gnu: mupdf: Fix CVE-2016-{7504,7505,7506,7563,7564,9017,9136} in bundled mujs.

* gnu/packages/patches/mupdf-CVE-2016-7504.patch,
gnu/packages/patches/mupdf-CVE-2016-7505.patch
gnu/packages/patches/mupdf-CVE-2016-7506.patch
gnu/packages/patches/mupdf-CVE-2016-7563.patch
gnu/packages/patches/mupdf-CVE-2016-7564.patch
gnu/packages/patches/mupdf-CVE-2016-9017.patch
gnu/packages/patches/mupdf-CVE-2016-9136.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/pdf.scm (mupdf)[source]: Use them.
This commit is contained in:
Leo Famulari 2016-11-07 22:56:53 -05:00
parent 81bf2ccbc4
commit 667e777b4e
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
9 changed files with 337 additions and 1 deletions

View file

@ -721,7 +721,14 @@ dist_patch_DATA = \
%D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
%D%/packages/patches/mupdf-CVE-2016-6265.patch \
%D%/packages/patches/mupdf-CVE-2016-6525.patch \
%D%/packages/patches/mupdf-CVE-2016-7504.patch \
%D%/packages/patches/mupdf-CVE-2016-7505.patch \
%D%/packages/patches/mupdf-CVE-2016-7506.patch \
%D%/packages/patches/mupdf-CVE-2016-7563.patch \
%D%/packages/patches/mupdf-CVE-2016-7564.patch \
%D%/packages/patches/mupdf-CVE-2016-8674.patch \
%D%/packages/patches/mupdf-CVE-2016-9017.patch \
%D%/packages/patches/mupdf-CVE-2016-9136.patch \
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
%D%/packages/patches/musl-CVE-2016-8859.patch \
%D%/packages/patches/mutt-store-references.patch \

View file

@ -0,0 +1,99 @@
Fix CVE-2016-7504:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504
http://bugs.ghostscript.com/show_bug.cgi?id=697142
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a
From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 21 Sep 2016 16:01:08 +0200
Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object.
Make sure to make a copy of the source pattern string.
A case we missed when adding short and memory strings to the runtime.
The code assumed all strings passed to it were either literal or interned.
---
jsgc.c | 4 +++-
jsi.h | 1 +
jsregexp.c | 2 +-
jsrun.c | 8 ++++++++
jsvalue.h | 2 +-
5 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/jsgc.c b/jsgc.c
index 9bd6482..4f7e7dc 100644
--- a/thirdparty/mujs/jsgc.c
+++ b/thirdparty/mujs/jsgc.c
@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
{
if (obj->head)
jsG_freeproperty(J, obj->head);
- if (obj->type == JS_CREGEXP)
+ if (obj->type == JS_CREGEXP) {
+ js_free(J, obj->u.r.source);
js_regfree(obj->u.r.prog);
+ }
if (obj->type == JS_CITERATOR)
jsG_freeiterator(J, obj->u.iter.head);
if (obj->type == JS_CUSERDATA && obj->u.user.finalize)
diff --git a/jsi.h b/jsi.h
index 7d9f7c7..e855045 100644
--- a/thirdparty/mujs/jsi.h
+++ b/thirdparty/mujs/jsi.h
@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction;
/* String interning */
+char *js_strdup(js_State *J, const char *s);
const char *js_intern(js_State *J, const char *s);
void jsS_dumpstrings(js_State *J);
void jsS_freestrings(js_State *J);
diff --git a/jsregexp.c b/jsregexp.c
index 2a056b7..a2d5156 100644
--- a/thirdparty/mujs/jsregexp.c
+++ b/thirdparty/mujs/jsregexp.c
@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
js_syntaxerror(J, "regular expression: %s", error);
obj->u.r.prog = prog;
- obj->u.r.source = pattern;
+ obj->u.r.source = js_strdup(J, pattern);
obj->u.r.flags = flags;
obj->u.r.last = 0;
js_pushobject(J, obj);
diff --git a/jsrun.c b/jsrun.c
index 2648c4c..ee80845 100644
--- a/thirdparty/mujs/jsrun.c
+++ b/thirdparty/mujs/jsrun.c
@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size)
return ptr;
}
+char *js_strdup(js_State *J, const char *s)
+{
+ int n = strlen(s) + 1;
+ char *p = js_malloc(J, n);
+ memcpy(p, s, n);
+ return p;
+}
+
void js_free(js_State *J, void *ptr)
{
J->alloc(J->actx, ptr, 0);
diff --git a/jsvalue.h b/jsvalue.h
index 6cfbd89..8fb5016 100644
--- a/thirdparty/mujs/jsvalue.h
+++ b/thirdparty/mujs/jsvalue.h
@@ -71,7 +71,7 @@ struct js_String
struct js_Regexp
{
void *prog;
- const char *source;
+ char *source;
unsigned short flags;
unsigned short last;
};
--
2.10.2

View file

@ -0,0 +1,32 @@
Fix CVE-2016-7505:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505
http://bugs.ghostscript.com/show_bug.cgi?id=697140
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5
From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 21 Sep 2016 15:21:04 +0200
Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod.
---
jsdtoa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/jsdtoa.c b/jsdtoa.c
index 2e52368..920c1a7 100644
--- a/thirdparty/mujs/jsdtoa.c
+++ b/thirdparty/mujs/jsdtoa.c
@@ -735,6 +735,7 @@ xx:
n -= c<<b;
*p++ = c + '0';
(*na)++;
+ if (*na >= Ndig) break; /* abort if overflowing */
}
*p = 0;
}
--
2.10.2

