Version in base suite: 10.0.0~dfsg-11+deb12u5 Base version: ghostscript_10.0.0~dfsg-11+deb12u5 Target version: ghostscript_10.0.0~dfsg-11+deb12u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/ghostscript/ghostscript_10.0.0~dfsg-11+deb12u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/ghostscript/ghostscript_10.0.0~dfsg-11+deb12u6.dsc changelog | 16 patches/0020-Bug-707793-Check-for-overflow-validating-format-stri.patch | 69 + patches/0021-Bug-706922-Fix-filenameforall-completion-cleanup.patch | 53 + patches/0022-Bug-707007-707015-707025-Don-t-leave-a-dangling-poin.patch | 47 + patches/0023-PostScript-interpreter-Null-dangling-references-on-s.patch | 79 ++ patches/0024-PostScript-interpreter-fix-buffer-length-check.patch | 32 patches/0025-PS-interpreter-review-colour-code-for-stack-pointers.patch | 382 ++++++++++ patches/0026-PS-interpreter-check-Indexed-colour-space-index.patch | 62 + patches/0027-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch | 33 patches/0028-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch | 59 + patches/series | 9 11 files changed, 841 insertions(+) Unrecognised file line in .dsc: -----BEGIN PGP SIGNATURE----- Unrecognised file line in .dsc: -----BEGIN PGP SIGNATURE----- diff -Nru ghostscript-10.0.0~dfsg/debian/changelog ghostscript-10.0.0~dfsg/debian/changelog --- ghostscript-10.0.0~dfsg/debian/changelog 2024-08-24 19:29:52.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/changelog 2024-11-10 12:20:08.000000000 +0000 @@ -1,3 +1,19 @@ +ghostscript (10.0.0~dfsg-11+deb12u6) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Check for overflow validating format string (CVE-2024-46953) + * Fix filenameforall completion cleanup + * Don't leave a dangling pointer on the stack + * PostScript interpreter - Null dangling references on stack + * PostScript interpreter - fix buffer length check (CVE-2024-46956) + * PS interpreter review colour code for stack pointers + * PS interpreter - check Indexed colour space index (CVE-2024-46955) + * PS interpreter - check the type of the Pattern Implementation + (CVE-2024-46951) + * PDF interpreter - sanitise W array values in Xref streams (CVE-2024-46952) + + -- Salvatore Bonaccorso Sun, 10 Nov 2024 13:20:08 +0100 + ghostscript (10.0.0~dfsg-11+deb12u5) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0020-Bug-707793-Check-for-overflow-validating-format-stri.patch ghostscript-10.0.0~dfsg/debian/patches/0020-Bug-707793-Check-for-overflow-validating-format-stri.patch --- ghostscript-10.0.0~dfsg/debian/patches/0020-Bug-707793-Check-for-overflow-validating-format-stri.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0020-Bug-707793-Check-for-overflow-validating-format-stri.patch 2024-11-10 06:09:52.000000000 +0000 @@ -0,0 +1,69 @@ +From: Zdenek Hutyra +Date: Mon, 27 May 2024 13:38:36 +0100 +Subject: Bug 707793: Check for overflow validating format string +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=294a3755e33f453dd92e2a7c4cfceb087ac09d6a +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707793 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-46953 + +for the output file name + +CVE-2024-46953 +--- + base/gsdevice.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/base/gsdevice.c b/base/gsdevice.c +index 90e699ab45a7..c1eaedd8517c 100644 +--- a/base/gsdevice.c ++++ b/base/gsdevice.c +@@ -1070,7 +1070,7 @@ static int + gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt) + { + bool have_format = false, field; +- int width[2], int_width = sizeof(int) * 3, w = 0; ++ uint width[2], int_width = sizeof(int) * 3, w = 0; + uint i; + + /* Scan the file name for a format string, and validate it if present. */ +@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt) + default: /* width (field = 0) and precision (field = 1) */ + if (strchr("0123456789", pfn->fname[i])) { + width[field] = width[field] * 10 + pfn->fname[i] - '0'; ++ if (width[field] > max_int) ++ return_error(gs_error_undefinedfilename); + continue; + } else if (0 == field && '.' == pfn->fname[i]) { + field++; +@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt) + /* Calculate a conservative maximum width. */ + w = max(width[0], width[1]); + w = max(w, int_width) + 5; ++ if (w > max_int) ++ return_error(gs_error_undefinedfilename); + } +- return w; ++ return (int)w; + } + + /* +@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt, + if (!pfn->fname) + return 0; + code = gx_parse_output_format(pfn, pfmt); +- if (code < 0) ++ if (code < 0) { + return code; +- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof) ++ } ++ ++ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) || ++ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) { + return_error(gs_error_undefinedfilename); ++ } ++ + return 0; + } + +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0021-Bug-706922-Fix-filenameforall-completion-cleanup.patch ghostscript-10.0.0~dfsg/debian/patches/0021-Bug-706922-Fix-filenameforall-completion-cleanup.patch --- ghostscript-10.0.0~dfsg/debian/patches/0021-Bug-706922-Fix-filenameforall-completion-cleanup.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0021-Bug-706922-Fix-filenameforall-completion-cleanup.patch 2024-11-10 06:33:53.000000000 +0000 @@ -0,0 +1,53 @@ +From: Chris Liddell +Date: Mon, 31 Jul 2023 07:49:47 +0100 +Subject: Bug 706922: Fix filenameforall completion cleanup +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=9c24aae232be19ab4e5174578009e8b519d4f3bd +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=706922 + +Previously, zfilenameforall() relied upon the specifics of normal interpreter +loop operation to correctly cleanup on completion, which works unless the +interpreter loop is interrupted by a garbage collection which fails (VMerror). +In which case, the top objects on the exec stack are not correctly shuffled +around, and the file_cleanup() function ends up being called erroneously with +a corrupted file enumerator object which has already been freed anyway. + +So simply don't use the "trick" and cleanup the stack explicitly before we +return to the interpreter loop. +--- + psi/zfile.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/psi/zfile.c b/psi/zfile.c +index 1845a73e55bf..e374574574dd 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -414,7 +414,7 @@ zfilenameforall(i_ctx_t *i_ctx_p) + *++esp = op[-1]; + ref_stack_pop(&o_stack, 3); + code = file_continue(i_ctx_p); +- return (code == o_pop_estack ? o_push_estack : code); ++ return code; + } + /* Continuation operator for enumerating files */ + static int +@@ -429,7 +429,7 @@ file_continue(i_ctx_t *i_ctx_p) + uint code; + + if (len < devlen) { +- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ ++ esp -= 6; /* pop proc, pfen, scratch, devlen, iodev , mark */ + return_error(gs_error_rangecheck); /* not even room for device len */ + } + +@@ -438,7 +438,7 @@ file_continue(i_ctx_t *i_ctx_p) + code = iodev->procs.enumerate_next(imemory, pfen, (char *)pscratch->value.bytes + devlen, + len - devlen); + if (code == ~(uint) 0) { /* all done */ +- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ ++ esp -= 6; /* pop proc, pfen, scratch, devlen, iodev , mark */ + return o_pop_estack; + } else if (code > len) { /* overran string */ + return_error(gs_error_rangecheck); +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0022-Bug-707007-707015-707025-Don-t-leave-a-dangling-poin.patch ghostscript-10.0.0~dfsg/debian/patches/0022-Bug-707007-707015-707025-Don-t-leave-a-dangling-poin.patch --- ghostscript-10.0.0~dfsg/debian/patches/0022-Bug-707007-707015-707025-Don-t-leave-a-dangling-poin.