From 92ae98e2a0c2ffc807111dbf7616df47a9d3b31c Mon Sep 17 00:00:00 2001 From: Alex Vong Date: Thu, 2 Mar 2017 19:59:05 +0800 Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}. * gnu/packages/patches/mupdf-CVE-2017-5896.patch, gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files. * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches. * gnu/local.mk (dist_patch_DATA): Add them. Signed-off-by: Leo Famulari --- gnu/local.mk | 2 + .../patches/mupdf-CVE-2017-5896.patch | 63 +++++++++++ .../patches/mupdf-CVE-2017-5991.patch | 101 ++++++++++++++++++ gnu/packages/pdf.scm | 5 +- 4 files changed, 170 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5896.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5991.patch diff --git a/gnu/local.mk b/gnu/local.mk index 406e0dc963..584ab75a57 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -764,6 +764,8 @@ dist_patch_DATA = \ %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \ %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \ %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \ + %D%/packages/patches/mupdf-CVE-2017-5896.patch \ + %D%/packages/patches/mupdf-CVE-2017-5991.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/musl-CVE-2016-8859.patch \ %D%/packages/patches/mutt-store-references.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/patches/mupdf-CVE-2017-5896.patch new file mode 100644 index 0000000000..1537ecc896 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch @@ -0,0 +1,63 @@ +Fix CVE-2017-5896: + +https://bugs.ghostscript.com/show_bug.cgi?id=697515 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896 +http://www.openwall.com/lists/oss-security/2017/02/10/1 +https://security-tracker.debian.org/tracker/CVE-2017-5896 +https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/ + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 + +From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 9 Feb 2017 07:12:16 -0800 +Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap + +Pointer arithmetic for final special case was going wrong. +--- + source/fitz/pixmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c +index a8317127..f1291dc2 100644 +--- a/source/fitz/pixmap.c ++++ b/source/fitz/pixmap.c +@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, + "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n" + "ldr r4, [r13,#4*22] @ r4 = divXY \n" + "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n" ++ "ldr r8, [r13,#4*17] @ r8 = back4 \n" + "18: @ \n" + "mov r14,#0 @ r14= v = 0 \n" + "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n" +@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, + "mul r14,r4, r14 @ r14= v *= divX \n" + "mov r14,r14,LSR #16 @ r14= v >>= 16 \n" + "strb r14,[r9], #1 @ *d++ = r14 \n" +- "sub r0, r0, r8 @ s -= back2 \n" ++ "sub r0, r0, r8 @ s -= back4 \n" + "subs r5, r5, #1 @ n-- \n" + "bgt 18b @ } \n" + "21: @ \n" +@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) + x += f; + if (x > 0) + { ++ int back4 = x * n - 1; + div = x * y; + for (nn = n; nn > 0; nn--) + { +@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) + s -= back5; + } + *d++ = v / div; +- s -= back2; ++ s -= back4; + } + } + } +-- +2.12.0 + diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/patches/mupdf-CVE-2017-5991.patch new file mode 100644 index 0000000000..1fa6dc3466 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch @@ -0,0 +1,101 @@ +Fix CVE-2017-5991: + +https://bugs.ghostscript.com/show_bug.cgi?id=697500 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991 +https://security-tracker.debian.org/tracker/CVE-2017-5991 + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465 + +From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 9 Feb 2017 15:49:15 +0000 +Subject: [PATCH] Bug 697500: Fix NULL ptr access. + +Cope better with errors during rendering - avoid letting the +gstate stack get out of sync. + +This avoids us ever getting into the situation of popping +a clip when we should be popping a mask or a group. This was +causing an unexpected case in the painting. +--- + source/pdf/pdf-op-run.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c +index a3ea895d..f1eac8d3 100644 +--- a/source/pdf/pdf-op-run.c ++++ b/source/pdf/pdf-op-run.c +@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + pdf_run_processor *pr = (pdf_run_processor *)proc; + pdf_gstate *gstate = NULL; + int oldtop = 0; ++ int oldbot = -1; + fz_matrix local_transform = *transform; + softmask_save softmask = { NULL }; + int gparent_save; +@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + fz_var(cleanup_state); + fz_var(gstate); + fz_var(oldtop); ++ fz_var(oldbot); + + gparent_save = pr->gparent; + pr->gparent = pr->gtop; ++ oldtop = pr->gtop; + + fz_try(ctx) + { + pdf_gsave(ctx, pr); + + gstate = pr->gstate + pr->gtop; +- oldtop = pr->gtop; + + pdf_xobject_bbox(ctx, xobj, &xobj_bbox); + pdf_xobject_matrix(ctx, xobj, &xobj_matrix); +@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + + doc = pdf_get_bound_document(ctx, xobj->obj); + ++ oldbot = pr->gbot; ++ pr->gbot = pr->gtop; ++ + pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL); + } + fz_always(ctx) + { ++ /* Undo any gstate mismatches due to the pdf_process_contents call */ ++ if (oldbot != -1) ++ { ++ while (pr->gtop > pr->gbot) ++ { ++ pdf_grestore(ctx, pr); ++ } ++ pr->gbot = oldbot; ++ } ++ + if (cleanup_state >= 3) +- pdf_grestore(ctx, pr); /* Remove the clippath */ ++ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */ + + /* wrap up transparency stacks */ + if (transparency) +@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + pr->gstate[pr->gparent].ctm = gparent_save_ctm; + pr->gparent = gparent_save; + +- if (gstate) +- { +- while (oldtop < pr->gtop) +- pdf_grestore(ctx, pr); +- ++ while (oldtop < pr->gtop) + pdf_grestore(ctx, pr); +- } + + pdf_unmark_obj(ctx, xobj->obj); + } +-- +2.12.0 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index a229d689dd..13dbd0ecd1 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -11,6 +11,7 @@ ;;; Coypright © 2016 Julien Lepiller ;;; Copyright © 2016 Arun Isaac ;;; Copyright © 2017 Leo Famulari +;;; Copyright © 2017 Alex Vong ;;; ;;; This file is part of GNU Guix. ;;; @@ -550,7 +551,9 @@ (define mupdf/fixed (append (origin-patches (package-source mupdf)) (search-patches "mupdf-mujs-CVE-2016-10132.patch" - "mupdf-mujs-CVE-2016-10133.patch"))))))) + "mupdf-mujs-CVE-2016-10133.patch" + "mupdf-CVE-2017-5896.patch" + "mupdf-CVE-2017-5991.patch"))))))) (define-public qpdf (package