
01/01: gnu: mupdf: Fix CVE-2017-{14685,14686,14687}.


From: Leo Famulari
Subject: 01/01: gnu: mupdf: Fix CVE-2017-{14685,14686,14687}.
Date: Tue, 24 Oct 2017 13:46:33 -0400 (EDT)

lfam pushed a commit to branch master
in repository guix.

commit ae7e24c4210e68b1761dc26bcba20786675ca37d
Author: Leo Famulari <address@hidden>
Date:   Tue Oct 24 13:43:55 2017 -0400

    gnu: mupdf: Fix CVE-2017-{14685,14686,14687}.
    
    * gnu/packages/patches/mupdf-CVE-2017-14685.patch,
    gnu/packages/patches/mupdf-CVE-2017-14686.patch,
    gnu/packages/patches/mupdf-CVE-2017-14687.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/pdf.scm (mupdf)[source]: Use them.
---
 gnu/local.mk                                    |   3 +
 gnu/packages/patches/mupdf-CVE-2017-14685.patch |  34 +++++++
 gnu/packages/patches/mupdf-CVE-2017-14686.patch |  34 +++++++
 gnu/packages/patches/mupdf-CVE-2017-14687.patch | 130 ++++++++++++++++++++++++
 gnu/packages/pdf.scm                            |   3 +
 5 files changed, 204 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index d02b250..f2044c9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -880,6 +880,9 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/mozjs38-version-detection.patch         \
   %D%/packages/patches/mumps-build-parallelism.patch           \
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch     \
+  %D%/packages/patches/mupdf-CVE-2017-14685.patch              \
+  %D%/packages/patches/mupdf-CVE-2017-14686.patch              \
+  %D%/packages/patches/mupdf-CVE-2017-14687.patch              \
   %D%/packages/patches/mupdf-CVE-2017-15587.patch              \
   %D%/packages/patches/mupen64plus-ui-console-notice.patch     \
   %D%/packages/patches/mutt-store-references.patch             \
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14685.patch 
b/gnu/packages/patches/mupdf-CVE-2017-14685.patch
new file mode 100644
index 0000000..3fcce5f
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-14685.patch
@@ -0,0 +1,34 @@
+Fix CVE-2017-14685:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14685
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a
+
+From ab1a420613dec93c686acbee2c165274e922f82a Mon Sep 17 00:00:00 2001
+From: Tor Andersson <address@hidden>
+Date: Tue, 19 Sep 2017 15:23:04 +0200
+Subject: [PATCH] Fix 698539: Don't use xps font if it could not be loaded.
+
+xps_load_links_in_glyphs did not cope with font loading failures.
+---
+ source/xps/xps-link.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/xps/xps-link.c b/source/xps/xps-link.c
+index c07e0d7..c26a8d9 100644
+--- a/source/xps/xps-link.c
++++ b/source/xps/xps-link.c
+@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, 
const fz_matrix *ct
+                       bidi_level = atoi(bidi_level_att);
+ 
+               font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, 
style_att);
++              if (!font)
++                      return;
+               text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, 
fz_atof(font_size_att),
+                               fz_atof(origin_x_att), fz_atof(origin_y_att),
+                               is_sideways, bidi_level, indices_att, 
unicode_att);
+-- 
+2.9.1
+
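Review bot: The added `if (!font) return;` in xps_load_links_in_glyphs skips the link silently, so a document whose font fails to load leaves no trace of why its glyph links are missing. A short comment such as `/* font failed to load: skip this link instead of passing NULL to xps_parse_glyphs_imp */` would record why the guard exists, and a warning before the return would make the skipped case visible in logs. The function starts and ends outside the hunk, so whether anything acquired earlier needs releasing before this return cannot be confirmed from the visible lines.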
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14686.patch 
b/gnu/packages/patches/mupdf-CVE-2017-14686.patch
new file mode 100644
index 0000000..e462a6f
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-14686.patch
@@ -0,0 +1,34 @@
+Fix CVE-2017-14686:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14686
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
+
+From 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <address@hidden>
+Date: Tue, 19 Sep 2017 16:33:38 +0200
+Subject: [PATCH] Fix 698540: Check name, comment and meta size field signs.
+
+---
+ source/fitz/unzip.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source/fitz/unzip.c b/source/fitz/unzip.c
+index f2d4f32..0bcce0f 100644
+--- a/source/fitz/unzip.c
++++ b/source/fitz/unzip.c
+@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, 
fz_zip_archive *zip, int start_off
+               (void) fz_read_int32_le(ctx, file); /* ext file atts */
+               offset = fz_read_int32_le(ctx, file);
+ 
++              if (namesize < 0 || metasize < 0 || commentsize < 0)
++                      fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip 
entry");
++
+               name = fz_malloc(ctx, namesize + 1);
+               n = fz_read(ctx, file, (unsigned char*)name, namesize);
+               if (n < (size_t)namesize)
+-- 
+2.9.1
+
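Review bot: The new sign check in read_zip_dir_imp covers namesize, metasize and commentsize, but `offset`, read from the same untrusted directory entry by `fz_read_int32_le` on the line just above, is left unchecked here. If offset is a signed type and is not validated where it is later used (both outside this hunk), extending the guard with `|| offset < 0` would reject such an entry at the same point. The function starts and ends outside the hunk, so the declared types of these fields cannot be confirmed from the visible lines.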
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14687.patch 
b/gnu/packages/patches/mupdf-CVE-2017-14687.patch
new file mode 100644
index 0000000..cdc41df
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-14687.patch
@@ -0,0 +1,130 @@
+Fix CVE-2017-14687:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14687
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
+
+From 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <address@hidden>
+Date: Tue, 19 Sep 2017 17:17:12 +0200
+Subject: [PATCH] Fix 698558: Handle non-tags in tag name comparisons.
+
+Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom.
+---
+ source/html/css-apply.c   | 2 +-
+ source/svg/svg-run.c      | 2 +-
+ source/xps/xps-common.c   | 6 +++---
+ source/xps/xps-glyphs.c   | 2 +-
+ source/xps/xps-path.c     | 4 ++--
+ source/xps/xps-resource.c | 2 +-
+ 6 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source/html/css-apply.c b/source/html/css-apply.c
+index de55490..6a91df0 100644
+--- a/source/html/css-apply.c
++++ b/source/html/css-apply.c
+@@ -328,7 +328,7 @@ match_selector(fz_css_selector *sel, fz_xml *node)
+ 
+       if (sel->name)
+       {
+-              if (strcmp(sel->name, fz_xml_tag(node)))
++              if (!fz_xml_is_tag(node, sel->name))
+                       return 0;
+       }
+ 
+diff --git a/source/svg/svg-run.c b/source/svg/svg-run.c
+index f974c67..5302c64 100644
+--- a/source/svg/svg-run.c
++++ b/source/svg/svg-run.c
+@@ -1044,7 +1044,7 @@ svg_run_use(fz_context *ctx, fz_device *dev, 
svg_document *doc, fz_xml *root, co
+               fz_xml *linked = fz_tree_lookup(ctx, doc->idmap, xlink_href_att 
+ 1);
+               if (linked)
+               {
+-                      if (!strcmp(fz_xml_tag(linked), "symbol"))
++                      if (fz_xml_is_tag(linked, "symbol"))
+                               svg_run_use_symbol(ctx, dev, doc, root, linked, 
&local_state);
+                       else
+                               svg_run_element(ctx, dev, doc, linked, 
&local_state);
+diff --git a/source/xps/xps-common.c b/source/xps/xps-common.c
+index cc7fed9..f2f9b93 100644
+--- a/source/xps/xps-common.c
++++ b/source/xps/xps-common.c
+@@ -47,7 +47,7 @@ xps_parse_brush(fz_context *ctx, xps_document *doc, const 
fz_matrix *ctm, const
+       else if (fz_xml_is_tag(node, "RadialGradientBrush"))
+               xps_parse_radial_gradient_brush(ctx, doc, ctm, area, base_uri, 
dict, node);
+       else
+-              fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node));
++              fz_warn(ctx, "unknown brush tag");
+ }
+ 
+ void
+@@ -85,7 +85,7 @@ xps_begin_opacity(fz_context *ctx, xps_document *doc, const 
fz_matrix *ctm, cons
+       if (opacity_att)
+               opacity = fz_atof(opacity_att);
+ 
+-      if (opacity_mask_tag && !strcmp(fz_xml_tag(opacity_mask_tag), 
"SolidColorBrush"))
++      if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+       {
+               char *scb_opacity_att = fz_xml_att(opacity_mask_tag, "Opacity");
+               char *scb_color_att = fz_xml_att(opacity_mask_tag, "Color");
+@@ -129,7 +129,7 @@ xps_end_opacity(fz_context *ctx, xps_document *doc, char 
*base_uri, xps_resource
+ 
+       if (opacity_mask_tag)
+       {
+-              if (strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++              if (!fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+                       fz_pop_clip(ctx, dev);
+       }
+ }
+diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
+index 29dc5b3..5b26d78 100644
+--- a/source/xps/xps-glyphs.c
++++ b/source/xps/xps-glyphs.c
+@@ -592,7 +592,7 @@ xps_parse_glyphs(fz_context *ctx, xps_document *doc, const 
fz_matrix *ctm,
+ 
+       /* If it's a solid color brush fill/stroke do a simple fill */
+ 
+-      if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++      if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+       {
+               fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+               fill_att = fz_xml_att(fill_tag, "Color");
+diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
+index 6faeb0c..021d202 100644
+--- a/source/xps/xps-path.c
++++ b/source/xps/xps-path.c
+@@ -879,14 +879,14 @@ xps_parse_path(fz_context *ctx, xps_document *doc, const 
fz_matrix *ctm, char *b
+       if (!data_att && !data_tag)
+               return;
+ 
+-      if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++      if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+       {
+               fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+               fill_att = fz_xml_att(fill_tag, "Color");
+               fill_tag = NULL;
+       }
+ 
+-      if (stroke_tag && !strcmp(fz_xml_tag(stroke_tag), "SolidColorBrush"))
++      if (fz_xml_is_tag(stroke_tag, "SolidColorBrush"))
+       {
+               stroke_opacity_att = fz_xml_att(stroke_tag, "Opacity");
+               stroke_att = fz_xml_att(stroke_tag, "Color");
+diff --git a/source/xps/xps-resource.c b/source/xps/xps-resource.c
+index c2292e6..8e81ab8 100644
+--- a/source/xps/xps-resource.c
++++ b/source/xps/xps-resource.c
+@@ -84,7 +84,7 @@ xps_parse_remote_resource_dictionary(fz_context *ctx, 
xps_document *doc, char *b
+       if (!xml)
+               return NULL;
+ 
+-      if (strcmp(fz_xml_tag(xml), "ResourceDictionary"))
++      if (!fz_xml_is_tag(xml, "ResourceDictionary"))
+       {
+               fz_drop_xml(ctx, xml);
+               fz_throw(ctx, FZ_ERROR_GENERIC, "expected ResourceDictionary 
element");
+-- 
+2.9.1
+
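Review bot: Several rewritten conditions drop their explicit NULL guards, for example `if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))` in xps_parse_glyphs and xps_parse_path and the `opacity_mask_tag` test in xps_begin_opacity, so they are safe only if fz_xml_is_tag returns 0 for a NULL node as well as for a non-tag node. Its definition is not part of this patch, so that contract should be confirmed against the pinned mupdf source the Guix package applies the patch to, not only against upstream head. Separately, `fz_warn(ctx, "unknown brush tag");` in xps_parse_brush no longer names the offending element, which makes malformed input harder to triage. All of the touched functions start or end outside their hunks.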
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index ceaccdd..f3df7c1 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -576,6 +576,9 @@ extracting content or merging files.")
          (base32
           "02phamcchgsmvjnb3ir7r5sssvx9fcrscn297z73b82n1jl79510"))
         (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
+                                 "mupdf-CVE-2017-14685.patch"
+                                 "mupdf-CVE-2017-14686.patch"
+                                 "mupdf-CVE-2017-14687.patch"
                                  "mupdf-CVE-2017-15587.patch"))
         (modules '((guix build utils)))
         (snippet