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0022-Bug-707007-707015-707025-Don-t-leave-a-dangling-poin.patch 2024-11-10 06:40:29.000000000 +0000 @@ -0,0 +1,47 @@ +From: Chris Liddell +Date: Fri, 18 Aug 2023 07:55:13 +0100 +Subject: Bug 707007/707015/707025: Don't leave a dangling pointer on the stack +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e7b9aae979e45843a96b862439827682bcfb6ad1 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707025 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707015 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707007 + +At the end of a show operation, we free the enumerator associated with it, and +decrement the exec stack pointer - effectively popping the enumerator and +various bits of house keeping off the stack. + +The problem is that in various places the garbage collector works entirely on +memory "clumps", and has no concept of where the top of the stacks actually are. + +As a consequence the freed enumerator's memory can end up being enumerated +(marked) and relocated, which obviously leads to problems. + +In the case of the test file for 707015 on my specific setup, for example, the +allocator's memory has be reused to hold a memory rendering device, the mark +and reloc corrupt that, which causes a crash when we come to free the device. +Note that exactly what gets corrupted depends very much on the memory use at +the time which is test file, configuration, platform etc specific. +--- + psi/zchar.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/psi/zchar.c b/psi/zchar.c +index 2517bea64440..573f21b9f30f 100644 +--- a/psi/zchar.c ++++ b/psi/zchar.c +@@ -1031,7 +1031,11 @@ op_show_restore(i_ctx_t *i_ctx_p, bool for_error) + if (penum->k_text_release) { + gsicc_restore_blacktextvec(igs, true); + } +- ++ /* Because the garbager, in most places, works on clumps, taking no ++ account of where the top of the exec stack is, we can't leave a ++ dangling pointer to this enumerator when we're about to free it. ++ */ ++ make_null(ep); + gs_text_release(NULL, penum, "op_show_restore"); + return code; + } +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0023-PostScript-interpreter-Null-dangling-references-on-s.patch ghostscript-10.0.0~dfsg/debian/patches/0023-PostScript-interpreter-Null-dangling-references-on-s.patch --- ghostscript-10.0.0~dfsg/debian/patches/0023-PostScript-interpreter-Null-dangling-references-on-s.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0023-PostScript-interpreter-Null-dangling-references-on-s.patch 2024-11-10 06:42:08.000000000 +0000 @@ -0,0 +1,79 @@ +From: Ken Sharp +Date: Mon, 21 Aug 2023 16:50:00 +0100 +Subject: PostScript interpreter - Null dangling references on stack +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=05425198e588427327c55b76dfad57f20f62f944 + +In the wake of bug #707007 it is clear that due ot the way GC works on +stack clumps of memory, we cannot leave references to structures which +have been explicitly freed on the stacks. + +So far this only seems to be a problem with the exec stack, because +objects on the operand stack are left to GC to free. + +This commit is the result of reviewing all the places I could find where +we allocate a structure on the stack, and then free it explicitly in C +rather than leaving it to the garbage collector. +--- + psi/zfile.c | 2 ++ + psi/zfsample.c | 2 ++ + psi/zht1.c | 3 +++ + psi/zht2.c | 3 +++ + 4 files changed, 10 insertions(+) + +diff --git a/psi/zfile.c b/psi/zfile.c +index 45f4d5909d2e..a4f5439cd290 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -464,6 +464,8 @@ file_cleanup(i_ctx_t *i_ctx_p) + gx_io_device *iodev = r_ptr(esp + 2, gx_io_device); + + iodev->procs.enumerate_close(imemory, r_ptr(esp + 5, file_enum)); ++ /* See bug #707007, gp_enumerate_file_close() explicitly frees the file enumerator */ ++ make_null(esp + 5); + return 0; + } + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 7ad503e3f87c..1fc30989ca32 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -621,6 +621,8 @@ sampled_data_finish(i_ctx_t *i_ctx_p) + make_oper_new(cref.value.refs + 1, 0, zexecfunction); + ref_assign(op, &cref); + ++ /* See bug #707007, explicitly freed structures on the stacks need to be made NULL */ ++ make_null(esp); + esp -= estack_storage; + ifree_object(penum->pfn, "sampled_data_finish(pfn)"); + ifree_object(penum, "sampled_data_finish(enum)"); +diff --git a/psi/zht1.c b/psi/zht1.c +index 77a0bcb96dcc..fb33193a65c6 100644 +--- a/psi/zht1.c ++++ b/psi/zht1.c +@@ -141,6 +141,9 @@ setcolorscreen_cleanup(i_ctx_t *i_ctx_p) + "setcolorscreen_cleanup(device halftone)"); + gs_free_object(pht->rc.memory, pht, + "setcolorscreen_cleanup(halftone)"); ++ /* See bug #707007, explicitly freed structures on the stacks need to be made NULL */ ++ make_null(esp + 6); ++ make_null(esp + 7); + return 0; + } + +diff --git a/psi/zht2.c b/psi/zht2.c +index c0f151aa63ab..6a1e7666f2bf 100644 +--- a/psi/zht2.c ++++ b/psi/zht2.c +@@ -649,6 +649,9 @@ sethalftone_cleanup(i_ctx_t *i_ctx_p) + "sethalftone_cleanup(device halftone)"); + gs_free_object(pht->rc.memory, pht, + "sethalftone_cleanup(halftone)"); ++ /* See bug #707007, explicitly freed structures on the stacks need to be made NULL */ ++ make_null(&esp[4]); ++ make_null(&esp[3]); + return 0; + } + +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0024-PostScript-interpreter-fix-buffer-length-check.patch ghostscript-10.0.0~dfsg/debian/patches/0024-PostScript-interpreter-fix-buffer-length-check.patch --- ghostscript-10.0.0~dfsg/debian/patches/0024-PostScript-interpreter-fix-buffer-length-check.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0024-PostScript-interpreter-fix-buffer-length-check.patch 2024-11-10 06:43:19.000000000 +0000 @@ -0,0 +1,32 @@ +From: Zdenek Hutyra +Date: Tue, 23 Jul 2024 11:48:39 +0100 +Subject: PostScript interpreter - fix buffer length check +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ea69a1388245ad959d31c272b5ba66d40cebba2c +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707895 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-46956 + +Bug 707895 + +See bug report for details. + +CVE-2024-46956 +--- + psi/zfile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/psi/zfile.c b/psi/zfile.c +index a4f5439cd290..12a0357b41de 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -443,7 +443,7 @@ file_continue(i_ctx_t *i_ctx_p) + if (code == ~(uint) 0) { /* all done */ + esp -= 6; /* pop proc, pfen, scratch, devlen, iodev , mark */ + return o_pop_estack; +- } else if (code > len) { /* overran string */ ++ } else if (code > len - devlen) { /* overran string */ + return_error(gs_error_rangecheck); + } + else if (iodev != iodev_default(imemory) +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0025-PS-interpreter-review-colour-code-for-stack-pointers.patch ghostscript-10.0.0~dfsg/debian/patches/0025-PS-interpreter-review-colour-code-for-stack-pointers.patch --- ghostscript-10.0.0~dfsg/debian/patches/0025-PS-interpreter-review-colour-code-for-stack-pointers.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0025-PS-interpreter-review-colour-code-for-stack-pointers.patch 2024-11-10 11:31:06.000000000 +0000 @@ -0,0 +1,382 @@ +From: Ken Sharp +Date: Thu, 3 Aug 2023 12:09:50 +0100 +Subject: PS interpreter review colour code for stack pointers +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f22a42f334b9e7965cb99429b1346346d3e7c2d3 + +No bug report but after the recent slew of fuzzing bugs exploiting +incorrect or missing stack checking, a desk check of the colour and +colour space code. + +Mostly the code seems robust, there are a few improvements here; in a +couple of places add checks that the operand stack has at least the +expected number of operands. A number of places add checks that the +exec stack can hold an additional item before incrementing esp. Quite a +few places replace explicit decrement of esp with ref_stack_pop() in +order to ensure we don't fall off the bottom of a stack block. + +[Salvatore Bonaccorso: Backport to 10.0.0 for context changes] +--- + psi/zcolor.c | 79 ++++++++++++++++++++++++++++++---------------------- + 1 file changed, 46 insertions(+), 33 deletions(-) + +--- a/psi/zcolor.c ++++ b/psi/zcolor.c +@@ -205,6 +205,7 @@ zcurrentcolorspace(i_ctx_t * i_ctx_p) + } + } + r_set_attrs(&stref, a_executable); ++ check_estack(1); + esp++; + ref_assign(esp, &stref); + return o_push_estack; +@@ -1005,6 +1006,7 @@ static int setgrayspace(i_ctx_t * i_ctx_ + memcpy(body, "/DefaultGray ..nosubstdevicetest",32); + make_string(&stref, a_all | icurrent_space, 32, body); + r_set_attrs(&stref, a_executable); ++ check_estack(1); + esp++; + ref_assign(esp, &stref); + return o_push_estack; +@@ -1017,6 +1019,7 @@ static int setgrayspace(i_ctx_t * i_ctx_ + memcpy(body, "{/DefaultGray /ColorSpace findresource} stopped",47); + make_string(&stref, a_all | icurrent_space, 47, body); + r_set_attrs(&stref, a_executable); ++ check_estack(1); + esp++; + ref_assign(esp, &stref); + return o_push_estack; +@@ -1177,6 +1180,7 @@ static int grayvalidate(i_ctx_t *i_ctx_p + { + os_ptr op = osp; + ++ check_op(1); + if (!r_is_number(op)) + return_error(gs_error_typecheck); + +@@ -1229,6 +1233,7 @@ static int setrgbspace(i_ctx_t * i_ctx_p + memcpy(body, "/DefaultRGB ..nosubstdevicetest",31); + make_string(&stref, a_all | icurrent_space, 31, body); + r_set_attrs(&stref, a_executable); ++ check_estack(1); + esp++; + ref_assign(esp, &stref); + return o_push_estack; +@@ -1241,6 +1246,7 @@ static int setrgbspace(i_ctx_t * i_ctx_p + memcpy(body, "{/DefaultRGB /ColorSpace findresource} stopped", 46); + make_string(&stref, a_all | icurrent_space, 46, body); + r_set_attrs(&stref, a_executable); ++ check_estack(1); + esp++; + ref_assign(esp, &stref); + return o_push_estack; +@@ -1577,6 +1583,7 @@ static int setcmykspace(i_ctx_t * i_ctx_ + memcpy(body, "/DefaultCMYK ..nosubstdevicetest",32); + make_string(&stref, a_all | icurrent_space, 32, body); + r_set_attrs(&stref, a_executable); ++ check_estack(1); + esp++; + ref_assign(esp, &stref); + return o_push_estack; +@@ -1589,6 +1596,7 @@ static int setcmykspace(i_ctx_t * i_ctx_ + memcpy(body, "{/DefaultCMYK /ColorSpace findresource} stopped", 47); + make_string(&stref, a_all | icurrent_space, 47, body); + r_set_attrs(&stref, a_executable); ++ check_estack(1); + esp++; + ref_assign(esp, &stref); + return o_push_estack; +@@ -3625,6 +3633,7 @@ static int septransform(i_ctx_t *i_ctx_p + + if (*usealternate && *stage == 0) { + (*stage)++; ++ check_estack(1); + esp++; + code = array_get(imemory, sepspace, 3, &proc); + if (code < 0) +@@ -3775,21 +3784,21 @@ static int devicencolorants_cont(i_ctx_t + do { + index = dict_next(pdict, index, (ref *)&space); + if (index == -1) { +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return o_pop_estack; + } + + if (stage == 0) { + code = gs_gsave(igs); + if (code < 0) { +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return code; + } + + code = validate_spaces(i_ctx_p, &space[1], &depth); + if (code < 0) { + (void)gs_grestore(igs); +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return code; + } + +@@ -3810,7 +3819,7 @@ static int devicencolorants_cont(i_ctx_t + + if (code < 0) { + (void)gs_grestore(igs); +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return code; + } else + return code; +@@ -3828,7 +3837,7 @@ static int devicencolorants_cont(i_ctx_t + * colour space is the one we want. + */ + if (!pgs->saved) { +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return gs_note_error(gs_error_unknownerror); + } + devn_cs = gs_currentcolorspace_inline(pgs->saved); +@@ -3864,7 +3873,7 @@ static int devicencolorants_cont(i_ctx_t + + code = gs_grestore(igs); + if (code < 0) { +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return code; + } + } +@@ -3888,7 +3897,7 @@ static int devicenprocess_cont(i_ctx_t * + if (stage == 0) { + code = gs_gsave(igs); + if (code < 0) { +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return code; + } + /* If we get a continuation from a sub-procedure, we will want to come back +@@ -3908,7 +3917,7 @@ static int devicenprocess_cont(i_ctx_t * + + if (code < 0) { + (void)gs_grestore(igs); +- esp -= 4; ++ ref_stack_pop(&e_stack, 5); + return code; + } else + return code; +@@ -3925,14 +3934,14 @@ static int devicenprocess_cont(i_ctx_t * + + code = gs_grestore(igs); + if (code < 0) { +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return code; + } + devn_cs = gs_currentcolorspace_inline(igs); + devn_cs->params.device_n.devn_process_space = process; + } + +- esp -= 4; ++ ref_stack_pop(&e_stack, 4); + return o_pop_estack; + } + +@@ -4446,10 +4455,11 @@ static int devicentransform(i_ctx_t *i_c + } + if (*usealternate && *stage == 0) { + (*stage)++; +- esp++; ++ check_estack(1); + code = array_get(imemory, devicenspace, 3, &proc); + if (code < 0) + return code; ++ esp++; + *esp = proc; + return o_push_estack; + } +@@ -4616,17 +4626,19 @@ indexed_cont(i_ctx_t *i_ctx_p) + int code = float_params(op, m, &r_ptr(&ep[csme_map], gs_indexed_map)->values[i * m]); + + if (code < 0) { +- esp -= num_csme; ++ ref_stack_pop(&e_stack, num_csme); + return code; + } + ref_stack_pop(&o_stack, m); + op -= m; + if (i == (int)ep[csme_hival].value.intval) { /* All done. */ +- esp -= num_csme; ++ ref_stack_pop(&e_stack, num_csme); + return o_pop_estack; + } + } + push(1); ++ check_estack(2); ++ ep = esp; + ep[csme_index].value.intval = ++i; + make_int(op, i); + make_op_estack(ep + 1, indexed_cont); +@@ -5450,6 +5462,7 @@ static int labvalidate(i_ctx_t *i_ctx_p, + + if (num_comps < 3) + return_error(gs_error_stackunderflow); ++ check_op(3); + op -= 2; + for (i=0;i<3;i++) { + if (!r_is_number(op)) +@@ -6448,7 +6461,7 @@ setcolor_cont(i_ctx_t *i_ctx_p) + for (i=0;i<=depth;i++) { + code = get_space_object(i_ctx_p, parr, &obj); + if (code < 0) { +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return code; + } + +@@ -6461,7 +6474,7 @@ setcolor_cont(i_ctx_t *i_ctx_p) + } + code = obj->alternateproc(i_ctx_p, parr, &parr, &CIESubst); + if (code < 0) { +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return code; + } + } +@@ -6471,7 +6484,7 @@ setcolor_cont(i_ctx_t *i_ctx_p) + make_int(&ep[-3], stack_depth); + make_int(&ep[-1], stage); + if (code < 0) { +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return code; + } + if (code != 0) +@@ -6491,7 +6504,7 @@ setcolor_cont(i_ctx_t *i_ctx_p) + if (IsICC && depth == 0) { + code = gx_set_dev_color(i_ctx_p->pgs); + if (code < 0) { +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return code; + } + } +@@ -6501,7 +6514,7 @@ setcolor_cont(i_ctx_t *i_ctx_p) + /* This would be better done sooner, but we need the color space object first */ + check_op(i); + pop(i); +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return o_pop_estack; + } + /* +@@ -6550,18 +6563,18 @@ setcolorspace_cont(i_ctx_t *i_ctx_p) + for (i = 0;i < depth;i++) { + code = get_space_object(i_ctx_p, parr, &obj); + if (code < 0) { +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return code; + } + + if (i < (depth - 1)) { + if (!obj->alternateproc) { +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return_error(gs_error_typecheck); + } + code = obj->alternateproc(i_ctx_p, parr, &parr, &CIESubst); + if (code < 0) { +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return code; + } + } +@@ -6571,7 +6584,7 @@ setcolorspace_cont(i_ctx_t *i_ctx_p) + make_int(pstage, stage); + if (code != 0) { + if (code < 0 && code != gs_error_stackoverflow) +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + return code; + } + if (!cont) { +@@ -6582,7 +6595,7 @@ setcolorspace_cont(i_ctx_t *i_ctx_p) + } + if (code == 0) { + /* Remove our next continuation and our data */ +- esp -= 5; ++ ref_stack_pop(&e_stack, 5); + op = osp; + istate->colorspace[0].array = *op; + /* Remove the colorspace array form the operand stack */ +@@ -6641,12 +6654,12 @@ setdevicecolor_cont(i_ctx_t *i_ctx_p) + break; + } + if (code < 0) { +- esp -= 3; ++ ref_stack_pop(&e_stack, 3); + return code; + } + code = absolute_setcolorspace(i_ctx_p); + if (code < 0) { +- esp -= 3; ++ ref_stack_pop(&e_stack, 3); + return code; + } + if (code != 0) +@@ -6656,14 +6669,14 @@ setdevicecolor_cont(i_ctx_t *i_ctx_p) + make_int(pstage, ++stage); + code = zsetcolor(i_ctx_p); + if (code < 0) { +- esp -= 3; ++ ref_stack_pop(&e_stack, 3); + return code; + } + if (code != 0) + return code; + break; + case 2: +- esp -= 3; ++ ref_stack_pop(&e_stack, 3); + return o_pop_estack; + break; + } +@@ -6860,7 +6873,7 @@ currentbasecolor_cont(i_ctx_t *i_ctx_p) + * set the depth to at *least* 1. + */ + if (depth < 1) { +- esp -= 7; ++ ref_stack_pop(&e_stack, 7); + return_error(gs_error_unknownerror); + } + +@@ -6881,18 +6894,18 @@ currentbasecolor_cont(i_ctx_t *i_ctx_p) + for (i = 0;i < depth;i++) { + code = get_space_object(i_ctx_p, parr, &obj); + if (code < 0) { +- esp -= 7; ++ ref_stack_pop(&e_stack, 7); + return code; + } + + if (i < (depth - 1)) { + if (!obj->alternateproc) { +- esp -= 7; ++ ref_stack_pop(&e_stack, 7); + return_error(gs_error_typecheck); + } + code = obj->alternateproc(i_ctx_p, parr, &parr, &CIESubst); + if (code < 0) { +- esp -= 7; ++ ref_stack_pop(&e_stack, 7); + return code; + } + } +@@ -6907,7 +6920,7 @@ currentbasecolor_cont(i_ctx_t *i_ctx_p) + make_int(&ep[-2], ++depth); + } + /* Remove our next continuation and our data */ +- esp -= 7; ++ ref_stack_pop(&e_stack, 7); + code = o_pop_estack; + return code; + } diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0026-PS-interpreter-check-Indexed-colour-space-index.patch ghostscript-10.0.0~dfsg/debian/patches/0026-PS-interpreter-check-Indexed-colour-space-index.patch --- ghostscript-10.0.0~dfsg/debian/patches/0026-PS-interpreter-check-Indexed-colour-space-index.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0026-PS-interpreter-check-Indexed-colour-space-index.patch 2024-11-10 11:31:28.000000000 +0000 @@ -0,0 +1,62 @@ +From: Zdenek Hutyra +Date: Fri, 30 Aug 2024 13:11:53 +0100 +Subject: PS interpreter - check Indexed colour space index +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ca1fc2aefe9796e321d0589afe7efb35063c8b2a +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707990 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-46955 + +Bug #707990 "Out of bounds read when reading color in "Indexed" color space" + +Check the 'index' is in the valid range (0 to hival) for the colour +space. + +Also a couple of additional checks on the type of the 'proc' for +Indexed, DeviceN and Separation spaces. Make sure these really are +procs in case the user changed the colour space array. + +CVE-2024-46955 +--- + psi/zcolor.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/psi/zcolor.c b/psi/zcolor.c +index 18caebe01857..d4e7a4438186 100644 +--- a/psi/zcolor.c ++++ b/psi/zcolor.c +@@ -3815,6 +3815,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int + code = array_get(imemory, sepspace, 3, &proc); + if (code < 0) + return code; ++ check_proc(proc); + *esp = proc; + return o_push_estack; + } +@@ -4630,6 +4631,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna + code = array_get(imemory, devicenspace, 3, &proc); + if (code < 0) + return code; ++ check_proc(proc); + esp++; + *esp = proc; + return o_push_estack; +@@ -5054,6 +5056,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage, + code = array_get(imemory, space, 3, &proc); + if (code < 0) + return code; ++ check_proc(proc); + *ep = proc; /* lookup proc */ + return o_push_estack; + } else { +@@ -5067,6 +5070,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage, + if (!r_has_type(op, t_integer)) + return_error (gs_error_typecheck); + index = op->value.intval; ++ /* Ensure it is in range. See bug #707990 */ ++ if (index < 0 || index > pcs->params.indexed.hival) ++ return_error(gs_error_rangecheck); + /* And remove it from the stack. */ + ref_stack_pop(&o_stack, 1); + op = osp; +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0027-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch ghostscript-10.0.0~dfsg/debian/patches/0027-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch --- ghostscript-10.0.0~dfsg/debian/patches/0027-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0027-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch 2024-11-10 12:16:33.000000000 +0000 @@ -0,0 +1,33 @@ +From: Zdenek Hutyra +Date: Fri, 30 Aug 2024 13:16:39 +0100 +Subject: PS interpreter - check the type of the Pattern Implementation +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ada21374f0c90cc3acf7ce0e96302394560c7aee +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=707991 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-46951 + +Bug #707991 + +See bug report for details. + +CVE-2024-46951 +--- + psi/zcolor.