Accepting request 572218 from Publishing

OBS-URL: https://build.opensuse.org/request/show/572218 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mupdf?expand=0&rev=32
2018-02-05 09:49:21 +00:00 · 2018-02-05 09:49:21 +00:00 · 7c4b881d64
commit 7c4b881d64
parent f28b01a0d8 a32e43e4ea
5 changed files with 181 additions and 0 deletions
--- a/CVE-2018-6187.patch
+++ b/CVE-2018-6187.patch
@ -0,0 +1,63 @@
 X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-write.c;h=bc67f003025516c04991758ea648f79d00926742;hp=a7326a173a09df3fd4e3adbf3e1842081b6dfea4;hb=3e30fbb7bf5efd88df431e366492356e7eb969ec;hpb=b03def134988da8c800adac1a38a41a1f09a1d89
 Index: mupdf-1.12.0-source/source/pdf/pdf-write.c
 ===================================================================
 --- mupdf-1.12.0-source.orig/source/pdf/pdf-write.c
 +++ mupdf-1.12.0-source/source/pdf/pdf-write.c
@@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_
 {
 	int i;
 -	num++;
 +	/* objects are numbered 0..num and maybe two additional objects for linearization */
 +	num += 3;
 	opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list));
 	opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list));
 	opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list));
@@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *c
 {
 	pdf_obj *obj;
 	int num;
 -	int xref_len = pdf_xref_len(ctx, doc);
 -	for (num = 0; num < xref_len; num++)
 +	/* xref_len may change due to repair, so check it every iteration */
 +	for (num = 0; num < pdf_xref_len(ctx, doc); num++)
 	{
 		if (pdf_get_xref_entry(ctx, doc, num)->type == 'o')
 		{
@@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_co
 	opts->continue_on_error = in_opts->continue_on_error;
 	opts->errors = in_opts->errors;
 -	expand_lists(ctx, opts, xref_len + 3);
 +	expand_lists(ctx, opts, xref_len);
 }
 /* Free the resources held by the dynamic write options */
@@ -2889,6 +2890,9 @@ do_pdf_save_document(fz_context *ctx, pd
 		{
 			pdf_ensure_solid_xref(ctx, doc, xref_len);
 			preloadobjstms(ctx, doc);
 +
 +			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
 +			expand_lists(ctx, opts, xref_len);
 		}
 		/* Sweep & mark objects from the trailer */
@@ -2897,6 +2901,7 @@ do_pdf_save_document(fz_context *ctx, pd
 		else
 		{
 			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
 +			expand_lists(ctx, opts, xref_len);
 			for (num = 0; num < xref_len; num++)
 				opts->use_list[num] = 1;
 		}
@@ -2917,6 +2922,7 @@ do_pdf_save_document(fz_context *ctx, pd
 		if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental)
 		{
 			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
 +			expand_lists(ctx, opts, xref_len);
 			while (xref_len > 0 && !opts->use_list[xref_len-1])
 				xref_len--;
 		}
--- a/CVE-2018-6192.patch
+++ b/CVE-2018-6192.patch
@ -0,0 +1,38 @@
 From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001
 From: Sebastian Rasmussen <sebras@gmail.com>
 Date: Tue, 30 Jan 2018 02:05:57 +0100
 Subject: [PATCH] Bug 698916: Indirect object numbers must be in range.
 ---
 source/pdf/pdf-parse.c | 2 ++
 source/pdf/pdf-xref.c  | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c
 ===================================================================
 --- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c
 +++ mupdf-1.12.0-source/source/pdf/pdf-parse.c
@@ -616,6 +616,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_d
 		fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number");
 	}
 	num = buf->i;
 +	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
 +		fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range");
 	tok = pdf_lex(ctx, file, buf);
 	if (tok != PDF_TOK_INT)
 Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
 ===================================================================
 --- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
 +++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
@@ -234,8 +234,8 @@ pdf_xref_entry *pdf_get_populating_xref_
 	}
 	/* Prevent accidental heap underflow */
 -	if (num < 0)
 -		fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num);
 +	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
 +		fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num);
 	/* Return the pointer to the entry in the last section. */
 	xref = &doc->xref_sections[doc->num_xref_sections-1];
--- a/CVE-2018-6544.patch
+++ b/CVE-2018-6544.patch
@ -0,0 +1,53 @@
 Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c
 ===================================================================
 --- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c
 +++ mupdf-1.12.0-source/source/pdf/pdf-stream.c
@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_
 		*orig_gen = 0;
 	}
 -	fz_var(chain);
 +	chain = fz_keep_stream(ctx, chain);
 	fz_try(ctx)
 	{
 		len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
 -		/* don't close chain when we close this filter */
 -		chain2 = fz_keep_stream(ctx, chain);
 +		chain2 = chain;
 		chain = NULL;
 		chain = fz_open_null(ctx, chain2, len, offset);
 Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
 ===================================================================
 --- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
 +++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
@@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
 	{
 		objstm = pdf_load_object(ctx, doc, num);
 +		if (pdf_obj_marked(ctx, objstm))
 +			fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
 +	}
 +	fz_catch(ctx)
 +	{
 +		pdf_drop_obj(ctx, objstm);
 +		fz_rethrow(ctx);
 +	}
 +
 +	fz_try(ctx)
 +	{
 +		pdf_mark_obj(ctx, objstm);
 +
 		count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
 		first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
@@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
 		fz_drop_stream(ctx, stm);
 		fz_free(ctx, ofsbuf);
 		fz_free(ctx, numbuf);
 +		pdf_unmark_obj(ctx, objstm);
 		pdf_drop_obj(ctx, objstm);
 	}
 	fz_catch(ctx)
--- a/mupdf.changes
+++ b/mupdf.changes
@ -1,3 +1,24 @@
 -------------------------------------------------------------------
 Fri Feb  2 20:48:34 UTC 2018 - kbabioch@suse.com
 - CVE-2018-6192.patch: Use official fix from usptream (CVE-2018-6192
  boo#1077755)
 -------------------------------------------------------------------
 Fri Feb  2 14:58:40 UTC 2018 - kbabioch@suse.com
 - Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in
  pdf/pdf-xref.c (CVE-2018-6544 boo#1079100)
 - Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within
  pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755)
 -------------------------------------------------------------------
 Fri Feb  2 07:52:06 UTC 2018 - kbabioch@suse.com
 - Add CVE-2018-6187.patch to fix a heap buffer overflow in in pdf-write.c
  in the do_pdf_save_document function (CVE-2018-6187 boo#1077407)
 -------------------------------------------------------------------
 Tue Jan 23 09:12:22 UTC 2018 - kbabioch@suse.com
--- a/mupdf.spec
+++ b/mupdf.spec
@ -30,6 +30,9 @@ Source2:        mupdf.png
 Patch1:         fix-openjpeg-flags.patch
 Patch2:         CVE-2018-5686.patch
 Patch3:         CVE-2017-17858.patch
 Patch4:         CVE-2018-6187.patch
 Patch5:         CVE-2018-6192.patch
 Patch6:         CVE-2018-6544.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
@ -68,6 +71,9 @@ based on mupdf.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 # do not use the inlined copies of build dpendencies except for mujs
 rm -rf $(ls -d thirdparty/*/ | grep -v mujs)