| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 020201007~c6ce09a.patch | re-enable support for opvp/oprp devices A user got in touch to say that he maintains a printer driver "back end" that uses the opvp device. So reinstating it - at least we know it's getting tested. |
Chris Liddell <chris.liddell@artifex.com> | no | debian | upstream, https://git.ghostscript.com/?p=ghostpdl.git;h=c6ce09a | 2021-01-25 |
| 020201028~41ef9a0.patch | drop use of FT_CALLBACK_DEF() def From 2.10.3, Freetype disappeared the FT_CALLBACK_DEF() macro, which is what we used when defining our callbacks from Freetype. . No guidance forthcoming from the Freetype developer who made those changes, so change to explicitly declaring the callbacks file static. . Should fix the reported build failures. |
Chris Liddell <chris.liddell@artifex.com> | yes | upstream | upstream, https://git.ghostscript.com/?p=ghostpdl.git;h=41ef9a0 | 2020-12-23 |
| 020201120~bd48c43.patch | fix endian issues with CMM The interface code to the CMM was corrected to indicate when a endian swap was needed on the data. This should only occur in the case when we are dealing with transparency buffers during the put image blending operation that may include a color conversion. The final blend bakes the data as BE so if we are on a LE machine, the CMM will need to know to swap the bytes (assuming the pdf14 device is using 16bit buffers). . The code was rewritten to make it clear that this setting is no BE vs LE but simply an endian swap. That was a source of confusion. . Revealed in this testing was the lack of some proper error reporting during buffer conversions, which were fixed. |
Michael Vrhel <michael.vrhel@artifex.com> | yes | debian upstream | upstream, https://git.ghostscript.com/?p=ghostpdl.git;h=bd48c43 | 2020-12-01 |
| 020201214~c616676.patch | Fix bug 703270: Wrong path for PostScript helper file in ps2epsi In the change mentioned in the bug, rather than rely on the LIBPATH search method, the ps2epsi script assumed that pd2epsi.ps would be in the same directory as the 'gs' executable, which is not correct. Change to use bare 'ps2epsi.ps' so that it will be found on the LIBPATH as instialled by: make install |
Ray Johnston <ray.johnston@artifex.com> | yes | debian upstream | http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c6166768c6e963b0fe28ccdb266629443e521381 | 2020-12-14 |
| 020210130~d787dad.patch | txtwrite - Address some memory handling problems There are two problems here; firstly the textw_text_release() function is called *from* gs_text_release, and should not be calling that function. This was the initial cause of the seg fault. . Secondly the txtwrite custom text enumerator was not declaring the 'pte_fallback' text enumerator member, which meant that it could be relocated without updating the txtwrite text enumerator, leading to seg faults further through the processing. . This resolves the seg faults on the supplied test file for me, but there are still memory problems (memory leaks in fact) revealed by running under Memento. I'll address these in a later commit or commits. |
Ken Sharp <ken.sharp@artifex.com> | yes | debian upstream | upstream, https://git.ghostscript.com/?p=ghostpdl.git;h=d787dad | 2021-01-30 |
| 020210201~41130dd.patch | PDF interpreter - work around broken ObjStms (again) Ghostscript can't read files that poppler, mupdf and Firefox and others can read . The problem is in an OObjStm, a compressed representation of various PDF objects. In the example file the ObjStm returns a lone 'mark' object for one of the compressed objects, which is not legal. . This appears to be the font T1_2 on page 87. . The mark confuses our counting of the returned objects and that leads to the interpreter falling in a heap. . There's no trivial way to address this, so I've chosen to use the approach used for error handling in other places; push a specific name onto the stack, and then use that instead of a mark to delimit the portion of the stack of interest. . Obviously nothing is going to rescue the broken font; but since this is a PDF file which has been OCR'ed I don't think this is a problem as we will not to try to use it for rendering as the text is all 'drawn' in text rendering mode 3 (neither fill nor stroke). . Because we keep using this I've also added a couple of utility procedures CountToKey and ClearToKey, which work similarly to countomark and cleartomark. Because I wanted to be able to detect a missing key on the stack CountToKey returns a boolean, not just a number. . I've also used that approach around the verify_page_tree call so that we don't end up with a pile of junk on the stack if it should fall over similar errors in future. . Finally I tested with the customer supplied file which originally inspired the changes in resolveobjectstream to detect the last kind of broken ObjStm and that file continues to work. |
