From 539bd8944bc2a0a953b7d393ca29ef34e9dfb5235a49dad4e44f09ca44db1aef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Mon, 22 Jan 2018 12:19:50 +0000 Subject: [PATCH 1/4] Add missing changes OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=62 --- mupdf.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/mupdf.changes b/mupdf.changes index c9ea027..b2be24f 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -30,6 +30,7 @@ Sun Jan 14 03:11:32 UTC 2018 - avindra@opensuse.org - rebase fix-openjpeg-flags.patch - drop reproducible.patch * fixed upstream in 081d4c72430e3077a05499c783d9fbe24361b368 +- Fixes CVE-2017-15369 (bsc#1063413), CVE-2017-15587 (bsc#1064027) ------------------------------------------------------------------- Fri Nov 10 08:15:18 UTC 2017 - aloisio@gmx.com From c2a31ad6be87b5f2aea27d85cbc2c2b7ad2b05b8de32ac156001b26d3317f880 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Mon, 22 Jan 2018 12:24:25 +0000 Subject: [PATCH 2/4] - Add CVE-2018-5686.patch to fix an infinite loop CVE-2018-5686 bsc#1075936 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=63 --- CVE-2018-5686.patch | 42 ++++++++++++++++++++++++++++++++++++++++++ mupdf.changes | 6 ++++++ mupdf.spec | 2 ++ 3 files changed, 50 insertions(+) create mode 100644 CVE-2018-5686.patch diff --git a/CVE-2018-5686.patch b/CVE-2018-5686.patch new file mode 100644 index 0000000..e94b59a --- /dev/null +++ b/CVE-2018-5686.patch @@ -0,0 +1,42 @@ +X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=include%2Fmupdf%2Ffitz%2Fstream.h;h=790a0a83d3850facdceefb3c3e598fdb63d4e14d;hp=cd26be9039c064c8028fd6ca958044d133644e29;hb=b70eb93f6936c03d8af52040bbca4d4a7db39079;hpb=0d7359fbcd331ec0a22ec163dacff953f9817814 + +Index: mupdf-1.12.0-source/include/mupdf/fitz/stream.h +=================================================================== +--- mupdf-1.12.0-source.orig/include/mupdf/fitz/stream.h ++++ mupdf-1.12.0-source/include/mupdf/fitz/stream.h +@@ -335,10 +335,11 @@ static inline size_t fz_available(fz_con + + if (len) + return len; ++ if (stm->eof) ++ return 0; ++ + fz_try(ctx) +- { + c = stm->next(ctx, stm, max); +- } + fz_catch(ctx) + { + fz_rethrow_if(ctx, FZ_ERROR_TRYLATER); +@@ -369,10 +370,10 @@ static inline int fz_read_byte(fz_contex + + if (stm->rp != stm->wp) + return *stm->rp++; ++ if (stm->eof) ++ return EOF; + fz_try(ctx) +- { + c = stm->next(ctx, stm, 1); +- } + fz_catch(ctx) + { + fz_rethrow_if(ctx, FZ_ERROR_TRYLATER); +@@ -398,6 +399,8 @@ static inline int fz_peek_byte(fz_contex + + if (stm->rp != stm->wp) + return *stm->rp; ++ if (stm->eof) ++ return EOF; + + c = stm->next(ctx, stm, 1); + if (c != EOF) diff --git a/mupdf.changes b/mupdf.changes index b2be24f..0fc6742 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Jan 22 12:20:48 UTC 2018 - idonmez@suse.com + +- Add CVE-2018-5686.patch to fix an infinite loop + CVE-2018-5686 bsc#1075936 + ------------------------------------------------------------------- Sun Jan 14 03:11:32 UTC 2018 - avindra@opensuse.org diff --git a/mupdf.spec b/mupdf.spec index f462e66..79b7115 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -28,6 +28,7 @@ Source0: https://mupdf.com/downloads/mupdf-%{version}-source.tar.xz#/%{na Source1: mupdf.desktop Source2: mupdf.png Patch1: fix-openjpeg-flags.patch +Patch2: CVE-2018-5686.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -64,6 +65,7 @@ based on mupdf. %prep %setup -q -n %{name}-%{version}-source %patch1 -p1 +%patch2 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs) From 65c179307cb9e64112a4cb22b74ebb3d352307ff16a1f80a5d7f4c4c749da913 Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Tue, 23 Jan 2018 09:32:39 +0000 Subject: [PATCH 3/4] Accepting request 568499 from home:kbabioch:branches:Publishing - Add CVE-2018-17858.patch to fix an heap-based buffer overflow CVE-2018-17858 bsc#1077161 OBS-URL: https://build.opensuse.org/request/show/568499 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=64 --- CVE-2017-17858.patch | 98 ++++++++++++++++++++++++++++++++++++++++++++ mupdf.changes | 6 +++ mupdf.spec | 2 + 3 files changed, 106 insertions(+) create mode 100644 CVE-2017-17858.patch diff --git a/CVE-2017-17858.patch b/CVE-2017-17858.patch new file mode 100644 index 0000000..f208b42 --- /dev/null +++ b/CVE-2017-17858.patch @@ -0,0 +1,98 @@ +From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Mon, 11 Dec 2017 14:09:15 +0100 +Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below + limit. + +This ensures that: + * xref tables with objects pointers do not grow out of bounds. + * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf. +--- + include/mupdf/pdf/object.h | 3 +++ + source/pdf/pdf-repair.c | 5 +---- + source/pdf/pdf-xref.c | 21 ++++++++++++--------- + 3 files changed, 16 insertions(+), 13 deletions(-) + +Index: mupdf-1.12.0-source/include/mupdf/pdf/object.h +=================================================================== +--- mupdf-1.12.0-source.orig/include/mupdf/pdf/object.h ++++ mupdf-1.12.0-source/include/mupdf/pdf/object.h +@@ -3,6 +3,9 @@ + + typedef struct pdf_document_s pdf_document; + ++/* Defined in PDF 1.7 according to Acrobat limit. */ ++#define PDF_MAX_OBJECT_NUMBER 8388607 ++ + /* + * Dynamic objects. + * The same type of objects as found in PDF and PostScript. +Index: mupdf-1.12.0-source/source/pdf/pdf-repair.