mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-25 05:48:07 -05:00
gnu: mupdf: Fix CVE-2017-{5896,5991}.
* gnu/packages/patches/mupdf-CVE-2017-5896.patch, gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files. * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches. * gnu/local.mk (dist_patch_DATA): Add them. Signed-off-by: Leo Famulari <leo@famulari.name>
This commit is contained in:
parent
89d42ac17c
commit
92ae98e2a0
4 changed files with 170 additions and 1 deletions
|
@ -764,6 +764,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
|
||||
%D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \
|
||||
%D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2017-5896.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2017-5991.patch \
|
||||
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
|
||||
%D%/packages/patches/musl-CVE-2016-8859.patch \
|
||||
%D%/packages/patches/mutt-store-references.patch \
|
||||
|
|
63
gnu/packages/patches/mupdf-CVE-2017-5896.patch
Normal file
63
gnu/packages/patches/mupdf-CVE-2017-5896.patch
Normal file
|
@ -0,0 +1,63 @@
|
|||
Fix CVE-2017-5896:
|
||||
|
||||
https://bugs.ghostscript.com/show_bug.cgi?id=697515
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
|
||||
http://www.openwall.com/lists/oss-security/2017/02/10/1
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-5896
|
||||
https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/
|
||||
|
||||
Patch lifted from upstream source repository:
|
||||
|
||||
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
|
||||
|
||||
From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
|
||||
From: Robin Watts <Robin.Watts@artifex.com>
|
||||
Date: Thu, 9 Feb 2017 07:12:16 -0800
|
||||
Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
|
||||
|
||||
Pointer arithmetic for final special case was going wrong.
|
||||
---
|
||||
source/fitz/pixmap.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
|
||||
index a8317127..f1291dc2 100644
|
||||
--- a/source/fitz/pixmap.c
|
||||
+++ b/source/fitz/pixmap.c
|
||||
@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
|
||||
"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
|
||||
"ldr r4, [r13,#4*22] @ r4 = divXY \n"
|
||||
"ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n"
|
||||
+ "ldr r8, [r13,#4*17] @ r8 = back4 \n"
|
||||
"18: @ \n"
|
||||
"mov r14,#0 @ r14= v = 0 \n"
|
||||
"sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n"
|
||||
@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
|
||||
"mul r14,r4, r14 @ r14= v *= divX \n"
|
||||
"mov r14,r14,LSR #16 @ r14= v >>= 16 \n"
|
||||
"strb r14,[r9], #1 @ *d++ = r14 \n"
|
||||
- "sub r0, r0, r8 @ s -= back2 \n"
|
||||
+ "sub r0, r0, r8 @ s -= back4 \n"
|
||||
"subs r5, r5, #1 @ n-- \n"
|
||||
"bgt 18b @ } \n"
|
||||
"21: @ \n"
|
||||
@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
|
||||
x += f;
|
||||
if (x > 0)
|
||||
{
|
||||
+ int back4 = x * n - 1;
|
||||
div = x * y;
|
||||
for (nn = n; nn > 0; nn--)
|
||||
{
|
||||
@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
|
||||
s -= back5;
|
||||
}
|
||||
*d++ = v / div;
|
||||
- s -= back2;
|
||||
+ s -= back4;
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.12.0
|
||||
|
101
gnu/packages/patches/mupdf-CVE-2017-5991.patch
Normal file
101
gnu/packages/patches/mupdf-CVE-2017-5991.patch
Normal file
|
@ -0,0 +1,101 @@
|
|||
Fix CVE-2017-5991:
|
||||
|
||||
https://bugs.ghostscript.com/show_bug.cgi?id=697500
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-5991
|
||||
|
||||
Patch lifted from upstream source repository:
|
||||
|
||||
http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465
|
||||
|
||||
From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
|
||||
From: Robin Watts <robin.watts@artifex.com>
|
||||
Date: Thu, 9 Feb 2017 15:49:15 +0000
|
||||
Subject: [PATCH] Bug 697500: Fix NULL ptr access.
