gnu: mupdf: Fix CVE-2018-{6544,1000051}.
* gnu/packages/patches/mupdf-CVE-2018-1000051.patch, gnu/packages/patches/mupdf-CVE-2018-6544.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/pdf.scm (mupdf)[source]: Use them.master
Leo Famulari
parent
5bd43f7fd1
commit
4d99a3215c
|
|
@ -929,6 +929,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/mumps-build-parallelism.patch \
|
||||
%D%/packages/patches/mupdf-build-with-latest-openjpeg.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2017-17858.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2018-6544.patch \
|
||||
%D%/packages/patches/mupdf-CVE-2018-1000051.patch \
|
||||
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
|
||||
%D%/packages/patches/mutt-store-references.patch \
|
||||
%D%/packages/patches/net-tools-bitrot.patch \
|
||||
|
|
|
|||
|
|
@ -0,0 +1,88 @@
|
|||
Fix CVE-2018-1000051:
|
||||
|
||||
https://bugs.ghostscript.com/show_bug.cgi?id=698873
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000051
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.ghostscript.com/?p=mupdf.git;a=commit;h=321ba1de287016b0036bf4a56ce774ad11763384
|
||||
|
||||
From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Rasmussen <sebras@gmail.com>
|
||||
Date: Tue, 19 Dec 2017 23:47:47 +0100
|
||||
Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces.
|
||||
|
||||
Previously the borrowed colorspace was dropped when updating annotation
|
||||
appearances, leading to use after free warnings from valgrind/ASAN.
|
||||
---
|
||||
source/pdf/pdf-appearance.c | 8 ++------
|
||||
1 file changed, 2 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
|
||||
index 70f684f4..d7a1dddd 100644
|
||||
--- a/source/pdf/pdf-appearance.c
|
||||
+++ b/source/pdf/pdf-appearance.c
|
||||
@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
|
||||
fz_device *dev = NULL;
|
||||
font_info font_rec;
|
||||
fz_text *text = NULL;
|
||||
- fz_colorspace *cs = NULL;
|
||||
fz_matrix page_ctm;
|
||||
|
||||
pdf_page_transform(ctx, annot->page, NULL, &page_ctm);
|
||||
@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
|
||||
fz_var(dlist);
|
||||
fz_var(dev);
|
||||
fz_var(text);
|
||||
- fz_var(cs);
|
||||
fz_try(ctx)
|
||||
{
|
||||
char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents));
|
||||
char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA));
|
||||
+ fz_colorspace *cs;
|
||||
fz_point pos;
|
||||
fz_rect rect;
|
||||
|
||||
@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
|
||||
fz_drop_display_list(ctx, dlist);
|
||||
font_info_fin(ctx, &font_rec);
|
||||
fz_drop_text(ctx, text);
|
||||
- fz_drop_colorspace(ctx, cs);
|
||||
}
|
||||
fz_catch(ctx)
|
||||
{
|
||||
@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
|
||||
fz_device *dev = NULL;
|
||||
font_info font_rec;
|
||||
fz_text *text = NULL;
|
||||
- fz_colorspace *cs = NULL;
|
||||
fz_path *path = NULL;
|
||||
fz_buffer *fzbuf = NULL;
|
||||
fz_matrix page_ctm;
|
||||
@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
|
||||
fz_var(dlist);
|
||||
fz_var(dev);
|
||||
fz_var(text);
|
||||
- fz_var(cs);
|
||||
fz_var(fzbuf);
|
||||
fz_try(ctx)
|
||||
{
|
||||
@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
|
||||
fz_rect logo_bounds;
|
||||
fz_matrix logo_tm;
|
||||
fz_rect rect;
|
||||
+ fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */
|
||||
|
||||
pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect);
|
||||
rect = annot_rect;
|
||||
@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
|
||||
fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds);
|
||||
center_rect_within_rect(&logo_bounds, &rect, &logo_tm);
|
||||
fz_concat(&logo_tm, &logo_tm, &page_ctm);
|
||||
- cs = fz_device_rgb(ctx); /* Borrowed reference */
|
||||
fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL);
|
||||
|
||||
get_font_info(ctx, doc, dr, da, &font_rec);
|
||||
--
|
||||
2.16.3
|
||||
|
||||
|
|
@ -0,0 +1,109 @@
|
|||
Fix CVE-2018-6544:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6544
|
||||
https://bugs.ghostscript.com/show_bug.cgi?id=698830
|
||||
https://bugs.ghostscript.com/show_bug.cgi?id=698965
|
||||
|
||||
Patches copied from upstream source repository:
|
||||
|
||||
https://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d
|
||||
https://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89
|
||||
|
||||
From b03def134988da8c800adac1a38a41a1f09a1d89 Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Rasmussen <sebras@gmail.com>
|
||||
Date: Thu, 1 Feb 2018 16:36:14 +0100
|
||||
Subject: [PATCH] Bug 698830: Avoid recursion when loading object streams
|
||||
objects.
