diff options
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/gpsbabel-minizip.patch | 13 | ||||
-rw-r--r-- | gnu/packages/patches/gpsbabel-qstring.patch | 69 | ||||
-rw-r--r-- | gnu/packages/patches/hwloc-tests-without-sysfs.patch | 42 | ||||
-rw-r--r-- | gnu/packages/patches/luajit-symlinks.patch | 25 | ||||
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 138 | ||||
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 59 | ||||
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-3.patch | 84 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-CVE-2017-17858.patch | 111 | ||||
-rw-r--r-- | gnu/packages/patches/p7zip-CVE-2017-17969.patch | 35 |
9 files changed, 551 insertions, 25 deletions
diff --git a/gnu/packages/patches/gpsbabel-minizip.patch b/gnu/packages/patches/gpsbabel-minizip.patch new file mode 100644 index 0000000000..8f3bb36f57 --- /dev/null +++ b/gnu/packages/patches/gpsbabel-minizip.patch @@ -0,0 +1,13 @@ +Patch taken from https://sources.debian.org/data/main/g/gpsbabel/1.5.3-2/debian/patches/use_minizip. + +--- a/Makefile.in ++++ b/Makefile.in +@@ -120,7 +120,7 @@ LIBOBJS = queue.o route.o waypt.o filter + src/core/usasciicodec.o\ + src/core/ziparchive.o \ + $(GARMIN) $(JEEPS) $(SHAPE) @ZLIB@ $(FMTS) $(FILTERS) +-OBJS = main.o globals.o $(LIBOBJS) @FILEINFO@ ++OBJS = main.o globals.o $(MINIZIP) $(LIBOBJS) @FILEINFO@ + + DEPFILES = $(OBJS:.o=.d) + \ No newline at end of file diff --git a/gnu/packages/patches/gpsbabel-qstring.patch b/gnu/packages/patches/gpsbabel-qstring.patch new file mode 100644 index 0000000000..8ba1a7213b --- /dev/null +++ b/gnu/packages/patches/gpsbabel-qstring.patch @@ -0,0 +1,69 @@ +Extracted from following patch of gpsbabel: +https://github.com/gpsbabel/gpsbabel/commit/604178aa8ad4d3c3ad218df24c1e9a6a1f683bb3 + +From 604178aa8ad4d3c3ad218df24c1e9a6a1f683bb3 Mon Sep 17 00:00:00 2001 +From: Harel Mazor <harel.mazor@gmail.com> +Date: Tue, 24 Jan 2017 00:35:04 +0200 +Subject: [PATCH] Added geojson read capablity, moved magic strings to + constants, fixed windows compilation issues. + +--- a/tef_xml.cc ++++ b/tef_xml.cc +@@ -72,11 +72,11 @@ tef_start(xg_string args, const QXmlStreamAttributes* attrv) + bool valid = false; + + foreach(QXmlStreamAttribute attr, *attrv) { +- if (attr.name().compare("Comment", Qt::CaseInsensitive) == 0) { +- if (attr.value().compare("TourExchangeFormat", Qt::CaseInsensitive) == 0) { ++ if (attr.name().compare(QString("Comment"), Qt::CaseInsensitive) == 0) { ++ if (attr.value().compare(QString("TourExchangeFormat"), Qt::CaseInsensitive) == 0) { + valid = true; + } +- } else if (attr.name().compare("Version", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("Version"), Qt::CaseInsensitive) == 0) { + version = attr.value().toString().toDouble(); + } + } +@@ -95,9 +95,9 @@ tef_header(xg_string args, const QXmlStreamAttributes* attrv) + { + route = route_head_alloc(); + foreach(QXmlStreamAttribute attr, *attrv) { +- if (attr.name().compare("Name", Qt::CaseInsensitive) == 0) { ++ if (attr.name().compare(QString("Name"), Qt::CaseInsensitive) == 0) { + route->rte_name = attr.value().toString().trimmed(); +- } else if (attr.name().compare("Software", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("Software"), Qt::CaseInsensitive) == 0) { + route->rte_desc = attr.value().toString().trimmed(); + } + } +@@ -248,20 +248,20 @@ tef_item_start(xg_string args, const QXmlStreamAttributes* attrv) + QString attrstr = attr.value().toString(); + QByteArray attrtext = attrstr.toUtf8(); + +- if (attr.name().compare("SegDescription", Qt::CaseInsensitive) == 0) { ++ if (attr.name().compare(QString("SegDescription"), Qt::CaseInsensitive) == 0) { + wpt_tmp->shortname = attrstr.trimmed(); +- } else if (attr.name().compare("PointDescription", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("PointDescription"), Qt::CaseInsensitive) == 0) { + wpt_tmp->description = attrstr.trimmed(); +- } else if (attr.name().compare("ViaStation", Qt::CaseInsensitive) == 0 && +- attr.value().compare("true", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("ViaStation"), Qt::CaseInsensitive) == 0 && ++ attr.value().compare(QString("true"), Qt::CaseInsensitive) == 0) { + wpt_tmp->wpt_flags.fmt_use = 1; /* only a flag */ + + /* new in TEF V2 */ +- } else if (attr.name().compare("Instruction", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("Instruction"), Qt::CaseInsensitive) == 0) { + wpt_tmp->description = attrstr.trimmed(); +- } else if (attr.name().compare("Altitude", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("Altitude"), Qt::CaseInsensitive) == 0) { + wpt_tmp->altitude = attrstr.toDouble(); +- } else if (attr.name().compare("TimeStamp", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("TimeStamp"), Qt::CaseInsensitive) == 0) { + /* nothing for the moment */ + } + } +-- +2.16.1 + diff --git a/gnu/packages/patches/hwloc-tests-without-sysfs.patch b/gnu/packages/patches/hwloc-tests-without-sysfs.patch new file mode 100644 index 0000000000..ea6ec41616 --- /dev/null +++ b/gnu/packages/patches/hwloc-tests-without-sysfs.patch @@ -0,0 +1,42 @@ +Fix a test failure in the build environment, where /sys is missing. +From <https://github.com/bgoglin/hwloc/commit/a2cc4f2e2bf4a8bbdd61b578a62e27e7482799cf.patch>. + +From a2cc4f2e2bf4a8bbdd61b578a62e27e7482799cf Mon Sep 17 00:00:00 2001 +From: Brice Goglin <Brice.Goglin@inria.fr> +Date: Tue, 6 Feb 2018 17:13:26 +0100 +Subject: [PATCH] linux: honor the filtering cores and packages when reading + topology from cpuinfo + +Caused a make check crash in lstopo --filter all:none in chroot without sysfs. + +Thanks to Ludovic Courtes for the report. + +Signed-off-by: Brice Goglin <Brice.Goglin@inria.fr> +--- + hwloc/topology-linux.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hwloc/topology-linux.c b/hwloc/topology-linux.c +index 290da0d72..e1bbf94e1 100644 +--- a/hwloc/topology-linux.c ++++ b/hwloc/topology-linux.c +@@ -4101,7 +4101,8 @@ look_cpuinfo(struct hwloc_topology *topology, + } + /* create package objects */ + hwloc_debug("%u pkgs%s\n", numpkgs, missingpkg ? ", but some missing package" : ""); +- if (!missingpkg && numpkgs>0) { ++ if (!missingpkg && numpkgs>0 ++ && hwloc_filter_check_keep_object_type(topology, HWLOC_OBJ_PACKAGE)) { + for (i = 0; i < numpkgs; i++) { + struct hwloc_obj *obj = hwloc_alloc_setup_object(topology, HWLOC_OBJ_PACKAGE, Lpkg_to_Ppkg[i]); + int doneinfos = 0; +@@ -4145,7 +4146,8 @@ look_cpuinfo(struct hwloc_topology *topology, + } + /* create Core objects */ + hwloc_debug("%u cores%s\n", numcores, missingcore ? ", but some missing core" : ""); +- if (!missingcore && numcores>0) { ++ if (!missingcore && numcores>0 ++ && hwloc_filter_check_keep_object_type(topology, HWLOC_OBJ_CORE)) { + for (i = 0; i < numcores; i++) { + struct hwloc_obj *obj = hwloc_alloc_setup_object(topology, HWLOC_OBJ_CORE, Lcore_to_Pcore[i]); + obj->cpuset = hwloc_bitmap_alloc(); diff --git a/gnu/packages/patches/luajit-symlinks.patch b/gnu/packages/patches/luajit-symlinks.patch deleted file mode 100644 index 2466c34144..0000000000 --- a/gnu/packages/patches/luajit-symlinks.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 0a54a8f125d7ab508c7c88d5ad4ed1b0c63cb5b6 Mon Sep 17 00:00:00 2001 -From: =?utf8?q?Tom=C3=A1=C5=A1=20=C4=8Cech?= <sleep_walker@suse.cz> -Date: Wed, 4 Feb 2015 11:32:55 +0100 -Subject: [PATCH 1/2] Provide two symlinks for dynamic library during install - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 0891b71..343ecb5 100644 ---- a/Makefile -+++ b/Makefile -@@ -56,7 +56,7 @@ INSTALL_PCNAME= luajit.pc - INSTALL_STATIC= $(INSTALL_LIB)/$(INSTALL_ANAME) - INSTALL_DYN= $(INSTALL_LIB)/$(INSTALL_SONAME) - INSTALL_SHORT1= $(INSTALL_LIB)/$(INSTALL_SOSHORT) --INSTALL_SHORT2= $(INSTALL_LIB)/$(INSTALL_SOSHORT) -+INSTALL_SHORT2= $(INSTALL_LIB)/$(INSTALL_SOSHORT).