Bug 99012

Summary: Invalid access with libspectre 0.2.8 and latest Ubuntu ghostscript security update
Product: libspectre Reporter: Jeremy Bicha <jbicha>
Component: generalAssignee: Carlos Garcia Campos <carlosgc>
Status: RESOLVED NOTOURBUG QA Contact: Carlos Garcia Campos <carlosgc>
Severity: normal    
Priority: high    
Version: unspecified   
Hardware: Other   
OS: All   
See Also: https://launchpad.net/bugs/1647917
Whiteboard:
i915 platform: i915 features:
Attachments: ubuntu-patch1
ubuntu-patch2

Description Jeremy Bicha 2016-12-07 03:14:02 UTC 
Created attachment 128364 [details] [review]
ubuntu-patch1

1. Install the latest Ubuntu security update for ghostscript on a stable Ubuntu release (I tested with 16.10)

2. Install libspectre1 0.2.8-1 (it's available in zesty-proposed).

3. Open a .eps with Evince. Here's a test file:

https://bugs.launchpad.net/ubuntu/+source/libspectre/+bug/1348384/+attachment/4171120/+files/countrate.eps

What happens:
The .eps fails to display. If run from a terminal, this is output:

 invalidaccess -7

Ubuntu's libspectre 0.2.7 does not have this problem. Note that Ubuntu 16.10 handled bug 76450 differently than the fix that was included in 0.2.8. I am attaching the two Ubuntu patches that Ubuntu applied against 0.2.7.
Comment 1 Jeremy Bicha 2016-12-07 03:14:32 UTC 
Created attachment 128365 [details] [review]
ubuntu-patch2
Comment 2 Jeremy Bicha 2016-12-07 20:57:02 UTC 
This was fixed in Ubuntu by another ghostscript update today. See
https://launchpad.net/ubuntu/+source/ghostscript/9.19~dfsg+1-0ubuntu6.3

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.