diff options
author | Leo Famulari <leo@famulari.name> | 2018-03-27 18:59:20 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2018-03-27 19:00:03 -0400 |
commit | 4d99a3215c1cb3eda1e9f1159e6fb87915d7390a (patch) | |
tree | 4b75b0f5e1b7b629e3592a87ffad10212926b55b | |
parent | 5bd43f7fd104b80c3054c24b30489549f7ee7029 (diff) | |
download | guix-4d99a3215c1cb3eda1e9f1159e6fb87915d7390a.tar.gz |
gnu: mupdf: Fix CVE-2018-{6544,1000051}.
* gnu/packages/patches/mupdf-CVE-2018-1000051.patch, gnu/packages/patches/mupdf-CVE-2018-6544.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/pdf.scm (mupdf)[source]: Use them.
-rw-r--r-- | gnu/local.mk | 2 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-CVE-2018-1000051.patch | 88 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-CVE-2018-6544.patch | 109 | ||||
-rw-r--r-- | gnu/packages/pdf.scm | 4 |
4 files changed, 202 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 284161fe8a..0575a2fe32 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -929,6 +929,8 @@ dist_patch_DATA = \ %D%/packages/patches/mumps-build-parallelism.patch \ %D%/packages/patches/mupdf-build-with-latest-openjpeg.patch \ %D%/packages/patches/mupdf-CVE-2017-17858.patch \ + %D%/packages/patches/mupdf-CVE-2018-6544.patch \ + %D%/packages/patches/mupdf-CVE-2018-1000051.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/mutt-store-references.patch \ %D%/packages/patches/net-tools-bitrot.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2018-1000051.patch b/gnu/packages/patches/mupdf-CVE-2018-1000051.patch new file mode 100644 index 0000000000..bb78c46f80 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2018-1000051.patch @@ -0,0 +1,88 @@ +Fix CVE-2018-1000051: + +https://bugs.ghostscript.com/show_bug.cgi?id=698873 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000051 + +Patch copied from upstream source repository: + +https://git.ghostscript.com/?p=mupdf.git;a=commit;h=321ba1de287016b0036bf4a56ce774ad11763384 + +From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen <sebras@gmail.com> +Date: Tue, 19 Dec 2017 23:47:47 +0100 +Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces. + +Previously the borrowed colorspace was dropped when updating annotation +appearances, leading to use after free warnings from valgrind/ASAN. +--- + source/pdf/pdf-appearance.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c +index 70f684f4..d7a1dddd 100644 +--- a/source/pdf/pdf-appearance.c ++++ b/source/pdf/pdf-appearance.c +@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p + fz_device *dev = NULL; + font_info font_rec; + fz_text *text = NULL; +- fz_colorspace *cs = NULL; + fz_matrix page_ctm; + + pdf_page_transform(ctx, annot->page, NULL, &page_ctm); +@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p + fz_var(dlist); + fz_var(dev); + fz_var(text); +- fz_var(cs); + fz_try(ctx) + { + char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents)); + char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA)); ++ fz_colorspace *cs; + fz_point pos; + fz_rect rect; + +@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p + fz_drop_display_list(ctx, dlist); + font_info_fin(ctx, &font_rec); + fz_drop_text(ctx, text); +- fz_drop_colorspace(ctx, cs); + } + fz_catch(ctx) + { +@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot + fz_device *dev = NULL; + font_info font_rec; + fz_text *text = NULL; +- fz_colorspace *cs = NULL; + fz_path *path = NULL; + fz_buffer *fzbuf = NULL; + fz_matrix page_ctm; +@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot + fz_var(dlist); + fz_var(dev); + fz_var(text); +- fz_var(cs); + fz_var(fzbuf); + fz_try(ctx) + { +@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot + fz_rect logo_bounds; + fz_matrix logo_tm; + fz_rect rect; ++ fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */ + + pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect); + rect = annot_rect; +@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot + fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds); + center_rect_within_rect(&logo_bounds, &rect, &logo_tm); + fz_concat(&logo_tm, &logo_tm, &page_ctm); +- cs = fz_device_rgb(ctx); /* Borrowed reference */ + fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL); + + get_font_info(ctx, doc, dr, da, &font_rec); +-- +2.16.3 + diff --git