Submitted By: Ken Moffat Date: 2019-08-14 Initial Package Version: 9.27 Upstream Status: Applied Origin: Cherry-picked by debian security. Description: Fixes CVE-2019-10216 The .buildfont1 procedure in Ghostscript does not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. Debian patches 020190410~06c9207.patch and 020190802~5b85ddd.patch. Description: Fix regression resolving bounding box of font glyphs Re-introduce over/underflow workaround . Commit 355434f4b1bbe8c4f98cafad5a6868aa2f0eaae1 reverted a workaround that compensated for over/underflow in Freetype's TTF hinting (related to freedom and projection vector calculations). That problem no longer exists in recent Freetype releases, and the workaround actually caused other issues to occur with hinting. . What wasn't obvious was that the workaround also protected over/underflow issues relating to the unitsPerEm value. . So this re-instates the workaround, but bases the decision on how the final scale is distributing between the Freetype "size" and the Freetype matrix on the unitsPerEm value (this is relevant for all font types as for non-TTF font types Freetype derives the unitsPerEm from the FontMatrix for PS type fonts). Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;h=06c9207 Author: Chris Liddell Forwarded: yes Bug: http://bugs.ghostscript.com/show_bug.cgi?id=700952 Bug: http://bugs.ghostscript.com/show_bug.cgi?id=700875 Bug-Debian: https://bugs.debian.org/927429 Last-Update: 2019-04-20 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/base/fapi_ft.c +++ b/base/fapi_ft.c @@ -974,13 +974,19 @@ */ static void transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp, - FT_Fixed * a_x_scale, FT_Fixed * a_y_scale) + FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM) { double scalex, scaley, fact = 1.0; double factx = 1.0, facty = 1.0; FT_Matrix ftscale_mat; FT_UInt xres; FT_UInt yres; + /* We have to account for units_per_EM as we fiddle with the scaling + * in order to avoid underflow (mostly in the TTF hinting code), but + * we also want to clamp to a lower value (512, admittedly arrived at + * via experimentation) in order to preserve the fidelity of the outlines. + */ + double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0; scalex = hypot((double)a_transform->xx, (double)a_transform->xy); scaley = hypot((double)a_transform->yx, (double)a_transform->yy); @@ -1067,10 +1073,25 @@ scalex *= fact; } - ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex); - ftscale_mat.xy = (FT_Fixed) 0; - ftscale_mat.yx = (FT_Fixed) 0; - ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley); + /* see above */ + fact = 1.0; + while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0) + && (scalex > 0.0 && scaley > 0.0)) { + if (scaley < yres) { + xres >>= 1; + yres >>= 1; + fact *= 2.0; + } + else { + scalex /= 1.25; + scaley /= 1.25; + } + } + + ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact); + ftscale_mat.xy = 0; + ftscale_mat.yx = 0; + ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact); FT_Matrix_Multiply(a_transform, &ftscale_mat); memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix)); @@ -1315,7 +1336,7 @@ * transform. */ transform_decompose(&face->ft_transform, &face->horz_res, - &face->vert_res, &face->width, &face->height); + &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM); ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height, face->horz_res, face->vert_res); From: Chris Liddell Date: Fri, 2 Aug 2019 15:18:26 +0100 Subject: Bug 701394: protect use of .forceput with executeonly Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19a8420a1bd2d5529325be35d78e94234 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10216 Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701394 --- Resource/Init/gs_type1.ps | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps index 6c7735bc0cc3..a039ccee3590 100644 --- a/Resource/Init/gs_type1.ps +++ b/Resource/Init/gs_type1.ps @@ -118,25 +118,25 @@ ( to be the same as glyph: ) print 1 index //== exec } if 3 index exch 3 index .forceput % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname - } + }executeonly {pop} ifelse - } forall + } executeonly forall pop pop - } + } executeonly { pop pop pop } ifelse - } + } executeonly { % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname pop pop } ifelse - } forall + } executeonly forall 3 1 roll pop pop - } if + } executeonly if pop dup /.AGLprocessed~GS //true .forceput - } if + } executeonly if %% We need to excute the C .buildfont1 in a stopped context so that, if there %% are errors we can put the stack back sanely and exit. Otherwise callers won't -- 2.20.1