Add a fix for the security vulnerability reported in CVE-2010-1628

taken from the Ghostscript Bugzilla.
author: tron <tron@pkgsrc.org> 2010-06-30 12:44:55 +0000
committer: tron <tron@pkgsrc.org> 2010-06-30 12:44:55 +0000
commit: fc6f81e619e9d03c11b040dd9e235979fce19754 (patch)
tree: c73fc580640bd26a5cdb283424ed8fa8c7d04185 /print
parent: 5ce2da448294d9daee6b1a654319213f2b0f5cec (diff)
download: pkgsrc-fc6f81e619e9d03c11b040dd9e235979fce19754.tar.gz
5 files changed, 145 insertions, 3 deletions
diff --git a/print/ghostscript/Makefile b/print/ghostscript/Makefile
index 2c3507413ff..9ed949aa1d8 100644
--- a/print/ghostscript/Makefile
+++ b/print/ghostscript/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.79 2010/06/13 22:45:15 wiz Exp $
+# $NetBSD: Makefile,v 1.80 2010/06/30 12:44:55 tron Exp $
 
 DISTNAME=	ghostscript-8.71
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	print
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=ghostscript/}
 MASTER_SITES+=	http://ghostscript.com/releases/
diff --git a/print/ghostscript/distinfo b/print/ghostscript/distinfo
index 764c72b895a..4497b546d01 100644
--- a/print/ghostscript/distinfo
+++ b/print/ghostscript/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.33 2010/06/13 22:45:15 wiz Exp $
+$NetBSD: distinfo,v 1.34 2010/06/30 12:44:55 tron Exp $
 