a/gnu/packages/patches/mupdf-CVE-2018-6544.patch b/gnu/packages/patches/mupdf-CVE-2018-6544.patch new file mode 100644 index 0000000000..b2c8f849f3 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2018-6544.patch @@ -0,0 +1,109 @@ +Fix CVE-2018-6544: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6544 +https://bugs.ghostscript.com/show_bug.cgi?id=698830 +https://bugs.ghostscript.com/show_bug.cgi?id=698965 + +Patches copied from upstream source repository: + +https://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d +https://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89 + +From b03def134988da8c800adac1a38a41a1f09a1d89 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen <sebras@gmail.com> +Date: Thu, 1 Feb 2018 16:36:14 +0100 +Subject: [PATCH] Bug 698830: Avoid recursion when loading object streams + objects. + +If there were indirect references in the object stream dictionary and +one of those indirect references referred to an object inside the object +stream itself, mupdf would previously enter recursion only bounded by the +exception stack. After this commit the object stream is checked if it is +marked immediately after being loaded. If it is marked then we terminate +the recursion at this point, if it is not marked then mark it and +attempt to load the desired object within. We also take care to unmark +the stream object when done or upon exception. +--- + source/pdf/pdf-xref.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 723b543c..ed09094c 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1576,6 +1576,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i + { + objstm = pdf_load_object(ctx, doc, num); + ++ if (pdf_obj_marked(ctx, objstm)) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup"); ++ } ++ fz_catch(ctx) ++ { ++ pdf_drop_obj(ctx, objstm); ++ fz_rethrow(ctx); ++ } ++ ++ fz_try(ctx) ++ { ++ pdf_mark_obj(ctx, objstm); ++ + count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N)); + first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First)); + +@@ -1655,6 +1668,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i + fz_drop_stream(ctx, stm); + fz_free(ctx, ofsbuf); + fz_free(ctx, numbuf); ++ pdf_unmark_obj(ctx, objstm); + pdf_drop_obj(ctx, objstm); + } + fz_catch(ctx) +-- +2.16.3 + +From 26527eef77b3e51c2258c8e40845bfbc015e405d Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen <sebras@gmail.com> +Date: Mon, 29 Jan 2018 02:00:48 +0100 +Subject: [PATCH] Bug 698830: Don't drop unkept stream if running out of error + stack. + +Under normal conditions where fz_keep_stream() is called inside +fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions. +The issue comes when fz_keep_stream() has not yet been called but is +dropped in fz_catch(). This happens in the PDF from the bug when +fz_try() runs out of exception stack, and next the code in fz_catch() +runs, dropping the caller's reference to the filter chain stream! + +The simplest way of fixing this it to always keep the filter chain +stream before fz_try() is called. That way fz_catch() may drop the +stream whether an exception has occurred or if the fz_try() ran out of +exception stack. +--- + source/pdf/pdf-stream.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c +index c89da5c4..c6ba7ad3 100644 +--- a/source/pdf/pdf-stream.c ++++ b/source/pdf/pdf-stream.c +@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_ob + *orig_gen = 0; + } + +- fz_var(chain); ++ chain = fz_keep_stream(ctx, chain); + + fz_try(ctx) + { + len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length)); + +- /* don't close chain when we close this filter */ +- chain2 = fz_keep_stream(ctx, chain); ++ chain2 = chain; + chain = NULL; + chain = fz_open_null(ctx, chain2, len, offset); + +-- +2.16.3 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index a5d57cd5ec..84b53b00b4 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -574,7 +574,9 @@ extracting content or merging files.") (uri (string-append "https://mupdf.com/downloads/archive/" name "-" version "-source.tar.xz")) (patches (search-patches "mupdf-build-with-latest-openjpeg.patch" - "mupdf-CVE-2017-17858.patch")) + "mupdf-CVE-2017-17858.patch" + "mupdf-CVE-2018-6544.patch" + "mupdf-CVE-2018-1000051.patch")) (sha256 (base32 "0b9j0gqbc3jhmx87r6idcsh8lnb30840c3hyx6dk2gdjqqh3hysp")) |