

[pkgsrc/trunk]: pkgsrc/print/mupdf mupdf: backport patches to fix several pos...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/4390199795b4
branches:  trunk
changeset: 370836:4390199795b4
user:      leot <leot%pkgsrc.org@localhost>
date:      Wed Oct 25 11:00:03 2017 +0000

description:
mupdf: backport patches to fix several possible security issues

Backport patches from upstream to address CVE-2017-14685, CVE-2017-14686,
CVE-2017-14687, CVE-2017-15369 and CVE-2017-15587.

These will not be needed for the next mupdf stable release.

Bump PKGREVISION.

diffstat:

 print/mupdf/Makefile                     |    4 +-
 print/mupdf/distinfo                     |    7 +-
 print/mupdf/patches/patch-CVE-2017-14685 |   20 ++++++
 print/mupdf/patches/patch-CVE-2017-14686 |   19 +++++
 print/mupdf/patches/patch-CVE-2017-14687 |  101 +++++++++++++++++++++++++++++++
 print/mupdf/patches/patch-CVE-2017-15369 |   39 +++++++++++
 print/mupdf/patches/patch-CVE-2017-15587 |   18 +++++
 7 files changed, 205 insertions(+), 3 deletions(-)

diffs (250 lines):

diff -r 7aabd839a02d -r 4390199795b4 print/mupdf/Makefile
--- a/print/mupdf/Makefile      Wed Oct 25 10:42:13 2017 +0000
+++ b/print/mupdf/Makefile      Wed Oct 25 11:00:03 2017 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.53 2017/10/19 20:32:07 leot Exp $
+# $NetBSD: Makefile,v 1.54 2017/10/25 11:00:03 leot Exp $
 
 DISTNAME=      mupdf-1.11-source
 PKGNAME=       ${DISTNAME:S/-source//}
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    print
 MASTER_SITES=  https://mupdf.com/downloads/archive/
 
diff -r 7aabd839a02d -r 4390199795b4 print/mupdf/distinfo
--- a/print/mupdf/distinfo      Wed Oct 25 10:42:13 2017 +0000
+++ b/print/mupdf/distinfo      Wed Oct 25 11:00:03 2017 +0000
@@ -1,9 +1,14 @@
-$NetBSD: distinfo,v 1.37 2017/10/19 20:32:07 leot Exp $
+$NetBSD: distinfo,v 1.38 2017/10/25 11:00:03 leot Exp $
 
 SHA1 (mupdf-1.11-source.tar.gz) = f782d36aaa896319207e81953e5a622201477b5b
 RMD160 (mupdf-1.11-source.tar.gz) = 573307473a1ac81aca4519b0e57a7111aae7803f
 SHA512 (mupdf-1.11-source.tar.gz) = 501670f540e298a8126806ebbd9db8b29866f663b7bbf26c9ade1933e42f0c00ad410b9d93f3ddbfb3e45c38722869095de28d832fe3fb3703c55cc9a01dbf63
 Size (mupdf-1.11-source.tar.gz) = 40156070 bytes
+SHA1 (patch-CVE-2017-14685) = c84be44c21ca29e0d0a455e0d7efe9a38ac46fb5
+SHA1 (patch-CVE-2017-14686) = b573adc7baa25a2f8b2068b1833f4cc17f38f3eb
+SHA1 (patch-CVE-2017-14687) = 651efafea77050216645ded2e2d3592970713b74
+SHA1 (patch-CVE-2017-15369) = 37bc5e52c67591b04640c03f5a227c278a26aa11
+SHA1 (patch-CVE-2017-15587) = 3bdafc7647148b0b29d37804a14306ea4458a529
 SHA1 (patch-Makethird) = a4d1bb3c8d509a84803c9b60521fd9b6b17b9717
 SHA1 (patch-ab) = a18b1e5b82454bdf06e23185e619b7f8c7a24290
 SHA1 (patch-ac) = c2decf6eae4c6343636439c7d7f6621826fc4e3c
diff -r 7aabd839a02d -r 4390199795b4 print/mupdf/patches/patch-CVE-2017-14685
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/mupdf/patches/patch-CVE-2017-14685  Wed Oct 25 11:00:03 2017 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2017-14685,v 1.1 2017/10/25 11:00:03 leot Exp $
+
+Fix 698539: Don't use xps font if it could not be loaded.
+(AKA CVE-2017-14685)
+
+xps_load_links_in_glyphs did not cope with font loading failures.
+
+From upstream commit ab1a420613dec93c686acbee2c165274e922f82a
+
+--- source/xps/xps-link.c.orig
++++ source/xps/xps-link.c
+@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct
+                       bidi_level = atoi(bidi_level_att);
+ 
+               font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att);
++              if (!font)
++                      return;
+               text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att),
+                               fz_atof(origin_x_att), fz_atof(origin_y_att),
+                               is_sideways, bidi_level, indices_att, unicode_att);
diff -r 7aabd839a02d -r 4390199795b4 print/mupdf/patches/patch-CVE-2017-14686
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/mupdf/patches/patch-CVE-2017-14686  Wed Oct 25 11:00:03 2017 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-CVE-2017-14686,v 1.1 2017/10/25 11:00:03 leot Exp $
+
+Fix bug 698540: Check name, comment and meta size field signs.
+(AKA CVE-2017-14686)
+
+From upstream commit 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
+
+--- source/fitz/unzip.c.orig
++++ source/fitz/unzip.c
+@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off
+               (void) fz_read_int32_le(ctx, file); /* ext file atts */
+               offset = fz_read_int32_le(ctx, file);
+ 
++              if (namesize < 0 || metasize < 0 || commentsize < 0)
++                      fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
++
+               name = fz_malloc(ctx, namesize + 1);
+               n = fz_read(ctx, file, (unsigned char*)name, namesize);
+               if (n < (size_t)namesize)
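Review bot: The added sign check leaves the upper bound open: if namesize is an int, as the `(size_t)namesize` cast two lines later suggests, a value of INT_MAX makes the `namesize + 1` passed to fz_malloc on the next line overflow in signed arithmetic, which is undefined behaviour before the allocation size is even formed. The same applies to metasize and commentsize if they feed the same `+ 1` pattern further down the function, which is outside the hunk. A tighter guard is `if (namesize < 0 || metasize < 0 || commentsize < 0 || namesize == INT_MAX || metasize == INT_MAX || commentsize == INT_MAX)`, or better, rejecting any size larger than the bytes remaining in the archive so a hostile central directory cannot request a multi-gigabyte allocation. read_zip_dir_imp starts and ends outside the hunk.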
diff -r 7aabd839a02d -r 4390199795b4 print/mupdf/patches/patch-CVE-2017-14687
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/mupdf/patches/patch-CVE-2017-14687  Wed Oct 25 11:00:03 2017 +0000
@@ -0,0 +1,101 @@
+$NetBSD: patch-CVE-2017-14687,v 1.1 2017/10/25 11:00:03 leot Exp $
+
+Fix 698558: Handle non-tags in tag name comparisons.
+(AKA CVE-2017-14687)
+
+Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom.
+
+From upstream commit 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
+
+--- source/html/css-apply.c.orig
++++ source/html/css-apply.c
+@@ -328,7 +328,7 @@ match_selector(fz_css_selector *sel, fz_xml *node)
+ 
+       if (sel->name)
+       {
+-              if (strcmp(sel->name, fz_xml_tag(node)))
++              if (!fz_xml_is_tag(node, sel->name))
+                       return 0;
+       }
+ 
+--- source/svg/svg-run.c.orig
++++ source/svg/svg-run.c
+@@ -1044,7 +1044,7 @@ svg_run_use(fz_context *ctx, fz_device *dev, svg_document *doc, fz_xml *root, co
+               fz_xml *linked = fz_tree_lookup(ctx, doc->idmap, xlink_href_att + 1);
+               if (linked)
+               {
+-                      if (!strcmp(fz_xml_tag(linked), "symbol"))
++                      if (fz_xml_is_tag(linked, "symbol"))
+                               svg_run_use_symbol(ctx, dev, doc, root, linked, &local_state);
+                       else
+                               svg_run_element(ctx, dev, doc, linked, &local_state);
+--- source/xps/xps-common.c.orig
++++ source/xps/xps-common.c
+@@ -47,7 +47,7 @@ xps_parse_brush(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, const
+       else if (fz_xml_is_tag(node, "RadialGradientBrush"))
+               xps_parse_radial_gradient_brush(ctx, doc, ctm, area, base_uri, dict, node);
+       else
+-              fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node));
++              fz_warn(ctx, "unknown brush tag");
+ }
+ 
+ void
+@@ -85,7 +85,7 @@ xps_begin_opacity(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, cons
+       if (opacity_att)
+               opacity = fz_atof(opacity_att);
+ 
+-      if (opacity_mask_tag && !strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++      if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+       {
+               char *scb_opacity_att = fz_xml_att(opacity_mask_tag, "Opacity");
+               char *scb_color_att = fz_xml_att(opacity_mask_tag, "Color");
+@@ -129,7 +129,7 @@ xps_end_opacity(fz_context *ctx, xps_document *doc, char *base_uri, xps_resource
+ 
+       if (opacity_mask_tag)
+       {
+-              if (strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++              if (!fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+                       fz_pop_clip(ctx, dev);
+       }
+ }
+--- source/xps/xps-glyphs.c.orig
++++ source/xps/xps-glyphs.c
+@@ -592,7 +592,7 @@ xps_parse_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ctm,
+ 
+       /* If it's a solid color brush fill/stroke do a simple fill */
+ 
+-      if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++      if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+       {
+               fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+               fill_att = fz_xml_att(fill_tag, "Color");
+--- source/xps/xps-path.c.orig
++++ source/xps/xps-path.c
+@@ -879,14 +879,14 @@ xps_parse_path(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, char *b
+       if (!data_att && !data_tag)
+               return;
+ 
+-      if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++      if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+       {
+               fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+               fill_att = fz_xml_att(fill_tag, "Color");
+               fill_tag = NULL;
+       }
+ 
+-      if (stroke_tag && !strcmp(fz_xml_tag(stroke_tag), "SolidColorBrush"))
++      if (fz_xml_is_tag(stroke_tag, "SolidColorBrush"))
+       {
+               stroke_opacity_att = fz_xml_att(stroke_tag, "Opacity");
+               stroke_att = fz_xml_att(stroke_tag, "Color");
+--- source/xps/xps-resource.c.orig
++++ source/xps/xps-resource.c
+@@ -84,7 +84,7 @@ xps_parse_remote_resource_dictionary(fz_context *ctx, xps_document *doc, char *b
+       if (!xml)
+               return NULL;
+ 
+-      if (strcmp(fz_xml_tag(xml), "ResourceDictionary"))
++      if (!fz_xml_is_tag(xml, "ResourceDictionary"))
+       {
+               fz_drop_xml(ctx, xml);
+               fz_throw(ctx, FZ_ERROR_GENERIC, "expected ResourceDictionary element");
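Review bot: Several of the rewritten conditions drop the explicit NULL guard — `if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))` in xps_begin_opacity and the fill_tag/stroke_tag tests in xps_parse_glyphs and xps_parse_path — so they now rely on fz_xml_is_tag returning 0 for a NULL node; upstream's helper presumably does, but since fz_xml_is_tag itself is not touched by this backport that should be confirmed against the copy in the 1.11 tree it is applied to. The warning in xps_parse_brush also loses its diagnostic value: `fz_warn(ctx, "unknown brush tag")` no longer says which element was unexpected. If fz_xml_tag returns NULL for non-element nodes, as the patch header implies, `fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node) ? fz_xml_tag(node) : "(not an element)")` keeps the name whenever there is one while still avoiding the NULL `%s`. All of the enclosing functions start and end outside their hunks.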
diff -r 7aabd839a02d -r 4390199795b4 print/mupdf/patches/patch-CVE-2017-15369
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/mupdf/patches/patch-CVE-2017-15369  Wed Oct 25 11:00:03 2017 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-CVE-2017-15369,v 1.1 2017/10/25 11:00:03 leot Exp $
+
+Bug 698592: Mark variable fz_var(), avoiding optimization.
+(AKA CVE-2017-15369)
+
+The change in 2707fa9e8e6d17d794330e719dec1b08161fb045
+in build_filter_chain() allows for the variable chain
+to reside in a register, which means that the bug is
+likely to only be visible if built under optimization.
+
+First the chain variable is transferred to chain2, then
+set to NULL, then when an exception occurs in build_filter()
+the filter chain will be freed by build_filter(). Next
+the expectation is that execution proceeds to fz_catch()
+where fz_drop_stream() would be called with chain == NULL.
+
+However due to the chain variable residing in a register,
+its value is not NULL as expected, but was reset to its
+original value upon the exception (since they use setjmp()),
+hence fz_drop_stream() is called with a non-NULL value.
+
+Marking the chain variable with fz_var() prevents the
+compiler from allowing the chain variable to reside in
+a register and hence its value will remain NULL and
+never be reset.
+
+From upstream commit c2663e51238ec8256da7fc61ad580db891d9fe9a
+
+--- source/pdf/pdf-stream.c.orig
++++ source/pdf/pdf-stream.c
+@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
+       pdf_obj *p;
+       int i, n;
+ 
++      fz_var(chain);
++
+       fz_try(ctx)
+       {
+               n = pdf_array_len(ctx, fs);
diff -r 7aabd839a02d -r 4390199795b4 print/mupdf/patches/patch-CVE-2017-15587
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/mupdf/patches/patch-CVE-2017-15587  Wed Oct 25 11:00:03 2017 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-CVE-2017-15587,v 1.1 2017/10/25 11:00:03 leot Exp $
+
+Check for integer overflow when validating new style xref Index.
+(AKA CVE-2017-15587)
+
+From upstream commit 82df2631d7d0446b206ea6b434ea609b6c28b0e8
+
+--- source/pdf/pdf-xref.c.orig
++++ source/pdf/pdf-xref.c
+@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
+       pdf_xref_entry *table;
+       int i, n;
+ 
+-      if (i0 < 0 || i1 < 0)
++      if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+               fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+       //if (i0 + i1 > pdf_xref_len(ctx, doc))
+       //      fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
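Review bot: `(i0+i1) < 0` detects the wrap by performing the overflow, which is undefined behaviour if i0 and i1 are ints as the signed comparisons suggest; because the two preceding tests already establish both as non-negative, an optimising compiler is entitled to fold the new term to false, so the check may never fire in an -O2 build. Test the sum without computing it, using INT_MAX from <limits.h>: `if (i0 < 0 || i1 < 0 || i1 > INT_MAX - i0)`. Note also that the bound against pdf_xref_len on the following two lines stays commented out, so the total is still only checked for sign and not against the real table size. pdf_read_new_xref_section continues outside the hunk.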


