Accepting request 575495 from Publishing

OBS-URL: https://build.opensuse.org/request/show/575495
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mupdf?expand=0&rev=34

CVE-2018-1000051.patch

@@ -0,0 +1,79 @@
+From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Tue, 19 Dec 2017 23:47:47 +0100
+Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces.
+
+Previously the borrowed colorspace was dropped when updating annotation
+appearances, leading to use after free warnings from valgrind/ASAN.
+---
+ source/pdf/pdf-appearance.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
+index 70f684f..d7a1ddd 100644
+--- a/source/pdf/pdf-appearance.c
++++ b/source/pdf/pdf-appearance.c
+@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 	fz_device *dev = NULL;
+ 	font_info font_rec;
+ 	fz_text *text = NULL;
+-	fz_colorspace *cs = NULL;
+ 	fz_matrix page_ctm;
+ 
+ 	pdf_page_transform(ctx, annot->page, NULL, &page_ctm);
+@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 	fz_var(dlist);
+ 	fz_var(dev);
+ 	fz_var(text);
+-	fz_var(cs);
+ 	fz_try(ctx)
+ 	{
+ 		char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents));
+ 		char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA));
++		fz_colorspace *cs;
+ 		fz_point pos;
+ 		fz_rect rect;
+ 
+@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
+ 		fz_drop_display_list(ctx, dlist);
+ 		font_info_fin(ctx, &font_rec);
+ 		fz_drop_text(ctx, text);
+-		fz_drop_colorspace(ctx, cs);
+ 	}
+ 	fz_catch(ctx)
+ 	{
+@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
+ 	fz_device *dev = NULL;
+ 	font_info font_rec;
+ 	fz_text *text = NULL;
+-	fz_colorspace *cs = NULL;
+ 	fz_path *path = NULL;
+ 	fz_buffer *fzbuf = NULL;
+ 	fz_matrix page_ctm;
+@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
+ 	fz_var(dlist);
+ 	fz_var(dev);
+ 	fz_var(text);
+-	fz_var(cs);
+ 	fz_var(fzbuf);
+ 	fz_try(ctx)
+ 	{
+@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
+ 		fz_rect logo_bounds;
+ 		fz_matrix logo_tm;
+ 		fz_rect rect;
++		fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */
+ 
+ 		pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect);
+ 		rect = annot_rect;
+@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
+ 		fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds);
+ 		center_rect_within_rect(&logo_bounds, &rect, &logo_tm);
+ 		fz_concat(&logo_tm, &logo_tm, &page_ctm);
+-		cs = fz_device_rgb(ctx); /* Borrowed reference */
+ 		fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL);
+ 
+ 		get_font_info(ctx, doc, dr, da, &font_rec);
+-- 
+2.9.1
+

mupdf.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Feb 12 07:53:53 UTC 2018 - kbabioch@suse.com
+
+- Add CVE-2018-1000051.patch: Fix a Use After Free vulnerability in
+  fz_keep_key_storable that can potentially result in DoS / remote
+  code execution (CVE-2018-1000051 bsc#1080531)
+
 -------------------------------------------------------------------
 Tue Feb  6 14:36:54 UTC 2018 - meissner@suse.com
 

mupdf.spec

@@ -33,6 +33,7 @@ Patch3:         CVE-2017-17858.patch
 Patch4:         CVE-2018-6187.patch
 Patch5:         CVE-2018-6192.patch
 Patch6:         CVE-2018-6544.patch
+Patch7:         CVE-2018-1000051.patch
 BuildRequires:  freetype2-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
@@ -74,6 +75,7 @@ based on mupdf.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 # do not use the inlined copies of build dpendencies except for mujs
 rm -rf $(ls -d thirdparty/*/ | grep -v mujs)