Version in base suite: 10.0.0~dfsg-11+deb12u6 Base version: ghostscript_10.0.0~dfsg-11+deb12u6 Target version: ghostscript_10.0.0~dfsg-11+deb12u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/ghostscript/ghostscript_10.0.0~dfsg-11+deb12u6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/ghostscript/ghostscript_10.0.0~dfsg-11+deb12u7.dsc changelog | 16 + patches/0029-Bug-708131-Fix-confusion-between-bytes-and-shorts.patch | 32 +++ patches/0030-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch | 43 ++++ patches/0031-PCL-interpreter-fix-decode_glyph-for-Unicode.patch | 83 +++++++++ patches/0032-Prevent-Unicode-decoding-overrun.patch | 82 +++++++++ patches/0033-Bug-708192-Fix-potential-print-buffer-overflow.patch | 62 ++++++ patches/0034-Bug-708241-Fix-potential-Buffer-overflow-with-Dollar.patch | 70 +++++++ patches/0035-Bug-707506-Cope-with-double-byte-chars-in-TTF-scanni.patch | 90 ++++++++++ patches/0036-Bug-708259-Check-TTF-name-size-before-copying-to-buf.patch | 37 ++++ patches/0037-PDF-interpreter-Guard-against-unsigned-int-overflow.patch | 55 ++++++ patches/0038-Fix-Coverity-IDs-457699-and-457700.patch | 42 ++++ patches/series | 10 + 12 files changed, 622 insertions(+) Unrecognised file line in .dsc: -----BEGIN PGP SIGNATURE----- diff -Nru ghostscript-10.0.0~dfsg/debian/changelog ghostscript-10.0.0~dfsg/debian/changelog --- ghostscript-10.0.0~dfsg/debian/changelog 2024-11-10 12:20:08.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/changelog 2025-03-26 09:10:35.000000000 +0000 @@ -1,3 +1,19 @@ +ghostscript (10.0.0~dfsg-11+deb12u7) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix confusion between bytes and shorts (CVE-2025-27835) + * Avoid integer overflow leading to buffer overflow (CVE-2025-27832) + * PCL interpreter - fix decode_glyph for Unicode + * Prevent Unicode decoding overrun (CVE-2025-27831) + * Fix potential print buffer overflow (CVE-2025-27836) + * Fix potential Buffer overflow with DollarBlend (CVE-2025-27830) + * Cope with double byte chars in TTF scanning code + * Check TTF name size before copying to buffer. (CVE-2025-27833) + * PDF interpreter - Guard against unsigned int overflow (CVE-2025-27834) + * Fix Coverity IDs 457699 and 457700 + + -- Salvatore Bonaccorso Wed, 26 Mar 2025 10:10:35 +0100 + ghostscript (10.0.0~dfsg-11+deb12u6) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0029-Bug-708131-Fix-confusion-between-bytes-and-shorts.patch ghostscript-10.0.0~dfsg/debian/patches/0029-Bug-708131-Fix-confusion-between-bytes-and-shorts.patch --- ghostscript-10.0.0~dfsg/debian/patches/0029-Bug-708131-Fix-confusion-between-bytes-and-shorts.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0029-Bug-708131-Fix-confusion-between-bytes-and-shorts.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,32 @@ +From: Zdenek Hutyra +Date: Wed, 20 Nov 2024 11:27:52 +0000 +Subject: Bug 708131: Fix confusion between bytes and shorts +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=de900010a6f2310d1fd54e99eeba466693da0e13 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708131 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27835 + +We were copying data from a string in multiple of shorts, rather than multiple +of bytes, leading to both an read (probably benign, given the memory manager) +and write buffer overflow. + +CVE-2025-27835 +--- + psi/zbfont.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/psi/zbfont.c b/psi/zbfont.c +index acffb39ef5c0..5850ab54dbf8 100644 +--- a/psi/zbfont.c ++++ b/psi/zbfont.c +@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u + if (l > length) + return l; + +- memcpy(unicode_return, v->value.const_bytes, l * sizeof(short)); ++ memcpy(unicode_return, v->value.const_bytes, l); + return l; + } + if (r_type(v) == t_integer) { +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0030-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch ghostscript-10.0.0~dfsg/debian/patches/0030-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch --- ghostscript-10.0.0~dfsg/debian/patches/0030-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0030-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,43 @@ +From: Zdenek Hutyra +Date: Wed, 20 Nov 2024 11:42:31 +0000 +Subject: Bug 708133: Avoid integer overflow leading to buffer overflow +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=57291c846334f1585552010faa42d7cb2cbd5c41 