "r");
-		return 0;
-	    }
-	    sclose(s);
-	    return_error(e_invalidfileaccess);
-	}
-	skip:;
-    } 
-    if (search_with_combine) {
-	const gs_file_path *pfpath = lib_path;
-	uint pi;
-
-	for (pi = 0; pi < r_size(&pfpath->list); ++pi) {
-	    const ref *prdir = pfpath->list.value.refs + pi;
-	    const char *pstr = (const char *)prdir->value.const_bytes;
-	    uint plen = r_size(prdir), blen1 = blen;
-    	    gs_parsed_file_name_t pname;
-	    gp_file_name_combine_result r;
-
-	    /* We need to concatenate and parse the file name here
-	     * if this path has a %device% prefix.		*/
-	    if (pstr[0] == '%') {
-		int code;
-
-		/* We concatenate directly since gp_file_name_combine_*
-		 * rules are not correct for other devices such as %rom% */
-		code = gs_parse_file_name(&pname, pstr, plen);
-		if (code < 0)
-		    continue;
-		memcpy(buffer, pname.fname, pname.len);
-		memcpy(buffer+pname.len, fname, flen);
-		code = pname.iodev->procs.open_file(pname.iodev, buffer, pname.len + flen, fmode,
-					      &s, (gs_memory_t *)mem);
-		if (code < 0)
-		    continue;
-		make_stream_file(pfile, s, "r");
-		/* fill in the buffer with the device concatenated */
-		memcpy(buffer, pstr, plen);
-		memcpy(buffer+plen, fname, flen);
-		*pclen = plen + flen;
-		return 0;
-	    } else {
-		r = gp_file_name_combine(pstr, plen, 
-			fname, flen, false, buffer, &blen1);
-		if (r != gp_combine_success)
-		    continue;
-		if (iodev_os_open_file(iodev, (const char *)buffer, blen1, (const char *)fmode,
-					&s, (gs_memory_t *)mem) == 0) {
-		    if (starting_arg_file ||
-			check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
-			*pclen = blen1;
-			make_stream_file(pfile, s, "r");
-			return 0;
-		    }
-		    sclose(s);
-		    return_error(e_invalidfileaccess);
-		}
-	    }
-	}
+    if (minst->search_here_first) {
+      if (search_with_no_combine) {
+        code = lib_file_open_search_with_no_combine(lib_path, mem, i_ctx_p,
+                                                    fname, flen, buffer, blen, pclen, pfile,
+                                                    iodev, starting_arg_file, fmode);
+        if (code <= 0) /* +ve means continue continue */
+          return code;
+      }
+      if (search_with_combine) {
+        code = lib_file_open_search_with_combine(lib_path, mem, i_ctx_p,
+                                                 fname, flen, buffer, blen, pclen, pfile,
+                                                 iodev, starting_arg_file, fmode);
+        if (code <= 0) /* +ve means continue searching */
+          return code;
+      }
+    } else {
+      if (search_with_combine) {
+        code = lib_file_open_search_with_combine(lib_path, mem, i_ctx_p,
+                                                 fname, flen, buffer, blen, pclen, pfile,
+                                                 iodev, starting_arg_file, fmode);
+        if (code <= 0) /* +ve means continue searching */
+          return code;
+      }
+      if (search_with_no_combine) {
+        code = lib_file_open_search_with_no_combine(lib_path, mem, i_ctx_p,
+                                                    fname, flen, buffer, blen, pclen, pfile,
+                                                    iodev, starting_arg_file, fmode);
+        if (code <= 0) /* +ve means continue searching */
+          return code;
+       }
     }
     return_error(e_undefinedfilename);
 }
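Review bot: Whether this reordering protects a default invocation depends on the initial value of `minst->search_here_first`, which is set outside `psi/zfile.c` and is not part of patch-ae; if it still starts out true in 8.71, the current directory keeps priority unless `-P-` is passed, so the default is worth confirming and stating in the patch header. The `else` branch also only demotes the uncombined lookup to a fallback rather than removing it, which deserves a comment such as `/* library path first; fname as given is tried only if no path entry matches */`. The first call's comment reads `/* +ve means continue continue */` and should match the others: `/* +ve means continue searching */`. The body of `lib_file_open` begins outside this hunk.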

File Added: pkgsrc/print/ghostscript/patches/Attic/patch-bd
$NetBSD: patch-bd,v 1.3.2.2 2010/11/23 22:43:36 spz Exp $

From 6d26e9b1c38d8c0f0ab4af42c513cb23f3ae1656 Mon Sep 17 00:00:00 2001
From: till <till@a1074d23-0009-0410-80fe-cf8c14f379e6>
Date: Tue, 9 Mar 2010 16:35:06 +0000
Subject: [PATCH] Fixes on CUPS Raster output device:
 - Fixed memory reallocation on bitmap size change. Reallocation is not only
   needed when dimendions and margins change, but also when the color depth
   changes. Fixes bugs #691029 and #691108.
 - Fixed arrayoption() macro in cups_put_params() function. Array values did
   not get actually set in cups.header data structure. Bug only showed via
   a compiler warning.
 - Silenced compiler warning by presetting c0..c3 in cups_map_cmyk() to zero.

git-svn-id: http://svn.ghostscript.com/ghostscript/trunk/gs@10890 a1074d23-0009-0410-80fe-cf8c14f379e6
---
 cups/gdevcups.c |   32 +++++++++++++++++++++++---------
 1 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/cups/gdevcups.c b/cups/gdevcups.c
index 551b806..4000abf 100644
--- a/cups/gdevcups.c
+++ cups/gdevcups.c
@@ -975,7 +975,8 @@ cups_map_cmyk(gx_device *pdev,		/* I - Device info */
 	      frac      k,		/* I - Black value */
 	      frac      *out)		/* O - Device colors */
 {
-  int	c0, c1, c2, c3;			/* Temporary color values */
+  int	c0 = 0, c1 = 0,
+        c2 = 0, c3 = 0;			/* Temporary color values */
   float	rr, rg, rb,			/* Real RGB colors */
 	ciex, ciey, ciez,		/* CIE XYZ colors */
 	ciey_yn,			/* Normalized luminance */
@@ -2703,9 +2704,13 @@ cups_put_params(gx_device     *pdev,	/* I - Device info */
   int			color_set;	/* Were the color attrs set? */
   gdev_prn_space_params	sp;		/* Space parameter data */
   int			width,		/* New width of page */
-                        height;		/* New height of page */
+                        height,		/* New height of page */
+                        colorspace,     /* New color space */
+                        bitspercolor;   /* New bits per color */
   static int            width_old = 0,  /* Previous width */
-                        height_old = 0; /* Previous height */
+                        height_old = 0, /* Previous height */
+                        colorspace_old = 0,/* Previous color space */
+                        bitspercolor_old = 0;/* Previous bits per color */
   ppd_attr_t            *backside = NULL,
                         *backsiderequiresflippedmargins = NULL;
   float                 swap;
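Review bot: `colorspace_old` and `bitspercolor_old` are function-level `static` variables, like the existing `width_old`/`height_old`, so the "previous" values are shared by every device that passes through `cups_put_params` rather than belonging to `pdev`. If more than one CUPS raster device is configured in the same process, the test that decides whether to reallocate the bitmap may compare against another device's values and skip a reallocation that is needed. Keeping the four values in the device structure would avoid that; at minimum a comment like `/* NOTE: process-wide cache, assumes a single cups device */` should record the assumption. The comparison itself is in a later hunk and the function body extends beyond this one.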
@@ -2800,9 +2805,10 @@ cups_put_params(gx_device     *pdev,	/* I - Device info */
   else if (code == 0) \
   { \
     dprintf1("DEBUG: Setting %s to", sname); \
-    for (i = 0; i < count; i ++) \
-      dprintf1(" %d", (unsigned)(arrayval.data[i]));	 \
-      cups->header.name[i] = (unsigned)arrayval.data[i]; \
+    for (i = 0; i < count; i ++) { \
+      dprintf1(" %d", (unsigned)(arrayval.data[i])); \
+      cups->header.name[i] = (unsigned)(arrayval.data[i]); \
+    } \
     dprintf("...\n"); \
   }
 
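Review bot: Now that the assignment really runs once per element, the loop reads `arrayval.data[i]` for every `i < count` with no visible check that the supplied array has `count` entries. The start of the `arrayoption()` macro is outside this hunk, so confirm that a size check exists there. If it does not, bound the loop with `for (i = 0; i < (count) && i < arrayval.size; i ++) { \`, which also parenthesises the macro argument.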
@@ -3243,23 +3249,31 @@ cups_put_params(gx_device     *pdev,	/* I - Device info */
     }
 #endif /* CUPS_RASTER_SYNCv1 */
 
+    colorspace = cups->header.cupsColorSpace;
+    bitspercolor = cups->header.cupsBitsPerColor;
+
    /*
     * Don't reallocate memory unless the device has been opened...
     * Also reallocate only if the size has actually changed...
     */
 
-    if (pdev->is_open && (width != width_old || height != height_old))
+    if (pdev->is_open &&
+	(width != width_old || height != height_old ||
+	 colorspace != colorspace_old || bitspercolor != bitspercolor_old))
     {
 
       width_old = width;
       height_old = height;
+      colorspace_old = colorspace;
+      bitspercolor_old = bitspercolor;
 
      /*
       * Device is open and size has changed, so reallocate...
       */
 
-      dprintf4("DEBUG2: Reallocating memory, [%.0f %.0f] = %dx%d pixels...\n",
-	       pdev->MediaSize[0], pdev->MediaSize[1], width, height);
+      dprintf6("DEBUG2: Reallocating memory, [%.0f %.0f] = %dx%d pixels, color space: %d, bits per color: %d...\n",
+	       pdev->MediaSize[0], pdev->MediaSize[1], width, height,
+	       colorspace, bitspercolor);
 
       sp = ((gx_device_printer *)pdev)->space_params;