From 0f2117f19de425a5fd0b121c5e29cbcc475d28e0c03f08d4efbcee316071a3fa Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Fri, 2 Feb 2018 15:44:48 +0000 Subject: [PATCH] Accepting request 572053 from home:kbabioch:branches:Publishing - Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in pdf/pdf-xref.c (CVE-2018-6544 boo#1079100) - Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755) OBS-URL: https://build.opensuse.org/request/show/572053 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=68 --- CVE-2018-6192.patch | 91 +++++++++++++++++++++++++++++++++++++++++++++ CVE-2018-6544.patch | 53 ++++++++++++++++++++++++++ mupdf.changes | 9 +++++ mupdf.spec | 4 ++ 4 files changed, 157 insertions(+) create mode 100644 CVE-2018-6192.patch create mode 100644 CVE-2018-6544.patch diff --git a/CVE-2018-6192.patch b/CVE-2018-6192.patch new file mode 100644 index 0000000..d79fb58 --- /dev/null +++ b/CVE-2018-6192.patch @@ -0,0 +1,91 @@ +Index: mupdf-1.12.0-source/source/pdf/pdf-lex.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-lex.c ++++ mupdf-1.12.0-source/source/pdf/pdf-lex.c +@@ -151,12 +151,21 @@ lex_number(fz_context *ctx, fz_stream *f + char *e = buf->scratch + buf->size - 1; /* leave space for zero terminator */ + char *isreal = (c == '.' ? s : NULL); + int neg = (c == '-'); ++ int isbad = 0; + + *s++ = c; + ++ c = fz_read_byte(ctx, f); ++ ++ /* skip extra '-' signs at start of number */ ++ if (neg) ++ { ++ while (c == '-') ++ c = fz_read_byte(ctx, f); ++ } ++ + while (s < e) + { +- c = fz_read_byte(ctx, f); + switch (c) + { + case IS_WHITE: +@@ -165,21 +174,27 @@ lex_number(fz_context *ctx, fz_stream *f + goto end; + case EOF: + goto end; +- case '-': +- neg++; +- *s++ = c; +- break; + case '.': ++ if (isreal) ++ isbad = 1; + isreal = s; +- /* Fall through */ ++ *s++ = c; ++ break; ++ case RANGE_0_9: ++ *s++ = c; ++ break; + default: ++ isbad = 1; + *s++ = c; + break; + } ++ c = fz_read_byte(ctx, f); + } + + end: + *s = '\0'; ++ if (isbad) ++ return PDF_TOK_ERROR; + if (isreal) + { + /* We'd like to use the fastest possible atof + +Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c ++++ mupdf-1.12.0-source/source/pdf/pdf-parse.c +@@ -457,7 +457,8 @@ pdf_parse_array(fz_context *ctx, pdf_doc + break; + + default: +- fz_throw(ctx, FZ_ERROR_SYNTAX, "cannot parse token in array"); ++ pdf_array_push_drop(ctx, ary, pdf_new_null(ctx, doc)); ++ break; + } + } + end: +@@ -547,10 +548,13 @@ pdf_parse_dict(fz_context *ctx, pdf_docu + break; + } + } +- fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid indirect reference in dict"); ++ fz_warn(ctx, "invalid indirect reference in dict"); ++ val = pdf_new_null(ctx, doc); ++ break; + + default: +- fz_throw(ctx, FZ_ERROR_SYNTAX, "unknown token in dict"); ++ val = pdf_new_null(ctx, doc); ++ break; + } + + pdf_dict_put(ctx, dict, key, val); diff --git a/CVE-2018-6544.patch b/CVE-2018-6544.patch new file mode 100644 index 0000000..ff81e36 --- /dev/null +++ b/CVE-2018-6544.patch @@ -0,0 +1,53 @@ +Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c ++++ mupdf-1.12.0-source/source/pdf/pdf-stream.c +@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_ + *orig_gen = 0; + } + +- fz_var(chain); ++ chain = fz_keep_stream(ctx, chain); + + fz_try(ctx) + { + len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length)); + +- /* don't close chain when we close this filter */ +- chain2 = fz_keep_stream(ctx, chain); ++ chain2 = chain; + chain = NULL; + chain = fz_open_null(ctx, chain2, len, offset); + +Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c ++++ mupdf-1.12.0-source/source/pdf/pdf-xref.c +@@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do + { + objstm = pdf_load_object(ctx, doc, num); + ++ if (pdf_obj_marked(ctx, objstm)) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup"); ++ } ++ fz_catch(ctx) ++ { ++ pdf_drop_obj(ctx, objstm); ++ fz_rethrow(ctx); ++ } ++ ++ fz_try(ctx) ++ { ++ pdf_mark_obj(ctx, objstm); ++ + count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N)); + first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First)); + +@@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do + fz_drop_stream(ctx, stm); + fz_free(ctx, ofsbuf); + fz_free(ctx, numbuf); ++ pdf_unmark_obj(ctx, objstm); + pdf_drop_obj(ctx, objstm); + } + fz_catch(ctx) diff --git a/mupdf.changes b/mupdf.changes index d72d751..6804e75 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Feb 2 14:58:40 UTC 2018 - kbabioch@suse.com + +- Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in + pdf/pdf-xref.c (CVE-2018-6544 boo#1079100) + +- Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within + pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755) + ------------------------------------------------------------------- Fri Feb 2 07:52:06 UTC 2018 - kbabioch@suse.com diff --git a/mupdf.spec b/mupdf.spec index da76292..8ea5fc4 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -31,6 +31,8 @@ Patch1: fix-openjpeg-flags.patch Patch2: CVE-2018-5686.patch Patch3: CVE-2017-17858.patch Patch4: CVE-2018-6187.patch +Patch5: CVE-2018-6192.patch +Patch6: CVE-2018-6544.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -70,6 +72,8 @@ based on mupdf. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs)