pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: [pkgsrc-2017Q3] pkgsrc/print/mupdf
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Nov 4 17:48:30 UTC 2017
Modified Files:
pkgsrc/print/mupdf [pkgsrc-2017Q3]: Makefile distinfo
Added Files:
pkgsrc/print/mupdf/patches [pkgsrc-2017Q3]: patch-CVE-2017-14685
patch-CVE-2017-14686 patch-CVE-2017-14687 patch-CVE-2017-15369
patch-CVE-2017-15587
Log Message:
Pullup ticket #5595 - requested by sevan
print/mupdf: security fix
Revisions pulled up:
- print/mupdf/Makefile 1.54
- print/mupdf/distinfo 1.38
- print/mupdf/patches/patch-CVE-2017-14685 1.1
- print/mupdf/patches/patch-CVE-2017-14686 1.1
- print/mupdf/patches/patch-CVE-2017-14687 1.1
- print/mupdf/patches/patch-CVE-2017-15369 1.1
- print/mupdf/patches/patch-CVE-2017-15587 1.1
---
Module Name: pkgsrc
Committed By: leot
Date: Wed Oct 25 11:00:03 UTC 2017
Modified Files:
pkgsrc/print/mupdf: Makefile distinfo
Added Files:
pkgsrc/print/mupdf/patches: patch-CVE-2017-14685
patch-CVE-2017-14686
patch-CVE-2017-14687 patch-CVE-2017-15369 patch-CVE-2017-15587
Log Message:
mupdf: backport patches to fix several possible security issues
Backport patches from upstream to address CVE-2017-14685, CVE-2017-14686,
CVE-2017-14687, CVE-2017-15369 and CVE-2017-15587.
These will not be needed for the next mupdf stable release.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.52.4.1 -r1.52.4.2 pkgsrc/print/mupdf/Makefile
cvs rdiff -u -r1.36.4.1 -r1.36.4.2 pkgsrc/print/mupdf/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/print/mupdf/patches/patch-CVE-2017-14685 \
pkgsrc/print/mupdf/patches/patch-CVE-2017-14686 \
pkgsrc/print/mupdf/patches/patch-CVE-2017-14687 \
pkgsrc/print/mupdf/patches/patch-CVE-2017-15369 \
pkgsrc/print/mupdf/patches/patch-CVE-2017-15587
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/print/mupdf/Makefile
diff -u pkgsrc/print/mupdf/Makefile:1.52.4.1 pkgsrc/print/mupdf/Makefile:1.52.4.2
--- pkgsrc/print/mupdf/Makefile:1.52.4.1 Sun Oct 22 18:12:21 2017
+++ pkgsrc/print/mupdf/Makefile Sat Nov 4 17:48:30 2017
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.52.4.1 2017/10/22 18:12:21 bsiegert Exp $
+# $NetBSD: Makefile,v 1.52.4.2 2017/11/04 17:48:30 bsiegert Exp $
DISTNAME= mupdf-1.11-source
PKGNAME= ${DISTNAME:S/-source//}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= print
MASTER_SITES= https://mupdf.com/downloads/archive/
Index: pkgsrc/print/mupdf/distinfo
diff -u pkgsrc/print/mupdf/distinfo:1.36.4.1 pkgsrc/print/mupdf/distinfo:1.36.4.2
--- pkgsrc/print/mupdf/distinfo:1.36.4.1 Sun Oct 22 18:12:21 2017
+++ pkgsrc/print/mupdf/distinfo Sat Nov 4 17:48:30 2017
@@ -1,9 +1,14 @@
-$NetBSD: distinfo,v 1.36.4.1 2017/10/22 18:12:21 bsiegert Exp $
+$NetBSD: distinfo,v 1.36.4.2 2017/11/04 17:48:30 bsiegert Exp $
SHA1 (mupdf-1.11-source.tar.gz) = f782d36aaa896319207e81953e5a622201477b5b
RMD160 (mupdf-1.11-source.tar.gz) = 573307473a1ac81aca4519b0e57a7111aae7803f
SHA512 (mupdf-1.11-source.tar.gz) = 501670f540e298a8126806ebbd9db8b29866f663b7bbf26c9ade1933e42f0c00ad410b9d93f3ddbfb3e45c38722869095de28d832fe3fb3703c55cc9a01dbf63
Size (mupdf-1.11-source.tar.gz) = 40156070 bytes
+SHA1 (patch-CVE-2017-14685) = c84be44c21ca29e0d0a455e0d7efe9a38ac46fb5
+SHA1 (patch-CVE-2017-14686) = b573adc7baa25a2f8b2068b1833f4cc17f38f3eb
+SHA1 (patch-CVE-2017-14687) = 651efafea77050216645ded2e2d3592970713b74
+SHA1 (patch-CVE-2017-15369) = 37bc5e52c67591b04640c03f5a227c278a26aa11
+SHA1 (patch-CVE-2017-15587) = 3bdafc7647148b0b29d37804a14306ea4458a529
SHA1 (patch-Makethird) = a4d1bb3c8d509a84803c9b60521fd9b6b17b9717
SHA1 (patch-ab) = a18b1e5b82454bdf06e23185e619b7f8c7a24290
SHA1 (patch-ac) = c2decf6eae4c6343636439c7d7f6621826fc4e3c
Added files:
Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-14685
diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-14685:1.1.2.2
--- /dev/null Sat Nov 4 17:48:30 2017
+++ pkgsrc/print/mupdf/patches/patch-CVE-2017-14685 Sat Nov 4 17:48:30 2017
@@ -0,0 +1,20 @@
+$NetBSD: patch-CVE-2017-14685,v 1.1.2.2 2017/11/04 17:48:30 bsiegert Exp $
+
+Fix 698539: Don't use xps font if it could not be loaded.