View file

@ -0,0 +1,42 @@
Fix CVE-2016-7506:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506
http://bugs.ghostscript.com/show_bug.cgi?id=697141
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a
From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 21 Sep 2016 16:02:11 +0200
Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution.
A '$' escape at the end of the string would read past the zero terminator
when looking for the escaped character.
---
jsstring.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/jsstring.c b/jsstring.c
index 66f6a89..0209a8e 100644
--- a/thirdparty/mujs/jsstring.c
+++ b/thirdparty/mujs/jsstring.c
@@ -421,6 +421,7 @@ loop:
while (*r) {
if (*r == '$') {
switch (*(++r)) {
+ case 0: --r; /* end of string; back up and fall through */
case '$': js_putc(J, &sb, '$'); break;
case '`': js_putm(J, &sb, source, s); break;
case '\'': js_puts(J, &sb, s + n); break;
@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J)
while (*r) {
if (*r == '$') {
switch (*(++r)) {
+ case 0: --r; /* end of string; back up and fall through */
case '$': js_putc(J, &sb, '$'); break;
case '&': js_putm(J, &sb, s, s + n); break;
case '`': js_putm(J, &sb, source, s); break;
--
2.10.2

View file

@ -0,0 +1,37 @@
Fix CVE-2016-7563:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563
http://bugs.ghostscript.com/show_bug.cgi?id=697136
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59
From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 20 Sep 2016 17:11:32 +0200
Subject: [PATCH] Fix bug 697136.
We were unconditionally reading the next character if we encountered
a '*' in a multi-line comment; possibly reading past the end of
the input.
---
jslex.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jslex.c b/jslex.c
index 7b80800..cbd0eeb 100644
--- a/thirdparty/mujs/jslex.c
+++ b/thirdparty/mujs/jslex.c
@@ -225,7 +225,8 @@ static int lexcomment(js_State *J)
if (jsY_accept(J, '/'))
return 0;
}
- jsY_next(J);
+ else
+ jsY_next(J);
}
return -1;
}
--
2.10.2

View file

@ -0,0 +1,34 @@
Fix CVE-2016-7564:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564
http://bugs.ghostscript.com/show_bug.cgi?id=697137
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8
From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 20 Sep 2016 17:19:06 +0200
Subject: [PATCH] Fix bug 697137: off by one in string length calculation.
We were not allocating space for the terminating zero byte.
---
jsfunction.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jsfunction.c b/jsfunction.c
index 8b5b18e..28f7aa7 100644
--- a/thirdparty/mujs/jsfunction.c
+++ b/thirdparty/mujs/jsfunction.c
@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J)
n += strlen(F->name);
for (i = 0; i < F->numparams; ++i)
n += strlen(F->vartab[i]) + 1;
- s = js_malloc(J, n);
+ s = js_malloc(J, n + 1);
strcpy(s, "function ");
strcat(s, F->name);
strcat(s, "(");
--
2.10.2

View file

@ -0,0 +1,46 @@
Fix CVE-2016-9017:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107
http://bugs.ghostscript.com/show_bug.cgi?id=697171
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767
From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 25 Oct 2016 14:08:27 +0200
Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump.
---
jscompile.h | 2 +-
jsdump.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/jscompile.h b/jscompile.h
index 802cc9e..3054d13 100644
--- a/thirdparty/mujs/jscompile.h
+++ b/thirdparty/mujs/jscompile.h
@@ -21,7 +21,7 @@ enum js_OpCode
OP_NEWARRAY,
OP_NEWOBJECT,
- OP_NEWREGEXP,
+ OP_NEWREGEXP, /* -S,opts- <regexp> */
OP_UNDEF,
OP_NULL,
diff --git a/jsdump.c b/jsdump.c
index 1c51c29..37ad88c 100644
--- a/thirdparty/mujs/jsdump.c
+++ b/thirdparty/mujs/jsdump.c
@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F)
case OP_INITVAR:
case OP_DEFVAR:
case OP_GETVAR:
+ case OP_HASVAR:
case OP_SETVAR:
case OP_DELVAR:
case OP_GETPROP_S:
--
2.10.2

View file

@ -0,0 +1,32 @@
Fix CVE-2016-9136:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136
http://bugs.ghostscript.com/show_bug.cgi?id=697244
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89
From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Mon, 31 Oct 2016 13:05:37 +0100
Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of
input.
---
jslex.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/jslex.c b/jslex.c
index cbd0eeb..aaafdac 100644
--- a/thirdparty/mujs/jslex.c
+++ b/thirdparty/mujs/jslex.c
@@ -377,6 +377,7 @@ static int lexescape(js_State *J)
return 0;
switch (J->lexchar) {
+ case 0: jsY_error(J, "unterminated escape sequence");
case 'u':
jsY_next(J);
if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); }
--
2.10.2

View file

@ -491,7 +491,14 @@ (define-public mupdf
(patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
"mupdf-CVE-2016-6265.patch"
"mupdf-CVE-2016-6525.patch"
"mupdf-CVE-2016-8674.patch"))
"mupdf-CVE-2016-7504.patch"
"mupdf-CVE-2016-7505.patch"
"mupdf-CVE-2016-7506.patch"
"mupdf-CVE-2016-7563.patch"
"mupdf-CVE-2016-7564.patch"
"mupdf-CVE-2016-8674.patch"
"mupdf-CVE-2016-9017.patch"
"mupdf-CVE-2016-9136.patch"))
(modules '((guix build utils)))
(snippet
;; Delete all the bundled libraries except for mujs, which is