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708133 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27832 + +The calculation of the buffer size was being done with int values, and +overflowing that data type. By leaving the total size calculation to the +memory manager, the calculation ends up being done in size_t values, and +avoiding the overflow in this case, but also meaning the memory manager +overflow protection will be effective. + +CVE-2025-27832 +--- + contrib/japanese/gdevnpdl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c +index 60065bacf9fb..4967282bd757 100644 +--- a/contrib/japanese/gdevnpdl.c ++++ b/contrib/japanese/gdevnpdl.c +@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + int code; + int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh; + +- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"))) ++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)"))) + return_error(gs_error_VMerror); + + /* Initialize printer */ +@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + /* Form Feed */ + gp_fputs("\014", prn_stream); + +- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"); ++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)"); + return 0; + } + +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0031-PCL-interpreter-fix-decode_glyph-for-Unicode.patch ghostscript-10.0.0~dfsg/debian/patches/0031-PCL-interpreter-fix-decode_glyph-for-Unicode.patch --- ghostscript-10.0.0~dfsg/debian/patches/0031-PCL-interpreter-fix-decode_glyph-for-Unicode.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0031-PCL-interpreter-fix-decode_glyph-for-Unicode.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,83 @@ +From: Ken Sharp +Date: Tue, 27 Sep 2022 13:03:57 +0100 +Subject: PCL interpreter - fix decode_glyph for Unicode +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=bf79b61cb1677d6865c45d397435848a21e8a647 + +The text extraction (and pdfwrite family) expect that decode_glyph +should always return pairs of bytes (an assumption that Unicode code +points are 2 bytes), and the return value from the routine should be +the number of bytes required to hold the value. + +The PCL decode_glyph routine however was simply returning 1, which +caused the text extraction code some difficulty since it wasn't +expecting that. + +This commit firstly alters the text extraction code to cope 'better' +with a decode_glyph routine which returns an odd value (basically +ignore it and fall back to using the character code). + +We also alter the pl_decode_glyph routine to return 2 instead of 1, +so that it correctly tells the caller that it is returning 2 bytes. +Finally we make sure that the returned value is big-endian, because the +text extraction code assumes it will be. +--- + devices/vector/doc_common.c | 8 ++++++++ + pcl/pl/plfont.c | 12 +++++++++--- + 2 files changed, 17 insertions(+), 3 deletions(-) + +diff --git a/devices/vector/doc_common.c b/devices/vector/doc_common.c +index 4575aea4a8c0..71d5422d379b 100644 +--- a/devices/vector/doc_common.c ++++ b/devices/vector/doc_common.c +@@ -529,6 +529,14 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + char *b, *u; + int l = length - 1; + ++ /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly ++ * 2 bytes. If we got an odd number, give up and return the character code. ++ */ ++ if (length & 1) { ++ *Buffer = fallback; ++ return 1; ++ } ++ + unicode = (ushort *)gs_alloc_bytes(dev->memory, length, "temporary Unicode array"); + length = font->procs.decode_glyph((gs_font *)font, glyph, ch, unicode, length); + #if ARCH_IS_BIG_ENDIAN +diff --git a/pcl/pl/plfont.c b/pcl/pl/plfont.c +index ec53dd9bff2f..6fe045e2cd4f 100644 +--- a/pcl/pl/plfont.c ++++ b/pcl/pl/plfont.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2021 Artifex Software, Inc. ++/* Copyright (C) 2001-2022 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -465,15 +465,21 @@ pl_glyph_name(gs_font * pfont, gs_glyph glyph, gs_const_string * pstr) + static int + pl_decode_glyph(gs_font * font, gs_glyph glyph, int ch, ushort *unicode_return, unsigned int length) + { ++ unsigned char *ucode = (unsigned char *)unicode_return; + + if (ch < 0 || ch > 255) + return (int) GS_NO_CHAR; + + if (length == 0) +- return 1; ++ return 2; + ++#if ARCH_IS_BIG_ENDIAN + *unicode_return = (ushort)ch; +- return 1; ++#else ++ ucode[0] = 0x00; ++ ucode[1] = ch & 0xff; ++#endif ++ return 2; + } + + /* ---------------- Width cache ---------------- */ +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0032-Prevent-Unicode-decoding-overrun.patch ghostscript-10.0.0~dfsg/debian/patches/0032-Prevent-Unicode-decoding-overrun.patch --- ghostscript-10.0.0~dfsg/debian/patches/0032-Prevent-Unicode-decoding-overrun.