From bc5c7d9419c26b69921c31f68b83cc0d4a602e9595063332e6920b8141824c7d Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Fri, 2 Feb 2018 08:01:57 +0000 Subject: [PATCH 1/3] Accepting request 571908 from home:kbabioch:branches:Publishing - Add CVE-2018-6187.patch to fix a heap buffer overflow in in pdf-write.c in the do_pdf_save_document function (CVE-2018-6187 boo#1077407) OBS-URL: https://build.opensuse.org/request/show/571908 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=67 --- CVE-2018-6187.patch | 63 +++++++++++++++++++++++++++++++++++++++++++++ mupdf.changes | 6 +++++ mupdf.spec | 2 ++ 3 files changed, 71 insertions(+) create mode 100644 CVE-2018-6187.patch diff --git a/CVE-2018-6187.patch b/CVE-2018-6187.patch new file mode 100644 index 0000000..b0db024 --- /dev/null +++ b/CVE-2018-6187.patch 
@@ -0,0 +1,63 @@ +X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-write.c;h=bc67f003025516c04991758ea648f79d00926742;hp=a7326a173a09df3fd4e3adbf3e1842081b6dfea4;hb=3e30fbb7bf5efd88df431e366492356e7eb969ec;hpb=b03def134988da8c800adac1a38a41a1f09a1d89 + +Index: mupdf-1.12.0-source/source/pdf/pdf-write.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-write.c ++++ mupdf-1.12.0-source/source/pdf/pdf-write.c +@@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_ + { + int i; + +- num++; ++ /* objects are numbered 0..num and maybe two additional objects for linearization */ ++ num += 3; + opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list)); + opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list)); + opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list)); +@@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *c + { + pdf_obj *obj; + int num; +- int xref_len = pdf_xref_len(ctx, doc); + +- for (num = 0; num < xref_len; num++) ++ /* xref_len may change due to repair, so check it every iteration */ ++ for (num = 0; num < pdf_xref_len(ctx, doc); num++) + { + if (pdf_get_xref_entry(ctx, doc, num)->type == 'o') + { +@@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_co + opts->continue_on_error = in_opts->continue_on_error; + opts->errors = in_opts->errors; + +- expand_lists(ctx, opts, xref_len + 3); ++ expand_lists(ctx, opts, xref_len); + } + + /* Free the resources held by the dynamic write options */ +@@ -2889,6 +2890,9 @@ do_pdf_save_document(fz_context *ctx, pd + { + pdf_ensure_solid_xref(ctx, doc, xref_len); + preloadobjstms(ctx, doc); ++ ++ xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */ ++ expand_lists(ctx, opts, xref_len); + } + + /* Sweep & mark objects from the trailer */ +@@ -2897,6 +2901,7 @@ do_pdf_save_document(fz_context 
*ctx, pd + else + { + xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */ ++ expand_lists(ctx, opts, xref_len); + for (num = 0; num < xref_len; num++) + opts->use_list[num] = 1; + } +@@ -2917,6 +2922,7 @@ do_pdf_save_document(fz_context *ctx, pd + if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental) + { + xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */ ++ expand_lists(ctx, opts, xref_len); + while (xref_len > 0 && !opts->use_list[xref_len-1]) + xref_len--; + } diff --git a/mupdf.changes b/mupdf.changes index f1dc2fc..d72d751 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Feb 2 07:52:06 UTC 2018 - kbabioch@suse.com + +- Add CVE-2018-6187.patch to fix a heap buffer overflow in in pdf-write.c + in the do_pdf_save_document function (CVE-2018-6187 boo#1077407) + ------------------------------------------------------------------- Tue Jan 23 09:12:22 UTC 2018 - kbabioch@suse.com diff --git a/mupdf.spec b/mupdf.spec index b56c092..da76292 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -30,6 +30,7 @@ Source2: mupdf.png Patch1: fix-openjpeg-flags.patch Patch2: CVE-2018-5686.patch Patch3: CVE-2017-17858.patch +Patch4: CVE-2018-6187.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -68,6 +69,7 @@ based on mupdf. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs) From 0f2117f19de425a5fd0b121c5e29cbcc475d28e0c03f08d4efbcee316071a3fa Mon Sep 17 00:00:00 2001 
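Review bot: The new patch file carries only an `X-Git-Url` line as provenance, so a reader has to decode the `hb=` parameter of that URL to learn which upstream commit (3e30fbb7bf5efd88df431e366492356e7eb969ec) it backports; a `From:`/`Subject:` header, or at least a one-line comment at the top of the file naming the upstream commit and the bug it fixes, would make the security fix auditable without visiting the URL. The code change itself is coherent: `expand_lists` now grows the three lists to `num + 3` on its own (the caller drops its `xref_len + 3`), and every site that re-reads `pdf_xref_len` after a possible repair calls `expand_lists` before indexing `use_list`, which is the out-of-bounds write the CVE describes. The `int i;` at the top of `expand_lists` suggests an initialisation loop for the newly added entries follows, but that loop is outside the hunk, so whether entries between the old and new length are zeroed cannot be confirmed here. `expand_lists`, `preloadobjstms`, `initialise_write_state` and `do_pdf_save_document` all begin and end outside the hunks.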
From: Martin Pluskal Date: Fri, 2 Feb 2018 15:44:48 +0000 Subject: [PATCH 2/3] Accepting request 572053 from home:kbabioch:branches:Publishing - Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in pdf/pdf-xref.c (CVE-2018-6544 boo#1079100) - Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755) OBS-URL: https://build.opensuse.org/request/show/572053 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=68 --- CVE-2018-6192.patch | 91 +++++++++++++++++++++++++++++++++++++++++++++ CVE-2018-6544.patch | 53 ++++++++++++++++++++++++++ mupdf.changes | 9 +++++ mupdf.spec | 4 ++ 4 files changed, 157 insertions(+) create mode 100644 CVE-2018-6192.patch create mode 100644 CVE-2018-6544.patch diff --git a/CVE-2018-6192.patch b/CVE-2018-6192.patch new file mode 100644 index 0000000..d79fb58 --- /dev/null +++ b/CVE-2018-6192.patch 
@@ -0,0 +1,91 @@ +Index: mupdf-1.12.0-source/source/pdf/pdf-lex.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-lex.c ++++ mupdf-1.12.0-source/source/pdf/pdf-lex.c +@@ -151,12 +151,21 @@ lex_number(fz_context *ctx, fz_stream *f + char *e = buf->scratch + buf->size - 1; /* leave space for zero terminator */ + char *isreal = (c == '.' ? s : NULL); + int neg = (c == '-'); ++ int isbad = 0; + + *s++ = c; + ++ c = fz_read_byte(ctx, f); ++ ++ /* skip extra '-' signs at start of number */ ++ if (neg) ++ { ++ while (c == '-') ++ c = fz_read_byte(ctx, f); ++ } ++ + while (s < e) + { +- c = fz_read_byte(ctx, f); + switch (c) + { + case IS_WHITE: +@@ -165,21 +174,27 @@ lex_number(fz_context *ctx, fz_stream *f + goto end; + case EOF: + goto end; +- case '-': +- neg++; +- *s++ = c; +- break; + case '.': ++ if (isreal) ++ isbad = 1; + isreal = s; +- /* Fall through */ ++ *s++ = c; ++ break; ++ case RANGE_0_9: ++ *s++ = c; ++ break; + default: ++ isbad = 1; + *s++ = c; + break; + } ++ c = fz_read_byte(ctx, f); + } + + end: + *s = '\0'; ++ if (isbad) ++ return PDF_TOK_ERROR; + if (isreal) + { + /* We'd like to use the fastest possible atof + +Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c ++++ mupdf-1.12.0-source/source/pdf/pdf-parse.c +@@ -457,7 +457,8 @@ pdf_parse_array(fz_context *ctx, pdf_doc + break; + + default: +- fz_throw(ctx, FZ_ERROR_SYNTAX, "cannot parse token in array"); ++ pdf_array_push_drop(ctx, ary, pdf_new_null(ctx, doc)); ++ break; + } + } + end: +@@ -547,10 +548,13 @@ pdf_parse_dict(fz_context *ctx, pdf_docu + break; + } + } +- fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid indirect reference in dict"); ++ fz_warn(ctx, "invalid indirect reference in dict"); ++ val = pdf_new_null(ctx, doc); ++ break; + + default: +- fz_throw(ctx, FZ_ERROR_SYNTAX, "unknown token in dict"); ++ val = 
pdf_new_null(ctx, doc); ++ break; + } + + pdf_dict_put(ctx, dict, key, val); diff --git a/CVE-2018-6544.patch b/CVE-2018-6544.patch new file mode 100644 index 0000000..ff81e36 --- /dev/null +++ b/CVE-2018-6544.patch @@ -0,0 +1,53 @@ +Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c ++++ mupdf-1.12.0-source/source/pdf/pdf-stream.c +@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_ + *orig_gen = 0; + } + +- fz_var(chain); ++ chain = fz_keep_stream(ctx, chain); + + fz_try(ctx) + { + len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length)); + +- /* don't close chain when we close this filter */ +- chain2 = fz_keep_stream(ctx, chain); ++ chain2 = chain; + chain = NULL; + chain = fz_open_null(ctx, chain2, len, offset); + +Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c ++++ mupdf-1.12.0-source/source/pdf/pdf-xref.c +@@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do + { + objstm = pdf_load_object(ctx, doc, num); + ++ if (pdf_obj_marked(ctx, objstm)) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup"); ++ } ++ fz_catch(ctx) ++ { ++ pdf_drop_obj(ctx, objstm); ++ fz_rethrow(ctx); ++ } ++ ++ fz_try(ctx) ++ { ++ pdf_mark_obj(ctx, objstm); ++ + count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N)); + first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First)); + +@@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do + fz_drop_stream(ctx, stm); + fz_free(ctx, ofsbuf); + fz_free(ctx, numbuf); ++ pdf_unmark_obj(ctx, objstm); + pdf_drop_obj(ctx, objstm); + } + fz_catch(ctx) diff --git a/mupdf.changes b/mupdf.changes index d72d751..6804e75 100644 --- a/mupdf.changes +++ b/mupdf.changes 
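Review bot: The pdf-parse.c part of this patch turns two hard parse failures into silent recovery — the `default:` arm of `pdf_parse_array` now pushes a null object instead of throwing, and `pdf_parse_dict` downgrades `invalid indirect reference in dict` to `fz_warn` and stores null — which is a behaviour change well beyond lexer hardening and not what the changelog entry describes (it names `pdf_read_new_xref` in pdf/pdf-xref.c, a file this patch does not touch). If the `lex_number` change is the actual fix, the parse-recovery hunks should be dropped or justified in a patch header naming the upstream commit they come from; the file currently has no provenance header at all. The `lex_number` change looks sound on its own: `isbad` is set on a second `.` and on any non-digit, and `end:` returns `PDF_TOK_ERROR` before any conversion, while the new skip loop means a run of leading `-` signs is collapsed into one rather than rejected, which is visibly intentional given its comment. All three enclosing functions start and end outside the hunks.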
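Review bot: In the pdf-stream.c part, `fz_var(chain);` is removed while `chain` is still reassigned inside the `fz_try` block (`chain = NULL;` followed by `chain = fz_open_null(ctx, chain2, len, offset);`); mupdf's `fz_try` is setjmp-based, so if the `fz_catch` arm after this hunk still reads `chain` (the hunk ends before it), the value it sees after a throw is unspecified and the reference taken by the new `chain = fz_keep_stream(ctx, chain);` can be leaked or dropped twice. Either keep `fz_var(chain);` next to the new keep, or confirm in the full function that the catch arm no longer references `chain`. The pdf-xref.c part is straightforward: `pdf_mark_obj`/`pdf_unmark_obj` bracket the object-stream body and re-entry throws `recursive object stream lookup`; the `pdf_unmark_obj` sits beside the resource drops that precede `fz_catch`, which appears to be the `fz_always` arm so the mark is also cleared on the error path, but that arm's opening is outside the hunk. `pdf_open_raw_filter` and `pdf_load_obj_stm` both begin and end outside the hunks.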
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Feb 2 14:58:40 UTC 2018 - kbabioch@suse.com + +- Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in + pdf/pdf-xref.c (CVE-2018-6544 boo#1079100) + +- Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within + pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755) + ------------------------------------------------------------------- Fri Feb 2 07:52:06 UTC 2018 - kbabioch@suse.com diff --git a/mupdf.spec b/mupdf.spec index da76292..8ea5fc4 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -31,6 +31,8 @@ Patch1: fix-openjpeg-flags.patch Patch2: CVE-2018-5686.patch Patch3: CVE-2017-17858.patch Patch4: CVE-2018-6187.patch +Patch5: CVE-2018-6192.patch +Patch6: CVE-2018-6544.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -70,6 +72,8 @@ based on mupdf. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs) From a32e43e4eacdd543452846329c04eaeeb18cacd7dd36a3fa6f8cc718341641a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Sat, 3 Feb 2018 12:13:35 +0000 Subject: [PATCH 3/3] Accepting request 572213 from home:kbabioch:branches:Publishing - CVE-2018-6192.patch: Use official fix from usptream (CVE-2018-6192 boo#1077755) OBS-URL: https://build.opensuse.org/request/show/572213 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=69 --- CVE-2018-6192.patch | 113 ++++++++++++-------------------------------- mupdf.changes | 6 +++ 2 files changed, 36 insertions(+), 83 deletions(-) diff --git a/CVE-2018-6192.patch b/CVE-2018-6192.patch index d79fb58..f302c34 100644 --- a/CVE-2018-6192.patch +++ b/CVE-2018-6192.patch 
@@ -1,91 +1,38 @@ -Index: mupdf-1.12.0-source/source/pdf/pdf-lex.c -=================================================================== ---- mupdf-1.12.0-source.orig/source/pdf/pdf-lex.c -+++ mupdf-1.12.0-source/source/pdf/pdf-lex.c -@@ -151,12 +151,21 @@ lex_number(fz_context *ctx, fz_stream *f - char *e = buf->scratch + buf->size - 1; /* leave space for zero terminator */ - char *isreal = (c == '.' ? s : NULL); - int neg = (c == '-'); -+ int isbad = 0; - - *s++ = c; - -+ c = fz_read_byte(ctx, f); -+ -+ /* skip extra '-' signs at start of number */ -+ if (neg) -+ { -+ while (c == '-') -+ c = fz_read_byte(ctx, f); -+ } -+ - while (s < e) - { -- c = fz_read_byte(ctx, f); - switch (c) - { - case IS_WHITE: -@@ -165,21 +174,27 @@ lex_number(fz_context *ctx, fz_stream *f - goto end; - case EOF: - goto end; -- case '-': -- neg++; -- *s++ = c; -- break; - case '.': -+ if (isreal) -+ isbad = 1; - isreal = s; -- /* Fall through */ -+ *s++ = c; -+ break; -+ case RANGE_0_9: -+ *s++ = c; -+ break; - default: -+ isbad = 1; - *s++ = c; - break; - } -+ c = fz_read_byte(ctx, f); - } - - end: - *s = '\0'; -+ if (isbad) -+ return PDF_TOK_ERROR; - if (isreal) - { - /* We'd like to use the fastest possible atof +From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Tue, 30 Jan 2018 02:05:57 +0100 +Subject: [PATCH] Bug 698916: Indirect object numbers must be in range. 
+ +--- + source/pdf/pdf-parse.c | 2 ++ + source/pdf/pdf-xref.c | 4 ++-- + 2 files changed, 4 insertions(+), 2 deletions(-) Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c +++ mupdf-1.12.0-source/source/pdf/pdf-parse.c -@@ -457,7 +457,8 @@ pdf_parse_array(fz_context *ctx, pdf_doc - break; +@@ -616,6 +616,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_d + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number"); + } + num = buf->i; ++ if (num < 0 || num > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range"); - default: -- fz_throw(ctx, FZ_ERROR_SYNTAX, "cannot parse token in array"); -+ pdf_array_push_drop(ctx, ary, pdf_new_null(ctx, doc)); -+ break; - } - } - end: -@@ -547,10 +548,13 @@ pdf_parse_dict(fz_context *ctx, pdf_docu - break; - } - } -- fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid indirect reference in dict"); -+ fz_warn(ctx, "invalid indirect reference in dict"); -+ val = pdf_new_null(ctx, doc); -+ break; + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_INT) +Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c ++++ mupdf-1.12.0-source/source/pdf/pdf-xref.c +@@ -234,8 +234,8 @@ pdf_xref_entry *pdf_get_populating_xref_ + } - default: -- fz_throw(ctx, FZ_ERROR_SYNTAX, "unknown token in dict"); -+ val = pdf_new_null(ctx, doc); -+ break; - } + /* Prevent accidental heap underflow */ +- if (num < 0) +- fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num); ++ if (num < 0 || num > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num); - pdf_dict_put(ctx, dict, key, val); + /* Return the pointer to the entry in the last section. */ + xref = &doc->xref_sections[doc->num_xref_sections-1]; 
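Review bot: The backported check `if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)` in `pdf_parse_ind_obj` and `pdf_get_populating_xref_entry` relies on `PDF_MAX_OBJECT_NUMBER` already being defined in the mupdf 1.12.0 headers; this patch does not introduce it, so if the macro arrived upstream after the 1.12.0 release the build fails at the first use and its definition has to be carried in the patch too — worth confirming against the 1.12.0 tree before merging. The patch now carries the upstream `From:`/`Subject:` header (5e411a99604ff6be5db9e273ee84737204113299, Bug 698916), which is the provenance the previous revision lacked. The changelog still describes the fix as being in `pdf_read_new_xref`, whereas the upstream commit touches `pdf_parse_ind_obj` and `pdf_get_populating_xref_entry`; the latter may be what `pdf_read_new_xref` reaches, but naming the functions actually patched would be more accurate. Both enclosing functions begin and end outside the hunks.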
diff --git a/mupdf.changes b/mupdf.changes
index 6804e75..015b5c3 100644
--- a/mupdf.changes
+++ b/mupdf.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Feb 2 20:48:34 UTC 2018 - kbabioch@suse.com
+
+- CVE-2018-6192.patch: Use official fix from usptream (CVE-2018-6192
+ boo#1077755)
+
 -------------------------------------------------------------------
 Fri Feb 2 14:58:40 UTC 2018 - kbabioch@suse.com