+(AKA CVE-2017-14685)
+
+xps_load_links_in_glyphs did not cope with font loading failures.
+
+From upstream commit ab1a420613dec93c686acbee2c165274e922f82a
+
+--- source/xps/xps-link.c.orig
++++ source/xps/xps-link.c
+@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct
+ bidi_level = atoi(bidi_level_att);
+
+ font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att);
++ if (!font)
++ return;
+ text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att),
+ fz_atof(origin_x_att), fz_atof(origin_y_att),
+ is_sideways, bidi_level, indices_att, unicode_att);
Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-14686
diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-14686:1.1.2.2
--- /dev/null Sat Nov 4 17:48:30 2017
+++ pkgsrc/print/mupdf/patches/patch-CVE-2017-14686 Sat Nov 4 17:48:30 2017
@@ -0,0 +1,19 @@
+$NetBSD: patch-CVE-2017-14686,v 1.1.2.2 2017/11/04 17:48:30 bsiegert Exp $
+
+Fix bug 698540: Check name, comment and meta size field signs.
+(AKA CVE-2017-14686)
+
+From upstream commit 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
+
+--- source/fitz/unzip.c.orig
++++ source/fitz/unzip.c
+@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off
+ (void) fz_read_int32_le(ctx, file); /* ext file atts */
+ offset = fz_read_int32_le(ctx, file);
+
++ if (namesize < 0 || metasize < 0 || commentsize < 0)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
++
+ name = fz_malloc(ctx, namesize + 1);
+ n = fz_read(ctx, file, (unsigned char*)name, namesize);
+ if (n < (size_t)namesize)
Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-14687
diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-14687:1.1.2.2
--- /dev/null Sat Nov 4 17:48:30 2017
+++ pkgsrc/print/mupdf/patches/patch-CVE-2017-14687 Sat Nov 4 17:48:30 2017
@@ -0,0 +1,101 @@
+$NetBSD: patch-CVE-2017-14687,v 1.1.2.2 2017/11/04 17:48:30 bsiegert Exp $
+
+Fix 698558: Handle non-tags in tag name comparisons.
+(AKA CVE-2017-14687)
+
+Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom.
+
+From upstream commit 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
+
+--- source/html/css-apply.c.orig
++++ source/html/css-apply.c
+@@ -328,7 +328,7 @@ match_selector(fz_css_selector *sel, fz_xml *node)
+
+ if (sel->name)
+ {
+- if (strcmp(sel->name, fz_xml_tag(node)))
++ if (!fz_xml_is_tag(node, sel->name))
+ return 0;
+ }
+
+--- source/svg/svg-run.c.orig
++++ source/svg/svg-run.c
+@@ -1044,7 +1044,7 @@ svg_run_use(fz_context *ctx, fz_device *dev, svg_document *doc, fz_xml *root, co
+ fz_xml *linked = fz_tree_lookup(ctx, doc->idmap, xlink_href_att + 1);
+ if (linked)
+ {
+- if (!strcmp(fz_xml_tag(linked), "symbol"))
++ if (fz_xml_is_tag(linked, "symbol"))
+ svg_run_use_symbol(ctx, dev, doc, root, linked, &local_state);
+ else
+ svg_run_element(ctx, dev, doc, linked, &local_state);
+--- source/xps/xps-common.c.orig
++++ source/xps/xps-common.c
+@@ -47,7 +47,7 @@ xps_parse_brush(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, const
+ else if (fz_xml_is_tag(node, "RadialGradientBrush"))
+ xps_parse_radial_gradient_brush(ctx, doc, ctm, area, base_uri, dict, node);
+ else
+- fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node));
++ fz_warn(ctx, "unknown brush tag");
+ }
+
+ void
+@@ -85,7 +85,7 @@ xps_begin_opacity(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, cons
+ if (opacity_att)
+ opacity = fz_atof(opacity_att);
+
+- if (opacity_mask_tag && !strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+ {
+ char *scb_opacity_att = fz_xml_att(opacity_mask_tag, "Opacity");
+ char *scb_color_att = fz_xml_att(opacity_mask_tag, "Color");
+@@ -129,7 +129,7 @@ xps_end_opacity(fz_context *ctx, xps_document *doc, char *base_uri, xps_resource
+
+ if (opacity_mask_tag)
+ {
+- if (strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++ if (!fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+ fz_pop_clip(ctx, dev);
+ }
+ }
+--- source/xps/xps-glyphs.c.orig