Ken Sharp <ken.sharp@artifex.com> | yes | debian upstream | upstream, https://git.ghostscript.com/?p=ghostpdl.git;h=41130dd | 2021-02-02 |
| 020210212~7861fca.patch | oss-fuzz 30715: Check stack limits after function evaluation. During function result sampling, after the callout to the Postscript interpreter, make sure there is enough stack space available before pushing or popping entries. In thise case, the Postscript procedure for the "function" is totally invalid (as a function), and leaves the op stack in an unrecoverable state (as far as function evaluation is concerned). We end up popping more entries off the stack than are available. To cope, add in stack limit checking to throw an appropriate error when this happens. |
Chris Liddell <chris.liddell@artifex.com> | yes | upstream | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25 | 2021-02-12 |
| 020210603~2a31293.patch | Bug 703902: Fix op stack management in sampled_data_continue() Replace pop() (which does no checking, and doesn't handle stack extension blocks) with ref_stack_pop() which does do all that. We still use pop() in one case (it's faster), but we have to later use ref_stack_pop() before calling sampled_data_sample() which also accesses the op stack. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 |
Chris Liddell <chris.liddell@artifex.com> | yes | upstream | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7 | 2021-06-01 |
| 020210907~a9bd3de.patch | Bug 704342: Include device specifier strings in access validation for the "%pipe%", %handle%" and %printer% io devices. We previously validated only the part after the "%pipe%" Postscript device specifier, but this proved insufficient. This rebuilds the original file name string, and validates it complete. The slight complication for "%pipe%" is it can be reached implicitly using "|" so we have to check both prefixes. Addresses CVE-2021-3781 |
Chris Liddell <chris.liddell@artifex.com> | yes | debian upstream | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20 | 2021-09-07 |
| 020230324~37ed502.patch | Graphics library - prevent buffer overrun in (T)BCP encoding Bug #706494 "Buffer Overflow in s_xBCPE_process" As described in detail in the bug report, if the write buffer is filled to one byte less than full, and we then try to write an escaped character, we overrun the buffer because we don't check before writing two bytes to it. This just checks if we have two bytes before starting to write an escaped character and exits if we don't (replacing the consumed byte of the input). Up for further discussion; why do we even permit a BCP encoding filter anyway ? I think we should remove this, at least when SAFER is true. |
Ken Sharp <ken.sharp@artifex.com> | yes | debian upstream | https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179 | 2023-03-24 |
| 020230607~5e65eea.patch | Bug 706761: Don't "reduce" %pipe% file names for permission validation For regular file names, we try to simplfy relative paths before we use them. Because the %pipe% device can, effectively, accept command line calls, we shouldn't be simplifying that string, because the command line syntax can end up confusing the path simplifying code. That can result in permitting a pipe command which does not match what was originally permitted. Special case "%pipe" in the validation code so we always deal with the entire string. |
Chris Liddell <chris.liddell@artifex.com> | yes | upstream | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea | 2023-06-07 |
| 020230614~fb342fd.patch | Bug 706778: 706761 revisit Two problems with the original commit. The first a silly typo inverting the logic of a test. The second was forgetting that we actually actually validate two candidate strings for pipe devices. One with the expected "%pipe%" prefix, the other using the pipe character prefix: "|". This addresses both those. |
Chris Liddell <chris.liddell@artifex.com> | yes | upstream | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099 | 2023-06-14 |
| 020230717~d81b82c.patch | Bug 706897: Copy pcx buffer overrun fix from devices/gdevpcx.c Bounds check the buffer, before dereferencing the pointer. |