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-repair.c ++++ mupdf-1.12.0-source/source/pdf/pdf-repair.c +@@ -6,9 +6,6 @@ + + /* Scan file for objects and reconstruct xref table */ + +-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */ +-#define MAX_OBJECT_NUMBER (10 << 20) +- + struct entry + { + int num; +@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_doc + break; + } + +- if (num <= 0 || num > MAX_OBJECT_NUMBER) ++ if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER) + { + fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen); + goto have_next_token; +Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c +=================================================================== +--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c ++++ mupdf-1.12.0-source/source/pdf/pdf-xref.c +@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_d + fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR); + } + +- if (ofs < 0) +- fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs); +- if (ofs > INT64_MAX - len) +- fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big"); +- ++ if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER ++ || len < 0 || len > PDF_MAX_OBJECT_NUMBER ++ || ofs + len - 1 > PDF_MAX_OBJECT_NUMBER) ++ { ++ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range"); ++ } + /* broken pdfs where size in trailer undershoots entries in xref sections */ + if (ofs + len > xref_len) + { +@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ct + pdf_xref_entry *table; + int i, n; + +- if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1) +- fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index"); +- //if (i0 + i1 > pdf_xref_len(ctx, doc)) +- // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries"); ++ if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range"); + + table = pdf_xref_find_subsection(ctx, doc, i0, i1); + for (i = i0; i < i0 + i1; i++) +@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_d + /* TODO: reuse free object slots by properly linking free object chains in the ofs field */ + pdf_xref_entry *entry; + int num = pdf_xref_len(ctx, doc); ++ ++ if (num > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf"); ++ + entry = pdf_get_incremental_xref_entry(ctx, doc, num); + entry->type = 'f'; + entry->ofs = -1; diff --git a/mupdf.changes b/mupdf.changes index 0fc6742..ffc6237 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Jan 23 09:12:22 UTC 2018 - kbabioch@suse.com + +- Add CVE-2018-17858.patch to fix an heap-based buffer overflow + CVE-2018-17858 bsc#1077161 + ------------------------------------------------------------------- Mon Jan 22 12:20:48 UTC 2018 - idonmez@suse.com diff --git a/mupdf.spec b/mupdf.spec index 79b7115..b56c092 100644 --- a/mupdf.spec +++ b/mupdf.spec @@ -29,6 +29,7 @@ Source1: mupdf.desktop Source2: mupdf.png Patch1: fix-openjpeg-flags.patch Patch2: CVE-2018-5686.patch +Patch3: CVE-2017-17858.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel @@ -66,6 +67,7 @@ based on mupdf. %setup -q -n %{name}-%{version}-source %patch1 -p1 %patch2 -p1 +%patch3 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs) From eefddd2a1e7fdf9ad3a26c935403b61071fc41f431ee50847f0bfef856dc0c22 Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Tue, 23 Jan 2018 10:10:43 +0000 Subject: [PATCH 4/4] Accepting request 568512 from home:kbabioch:branches:Publishing Fixed CVE number (typo beforehand) OBS-URL: https://build.opensuse.org/request/show/568512 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=65 --- mupdf.changes | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mupdf.changes b/mupdf.changes index ffc6237..f1dc2fc 100644 --- a/mupdf.changes +++ b/mupdf.changes @@ -1,8 +1,8 @@ ------------------------------------------------------------------- Tue Jan 23 09:12:22 UTC 2018 - kbabioch@suse.com -- Add CVE-2018-17858.patch to fix an heap-based buffer overflow - CVE-2018-17858 bsc#1077161 +- Add CVE-2017-17858.patch to fix an heap-based buffer overflow + CVE-2017-17858 bsc#1077161 ------------------------------------------------------------------- Mon Jan 22 12:20:48 UTC 2018 - idonmez@suse.com