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0032-Prevent-Unicode-decoding-overrun.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,82 @@ +From: Zdenek Hutyra +Date: Thu, 21 Nov 2024 10:04:17 +0000 +Subject: Prevent Unicode decoding overrun +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708132 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27831 + +Bug #708132 "Text buffer overflow with long characters" + +The txt_get_unicode function was copying too few bytes from the +fixed glyph name to unicode mapping tables. This was probably +causing incorrect Unicode code points in relatively rare cases but +not otherwise a problem. + +However, a badly formed GlyphNames2Unicode array attached to a font +could cause the decoding to spill over the assigned buffer. + +We really should rewrite the Unicode handling, but until we do just +checking that the length is no more than 4 Unicode code points is +enough to prevent an overrun. All the current clients allocate at least +4 code points per character code. + +Added a comment to explain the magic number. + +CVE-2025-27831 +--- + devices/vector/doc_common.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/devices/vector/doc_common.c b/devices/vector/doc_common.c +index 690f8eaed7d8..05fb3d51f146 100644 +--- a/devices/vector/doc_common.c ++++ b/devices/vector/doc_common.c +@@ -479,7 +479,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + } + if (strlen(dentry->Glyph) == gnstr.size) { + if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) { +- memcpy(Buffer, dentry->Unicode, 2); ++ memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short)); + return 2; + } + } +@@ -497,7 +497,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + } + if (strlen(tentry->Glyph) == gnstr.size) { + if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) { +- memcpy(Buffer, tentry->Unicode, 3); ++ memcpy(Buffer, tentry->Unicode, 3 * sizeof(unsigned short)); + return 3; + } + } +@@ -515,7 +515,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + } + if (strlen(qentry->Glyph) == gnstr.size) { + if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) { +- memcpy(Buffer, qentry->Unicode, 4); ++ memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short)); + return 4; + } + } +@@ -527,12 +527,16 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u + return 1; + } else { + char *b, *u; +- int l = length - 1; ++ int l; + + /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly + * 2 bytes. If we got an odd number, give up and return the character code. ++ * ++ * The magic number here is due to the clients calling this code. Currently txtwrite and docxwrite ++ * allow up to 4 Unicode values per character/glyph, if the length would exceed that we can't ++ * write it. For now, again, fall back to the character code. + */ +- if (length & 1) { ++ if (length & 1 || length > 4 * sizeof(unsigned short)) { + *Buffer = fallback; + return 1; + } +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0033-Bug-708192-Fix-potential-print-buffer-overflow.patch ghostscript-10.0.0~dfsg/debian/patches/0033-Bug-708192-Fix-potential-print-buffer-overflow.patch --- ghostscript-10.0.0~dfsg/debian/patches/0033-Bug-708192-Fix-potential-print-buffer-overflow.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0033-Bug-708192-Fix-potential-print-buffer-overflow.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,62 @@ +From: Zdenek Hutyra +Date: Mon, 13 Jan 2025 09:07:57 +0000 +Subject: Bug 708192: Fix potential print buffer overflow +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b6d19b2b4079da6863ef25f2370f25d4b054919 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708192 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27836 + +CVE-2025-27836 +--- + contrib/japanese/gdev10v.