rpm/mupdf
SHA256
1
0
Fork 0
forked from pool/mupdf
Code Pull Requests Activity

Accepting request 575490 from home:kbabioch:branches:Publishing

Browse Source 
- Add CVE-2018-1000051.patch: Fix a Use After Free vulnerability in
  fz_keep_key_storable that can potentially result in DoS / remote
  code execution (CVE-2018-1000051 bsc#1080531)

OBS-URL: https://build.opensuse.org/request/show/575490
OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=73
This commit is contained in:
Martin Pluskal 2018-02-12 08:07:18 +00:00 committed by Git OBS Bridge
parent ddd842c3fa
commit 9409e1cfe2
3 changed files with 88 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
CVE-2018-1000051.patch Normal file
View File

@ -0,0 +1,79 @@
From 321ba1de287016b0036bf4a56ce774ad11763384 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Tue, 19 Dec 2017 23:47:47 +0100
Subject: [PATCH] Bug 698825: Do not drop borrowed colorspaces.
Previously the borrowed colorspace was dropped when updating annotation
appearances, leading to use after free warnings from valgrind/ASAN.
---
source/pdf/pdf-appearance.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
index 70f684f..d7a1ddd 100644
--- a/source/pdf/pdf-appearance.c
+++ b/source/pdf/pdf-appearance.c
@@ -2170,7 +2170,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_device *dev = NULL;
font_info font_rec;
fz_text *text = NULL;
- fz_colorspace *cs = NULL;
fz_matrix page_ctm;
pdf_page_transform(ctx, annot->page, NULL, &page_ctm);
@@ -2184,11 +2183,11 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_var(dlist);
fz_var(dev);
fz_var(text);
- fz_var(cs);
fz_try(ctx)
{
char *contents = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_Contents));
char *da = pdf_to_str_buf(ctx, pdf_dict_get(ctx, obj, PDF_NAME_DA));
+ fz_colorspace *cs;
fz_point pos;
fz_rect rect;
@@ -2223,7 +2222,6 @@ void pdf_update_free_text_annot_appearance(fz_context *ctx, pdf_document *doc, p
fz_drop_display_list(ctx, dlist);
font_info_fin(ctx, &font_rec);
fz_drop_text(ctx, text);
- fz_drop_colorspace(ctx, cs);
}
fz_catch(ctx)
{
@@ -2359,7 +2357,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_device *dev = NULL;
font_info font_rec;
fz_text *text = NULL;
- fz_colorspace *cs = NULL;
fz_path *path = NULL;
fz_buffer *fzbuf = NULL;
fz_matrix page_ctm;
@@ -2375,7 +2372,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_var(dlist);
fz_var(dev);
fz_var(text);
- fz_var(cs);
fz_var(fzbuf);
fz_try(ctx)
{
@@ -2384,6 +2380,7 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_rect logo_bounds;
fz_matrix logo_tm;
fz_rect rect;
+ fz_colorspace *cs = fz_device_rgb(ctx); /* Borrowed reference */
pdf_to_rect(ctx, pdf_dict_get(ctx, annot->obj, PDF_NAME_Rect), &annot_rect);
rect = annot_rect;
@@ -2396,7 +2393,6 @@ void pdf_set_signature_appearance(fz_context *ctx, pdf_document *doc, pdf_annot
fz_bound_path(ctx, path, NULL, &fz_identity, &logo_bounds);
center_rect_within_rect(&logo_bounds, &rect, &logo_tm);
fz_concat(&logo_tm, &logo_tm, &page_ctm);
- cs = fz_device_rgb(ctx); /* Borrowed reference */
fz_fill_path(ctx, dev, path, 0, &logo_tm, cs, logo_color, 1.0f, NULL);
get_font_info(ctx, doc, dr, da, &font_rec);
--
2.9.1

7
mupdf.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Feb 12 07:53:53 UTC 2018 - kbabioch@suse.com
- Add CVE-2018-1000051.patch: Fix a Use After Free vulnerability in
fz_keep_key_storable that can potentially result in DoS / remote
code execution (CVE-2018-1000051 bsc#1080531)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 6 14:36:54 UTC 2018 - meissner@suse.com Tue Feb 6 14:36:54 UTC 2018 - meissner@suse.com

2
mupdf.spec
View File

@ -33,6 +33,7 @@ Patch3: CVE-2017-17858.patch
Patch4: CVE-2018-6187.patch Patch4: CVE-2018-6187.patch
Patch5: CVE-2018-6192.patch Patch5: CVE-2018-6192.patch
Patch6: CVE-2018-6544.patch Patch6: CVE-2018-6544.patch
Patch7: CVE-2018-1000051.patch
BuildRequires: freetype2-devel BuildRequires: freetype2-devel
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: jbig2dec-devel BuildRequires: jbig2dec-devel
@ -74,6 +75,7 @@ based on mupdf.
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
# do not use the inlined copies of build dpendencies except for mujs # do not use the inlined copies of build dpendencies except for mujs
rm -rf $(ls -d thirdparty/*/ | grep -v mujs) rm -rf $(ls -d thirdparty/*/ | grep -v mujs)