guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: mupdf: Fix CVE-2017-{5896,5991}.


From: Leo Famulari
Subject: 01/01: gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Fri, 3 Mar 2017 04:55:00 -0500 (EST)

lfam pushed a commit to branch master
in repository guix.

commit 92ae98e2a0c2ffc807111dbf7616df47a9d3b31c
Author: Alex Vong <address@hidden>
Date:   Thu Mar 2 19:59:05 2017 +0800

    gnu: mupdf: Fix CVE-2017-{5896,5991}.
    
    * gnu/packages/patches/mupdf-CVE-2017-5896.patch,
    gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
    * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches.
    * gnu/local.mk (dist_patch_DATA): Add them.
    
    Signed-off-by: Leo Famulari <address@hidden>
---
 gnu/local.mk                                   |   2 +
 gnu/packages/patches/mupdf-CVE-2017-5896.patch |  63 +++++++++++++++
 gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 +++++++++++++++++++++++++
 gnu/packages/pdf.scm                           |   5 +-
 4 files changed, 170 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 406e0dc..584ab75 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,6 +764,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch     \
   %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch         \
   %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch         \
+  %D%/packages/patches/mupdf-CVE-2017-5896.patch               \
+  %D%/packages/patches/mupdf-CVE-2017-5991.patch               \
   %D%/packages/patches/mupen64plus-ui-console-notice.patch     \
   %D%/packages/patches/musl-CVE-2016-8859.patch                        \
   %D%/packages/patches/mutt-store-references.patch             \
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch 
b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
new file mode 100644
index 0000000..1537ecc
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-5896:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697515
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
+http://www.openwall.com/lists/oss-security/2017/02/10/1
+https://security-tracker.debian.org/tracker/CVE-2017-5896
+https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
+
+From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
+From: Robin Watts <address@hidden>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index a8317127..f1291dc2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int 
h, int f, int factor,
+       
"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+       "ldr    r4, [r13,#4*22]         @ r4 = divXY                    \n"
+       "ldr    r5, [r13,#4*11]         @ for (nn = n; nn > 0; n--) {   \n"
++      "ldr    r8, [r13,#4*17]         @ r8 = back4                    \n"
+       "18:                            @                               \n"
+       "mov    r14,#0                  @ r14= v = 0                    \n"
+       "sub    r5, r5, r1, LSL #8      @ for (xx = x; xx > 0; x--) {   \n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int 
h, int f, int factor,
+       "mul    r14,r4, r14             @ r14= v *= divX                \n"
+       "mov    r14,r14,LSR #16         @ r14= v >>= 16                 \n"
+       "strb   r14,[r9], #1            @ *d++ = r14                    \n"
+-      "sub    r0, r0, r8              @ s -= back2                    \n"
++      "sub    r0, r0, r8              @ s -= back4                    \n"
+       "subs   r5, r5, #1              @ n--                           \n"
+       "bgt    18b                     @ }                             \n"
+       "21:                            @                               \n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, 
int factor)
+               x += f;
+               if (x > 0)
+               {
++                      int back4 = x * n - 1;
+                       div = x * y;
+                       for (nn = n; nn > 0; nn--)
+                       {
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, 
int factor)
+                                       s -= back5;
+                               }
+                               *d++ = v / div;
+-                              s -= back2;
++                              s -= back4;
+                       }
+               }
+       }
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch 
b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
new file mode 100644
index 0000000..1fa6dc3
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
@@ -0,0 +1,101 @@
+Fix CVE-2017-5991:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697500
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
+https://security-tracker.debian.org/tracker/CVE-2017-5991
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465
+
+From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
+From: Robin Watts <address@hidden>
+Date: Thu, 9 Feb 2017 15:49:15 +0000
+Subject: [PATCH] Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index a3ea895d..f1eac8d3 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor 
*proc, pdf_xobject *xobj, pdf
+       pdf_run_processor *pr = (pdf_run_processor *)proc;
+       pdf_gstate *gstate = NULL;
+       int oldtop = 0;
++      int oldbot = -1;
+       fz_matrix local_transform = *transform;
+       softmask_save softmask = { NULL };
+       int gparent_save;
+@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor 
*proc, pdf_xobject *xobj, pdf
+       fz_var(cleanup_state);
+       fz_var(gstate);
+       fz_var(oldtop);
++      fz_var(oldbot);
+ 
+       gparent_save = pr->gparent;
+       pr->gparent = pr->gtop;
++      oldtop = pr->gtop;
+ 
+       fz_try(ctx)
+       {
+               pdf_gsave(ctx, pr);
+ 
+               gstate = pr->gstate + pr->gtop;
+-              oldtop = pr->gtop;
+ 
+               pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
+               pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
+@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor 
*proc, pdf_xobject *xobj, pdf
+ 
+               doc = pdf_get_bound_document(ctx, xobj->obj);
+ 
++              oldbot = pr->gbot;
++              pr->gbot = pr->gtop;
++
+               pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, 
xobj->obj, NULL);
+       }
+       fz_always(ctx)
+       {
++              /* Undo any gstate mismatches due to the pdf_process_contents 
call */
++              if (oldbot != -1)
++              {
++                      while (pr->gtop > pr->gbot)
++                      {
++                              pdf_grestore(ctx, pr);
++                      }
++                      pr->gbot = oldbot;
++              }
++
+               if (cleanup_state >= 3)
+-                      pdf_grestore(ctx, pr); /* Remove the clippath */
++                      pdf_grestore(ctx, pr); /* Remove the state we pushed 
for the clippath */
+ 
+               /* wrap up transparency stacks */
+               if (transparency)
+@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor 
*proc, pdf_xobject *xobj, pdf
+               pr->gstate[pr->gparent].ctm = gparent_save_ctm;
+               pr->gparent = gparent_save;
+ 
+-              if (gstate)
+-              {
+-                      while (oldtop < pr->gtop)
+-                              pdf_grestore(ctx, pr);
+-
++              while (oldtop < pr->gtop)
+                       pdf_grestore(ctx, pr);
+-              }
+ 
+               pdf_unmark_obj(ctx, xobj->obj);
+       }
+-- 
+2.12.0
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index a229d68..13dbd0e 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -11,6 +11,7 @@
 ;;; Coypright © 2016 Julien Lepiller <address@hidden>
 ;;; Copyright © 2016 Arun Isaac <address@hidden>
 ;;; Copyright © 2017 Leo Famulari <address@hidden>
+;;; Copyright © 2017 Alex Vong <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -550,7 +551,9 @@ and examining the file structure (pdfshow).")
           (append
             (origin-patches (package-source mupdf))
             (search-patches "mupdf-mujs-CVE-2016-10132.patch"
-                            "mupdf-mujs-CVE-2016-10133.patch")))))))
+                            "mupdf-mujs-CVE-2016-10133.patch"
+                            "mupdf-CVE-2017-5896.patch"
+                            "mupdf-CVE-2017-5991.patch")))))))
 
 (define-public qpdf
   (package



reply via email to

[Prev in Thread] Current Thread [Next in Thread]