From 33ad9176ce52511b74d1a1948f9e5c2df12796c789c052d1893d2a3a7447ec18 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Mon, 2 Sep 2019 12:14:18 +0000
Subject: [PATCH] - security update - added patches CVE-2019-15142 [bsc#1146702] + djvulibre-CVE-2019-15142.patch CVE-2019-15143 [bsc#1146569] + djvulibre-CVE-2019-15143.patch CVE-2019-15144 [bsc#1146571] + djvulibre-CVE-2019-15144.patch CVE-2019-15145 [bsc#1146572] + djvulibre-CVE-2019-15145.patch do not segfault when libtiff encounters corrupted TIFF (upstream issue #295) + djvulibre-invalid-tiff.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/djvulibre?expand=0&rev=28
---
 djvulibre-CVE-2019-15142.patch | 87 +++++++++++++++++++++++++++
 djvulibre-CVE-2019-15143.patch | 20 +++++++
 djvulibre-CVE-2019-15144.patch | 105 +++++++++++++++++++++++++++++++++
 djvulibre-CVE-2019-15145.patch | 22 +++++++
 djvulibre-invalid-tiff.patch | 13 ++++
 djvulibre.changes | 16 +++++
 djvulibre.spec | 33 +++++++++--
 7 files changed, 291 insertions(+), 5 deletions(-)
 create mode 100644 djvulibre-CVE-2019-15142.patch
 create mode 100644 djvulibre-CVE-2019-15143.patch
 create mode 100644 djvulibre-CVE-2019-15144.patch
 create mode 100644 djvulibre-CVE-2019-15145.patch
 create mode 100644 djvulibre-invalid-tiff.patch
diff --git a/djvulibre-CVE-2019-15142.patch b/djvulibre-CVE-2019-15142.patch
new file mode 100644
index 0000000..bf529b0
--- /dev/null
+++ b/djvulibre-CVE-2019-15142.patch
@@ -0,0 +1,87 @@ +Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp +=================================================================== +--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200 ++++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200 +@@ -300,36 +300,44 @@ DjVmDir::decode(const GP &gs + memcpy((char*) strings+strings_size, buffer, length); + } + DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); +- +- // Copy names into the files ++ int strings_size=strings.size(); ++ strings.resize(strings_size+3); ++ memset((char*) strings+strings_size, 0, 4); ++ ++ // Copy names into the files + const char * ptr=strings; + for(pos=files_list;pos;++pos) + { + GP file=files_list[pos]; +- ++ if (ptr >= (const char*)strings + strings_size) ++ G_THROW( "DjVu document is corrupted (DjVmDir)" ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) + { +- file->name=ptr; +- ptr+=file->name.length()+1; +- } else ++ file->name=ptr; ++ ptr+=file->name.length()+1; ++ } ++ else + { + file->name=file->id; + } + if (file->flags & File::HAS_TITLE) + { +- file->title=ptr; +- ptr+=file->title.length()+1; +- } else +- file->title=file->id; +- /* msr debug: multipage file, file->title is null. ++ file->title=ptr; ++ ptr+=file->title.length()+1; ++ } ++ else ++ { ++ file->title=file->id; ++ } ++ /* msr debug: multipage file, file->title is null. 
+ DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " << + file->offset << ", " << file->size << ", " << + file->is_page() << "\n"); */ + } + +- // Check that there is only one file with SHARED_ANNO flag on ++ // Check that there is only one file with SHARED_ANNO flag on + int shared_anno_cnt=0; + for(pos=files_list;pos;++pos) + { +Index: djvulibre-3.5.27/libdjvu/miniexp.cpp +=================================================================== +--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100 ++++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200 +@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i + { + if (char_quoted(c, flags)) + { +- char buffer[10]; ++ char buffer[16]; /* 10+1 */ + static const char *tr1 = "\"\\tnrbf"; + static const char *tr2 = "\"\\\t\n\r\b\f"; + buffer[0] = buffer[1] = 0; +Index: djvulibre-3.5.27/tools/csepdjvu.cpp +=================================================================== +--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200 ++++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200 +@@ -1814,7 +1814,7 @@ main(int argc, const char **argv) + ByteStream::create(GURL::Filename::UTF8(arg),"rb"); + BufferByteStream ibs(*fbs); + do { +- char pagename[16]; ++ char pagename[20]; + sprintf(pagename, "p%04d.djvu", ++pageno); + if (opts.verbose > 1) + DjVuPrintErrorUTF8("%s","--------------------\n"); diff --git a/djvulibre-CVE-2019-15143.patch b/djvulibre-CVE-2019-15143.patch new file mode 100644 index 0000000..b11617d --- /dev/null +++ b/djvulibre-CVE-2019-15143.patch 
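Review bot: The new bound check in DjVmDir::decode runs only before `file->id` is read, while the following `name` and `title` reads advance `ptr` unchecked; this appears to be safe only because of the three NUL pad bytes added just above (a read that starts at the last real byte can consume at most the three empty strings that follow), and that coupling is stated nowhere. A comment at the guard, e.g. `// id/name/title may advance ptr past strings_size by at most 3 bytes; the NUL padding added above keeps those reads inside the buffer`, would stop a later change to the padding from silently reopening the out-of-bounds read. The error is thrown as a bare string, whereas the GBitmap.h hunk in this same commit uses `G_THROW( ERR_MSG("...") )`; the ERR_MSG form would keep the new message consistent with the library's other diagnostics. DjVmDir::decode begins and ends outside the hunk.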
@@ -0,0 +1,20 @@ +diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp +index 0e487f0..c2fdbe4 100644 +--- a/libdjvu/GBitmap.cpp ++++ b/libdjvu/GBitmap.cpp +@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs) + int c = 0; + while (n >= 0) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + int x = h; + if (x >= (int)RUNOVERFLOWVALUE) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + x = h + ((x - (int)RUNOVERFLOWVALUE) << 8); + } + if (c+x > ncolumns) diff --git a/djvulibre-CVE-2019-15144.patch b/djvulibre-CVE-2019-15144.patch new file mode 100644 index 0000000..24b01fe --- /dev/null +++ b/djvulibre-CVE-2019-15144.patch 
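Review bot: The two `bs.read(&h, 1) <= 0` guards in GBitmap::read_rle_raw compare a byte count that, if ByteStream::read returns size_t as I believe it does in this library, can never be negative; `== 0` states the intent (short read at end of stream) without suggesting an error code is in play. The same test is now written twice inside the decoding loop; a small static helper `read_byte(bs, h)` that throws `ByteStream::EndOfFile` on a zero-length read would keep the run-length loop readable if more reads are added. The function's header and the `c+x > ncolumns` handling continue outside the hunk.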
@@ -0,0 +1,105 @@ +diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h +index 96b067c..0140211 100644 +--- a/libdjvu/GContainer.h ++++ b/libdjvu/GContainer.h +@@ -550,52 +550,61 @@ public: + template void + GArrayTemplate::sort(int lo, int hi) + { +- if (hi <= lo) +- return; +- if (hi > hibound || lo hibound || lo=lo) && !(data[j]<=tmp)) +- data[j+1] = data[j]; +- data[j+1] = tmp; ++ for (int i=lo+1; i<=hi; i++) ++ { ++ int j = i; ++ TYPE tmp = data[i]; ++ while ((--j>=lo) && !(data[j]<=tmp)) ++ data[j+1] = data[j]; ++ data[j+1] = tmp; ++ } ++ return; + } +- return; +- } +- // -- determine suitable quick-sort pivot +- TYPE tmp = data[lo]; +- TYPE pivot = data[(lo+hi)/2]; +- if (pivot <= tmp) +- { tmp = pivot; pivot=data[lo]; } +- if (data[hi] <= tmp) +- { pivot = tmp; } +- else if (data[hi] <= pivot) +- { pivot = data[hi]; } +- // -- partition set +- int h = hi; +- int l = lo; +- while (l < h) +- { +- while (! (pivot <= data[l])) l++; +- while (! (data[h] <= pivot)) h--; +- if (l < h) ++ // -- determine median-of-three pivot ++ TYPE tmp = data[lo]; ++ TYPE pivot = data[(lo+hi)/2]; ++ if (pivot <= tmp) ++ { tmp = pivot; pivot=data[lo]; } ++ if (data[hi] <= tmp) ++ { pivot = tmp; } ++ else if (data[hi] <= pivot) ++ { pivot = data[hi]; } ++ // -- partition set ++ int h = hi; ++ int l = lo; ++ while (l < h) + { +- tmp = data[l]; +- data[l] = data[h]; +- data[h] = tmp; +- l = l+1; +- h = h-1; ++ while (! (pivot <= data[l])) l++; ++ while (! (data[h] <= pivot)) h--; ++ if (l < h) ++ { ++ tmp = data[l]; ++ data[l] = data[h]; ++ data[h] = tmp; ++ l = l+1; ++ h = h-1; ++ } ++ } ++ // -- recurse, small partition first ++ // tail-recursion elimination ++ if (h - lo <= hi - l) { ++ sort(lo,h); ++ lo = l; // sort(l,hi) ++ } else { ++ sort(l,hi); ++ hi = h; // sort(lo,h) + } + } +- // -- recursively restart +- sort(lo, h); +- sort(l, hi); + } + + template inline TYPE& 
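Review bot: The rewritten GArrayTemplate::sort obtains its safety property — recursing only into the smaller partition and iterating over the larger — without a comment saying so; that invariant is what bounds the stack depth to about log2(n) on sorted or adversarial input and is the actual fix, so the `// tail-recursion elimination` line understates it. Suggest `// recurse into the smaller partition only, so stack depth stays O(log n) even on adversarial input; the larger partition is handled by the enclosing loop`. As shown here several lines are not valid C++ (`template void`, `if (hi > hibound || lo hibound || lo=lo)`), which looks like `<...>` spans lost in rendering rather than in the checked-in file; still worth confirming the patch applies cleanly in %prep. The enclosing loop header is among the garbled lines, so the loop bound itself cannot be verified from this view.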
diff --git a/djvulibre-CVE-2019-15145.patch b/djvulibre-CVE-2019-15145.patch new file mode 100644 index 0000000..653ef63 --- /dev/null +++ b/djvulibre-CVE-2019-15145.patch @@ -0,0 +1,22 @@ +diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h +index e8e0c9b..ca89a19 100644 +--- a/libdjvu/GBitmap.h ++++ b/libdjvu/GBitmap.h +@@ -566,7 +566,7 @@ GBitmap::operator[](int row) + { + if (!bytes) + uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); +@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const + { + if (!bytes) + ((GBitmap*)this)->uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); diff --git a/djvulibre-invalid-tiff.patch b/djvulibre-invalid-tiff.patch new file mode 100644 index 0000000..2b69c56 --- /dev/null +++ b/djvulibre-invalid-tiff.patch @@ -0,0 +1,13 @@ +diff --git a/tools/cjb2.cpp b/tools/cjb2.cpp +index 3da3ea8..701238d 100644 +--- a/tools/cjb2.cpp ++++ b/tools/cjb2.cpp +@@ -744,6 +744,8 @@ read_tiff(CCImage &rimg, ByteStream *bs, cjb2opts &opts) + readproc, writeproc, seekproc, + closeproc, sizeproc, + mapproc, unmapproc ); ++ if (! tiff) ++ G_THROW("Tiff image is corrupted (cannot open)"); + // bitonal + uint16 bps = 0, spp = 0; + TIFFGetFieldDefaulted(tiff, TIFFTAG_BITSPERSAMPLE, &bps); diff --git a/djvulibre.changes b/djvulibre.changes index 949b135..02c487e 100644 --- a/djvulibre.changes +++ b/djvulibre.changes 
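Review bot: The added `|| !bytes` term in both GBitmap::operator[] overloads relies on `uncompress()` being allowed to return without populating `bytes`, but nothing in the hunk says when that happens, so a reader cannot tell whether this is a legitimate state (an empty bitmap, presumably) or a failed decode now masked by the zero row. A one-line comment on the first overload, e.g. `// uncompress() may leave bytes null — fall through to the shared zero row rather than dereference it`, adjusted to the actual condition, would document that. The same condition is duplicated verbatim in the const overload; if it grows again, a private `bool row_is_outside(int row) const` helper would keep the two in sync. The `#ifndef NDEBUG` zerosize check that follows is unchanged context.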
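Review bot: The new `if (! tiff) G_THROW(...)` in read_tiff correctly keeps a NULL handle from reaching TIFFGetFieldDefaulted, but the message attributes every failure to corruption, whereas the open call (presumably TIFFClientOpen, given the callback list) also returns NULL for unsupported encodings or allocation failure and reports the real reason through libtiff's error handler. A neutral wording such as `G_THROW("Cannot open TIFF image (corrupted or unsupported)")` avoids a misleading diagnostic. Whether anything acquired earlier in read_tiff needs releasing before the throw cannot be judged here, as the function begins outside the hunk.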
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Sep 2 12:13:57 UTC 2019 - pgajdos@suse.com
+
+- security update
+- added patches
+ CVE-2019-15142 [bsc#1146702]
+ + djvulibre-CVE-2019-15142.patch
+ CVE-2019-15143 [bsc#1146569]
+ + djvulibre-CVE-2019-15143.patch
+ CVE-2019-15144 [bsc#1146571]
+ + djvulibre-CVE-2019-15144.patch
+ CVE-2019-15145 [bsc#1146572]
+ + djvulibre-CVE-2019-15145.patch
+ do not segfault when libtiff encounters corrupted TIFF (upstream issue #295)
+ + djvulibre-invalid-tiff.patch
+
 -------------------------------------------------------------------
 Tue Jan 8 23:17:00 UTC 2019 - Stefan BrĂ¼ns
diff --git a/djvulibre.spec b/djvulibre.spec
index c29f631..4788988 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package djvulibre
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,21 +12,33 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # +%define asan_build 0 + %define libname lib%{name}21 Name: djvulibre Version: 3.5.27 Release: 0 Summary: An Open Source Implementation of DjVu -License: GPL-2.0+ +License: GPL-2.0-or-later Group: Productivity/Graphics/Other Url: http://djvu.sourceforge.net Source: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz # PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/djvu/djvulibre-git/ci/ff8e5b68f856a7fe17c9aa33d0f2220f4ba6b40c/ Patch0: reproducible.patch +# CVE-2019-15143 [bsc#1146569] +Patch1: djvulibre-CVE-2019-15143.patch +# CVE-2019-15144 [bsc#1146571] +Patch2: djvulibre-CVE-2019-15144.patch +# CVE-2019-15145 [bsc#1146572] +Patch3: djvulibre-CVE-2019-15145.patch +# CVE-2019-15142 [bsc#1146702] +Patch4: djvulibre-CVE-2019-15142.patch +# do not segfault when libtiff encounters corrupted TIFF (upstream issue #295) +Patch5: djvulibre-invalid-tiff.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: hicolor-icon-theme @@ -111,10 +123,21 @@ This package contains documentation %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build -%configure - +%configure \ + --disable-silent-rules +%if %{asan_build} +sed -i -e 's/\(^CFLAGS.*\)/\1 -fsanitize=address/' \ + -e 's/\(^CXXFLAGS.*\)/\1 -fsanitize=address/' \ + -e 's/\(^LIBS =.*\)/\1 -lasan/' \ + Makefile */Makefile +%endif make %{?_smp_mflags} %install
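Review bot: The `%if %{asan_build}` block rewrites the generated Makefiles with `sed` to inject `-fsanitize=address` into CFLAGS/CXXFLAGS and links with a bare `-lasan`; with GCC the supported form is to pass `-fsanitize=address` at link time too, which selects the matching runtime and link order, whereas an explicit `-lasan` can pick up a mismatched runtime and does not work with clang. The `sed` edit also only touches `Makefile` and `*/Makefile`, so any deeper directory would be built without the flag, and the rewrite is lost if configure is re-run. Exporting the flags before `%configure` avoids all three problems and keeps the default (`asan_build 0`) build byte-identical.
```spec
%if %{asan_build}
export CFLAGS="%{optflags} -fsanitize=address"
export CXXFLAGS="%{optflags} -fsanitize=address"
export LDFLAGS="-fsanitize=address"
%endif
%configure \
	--disable-silent-rules
# … unchanged: make %{?_smp_mflags} …
```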