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/psi/zcolor.c b/psi/zcolor.c +index d4e7a4438186..d3384d75d49c 100644 +--- a/psi/zcolor.c ++++ b/psi/zcolor.c +@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n) + code = array_get(imemory, pImpl, 0, &pPatInst); + if (code < 0) + return code; ++ ++ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance))) ++ return_error(gs_error_typecheck); + cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t); + if (pattern_instance_uses_base_space(cc.pattern)) + *n = n_comps; +-- +2.45.2 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0028-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch ghostscript-10.0.0~dfsg/debian/patches/0028-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch --- ghostscript-10.0.0~dfsg/debian/patches/0028-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0028-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch 2024-11-10 12:19:31.000000000 +0000 @@ -0,0 +1,59 @@ +From: Ken Sharp +Date: Mon, 2 Sep 2024 15:14:01 +0100 +Subject: PDF interpreter - sanitise W array values in Xref streams +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=1fb76aaddac34530242dfbb9579d9997dae41264 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708001 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-46952 + +Bug #708001 "Buffer overflow in PDF XRef stream" + +See bug report. I've chosen to fix this by checking the values in the +W array; these can (currently at least) only have certain relatively +small values. + +As a future proofing fix I've also updated field_size in +pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger +than required, but matches the W array values and so prevents the +mismatch which could lead to a buffer overrun. + +CVE-2024-46952 +--- + pdf/pdf_xref.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/pdf/pdf_xref.c ++++ b/pdf/pdf_xref.c +@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, + static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W) + { + uint i, j; +- uint field_width = 0; ++ uint64_t field_width = 0; + uint32_t type = 0; + uint64_t objnum = 0, gen = 0; + byte *Buffer; +@@ -298,6 +298,24 @@ static int pdfi_process_xref_stream(pdf_ + } + pdfi_countdown(a); + ++ /* W[0] is either: ++ * 0 (no type field) or a single byte with the type. ++ * W[1] is either: ++ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored. ++ * W[2] is either: ++ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream. ++ * ++ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually ++ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number. ++ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits. ++ */ ++ if (W[0] > 1 || W[1] > 8 || W[2] > 8) { ++ pdfi_close_file(ctx, XRefStrm); ++ pdfi_countdown(ctx->xref_table); ++ ctx->xref_table = NULL; ++ return code; ++ } ++ + code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a); + if (code == gs_error_undefined) { + code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W); diff -Nru ghostscript-10.0.0~dfsg/debian/patches/series ghostscript-10.0.0~dfsg/debian/patches/series --- ghostscript-10.0.0~dfsg/debian/patches/series 2024-08-24 19:29:52.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/series 2024-11-10 12:19:00.000000000 +0000 @@ -17,6 +17,15 @@ 0017-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch 0018-Bug-707510-don-t-use-strlen-on-passwords.patch 0019-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch +0020-Bug-707793-Check-for-overflow-validating-format-stri.patch +0021-Bug-706922-Fix-filenameforall-completion-cleanup.patch +0022-Bug-707007-707015-707025-Don-t-leave-a-dangling-poin.patch +0023-PostScript-interpreter-Null-dangling-references-on-s.patch +0024-PostScript-interpreter-fix-buffer-length-check.patch +0025-PS-interpreter-review-colour-code-for-stack-pointers.patch +0026-PS-interpreter-check-Indexed-colour-space-index.patch +0027-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch +0028-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch 1004_enable_spot_devices.patch 2001_docdir_fix_for_debian.patch 2002_gs_man_fix_debian.patch