$(MAJVER) - INSTALL_T= $(INSTALL_BIN)/$(INSTALL_TNAME) - INSTALL_TSYM= $(INSTALL_BIN)/$(INSTALL_TSYMNAME) - INSTALL_PC= $(INSTALL_PKGCONFIG)/$(INSTALL_PCNAME) --- -2.2.2 - diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch new file mode 100644 index 0000000000..55fc7daaf3 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch @@ -0,0 +1,138 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 + +To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4 +checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available +for the 0.28.0 release. So it should be safe to remove hunk #4. + +From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino <wiiaboo@gmail.com> +Date: Fri, 26 Jan 2018 01:19:04 +0000 +Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from + youtube-dl + +Not very clean since there's a lot of potential unsafe urls that youtube-dl +can give us, depending on whether it's a single url, split tracks, +playlists, segmented dash, etc. +--- + player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 47 insertions(+), 7 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index dd96ecc01d..b480c21625 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -16,6 +16,18 @@ local ytdl = { + + local chapter_list = {} + ++function Set (t) ++ local set = {} ++ for _, v in pairs(t) do set[v] = true end ++ return set ++end ++ ++local safe_protos = Set { ++ "http", "https", "ftp", "ftps", ++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte", ++ "data" ++} ++ + local function exec(args) + local ret = utils.subprocess({args = args}) + return ret.status, ret.stdout, ret +@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base) + + for i = offset, #fragments do + local fragment = fragments[i] ++ if not url_is_safe(join_url(base, fragment)) then ++ return nil ++ end + table.insert(parts, edl_escape(join_url(base, fragment))) + if fragment.duration then + parts[#parts] = +@@ -208,6 +223,15 @@ local function proto_is_dash(json) + or json["protocol"] == "http_dash_segments" + end + ++local function url_is_safe(url) ++ local proto = type(url) == "string" and url:match("^(.+)://") or nil ++ local safe = proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function add_single_video(json) + local streamurl = "" + local max_bitrate = 0 +@@ -238,14 +264,18 @@ local function add_single_video(json) + edl_track = edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) ++ local url = edl_track or track.url ++ if not url_is_safe(url) then ++ return ++ end + if track.acodec and track.acodec ~= "none" then + -- audio track + mp.commandv("audio-add", +- edl_track or track.url, "auto", ++ url, "auto", + track.format_note or "") + elseif track.vcodec and track.vcodec ~= "none" then + -- video track +- streamurl = edl_track or track.url ++ streamurl = url + end + end + +@@ -264,7 +294,13 @@ local function add_single_video(json) + + msg.debug("streamurl: " .. streamurl) + +- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1)) ++ streamurl = streamurl:gsub("^data:", "data://", 1) ++ ++ if not url_is_safe(streamurl) then ++ return ++ end ++ ++ mp.set_property("stream-open-filename", streamurl) + + mp.set_property("file-local-options/force-media-title", json.title) + +@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function () + site = entry["webpage_url"] + end + +- if not (site:find("https?://") == 1) then +- site = "ytdl://" .. site ++ -- links with only youtube id as returned by --flat-playlist ++ if not site:find("://") then ++ table.insert(playlist, "ytdl://" .. site) ++ elseif url_is_safe(site) then ++ table.insert(playlist, site) + end +- table.insert(playlist, site) + + end + +- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n")) ++ if #playlist > 0 then ++ mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n")) ++ end + end + + else -- probably a video +-- +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch new file mode 100644 index 0000000000..b37e33a641 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch @@ -0,0 +1,59 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f + +From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino <wiiaboo@gmail.com> +Date: Fri, 26 Jan 2018 11:26:27 +0000 +Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code + +lua isn't javascript. +--- + player/lua/ytdl_hook.lua | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index b480c21625..458c94af38 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -84,6 +84,15 @@ local function edl_escape(url) + return "%" .. string.len(url) .. "%" .. url + end + ++local function url_is_safe(url) ++ local proto = type(url) == "string" and url:match("^(.+)://") or nil ++ local safe = proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function time_to_secs(time_string) + local ret + +@@ -223,15 +232,6 @@ local function proto_is_dash(json) + or json["protocol"] == "http_dash_segments" + end + +-local function url_is_safe(url) +- local proto = type(url) == "string" and url:match("^(.+)://") or nil +- local safe = proto and safe_protos[proto] +- if not safe then +- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) +- end +- return safe +-end +- + local function add_single_video(json) + local streamurl = "" + local max_bitrate = 0 +-- +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch new file mode 100644 index 0000000000..dc3e272d37 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch @@ -0,0 +1,84 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828 + +From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino <wiiaboo@gmail.com> +Date: Fri, 26 Jan 2018 18:54:17 +0000 +Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls + +--- + player/lua/ytdl_hook.lua | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index 458c94af38..6c8e78657d 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -264,18 +264,17 @@ local function add_single_video(json) + edl_track = edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) +- local url = edl_track or track.url +- if not url_is_safe(url) then ++ if not edl_track and not url_is_safe(track.url) then + return + end + if track.acodec and track.acodec ~= "none" then + -- audio track + mp.commandv("audio-add", +- url, "auto", ++ edl_track or track.url, "auto", + track.format_note or "") + elseif track.vcodec and track.vcodec ~= "none" then + -- video track +- streamurl = url ++ streamurl = edl_track or track.url + end + end + +@@ -284,6 +283,9 @@ local function add_single_video(json) + edl_track = edl_track_joined(json.fragments, json.protocol, + json.is_live, json.fragment_base_url) + ++ if not edl_track and not url_is_safe(json.url) then ++ return ++ end + -- normal video or single track + streamurl = edl_track or json.url + set_http_headers(json.http_headers) +@@ -294,13 +296,7 @@ local function add_single_video(json) + + msg.debug("streamurl: " .. streamurl) + +- streamurl = streamurl:gsub("^data:", "data://", 1) +- +- if not url_is_safe(streamurl) then +- return +- end +- +- mp.set_property("stream-open-filename", streamurl) ++ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1)) + + mp.set_property("file-local-options/force-media-title", json.title) + +@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function () + + msg.debug("EDL: " .. playlist) + ++ if not playlist then ++ return ++ end ++ + -- can't change the http headers for each entry, so use the 1st + if json.entries[1] then + set_http_headers(json.entries[1].http_headers) +-- +2.16.1 + diff --git a/gnu/packages/patches/mupdf-CVE-2017-17858.patch b/gnu/packages/patches/mupdf-CVE-2017-17858.patch new file mode 100644 index 0000000000..66df127509 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2017-17858.patch @@ -0,0 +1,111 @@ +Fix CVE-2017-17858: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17858 +https://bugs.ghostscript.com/show_bug.cgi?id=698819 +https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md + +Patch copied from upstream source repository: + +https://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731 + +From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen <sebras@gmail.com> +Date: Mon, 11 Dec 2017 14:09:15 +0100 +Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below + limit. + +This ensures that: + * xref tables with objects pointers do not grow out of