++++ source/xps/xps-glyphs.c
+@@ -592,7 +592,7 @@ xps_parse_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ctm,
+
+ /* If it's a solid color brush fill/stroke do a simple fill */
+
+- if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+ {
+ fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+ fill_att = fz_xml_att(fill_tag, "Color");
+--- source/xps/xps-path.c.orig
++++ source/xps/xps-path.c
+@@ -879,14 +879,14 @@ xps_parse_path(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, char *b
+ if (!data_att && !data_tag)
+ return;
+
+- if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+ {
+ fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+ fill_att = fz_xml_att(fill_tag, "Color");
+ fill_tag = NULL;
+ }
+
+- if (stroke_tag && !strcmp(fz_xml_tag(stroke_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(stroke_tag, "SolidColorBrush"))
+ {
+ stroke_opacity_att = fz_xml_att(stroke_tag, "Opacity");
+ stroke_att = fz_xml_att(stroke_tag, "Color");
+--- source/xps/xps-resource.c.orig
++++ source/xps/xps-resource.c
+@@ -84,7 +84,7 @@ xps_parse_remote_resource_dictionary(fz_context *ctx, xps_document *doc, char *b
+ if (!xml)
+ return NULL;
+
+- if (strcmp(fz_xml_tag(xml), "ResourceDictionary"))
++ if (!fz_xml_is_tag(xml, "ResourceDictionary"))
+ {
+ fz_drop_xml(ctx, xml);
+ fz_throw(ctx, FZ_ERROR_GENERIC, "expected ResourceDictionary element");
Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-15369
diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-15369:1.1.2.2
--- /dev/null Sat Nov 4 17:48:30 2017
+++ pkgsrc/print/mupdf/patches/patch-CVE-2017-15369 Sat Nov 4 17:48:30 2017
@@ -0,0 +1,39 @@
+$NetBSD: patch-CVE-2017-15369,v 1.1.2.2 2017/11/04 17:48:30 bsiegert Exp $
+
+Bug 698592: Mark variable fz_var(), avoiding optimization.
+(AKA CVE-2017-15369)
+
+The change in 2707fa9e8e6d17d794330e719dec1b08161fb045
+in build_filter_chain() allows for the variable chain
+to reside in a register, which means that the bug is
+likely to only be visible if built under optimization.
+
+First the chain variable is transferred to chain2, then
+set to NULL, then when an exception occurs in build_filter()
+the filter chain will be freed by build_filter(). Next
+the expectation is that execution proceeds to fz_catch()
+where fz_drop_stream() would be called with chain == NULL.
+
+However due to the chain variable residing in a register,
+its value is not NULL as expected, but was reset to its
+original value upon the exception (since they use setjmp()),
+hence fz_drop_stream() is called with a non-NULL value.
+
+Marking the chain variable with fz_var() prevents the
+compiler from allowing the chain variable to reside in
+a register and hence its value will remain NULL and
+never be reset.
+
+From upstream commit c2663e51238ec8256da7fc61ad580db891d9fe9a
+
+--- source/pdf/pdf-stream.c.orig
++++ source/pdf/pdf-stream.c
+@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
+ pdf_obj *p;
+ int i, n;
+
++ fz_var(chain);
++
+ fz_try(ctx)
+ {
+ n = pdf_array_len(ctx, fs);
Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-15587
diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-15587:1.1.2.2
--- /dev/null Sat Nov 4 17:48:30 2017
+++ pkgsrc/print/mupdf/patches/patch-CVE-2017-15587 Sat Nov 4 17:48:30 2017
@@ -0,0 +1,18 @@
+$NetBSD: patch-CVE-2017-15587,v 1.1.2.2 2017/11/04 17:48:30 bsiegert Exp $
+
+Check for integer overflow when validating new style xref Index.
+(AKA CVE-2017-15587)
+
+From upstream commit 82df2631d7d0446b206ea6b434ea609b6c28b0e8
+
+--- source/pdf/pdf-xref.c.orig
++++ source/pdf/pdf-xref.c
+@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
+ pdf_xref_entry *table;
+ int i, n;
+
+- if (i0 < 0 || i1 < 0)
++ if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+ //if (i0 + i1 > pdf_xref_len(ctx, doc))
+ // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
Home |
Main Index |
Thread Index |
Old Index