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c +index 0bd3cec02263..9d27573dc4de 100644 +--- a/contrib/japanese/gdev10v.c ++++ b/contrib/japanese/gdev10v.c +@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream) + int bytes_per_column = bits_per_column / 8; + int x_skip_unit = bytes_per_column * (xres / 180); + int y_skip_unit = (yres / 180); +- byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)"); +- /* We need one extra byte in for our sentinel. */ +- byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)"); ++ byte *in, *out; + int lnum = 0; + int y_skip = 0; + int code = 0; + int blank_lines = 0; + int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3; + +- if ( in == 0 || out == 0 ) +- return -1; ++ if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) { ++ code = gs_note_error(gs_error_rangecheck); ++ goto error; ++ } ++ ++ in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)"); ++ /* We need one extra byte in for our sentinel. */ ++ out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)"); ++ if ( in == NULL || out == NULL ) { ++ code = gs_note_error(gs_error_VMerror); ++ goto error; ++ } + + /* Initialize the printer. */ + prn_puts(pdev, "\033@"); +@@ -320,8 +328,10 @@ notz: + } + + /* Eject the page */ +-xit: prn_putc(pdev, 014); /* form feed */ ++xit: ++ prn_putc(pdev, 014); /* form feed */ + prn_flush(pdev); ++error: + gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)"); + gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)"); + return code; +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0034-Bug-708241-Fix-potential-Buffer-overflow-with-Dollar.patch ghostscript-10.0.0~dfsg/debian/patches/0034-Bug-708241-Fix-potential-Buffer-overflow-with-Dollar.patch --- ghostscript-10.0.0~dfsg/debian/patches/0034-Bug-708241-Fix-potential-Buffer-overflow-with-Dollar.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0034-Bug-708241-Fix-potential-Buffer-overflow-with-Dollar.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,70 @@ +From: Zdenek Hutyra +Date: Mon, 13 Jan 2025 09:15:01 +0000 +Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8474e1d6b896e35741d3c608ea5c21deeec1078f +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708241 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27830 + +During serializing a multiple master font for passing to Freetype. + +Use CVE-2025-27830 +--- + base/write_t1.c | 9 +++++---- + psi/zfapi.c | 9 +++++++-- + 2 files changed, 12 insertions(+), 6 deletions(-) + +--- a/base/write_t1.c ++++ b/base/write_t1.c +@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_f + WRF_wbyte(a_fapi_font->memory, a_output, '\n'); + if (is_MM_font(a_fapi_font)) { + short x, x2; ++ unsigned short ux; + float x1; + uint i, j, entries; + char Buffer[255]; +@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_f + */ + code = a_fapi_font->get_word(a_fapi_font, + gs_fapi_font_feature_DollarBlend_length, +- 0, (unsigned short *)&x); ++ 0, &ux); + if (code < 0) + return code; + +- if (x > 0) { ++ if (ux > 0) { + int len; + WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {"); + + if (a_output->m_count) +- a_output->m_count += x; ++ a_output->m_count += ux; + len = a_fapi_font->get_proc(a_fapi_font, + gs_fapi_font_feature_DollarBlend, 0, + (char *)a_output->m_pos); +--- a/psi/zfapi.c ++++ b/psi/zfapi.c +@@ -683,7 +683,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa + } + for (i = 0; i < r_size(DBlend); i++) { + if (array_get(ff->memory, DBlend, i, &Element) < 0) { +- *ret = 0; ++ length = 0; + break; + } + switch (r_btype(&Element)) { +@@ -710,7 +710,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa + default: + break; + } +- } ++ ++ if (length > max_ushort) { ++ length = 0; ++ break; ++ } ++ } + *ret = length; + break; + } diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0035-Bug-707506-Cope-with-double-byte-chars-in-TTF-scanni.patch ghostscript-10.0.0~dfsg/debian/patches/0035-Bug-707506-Cope-with-double-byte-chars-in-TTF-scanni.patch --- ghostscript-10.0.0~dfsg/debian/patches/0035-Bug-707506-Cope-with-double-byte-chars-in-TTF-scanni.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0035-Bug-707506-Cope-with-double-byte-chars-in-TTF-scanni.