bounds. + * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf. +--- + include/mupdf/pdf/object.h | 3 +++ + source/pdf/pdf-repair.c | 5 +---- + source/pdf/pdf-xref.c | 21 ++++++++++++--------- + 3 files changed, 16 insertions(+), 13 deletions(-) + +diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h +index 21ed8595..4177112b 100644 +--- a/include/mupdf/pdf/object.h ++++ b/include/mupdf/pdf/object.h +@@ -3,6 +3,9 @@ + + typedef struct pdf_document_s pdf_document; + ++/* Defined in PDF 1.7 according to Acrobat limit. */ ++#define PDF_MAX_OBJECT_NUMBER 8388607 ++ + /* + * Dynamic objects. + * The same type of objects as found in PDF and PostScript. +diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c +index ca149bd3..0c29758e 100644 +--- a/source/pdf/pdf-repair.c ++++ b/source/pdf/pdf-repair.c +@@ -6,9 +6,6 @@ + + /* Scan file for objects and reconstruct xref table */ + +-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */ +-#define MAX_OBJECT_NUMBER (10 << 20) +- + struct entry + { + int num; +@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc) + break; + } + +- if (num <= 0 || num > MAX_OBJECT_NUMBER) ++ if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER) + { + fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen); + goto have_next_token; +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 00586dbd..6284e70b 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR); + } + +- if (ofs < 0) +- fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs); +- if (ofs > INT64_MAX - len) +- fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big"); +- ++ if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER ++ || len < 0 || len > PDF_MAX_OBJECT_NUMBER ++ || ofs + len - 1 > PDF_MAX_OBJECT_NUMBER) ++ { ++ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range"); ++ } + /* broken pdfs where size in trailer undershoots entries in xref sections */ + if (ofs + len > xref_len) + { +@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in + pdf_xref_entry *table; + int i, n; + +- if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1) +- fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index"); +- //if (i0 + i1 > pdf_xref_len(ctx, doc)) +- // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries"); ++ if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range"); + + table = pdf_xref_find_subsection(ctx, doc, i0, i1); + for (i = i0; i < i0 + i1; i++) +@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc) + /* TODO: reuse free object slots by properly linking free object chains in the ofs field */ + pdf_xref_entry *entry; + int num = pdf_xref_len(ctx, doc); ++ ++ if (num > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf"); ++ + entry = pdf_get_incremental_xref_entry(ctx, doc, num); + entry->type = 'f'; + entry->ofs = -1; +-- +2.16.1 + diff --git a/gnu/packages/patches/p7zip-CVE-2017-17969.patch b/gnu/packages/patches/p7zip-CVE-2017-17969.patch new file mode 100644 index 0000000000..51c24000e5 --- /dev/null +++ b/gnu/packages/patches/p7zip-CVE-2017-17969.patch @@ -0,0 +1,35 @@ +Fix CVE-2017-17969: + +https://sourceforge.net/p/p7zip/bugs/204/ +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969 + +Patch copied from Debian. + +Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp +Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch +Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7 +Bug: https://sourceforge.net/p/p7zip/bugs/204/ +Bug-Debian: https://bugs.debian.org/888297 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969 +Author: Antoine Beaupré <anarcat@debian.org> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2018-02-01 +Applied-Upstream: 18.00-beta + +--- a/CPP/7zip/Compress/ShrinkDecoder.cpp ++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp +@@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialIn + { + _stack[i++] = _suffixes[cur]; + cur = _parents[cur]; ++ if (cur >= kNumItems || i >= kNumItems) ++ break; + } +- ++ ++ if (cur >= kNumItems || i >= kNumItems) ++ break; ++ + _stack[i++] = (Byte)cur; + lastChar2 = (Byte)cur; + |