SECURITY FIX:

CVE-2009-4270: Ghostscript "errprintf()" Buffer Overflow Vulnerability

ok kili@ (MAINTAINER)

print/ghostscript/gnu/Makefile

@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.69 2009/09/13 20:59:16 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.70 2010/01/04 19:14:52 jasper Exp $
 
 COMMENT=	GNU PostScript interpreter
 
 VERSION=	8.63
 DISTNAME=	ghostscript-${VERSION}
-PKGNAME=	${DISTNAME}p9
+PKGNAME=	${DISTNAME}p10
 CATEGORIES=	print lang
 SHARED_LIBS=	gs	11.0
 

print/ghostscript/gnu/patches/patch-src_gsmisc_c

@@ -0,0 +1,68 @@
+$OpenBSD: patch-src_gsmisc_c,v 1.1 2010/01/04 19:14:52 jasper Exp $
+
+CVE-2009-4270: Ghostscript "errprintf()" Buffer Overflow Vulnerability
+http://bugs.ghostscript.com/show_bug.cgi?id=690829
+
+--- src/gsmisc.c.orig	Mon Jan  4 17:00:27 2010
++++ src/gsmisc.c	Mon Jan  4 17:02:04 2010
+@@ -55,12 +55,15 @@ orig_sqrt(double x)
+ #include "gxfarith.h"
+ #include "gxfixed.h"
+ #include "stdint_.h"
++#include "stdio_.h"
+ 
+ /* ------ Redirected stdout and stderr  ------ */
+ 
+ #include <stdarg.h>
+ #define PRINTF_BUF_LENGTH 1024
+ 
++static const char msg_truncated[] = "\n*** Previous line has been truncated.\n";
++
+ int outprintf(const gs_memory_t *mem, const char *fmt, ...)
+ {
+     int count;
+@@ -68,14 +71,12 @@ int outprintf(const gs_memory_t *mem, const char *fmt,
+     va_list args;
+ 
+     va_start(args, fmt);
+-
+-    count = vsprintf(buf, fmt, args);
+-    outwrite(mem, buf, count);
+-    if (count >= PRINTF_BUF_LENGTH) {
+-	count = sprintf(buf, 
+-	    "PANIC: printf exceeded %d bytes.  Stack has been corrupted.\n", 
+-	    PRINTF_BUF_LENGTH);
+-	outwrite(mem, buf, count);
++    count = vsnprintf(buf, sizeof(buf), fmt, args);
++    if (count >= sizeof(buf) || count < 0)  { /* C99 || MSVC */
++        outwrite(mem, buf, sizeof(buf) - 1);
++        outwrite(mem, msg_truncated, sizeof(msg_truncated) - 1);
++    } else {
++        outwrite(mem, buf, count);
+     }
+     va_end(args);
+     return count;
+@@ -88,15 +89,15 @@ int errprintf(const char *fmt, ...)
+     va_list args;
+ 
+     va_start(args, fmt);
+-
+-    count = vsprintf(buf, fmt, args);
+-    errwrite(buf, count);
+-    if (count >= PRINTF_BUF_LENGTH) {
+-	count = sprintf(buf, 
+-	    "PANIC: printf exceeded %d bytes.  Stack has been corrupted.\n", 
+-	    PRINTF_BUF_LENGTH);
+-	errwrite(buf, count);
++    count = vsnprintf(buf, sizeof(buf), fmt, args);
++    if (count >= sizeof(buf) || count < 0)  { /* C99 || MSVC */
++        errwrite(buf, sizeof(buf) - 1);
++        errwrite(msg_truncated, sizeof(msg_truncated) - 1);
++    } else {
++        errwrite(buf, count);
+     }
++    errwrite(buf, count);
++
+     va_end(args);
+     return count;
+ }

print/ghostscript/gnu/patches/patch-src_lib_mak

@@ -1,6 +1,6 @@
-$OpenBSD: patch-src_lib_mak,v 1.2 2007/11/19 20:06:56 kili Exp $
---- src/lib.mak.orig	Tue Jul 17 11:55:56 2007
-+++ src/lib.mak	Mon Sep  3 15:27:31 2007
+$OpenBSD: patch-src_lib_mak,v 1.3 2010/01/04 19:14:52 jasper Exp $
+--- src/lib.mak.orig	Thu Jul 24 01:29:39 2008
++++ src/lib.mak	Mon Jan  4 17:00:48 2010
 @@ -25,12 +25,12 @@ GLO_=$(O_)$(GLOBJ)
  GLI_=$(GLGENDIR) $(II)$(GLSRCDIR)
  GLF_=
@@ -16,3 +16,12 @@ $OpenBSD: patch-src_lib_mak,v 1.2 2007/11/19 20:06:56 kili Exp $
  GLLDFJB2CC=$(CC_) $(I_)$(LDF_JB2I_) $(II)$(GLI_)$(_I) $(JB2CF_) $(GLF_)
  GLLWFJPXCC=$(CC_) $(I_)$(LWF_JPXI_) $(II)$(GLI_)$(_I) $(JPXCF_) $(GLF_)
  GLCCSHARED=$(CC_SHARED) $(GLCCFLAGS)
+@@ -246,7 +246,7 @@ $(GLOBJ)gsargs.$(OBJ) : $(GLSRC)gsargs.c\
+ $(GLOBJ)gsmisc.$(OBJ) : $(GLSRC)gsmisc.c $(GXERR)\
+  $(vmsmath_h)\
+  $(ctype__h) $(malloc__h) $(math__h) $(memory__h) $(string__h)\
+- $(gpcheck_h) $(gserror_h) $(gxfarith_h) $(gxfixed_h) $(stdint__h)
++ $(gpcheck_h) $(gserror_h) $(gxfarith_h) $(gxfixed_h) $(stdint__h) $(stdio__h)
+ 	$(GLCC) $(GLO_)gsmisc.$(OBJ) $(C_) $(GLSRC)gsmisc.c
+ 
+ $(GLOBJ)gslibctx.$(OBJ) : $(GLSRC)gslibctx.c  $(GXERR)\