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,90 @@ +From: Chris Liddell +Date: Wed, 24 Jan 2024 16:43:31 +0000 +Subject: Bug 707506: Cope with double byte chars in TTF scanning code +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=cc910f14ac02acbc63f70876f23d3fa1de15904f + +Despite PostScript being strictly single byte characters, the PostScript name +in a TTF name table can contain two byte characters. + +The pdfi code will now cope with that, in the same way the old PostScript +implementation did. +--- + pdf/pdf_fmap.c | 41 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 38 insertions(+), 3 deletions(-) + +diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c +index b940ae26c0f7..26aad99c265e 100644 +--- a/pdf/pdf_fmap.c ++++ b/pdf/pdf_fmap.c +@@ -539,15 +539,33 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4] + for (j = 0; j < nte; j++) { + byte *rec = namet + 6 + j * 12; + if (u16(rec + 6) == 6) { ++ int pid = u16(rec); ++ int eid = u16(rec + 2); + int nl = u16(rec + 8); + int noffs = u16(rec + 10); ++ + if (nl + noffs + storageOffset > table_len) { + break; + } + memcpy(pname, namet + storageOffset + noffs, nl); + pname[nl] = '\0'; ++ if ((pid == 0 || (pid == 2 && eid == 1) || (pid == 3 && eid == 1)) && (nl % 2) == 0) { ++ for (k = 0; k < nl; k += 2) { ++ if (pname[k] != '\0') ++ break; ++ } ++ if (k == nl) { ++ int k1, k2; ++ for (k1 = 0, k2 = 1; k2 < nl; k1++, k2 += 2) { ++ pname[k1] = pname[k2]; ++ } ++ nl = nl >> 1; ++ pname[nl] = '\0'; ++ } ++ } ++ + for (k = 0; k < nl; k++) +- if (pname[k] < 32 || pname[k] > 126) /* is it a valid name? */ ++ if (pname[k] < 32 || pname[k] > 126) /* is it a valid PS name? */ + break; + if (k == nl) { + code = 0; +@@ -559,15 +577,32 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4] + for (j = 0; j < nte; j++) { + byte *rec = namet + 6 + j * 12; + if (u16(rec + 6) == 4) { ++ int pid = u16(rec); ++ int eid = u16(rec + 2); + int nl = u16(rec + 8); + int noffs = u16(rec + 10); ++ + if (nl + noffs + storageOffset > table_len) { + break; + } + memcpy(pname, namet + storageOffset + noffs, nl); + pname[nl] = '\0'; ++ if ((pid == 0 || (pid == 2 && eid == 1) || (pid == 3 && eid == 1)) && (nl % 2) == 0) { ++ for (k = 0; k < nl; k += 2) { ++ if (pname[k] != '\0') ++ break; ++ } ++ if (k == nl) { ++ int k1, k2; ++ for (k1 = 0, k2 = 1; k2 < nl; k1++, k2 += 2) { ++ pname[k1] = pname[k2]; ++ } ++ nl = nl >> 1; ++ pname[nl] = '\0'; ++ } ++ } + for (k = 0; k < nl; k++) +- if (pname[k] < 32 || pname[k] > 126) /* is it a valid name? */ ++ if (pname[k] < 32 || pname[k] > 126) /* is it a valid PS name? */ + break; + if (k == nl) + code = 0; +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0036-Bug-708259-Check-TTF-name-size-before-copying-to-buf.patch ghostscript-10.0.0~dfsg/debian/patches/0036-Bug-708259-Check-TTF-name-size-before-copying-to-buf.patch --- ghostscript-10.0.0~dfsg/debian/patches/0036-Bug-708259-Check-TTF-name-size-before-copying-to-buf.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0036-Bug-708259-Check-TTF-name-size-before-copying-to-buf.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,37 @@ +From: Zdenek Hutyra +Date: Mon, 20 Jan 2025 09:38:59 +0000 +Subject: Bug 708259: Check TTF name size before copying to buffer. +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a82738e387bbb44c7c4698404776dca53f62b158 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708259 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27833 + +CVE-2025-27833 +--- + pdf/pdf_fmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pdf/pdf_fmap.c b/pdf/pdf_fmap.c +index 73af9771d5c2..63e61d003745 100644 +--- a/pdf/pdf_fmap.c ++++ b/pdf/pdf_fmap.c +@@ -749,7 +749,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4] + int nl = u16(rec + 8); + int noffs = u16(rec + 10); + +- if (nl + noffs + storageOffset > table_len) { ++ if (nl + noffs + storageOffset > table_len || nl >= pname_size) { + break; + } + memcpy(pname, namet + storageOffset + noffs, nl); +@@ -787,7 +787,7 @@ static int pdfi_ttf_add_to_native_map(pdf_context *ctx, stream *f, byte magic[4] + int nl = u16(rec + 8); + int noffs = u16(rec + 10); + +- if (nl + noffs + storageOffset > table_len) { ++ if (nl + noffs + storageOffset > table_len || nl >= pname_size) { + break; + } + memcpy(pname, namet + storageOffset + noffs, nl); +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0037-PDF-interpreter-Guard-against-unsigned-int-overflow.patch ghostscript-10.0.0~dfsg/debian/patches/0037-PDF-interpreter-Guard-against-unsigned-int-overflow.patch --- ghostscript-10.0.0~dfsg/debian/patches/0037-PDF-interpreter-Guard-against-unsigned-int-overflow.