|
||||
|
||||
If there were indirect references in the object stream dictionary and
|
||||
one of those indirect references referred to an object inside the object
|
||||
stream itself, mupdf would previously enter recursion only bounded by the
|
||||
exception stack. After this commit the object stream is checked if it is
|
||||
marked immediately after being loaded. If it is marked then we terminate
|
||||
the recursion at this point, if it is not marked then mark it and
|
||||
attempt to load the desired object within. We also take care to unmark
|
||||
the stream object when done or upon exception.
|
||||
---
|
||||
source/pdf/pdf-xref.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
||||
index 723b543c..ed09094c 100644
|
||||
--- a/source/pdf/pdf-xref.c
|
||||
+++ b/source/pdf/pdf-xref.c
|
||||
@@ -1576,6 +1576,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
|
||||
{
|
||||
objstm = pdf_load_object(ctx, doc, num);
|
||||
|
||||
+ if (pdf_obj_marked(ctx, objstm))
|
||||
+ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
|
||||
+ }
|
||||
+ fz_catch(ctx)
|
||||
+ {
|
||||
+ pdf_drop_obj(ctx, objstm);
|
||||
+ fz_rethrow(ctx);
|
||||
+ }
|
||||
+
|
||||
+ fz_try(ctx)
|
||||
+ {
|
||||
+ pdf_mark_obj(ctx, objstm);
|
||||
+
|
||||
count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
|
||||
first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
|
||||
|
||||
@@ -1655,6 +1668,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
|
||||
fz_drop_stream(ctx, stm);
|
||||
fz_free(ctx, ofsbuf);
|
||||
fz_free(ctx, numbuf);
|
||||
+ pdf_unmark_obj(ctx, objstm);
|
||||
pdf_drop_obj(ctx, objstm);
|
||||
}
|
||||
fz_catch(ctx)
|
||||
--
|
||||
2.16.3
|
||||
|
||||
From 26527eef77b3e51c2258c8e40845bfbc015e405d Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Rasmussen <sebras@gmail.com>
|
||||
Date: Mon, 29 Jan 2018 02:00:48 +0100
|
||||
Subject: [PATCH] Bug 698830: Don't drop unkept stream if running out of error
|
||||
stack.
|
||||
|
||||
Under normal conditions where fz_keep_stream() is called inside
|
||||
fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions.
|
||||
The issue comes when fz_keep_stream() has not yet been called but is
|
||||
dropped in fz_catch(). This happens in the PDF from the bug when
|
||||
fz_try() runs out of exception stack, and next the code in fz_catch()
|
||||
runs, dropping the caller's reference to the filter chain stream!
|
||||
|
||||
The simplest way of fixing this it to always keep the filter chain
|
||||
stream before fz_try() is called. That way fz_catch() may drop the
|
||||
stream whether an exception has occurred or if the fz_try() ran out of
|
||||
exception stack.
|
||||
---
|
||||
source/pdf/pdf-stream.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
|
||||
index c89da5c4..c6ba7ad3 100644
|
||||
--- a/source/pdf/pdf-stream.c
|
||||
+++ b/source/pdf/pdf-stream.c
|
||||
@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_ob
|
||||
*orig_gen = 0;
|
||||
}
|
||||
|
||||
- fz_var(chain);
|
||||
+ chain = fz_keep_stream(ctx, chain);
|
||||
|
||||
fz_try(ctx)
|
||||
{
|
||||
len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
|
||||
|
||||
- /* don't close chain when we close this filter */
|
||||
- chain2 = fz_keep_stream(ctx, chain);
|
||||
+ chain2 = chain;
|
||||
chain = NULL;
|
||||
chain = fz_open_null(ctx, chain2, len, offset);
|
||||
|
||||
--
|
||||
2.16.3
|
||||
|
||||
|
|
@ -574,7 +574,9 @@ extracting content or merging files.")
|
|||
(uri (string-append "https://mupdf.com/downloads/archive/"
|
||||
name "-" version "-source.tar.xz"))
|
||||
(patches (search-patches "mupdf-build-with-latest-openjpeg.patch"
|
||||
"mupdf-CVE-2017-17858.patch"))
|
||||
"mupdf-CVE-2017-17858.patch"
|
||||
"mupdf-CVE-2018-6544.patch"
|
||||
"mupdf-CVE-2018-1000051.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"0b9j0gqbc3jhmx87r6idcsh8lnb30840c3hyx6dk2gdjqqh3hysp"))
|
||||
|
|
|
|||
Reference in New Issue