- security update
- added patches fix CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file + djvulibre-CVE-2021-32490.patch fix CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file + djvulibre-CVE-2021-32491.patch fix CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file + djvulibre-CVE-2021-32492.patch fix CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file + djvulibre-CVE-2021-32493.patch OBS-URL: https://build.opensuse.org/package/show/graphics/djvulibre?expand=0&rev=38
This commit is contained in:
parent
fbacb4469d
commit
cd84a81a7d
16
djvulibre-CVE-2021-32490.patch
Normal file
16
djvulibre-CVE-2021-32490.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
Index: djvulibre-3.5.28/libdjvu/IW44Image.cpp
|
||||||
|
===================================================================
|
||||||
|
--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp 2020-11-20 17:57:32.000000000 +0100
|
||||||
|
+++ djvulibre-3.5.28/libdjvu/IW44Image.cpp 2021-05-11 15:14:54.034421423 +0200
|
||||||
|
@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8,
|
||||||
|
size_t sz = bw * bh;
|
||||||
|
if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
|
||||||
|
G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
|
||||||
|
+ if (sz == 0)
|
||||||
|
+ G_THROW("IW44Image: zero size image (corrupted file?)");
|
||||||
|
GPBuffer<short> gdata16(data16,sz);
|
||||||
|
+ if (data16 == NULL)
|
||||||
|
+ G_THROW("IW44Image: unable to allocate image data");
|
||||||
|
// Copy coefficients
|
||||||
|
int i;
|
||||||
|
short *p = data16;
|
23
djvulibre-CVE-2021-32491.patch
Normal file
23
djvulibre-CVE-2021-32491.patch
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
Index: djvulibre-3.5.28/tools/ddjvu.cpp
|
||||||
|
===================================================================
|
||||||
|
--- djvulibre-3.5.28.orig/tools/ddjvu.cpp 2020-11-20 17:57:32.000000000 +0100
|
||||||
|
+++ djvulibre-3.5.28/tools/ddjvu.cpp 2021-05-11 15:14:54.038421444 +0200
|
||||||
|
@@ -70,6 +70,7 @@
|
||||||
|
#include <locale.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <errno.h>
|
||||||
|
+#include <stdint.h>
|
||||||
|
|
||||||
|
#ifdef UNIX
|
||||||
|
# include <sys/time.h>
|
||||||
|
@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
|
||||||
|
rowsize = rrect.w;
|
||||||
|
else
|
||||||
|
rowsize = rrect.w * 3;
|
||||||
|
- if (! (image = (char*)malloc(rowsize * rrect.h)))
|
||||||
|
+ if ((size_t) rowsize > SIZE_MAX / rrect.h)
|
||||||
|
+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
|
||||||
|
+ if (! (image = (char*)malloc((size_t) rowsize * rrect.h)))
|
||||||
|
die(i18n("Cannot allocate image buffer for page %d"), pageno);
|
||||||
|
|
||||||
|
/* Render */
|
12
djvulibre-CVE-2021-32492.patch
Normal file
12
djvulibre-CVE-2021-32492.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
--- a/libdjvu/DataPool.cpp
|
||||||
|
+++ a/libdjvu/DataPool.cpp
|
||||||
|
@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
|
||||||
|
DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
|
||||||
|
DEBUG_MAKE_INDENT(3);
|
||||||
|
|
||||||
|
+ if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
|
||||||
|
+
|
||||||
|
DataPool *xpool=new DataPool();
|
||||||
|
GP<DataPool> retval=xpool;
|
||||||
|
xpool->init();
|
||||||
|
|
20
djvulibre-CVE-2021-32493.patch
Normal file
20
djvulibre-CVE-2021-32493.patch
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
--- a/libdjvu/GBitmap.cpp
|
||||||
|
+++ a/libdjvu/GBitmap.cpp
|
||||||
|
@@ -69,6 +69,7 @@
|
||||||
|
#include <stddef.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
+#include <climits>
|
||||||
|
|
||||||
|
// - Author: Leon Bottou, 05/1997
|
||||||
|
|
||||||
|
@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
|
||||||
|
// initialize pixel array
|
||||||
|
if (nrows==0 || ncolumns==0)
|
||||||
|
G_THROW( ERR_MSG("GBitmap.not_init") );
|
||||||
|
+ if (ncolumns > USHRT_MAX - border)
|
||||||
|
+ G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
|
||||||
|
bytes_per_row = ncolumns + border;
|
||||||
|
if (runs==0)
|
||||||
|
G_THROW( ERR_MSG("GBitmap.null_arg") );
|
||||||
|
|
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 12 10:09:21 UTC 2021 - pgajdos@suse.com
|
||||||
|
|
||||||
|
- security update
|
||||||
|
- added patches
|
||||||
|
fix CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file
|
||||||
|
+ djvulibre-CVE-2021-32490.patch
|
||||||
|
fix CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file
|
||||||
|
+ djvulibre-CVE-2021-32491.patch
|
||||||
|
fix CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
|
||||||
|
+ djvulibre-CVE-2021-32492.patch
|
||||||
|
fix CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
|
||||||
|
+ djvulibre-CVE-2021-32493.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Dec 21 16:26:45 UTC 2020 - Atri Bhattacharya <badshah400@gmail.com>
|
Mon Dec 21 16:26:45 UTC 2020 - Atri Bhattacharya <badshah400@gmail.com>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package djvulibre
|
# spec file for package djvulibre
|
||||||
#
|
#
|
||||||
# Copyright (c) 2020 SUSE LLC
|
# Copyright (c) 2021 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -27,6 +27,14 @@ License: GPL-2.0-or-later
|
|||||||
Group: Productivity/Graphics/Other
|
Group: Productivity/Graphics/Other
|
||||||
URL: http://djvu.sourceforge.net
|
URL: http://djvu.sourceforge.net
|
||||||
Source: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
|
Source: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
|
||||||
|
# CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file
|
||||||
|
Patch0: djvulibre-CVE-2021-32490.patch
|
||||||
|
# CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file
|
||||||
|
Patch1: djvulibre-CVE-2021-32491.patch
|
||||||
|
# CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
|
||||||
|
Patch2: djvulibre-CVE-2021-32492.patch
|
||||||
|
# CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
|
||||||
|
Patch3: djvulibre-CVE-2021-32493.patch
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: hicolor-icon-theme
|
BuildRequires: hicolor-icon-theme
|
||||||
@ -79,6 +87,10 @@ This package contains the documentation.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# configure script missing; generate using autogen.sh
|
# configure script missing; generate using autogen.sh
|
||||||
|
Loading…
Reference in New Issue
Block a user