Chris Liddell <chris.liddell@artifex.com> | no | debian | https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f | 2023-07-17 |
| 020230824~8b0f200.patch | IJS device - try and secure the IJS server startup Bug #707051 ""ijs" device can execute arbitrary commands" The problem is that the 'IJS' device needs to start the IJS server, and that is indeed an arbitrary command line. There is (apparently) no way to validate it. Indeed, this is covered quite clearly in the comments at the start of the source: * WARNING: The ijs server can be selected on the gs command line * which is a security risk, since any program can be run. Previously this used the awful LockSafetyParams hackery, which we abandoned some time ago because it simply couldn't be made secure (it was implemented in PostScript and was therefore vulnerable to PostScript programs). This commit prevents PostScript programs switching to the IJS device after SAFER has been activated, and prevents changes to the IjsServer parameter after SAFER has been activated. SAFER is activated, unless explicitly disabled, before any user PostScript is executed which means that the device and the server invocation can only be configured on the command line. This does at least provide minimal security against malicious PostScript programs. |
Ken Sharp <ken.sharp@artifex.com> | no | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe | 2023-08-24 | |
| 1001_cross.patch | allow skipping configure during bootstrap to support cross build ghostscript fails to cross build from source, because it configures for the build architecture when invoked from autogen.sh. Cross building configures for the host architecture as a separate call after initial bootstrapping. . This patch allows telling autogen.sh not to call configure. |
Helmut Grohne <helmut@subdivi.de> | no | debian | 2020-10-04 | |
| 1002-Update-lcms2-non-mt-code-for-buff_desc-endian_swap.patch | Update lcms2 (non-mt) code for buff_desc->endian_swap Forgotten in bd48c43be5f736393372dffbad627ed6fc486238 | Stefano Rivera <stefano@rivera.za.net> | yes | debian upstream | https://bugs.debian.org/976177#10 | 2020-12-01 |
| 1003_fix_gdevdsp_size_check.patch | fix size check in gdevdsp | Pino Toscano <pino@debian.org> | yes | debian upstream | https://bugs.debian.org/977754#36 | 2020-12-22 |
| 2001_docdir_fix_for_debian.patch | Set docdir appropriately for Debian | Masayuki Hatta <mhatta@debian.org> | no | 2009-04-15 | ||
| 2002_gs_man_fix_debian.patch | Fixes for gs.1 (Debian specific path adjustments) | Masayuki Hatta <mhatta@debian.org> | no | 2009-04-15 | ||
| 2003_support_multiarch.patch | Check multiarch paths | Jonas Smedegaard <dr@jones.dk> | no | 2011-09-19 | ||
| 2004_remove_non-Debian_paths_from_docs.patch | Remove non-Debian paths from documentation | Bastien ROUCARIS <roucaries.bastien@gmail.com> | no | 2012-07-24 | ||
| 2005_fix_Debian_paths_in_docs.patch | Fix Debian paths in documentation | Bastien ROUCARIS <roucaries.bastien@gmail.com> | no | 2012-07-24 | ||
| 2006_suggest_install_ghostscript-doc_in_docs.patch | Suggest install of ghostscript-doc in documentation | Bastien ROUCARIS <roucaries.bastien@gmail.com> | no | 2012-07-24 | ||
| 2007_suggest_install_ghostscript-doc_in_code.patch | Suggest install of ghostscript-doc in code | Bastien ROUCARIS <roucaries.bastien@gmail.com> | no | 2012-07-24 | ||
| 2008_mention_ghostscript-x_in_docs.patch | Mention ghostscipt-x affect on default device in docs | Bastien ROUCARIS <roucaries.bastien@gmail.com> | no | 2012-07-24 | ||
| 2009_use_system_javascript.patch | Use locally served jquery to avoid privacy breach | Jonas Smedegaard <dr@jones.dk> | no | 2018-09-14 | ||
| 2010_add_build_timestamp_setting.patch | Allow the build timestamp to be externally set In order to make Ghostscript output reproducible, we need a way to set the build timestamp to other values than the current time. We now consistently use gp_get_realtime() instead of directly calling time() or gp_get_usertime() and make gp_get_realtime() use the value found in the SOURCE_DATE_EPOCH environment variable if set. Also, environment timezone is fixed to UTC if SOURCE_DATE_EPOCH is used to avoid variations. |
Peter De Wachter <pdewacht@gmail.com> | no | debian | 2015-07-30 | |
| 2011_avoid_remote_font.patch | Avoid remote fonts to avoid privacy breach Simply avoid custom fonts for now... | Jonas Smedegaard <dr@jones.dk> | no | 2018-09-14 |