 SHA1 (ghostscript-8.71.tar.gz) = 629299140f612fac32f6289be0904107dfd1b555
 RMD160 (ghostscript-8.71.tar.gz) = efce74cf22cf99b2b1a145df466e79a86e3dfefb
@@ -15,3 +15,6 @@ SHA1 (patch-aj) = 620d921210b5c0efec0a84e33bc416e4ab4bd11c
 SHA1 (patch-al) = 86489b704c60320385794c3eb68170d9b9f1f6cc
 SHA1 (patch-am) = 47a994e902d565f2a06b054766d6fa93c7534d21
 SHA1 (patch-an) = 875360319e486f4606627d8cfa3dbffd48d76130
+SHA1 (patch-ba) = 9c9f9aa27bcbcb43c9eb3b7f7ae6d70fb6545057
+SHA1 (patch-bb) = 6487b61fafe39a4ac8141b9f84044fc210df66ac
+SHA1 (patch-bc) = c35ee6c3075b89714fbb74956d68747d3c17bf9c
diff --git a/print/ghostscript/patches/patch-ba b/print/ghostscript/patches/patch-ba
new file mode 100644
index 00000000000..8becb375bf4
--- /dev/null
+++ b/print/ghostscript/patches/patch-ba
@@ -0,0 +1,47 @@
+$NetBSD: patch-ba,v 1.3 2010/06/30 12:44:55 tron Exp $
+
+Fix for security vulnerability reported in CVE-2010-1628 taken from here:
+
+http://bugs.ghostscript.com/attachment.cgi?id=6350
+
+--- psi/idosave.h.orig	2008-08-28 23:48:19.000000000 +0100
++++ psi/idosave.h	2010-06-30 13:31:32.000000000 +0100
+@@ -18,6 +18,22 @@
+ #  define idosave_INCLUDED
+ 
+ /*
++ * Structure for saved change chain for save/restore.  Because of the
++ * garbage collector, we need to distinguish the cases where the change
++ * is in a static object, a dynamic ref, or a dynamic struct.
++ */
++typedef struct alloc_change_s alloc_change_t;
++struct alloc_change_s {
++    alloc_change_t *next;
++    ref_packed *where;
++    ref contents;
++#define AC_OFFSET_STATIC (-2)	/* static object */
++#define AC_OFFSET_REF (-1)	/* dynamic ref */
++#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
++    short offset;		/* if >= 0, offset within struct */
++};
++
++/*
+  * Save a change that must be undone by restore.  We have to pass the
+  * pointer to the containing object to alloc_save_change for two reasons:
+  *
+@@ -29,6 +45,7 @@
+  * relocate the pointer to it from the change record during garbage
+  * collection.
+  */
++
+ int alloc_save_change(gs_dual_memory_t *dmem, const ref *pcont,
+ 		      ref_packed *ptr, client_name_t cname);
+ int alloc_save_change_in(gs_ref_memory_t *mem, const ref *pcont,
+@@ -36,6 +53,6 @@
+ /* Remove an AC_OFFSET_ALLOCATED element. */
+ void alloc_save_remove(gs_ref_memory_t *mem, ref_packed *obj, client_name_t cname);
+ /* Allocate a structure for recording an allocation event. */
+-int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr);
++int alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp);
+ 
+ #endif /* idosave_INCLUDED */
diff --git a/print/ghostscript/patches/patch-bb b/print/ghostscript/patches/patch-bb
new file mode 100644
index 00000000000..27baf7fbd51
--- /dev/null
+++ b/print/ghostscript/patches/patch-bb
@@ -0,0 +1,50 @@
+$NetBSD: patch-bb,v 1.3 2010/06/30 12:44:55 tron Exp $
+
+Fix for security vulnerability reported in CVE-2010-1628 taken from here:
+
+http://bugs.ghostscript.com/attachment.cgi?id=6350
+
+--- psi/isave.c.orig	2008-08-28 23:48:19.000000000 +0100
++++ psi/isave.c	2010-06-30 13:31:32.000000000 +0100
+@@ -156,22 +156,6 @@
+ /* A link to igcref.c . */
+ ptr_proc_reloc(igc_reloc_ref_ptr_nocheck, ref_packed);
+ 
+-/*
+- * Structure for saved change chain for save/restore.  Because of the
+- * garbage collector, we need to distinguish the cases where the change
+- * is in a static object, a dynamic ref, or a dynamic struct.
+- */
+-typedef struct alloc_change_s alloc_change_t;
+-struct alloc_change_s {
+-    alloc_change_t *next;
+-    ref_packed *where;
+-    ref contents;
+-#define AC_OFFSET_STATIC (-2)	/* static object */
+-#define AC_OFFSET_REF (-1)	/* dynamic ref */
+-#define AC_OFFSET_ALLOCATED (-3) /* a newly allocated ref array */
+-    short offset;		/* if >= 0, offset within struct */
+-};
+-
+ static 
+ CLEAR_MARKS_PROC(change_clear_marks)
+ {
+@@ -519,7 +503,7 @@
+ 
+ /* Allocate a structure for recording an allocation event. */
+ int
+-alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, ref_packed ***ppr)
++alloc_save_change_alloc(gs_ref_memory_t *mem, client_name_t cname, alloc_change_t **pcp)
+ {
+     register alloc_change_t *cp;
+ 
+@@ -533,8 +517,7 @@
+     cp->where = 0;
+     cp->offset = AC_OFFSET_ALLOCATED;
+     make_null(&cp->contents);
+-    mem->changes = cp;
+-    *ppr = &cp->where;
++    *pcp = cp;
+     return 1;
+ }
+ 
diff --git a/print/ghostscript/patches/patch-bc b/print/ghostscript/patches/patch-bc
new file mode 100644
index 00000000000..f5d7987ef0d
--- /dev/null
+++ b/print/ghostscript/patches/patch-bc
@@ -0,0 +1,42 @@
+$NetBSD: patch-bc,v 1.3 2010/06/30 12:44:55 tron Exp $
+
+Fix for security vulnerability reported in CVE-2010-1628 taken from here:
+
+http://bugs.ghostscript.com/attachment.cgi?id=6350
+
+--- psi/ialloc.c.orig	2008-08-28 23:48:19.000000000 +0100
++++ psi/ialloc.c	2010-06-30 13:31:32.000000000 +0100
+@@ -185,7 +185,14 @@
+ 	 */
+ 	chunk_t *pcc = mem->pcc;
+ 	ref *end;
++	alloc_change_t *cp = 0;
++        int code = 0;
+ 
++	if ((gs_memory_t *)mem != mem->stable_memory) {
++	    code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &cp);
++	    if (code < 0)
++		return code;
++	}
+ 	obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1,
+ 				    ref, &st_refs, cname);
+ 	if (obj == 0)
+@@ -210,14 +217,10 @@
+ 	    chunk_locate_ptr(obj, &cl);
+ 	    cl.cp->has_refs = true;
+ 	}
+-	if ((gs_memory_t *)mem != mem->stable_memory) {
+-	    ref_packed **ppr = 0;
+-	    int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr);
+-	    if (code < 0)
+-		return code;
+-            if (ppr)
+-	        *ppr = (ref_packed *)obj;
+-	}
++	if (cp) {
++            mem->changes = cp;
++            cp->where = (ref_packed *)obj;
++        }
+     }
+     make_array(parr, attrs | mem->space, num_refs, obj);
+     return 0;
author	tron <tron@pkgsrc.org>	2010-06-30 12:44:55 +0000
committer	tron <tron@pkgsrc.org>	2010-06-30 12:44:55 +0000
commit	fc6f81e619e9d03c11b040dd9e235979fce19754 (patch)
tree	c73fc580640bd26a5cdb283424ed8fa8c7d04185 /print
parent	5ce2da448294d9daee6b1a654319213f2b0f5cec (diff)
download	pkgsrc-fc6f81e619e9d03c11b040dd9e235979fce19754.tar.gz