Accepting request 569433 from Publishing

- Add CVE-2017-17858.patch to fix an heap-based buffer overflow CVE-2017-17858 bsc#1077161 - Add CVE-2018-5686.patch to fix an infinite loop CVE-2018-5686 bsc#1075936 - Fixes CVE-2017-15369 (bsc#1063413), CVE-2017-15587 (bsc#1064027) OBS-URL: https://build.opensuse.org/request/show/569433 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mupdf?expand=0&rev=31
2018-01-26 12:35:17 +00:00 · 2018-01-26 12:35:17 +00:00 · f28b01a0d8
commit f28b01a0d8
parent 2460b4f9f7 eefddd2a1e
4 changed files with 157 additions and 0 deletions
--- a/CVE-2017-17858.patch
+++ b/CVE-2017-17858.patch
@ -0,0 +1,98 @@
+From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 11 Dec 2017 14:09:15 +0100
+Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
+ limit.
+
+This ensures that:
+ * xref tables with objects pointers do not grow out of bounds.
+ * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
+---
+ include/mupdf/pdf/object.h |  3 +++
+ source/pdf/pdf-repair.c    |  5 +----
+ source/pdf/pdf-xref.c      | 21 ++++++++++++---------
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+Index: mupdf-1.12.0-source/include/mupdf/pdf/object.h
+===================================================================
+--- mupdf-1.12.0-source.orig/include/mupdf/pdf/object.h
+++ mupdf-1.12.0-source/include/mupdf/pdf/object.h
+@@ -3,6 +3,9 @@
+ 
+ typedef struct pdf_document_s pdf_document;
+ 
+/* Defined in PDF 1.7 according to Acrobat limit. */
+#define PDF_MAX_OBJECT_NUMBER 8388607
+
+ /*
+  * Dynamic objects.
+  * The same type of objects as found in PDF and PostScript.
+Index: mupdf-1.12.0-source/source/pdf/pdf-repair.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-repair.c
+++ mupdf-1.12.0-source/source/pdf/pdf-repair.c
+@@ -6,9 +6,6 @@
+ 
+ /* Scan file for objects and reconstruct xref table */
+ 
+-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+-#define MAX_OBJECT_NUMBER (10 << 20)
+-
+ struct entry
+ {
+ 	int num;
+@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_doc
+ 					break;
+ 				}
+ 
+-				if (num <= 0 || num > MAX_OBJECT_NUMBER)
+				if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
+ 				{
+ 					fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ 					goto have_next_token;
+Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
+===================================================================
+--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
+++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
+@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_d
+ 			fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
+ 		}
+ 
+-		if (ofs < 0)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
+-		if (ofs > INT64_MAX - len)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
+-
+		if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
+				|| len < 0 || len > PDF_MAX_OBJECT_NUMBER
+				|| ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
+		{
+			fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+		}
+ 		/* broken pdfs where size in trailer undershoots entries in xref sections */
+ 		if (ofs + len > xref_len)
+ 		{
+@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ct
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
+-		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+-	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+-	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
+	if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
+		fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ 
+ 	table = pdf_xref_find_subsection(ctx, doc, i0, i1);
+ 	for (i = i0; i < i0 + i1; i++)
+@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_d
+ 	/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
+ 	pdf_xref_entry *entry;
+ 	int num = pdf_xref_len(ctx, doc);
+
+	if (num > PDF_MAX_OBJECT_NUMBER)
+		fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
+
+ 	entry = pdf_get_incremental_xref_entry(ctx, doc, num);
+ 	entry->type = 'f';
+ 	entry->ofs = -1;
--- a/CVE-2018-5686.patch
+++ b/CVE-2018-5686.patch
@ -0,0 +1,42 @@
+X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=include%2Fmupdf%2Ffitz%2Fstream.h;h=790a0a83d3850facdceefb3c3e598fdb63d4e14d;hp=cd26be9039c064c8028fd6ca958044d133644e29;hb=b70eb93f6936c03d8af52040bbca4d4a7db39079;hpb=0d7359fbcd331ec0a22ec163dacff953f9817814
+
+Index: mupdf-1.12.0-source/include/mupdf/fitz/stream.h
+===================================================================
+--- mupdf-1.12.0-source.orig/include/mupdf/fitz/stream.h
+++ mupdf-1.12.0-source/include/mupdf/fitz/stream.h
+@@ -335,10 +335,11 @@ static inline size_t fz_available(fz_con
+ 
+ 	if (len)
+ 		return len;
+	if (stm->eof)
+		return 0;
+
+ 	fz_try(ctx)
+-	{
+ 		c = stm->next(ctx, stm, max);
+-	}
+ 	fz_catch(ctx)
+ 	{
+ 		fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
+@@ -369,10 +370,10 @@ static inline int fz_read_byte(fz_contex
+ 
+ 	if (stm->rp != stm->wp)
+ 		return *stm->rp++;
+	if (stm->eof)
+		return EOF;
+ 	fz_try(ctx)
+-	{
+ 		c = stm->next(ctx, stm, 1);
+-	}
+ 	fz_catch(ctx)
+ 	{
+ 		fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
+@@ -398,6 +399,8 @@ static inline int fz_peek_byte(fz_contex
+ 
+ 	if (stm->rp != stm->wp)
+ 		return *stm->rp;
+	if (stm->eof)
+		return EOF;
+ 
+ 	c = stm->next(ctx, stm, 1);
+ 	if (c != EOF)
--- a/mupdf.changes
+++ b/mupdf.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Jan 23 09:12:22 UTC 2018 - kbabioch@suse.com
+
+- Add CVE-2017-17858.patch to fix an heap-based buffer overflow
+  CVE-2017-17858 bsc#1077161 
+
+-------------------------------------------------------------------
+Mon Jan 22 12:20:48 UTC 2018 - idonmez@suse.com
+
+- Add CVE-2018-5686.patch to fix an infinite loop
+  CVE-2018-5686 bsc#1075936
+
 -------------------------------------------------------------------
 Sun Jan 14 03:11:32 UTC 2018 - avindra@opensuse.org

@ -30,6 +42,7 @@ Sun Jan 14 03:11:32 UTC 2018 - avindra@opensuse.org
 - rebase fix-openjpeg-flags.patch
 - drop reproducible.patch
  * fixed upstream in 081d4c72430e3077a05499c783d9fbe24361b368
+- Fixes CVE-2017-15369 (bsc#1063413), CVE-2017-15587 (bsc#1064027)

 -------------------------------------------------------------------
 Fri Nov 10 08:15:18 UTC 2017 - aloisio@gmx.com
--- a/mupdf.spec
+++ b/mupdf.spec
@ -28,6 +28,8 @@ Source0:        https://mupdf.com/downloads/mupdf-%{version}-source.tar.xz#/%{na
 Source1:        mupdf.desktop
 Source2:        mupdf.png
 Patch1:         fix-openjpeg-flags.patch
+Patch2:         CVE-2018-5686.patch
+Patch3:         CVE-2017-17858.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
@ -64,6 +66,8 @@ based on mupdf.
 %prep
 %setup -q -n %{name}-%{version}-source
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1

 # do not use the inlined copies of build dpendencies except for mujs
 rm -rf $(ls -d thirdparty/*/ | grep -v mujs)