| author | Robert Scott <code@humanleg.org.uk> | 2019-10-24 00:12:15 +0100 |
|---|---|---|
| committer | Robert Scott <code@humanleg.org.uk> | 2019-11-04 21:08:46 +0000 |
| commit | 7e2ddc63cc7e21c950dcf7600dedf9090197e092 (patch) | |
| tree | 898cd4a27a824298283811db8f75b7f5da5e5336 | |
| parent | ghostscript: add patches for CVE-2019-3839 (diff) | |
| download | nixpkgs-7e2ddc63cc7e21c950dcf7600dedf9090197e092.tar.gz | |
ghostscript: add patches for CVE-2019-10216, CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 and some of CVE-2019-14817
as with master, not all of the CVE-2019-14817 patch applies cleanly, but
the parts that do should provide some protection
(cherry picked from commit bd3f644a9067e3c70e296cca8a4cdbb8b6bbc2f5)
| -rw-r--r-- | pkgs/misc/ghostscript/9.26-CVE-2019-10216.patch | 36 | ||||
| -rw-r--r-- | pkgs/misc/ghostscript/default.nix | 14 |
2 files changed, 50 insertions, 0 deletions
diff --git a/pkgs/misc/ghostscript/9.26-CVE-2019-10216.patch b/pkgs/misc/ghostscript/9.26-CVE-2019-10216.patch
new file mode 100644
index 000000000000..d1c8dbcfe42b
--- /dev/null
+++ b/pkgs/misc/ghostscript/9.26-CVE-2019-10216.patch
@@ -0,0 +1,36 @@
+Based on upstream commit 5b85ddd19a8420a1bd2d5529325be35d78e94234
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+ ( to be the same as glyph: ) print 1 index //== exec } if
+ 3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+ {pop} ifelse
+- } forall
++ } executeonly forall
+ pop pop
+- }
++ } executeonly
+ {
+ pop pop pop
+ } ifelse
+- }
++ } executeonly
+ {
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ 3 1 roll pop pop
+- } if
++ } executeonly if
+ pop
+ dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse
+- } if
++ } executeonly if
+
+ %% We need to excute the C .buildfont1 in a stopped context so that, if there
+ %% are errors we can put the stack back sanely and exit. Otherwise callers won't
diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix
index b3be05fef179..b44c38588edd 100644
--- a/pkgs/misc/ghostscript/default.nix
+++ b/pkgs/misc/ghostscript/default.nix
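Review bot: The header of 9.26-CVE-2019-10216.patch says only `Based on upstream commit 5b85ddd19a8420a1bd2d5529325be35d78e94234`, so a later reviewer cannot tell what was changed relative to upstream. Unlike the fetchpatch entries added to default.nix, this file is carried in-tree with no sha256 tying it to the upstream change, so it has to be compared against that commit by hand. I would add a second header line such as `Adapted for 9.26: <what was changed or dropped relative to upstream>`. The first added site reads `}executeonly` while every other site has `} executeonly`; `}` is self-delimiting in PostScript so this should behave the same, but match upstream's spelling if it is a transcription difference.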
@@ -61,6 +61,20 @@ stdenv.mkDerivation rec {
 url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=db24f253409d5d085c2760c814c3e1d3fa2dac59";
 sha256 = "1h6kpwc6ryr6jlxjr6bfnvmmf8x0kqmyjlx3hggqjs23n0wsr9p9";
 })
+ ./9.26-CVE-2019-10216.patch
+ (fetchpatch {
+ name = "CVE-2019-14811.CVE-2019-14812.CVE-2019-14813.patch";
+ url = "https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33";
+ sha256 = "19928sr7xpx7iibk9gn127g0r1yv2lcfpwgk2ipzz4wgrs3f5j70";
+ })
+ (fetchpatch {
+ name = "CVE-2019-14817-partial.patch";
+ url = "https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19";
+ # patch doesn't apply cleanly to all files, but at least partially applying it fixes
+ # *some* of the problematic sites.
+ excludes = ["Resource/Init/pdf_font.ps" "Resource/Init/pdf_draw.ps"];
+ sha256 = "04sy05svm3d2hyyzq41x5aqg3cgg2shaq08ivdqsys95nlihccpn";
+ })
 ];
 
 outputs = [ "out" "man" "doc" ]; |
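Review bot: The `excludes` list in the `CVE-2019-14817-partial.patch` entry leaves `Resource/Init/pdf_font.ps` and `Resource/Init/pdf_draw.ps` without the upstream fix, and nothing in the derivation records that as open work. The package therefore still carries whatever part of CVE-2019-14817 lives in those two files, and the CVE should not be treated as closed for this package. The inline comment explains why the patch is partial but not that a follow-up is needed; I would add `# TODO: pdf_font.ps and pdf_draw.ps remain unpatched for CVE-2019-14817; backport those hunks by hand or drop this entry on the next version bump.` The enclosing patches list starts outside the hunk, so I cannot see whether an earlier entry already touches those files.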