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0037-PDF-interpreter-Guard-against-unsigned-int-overflow.patch 2025-03-22 16:02:33.000000000 +0000 @@ -0,0 +1,55 @@ +From: Zdenek Hutyra +Date: Mon, 20 Jan 2025 16:13:46 +0000 +Subject: PDF interpreter - Guard against unsigned int overflow +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ef42ff180a04926e187d40faea40d4a43e304e3b +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=708253 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27834 + +Bug #708253 - see bug report for details. + +CVE-2025-27834 +--- + pdf/pdf_func.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c +index 635fdac54f2e..93492c783971 100644 +--- a/pdf/pdf_func.c ++++ b/pdf/pdf_func.c +@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in + byte *p = (ops ? ops + *size : NULL); + + while (1) { ++ if (*size > max_uint / 2) ++ return gs_note_error(gs_error_VMerror); ++ + c = pdfi_read_byte(ctx, function_stream); + if (c < 0) + break; +@@ -321,6 +324,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR, + if (code < 0) + goto function_4_error; + ++ if (size > max_uint - 1) { ++ code = gs_note_error(gs_error_VMerror); ++ goto function_4_error; ++ } ++ + ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)"); + if (ops == NULL) { + code = gs_error_VMerror; +@@ -825,6 +833,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte * + if (code < 0) + goto halftone_function_error; + ++ if (size > max_uint - 1) { ++ code = gs_note_error(gs_error_VMerror); ++ goto halftone_function_error; ++ } ++ + ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)"); + if (ops == NULL) { + code = gs_error_VMerror; +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0038-Fix-Coverity-IDs-457699-and-457700.patch ghostscript-10.0.0~dfsg/debian/patches/0038-Fix-Coverity-IDs-457699-and-457700.patch --- ghostscript-10.0.0~dfsg/debian/patches/0038-Fix-Coverity-IDs-457699-and-457700.patch 1970-01-01 00:00:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/0038-Fix-Coverity-IDs-457699-and-457700.patch 2025-03-26 09:08:56.000000000 +0000 @@ -0,0 +1,42 @@ +From: Ken Sharp +Date: Thu, 13 Mar 2025 11:01:16 +0000 +Subject: Fix Coverity IDs 457699 and 457700 +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d84efb73723384a8b7fb3989c824cfa218060085 + +Not sure if Coverity has been updated, this is ancient contrib code +which has not changed for a long time. + +However, fix the warning by initialising the pointers to NULL, and then +avoid trying to free them if they are NULL. +--- + contrib/japanese/gdev10v.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c +index 9d27573dc4de..4d47200e508b 100644 +--- a/contrib/japanese/gdev10v.c ++++ b/contrib/japanese/gdev10v.c +@@ -199,7 +199,7 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream) + int bytes_per_column = bits_per_column / 8; + int x_skip_unit = bytes_per_column * (xres / 180); + int y_skip_unit = (yres / 180); +- byte *in, *out; ++ byte *in = NULL, *out = NULL; + int lnum = 0; + int y_skip = 0; + int code = 0; +@@ -332,7 +332,9 @@ xit: + prn_putc(pdev, 014); /* form feed */ + prn_flush(pdev); + error: +- gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)"); +- gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)"); ++ if (out != NULL) ++ gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)"); ++ if (in != NULL) ++ gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)"); + return code; + } +-- +2.49.0 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/series ghostscript-10.0.0~dfsg/debian/patches/series --- ghostscript-10.0.0~dfsg/debian/patches/series 2024-11-10 12:19:00.000000000 +0000 +++ ghostscript-10.0.0~dfsg/debian/patches/series 2025-03-26 09:10:17.000000000 +0000 @@ -26,6 +26,16 @@ 0026-PS-interpreter-check-Indexed-colour-space-index.patch 0027-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch 0028-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch +0029-Bug-708131-Fix-confusion-between-bytes-and-shorts.patch +0030-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch +0031-PCL-interpreter-fix-decode_glyph-for-Unicode.patch +0032-Prevent-Unicode-decoding-overrun.patch +0033-Bug-708192-Fix-potential-print-buffer-overflow.patch +0034-Bug-708241-Fix-potential-Buffer-overflow-with-Dollar.patch +0035-Bug-707506-Cope-with-double-byte-chars-in-TTF-scanni.patch +0036-Bug-708259-Check-TTF-name-size-before-copying-to-buf.patch +0037-PDF-interpreter-Guard-against-unsigned-int-overflow.patch +0038-Fix-Coverity-IDs-457699-and-457700.patch 1004_enable_spot_devices.patch 2001_docdir_fix_for_debian.patch 2002_gs_man_fix_debian.patch