|
||||
|
||||
Cope better with errors during rendering - avoid letting the
|
||||
gstate stack get out of sync.
|
||||
|
||||
This avoids us ever getting into the situation of popping
|
||||
a clip when we should be popping a mask or a group. This was
|
||||
causing an unexpected case in the painting.
|
||||
---
|
||||
source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
|
||||
1 file changed, 18 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
|
||||
index a3ea895d..f1eac8d3 100644
|
||||
--- a/source/pdf/pdf-op-run.c
|
||||
+++ b/source/pdf/pdf-op-run.c
|
||||
@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
|
||||
pdf_run_processor *pr = (pdf_run_processor *)proc;
|
||||
pdf_gstate *gstate = NULL;
|
||||
int oldtop = 0;
|
||||
+ int oldbot = -1;
|
||||
fz_matrix local_transform = *transform;
|
||||
softmask_save softmask = { NULL };
|
||||
int gparent_save;
|
||||
@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
|
||||
fz_var(cleanup_state);
|
||||
fz_var(gstate);
|
||||
fz_var(oldtop);
|
||||
+ fz_var(oldbot);
|
||||
|
||||
gparent_save = pr->gparent;
|
||||
pr->gparent = pr->gtop;
|
||||
+ oldtop = pr->gtop;
|
||||
|
||||
fz_try(ctx)
|
||||
{
|
||||
pdf_gsave(ctx, pr);
|
||||
|
||||
gstate = pr->gstate + pr->gtop;
|
||||
- oldtop = pr->gtop;
|
||||
|
||||
pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
|
||||
pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
|
||||
@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
|
||||
|
||||
doc = pdf_get_bound_document(ctx, xobj->obj);
|
||||
|
||||
+ oldbot = pr->gbot;
|
||||
+ pr->gbot = pr->gtop;
|
||||
+
|
||||
pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
|
||||
}
|
||||
fz_always(ctx)
|
||||
{
|
||||
+ /* Undo any gstate mismatches due to the pdf_process_contents call */
|
||||
+ if (oldbot != -1)
|
||||
+ {
|
||||
+ while (pr->gtop > pr->gbot)
|
||||
+ {
|
||||
+ pdf_grestore(ctx, pr);
|
||||
+ }
|
||||
+ pr->gbot = oldbot;
|
||||
+ }
|
||||
+
|
||||
if (cleanup_state >= 3)
|
||||
- pdf_grestore(ctx, pr); /* Remove the clippath */
|
||||
+ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
|
||||
|
||||
/* wrap up transparency stacks */
|
||||
if (transparency)
|
||||
@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
|
||||
pr->gstate[pr->gparent].ctm = gparent_save_ctm;
|
||||
pr->gparent = gparent_save;
|
||||
|
||||
- if (gstate)
|
||||
- {
|
||||
- while (oldtop < pr->gtop)
|
||||
- pdf_grestore(ctx, pr);
|
||||
-
|
||||
+ while (oldtop < pr->gtop)
|
||||
pdf_grestore(ctx, pr);
|
||||
- }
|
||||
|
||||
pdf_unmark_obj(ctx, xobj->obj);
|
||||
}
|
||||
--
|
||||
2.12.0
|
||||
|
|
@ -11,6 +11,7 @@
|
|||
;;; Coypright © 2016 Julien Lepiller <julien@lepiller.eu>
|
||||
;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
|
||||
;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
|
||||
;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -550,7 +551,9 @@ (define mupdf/fixed
|
|||
(append
|
||||
(origin-patches (package-source mupdf))
|
||||
(search-patches "mupdf-mujs-CVE-2016-10132.patch"
|
||||
"mupdf-mujs-CVE-2016-10133.patch")))))))
|
||||
"mupdf-mujs-CVE-2016-10133.patch"
|
||||
"mupdf-CVE-2017-5896.patch"
|
||||
"mupdf-CVE-2017-5991.patch")))))))
|
||||
|
||||
(define-public qpdf
|
||||
(package
|
||||
|
|
Loading…
Reference in a new issue