diff --git a/CVE-2018-1000051.patch b/CVE-2018-1000051.patch new file mode 100644 index 0000000..54bd278 --- /dev/null +++ b/CVE-2018-1000051.patch @@ -0,0 +1,79 @@ +From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Tue, 19 Dec 2017 23:47:47 +0100 +Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces. + +Previously the borrowed colorspace was dropped when updating annotation +appearances, leading to use after free warnings from valgrind/ASAN. +--- + source/pdf/pdf-appearance.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c +index 70f684f..d7a1ddd 100644 +--- a/source/pdf/pdf-appearance.c ++++ b/source/pdf/pdf-appearance.c +@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p + fz_device *dev = NULL; + font_info font_rec; + fz_text *text = NULL; +- fz_colorspace *cs = NULL; + fz_matrix page_ctm; + + pdf_page_transform(ctx, annot->page, NULL, &page_ctm); +@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p + fz_var(dlist); + fz_var(dev); + fz_var(text); +- fz_var(cs); + fz_try(ctx) + { + char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents)); + char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA)); ++ fz_colorspace *cs; + fz_point pos; + fz_rect rect; + +@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p + fz_drop_display_list(ctx, dlist); + font_info_fin(ctx, &font_rec); + fz_drop_text(ctx, text); +- fz_drop_colorspace(ctx, cs); + } + fz_catch(ctx) + { +@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot + fz_device *dev = NULL; + font_info font_rec; + fz_text *text = NULL; +- fz_colorspace *cs = NULL; + fz_path *path = NULL; + fz_buffer *fzbuf = NULL; + fz_matrix page_ctm; +@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot + fz_var(dlist); + fz_var(dev); + fz_var(text); +- fz_var(cs); + fz_var(fzbuf); + fz_try(ctx) + { +@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot + fz_rect logo_bounds; + fz_matrix logo_tm; + fz_rect rect; ++ fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */ + + pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect); + rect = annot_rect; +@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot + fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds); + center_rect_within_rect(&logo_bounds, &rect, &logo_tm); + fz_concat(&logo_tm, &logo_tm, &page_ctm); +- cs = fz_device_rgb(ctx); /* Borrowed reference */ + fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL); + + get_font_info(ctx, doc, dr, da, &font_rec); +-- +2.9.1 + diff --git a/mupdf.changes b/mupdf.changes index 030a520..13e81c5 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Feb 12 07:53:53 UTC 2018 - kbabioch@suse.com + +- Add CVE-2018-1000051.patch: Fix a Use After Free vulnerability in + fz_keep_key_storable that can potentially result in DoS / remote + code execution (CVE-2018-1000051 bsc#1080531) + ------------------------------------------------------------------- Tue Feb 6 14:36:54 UTC 2018 - meissner@suse.com diff --git a/mupdf.spec b/mupdf.spec index 2c19abd..b37568d 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -33,6 +33,7 @@ Patch3: CVE-2017-17858.patch Patch4: CVE-2018-6187.patch Patch5: CVE-2018-6192.patch Patch6: CVE-2018-6544.patch +Patch7: CVE-2018-1000051.patch BuildRequires: freetype2-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -74,6 +75,7 @@ based on mupdf. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs)