[arch-commits] Commit in mupdf/trunk (3 files)

Levente Polyak anthraxx at archlinux.org
Tue Jan 30 01:59:36 UTC 2018


    Date: Tuesday, January 30, 2018 @ 01:59:35
  Author: anthraxx
Revision: 287906

upgpkg: mupdf 1.12.0-2 (security update)

- CVE-2017-17858
- security roundup from upstream

Added:
  mupdf/trunk/mupdf-1.12.0-security-roundup.patch
  mupdf/trunk/mupdf-CVE-2017-17858.patch
Modified:
  mupdf/trunk/PKGBUILD

-------------------------------------+
 PKGBUILD                            |   10 ++
 mupdf-1.12.0-security-roundup.patch |  131 ++++++++++++++++++++++++++++++++++
 mupdf-CVE-2017-17858.patch          |  101 ++++++++++++++++++++++++++
 3 files changed, 241 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2018-01-30 01:04:59 UTC (rev 287905)
+++ PKGBUILD	2018-01-30 01:59:35 UTC (rev 287906)
@@ -9,7 +9,7 @@
 pkgbase=mupdf
 pkgname=(libmupdf mupdf mupdf-gl mupdf-tools)
 pkgver=1.12.0
-pkgrel=1
+pkgrel=2
 _openjpeg_version=2.3
 pkgdesc='Lightweight PDF and XPS viewer'
 arch=('x86_64')
@@ -21,10 +21,14 @@
 options=('staticlibs')
 source=("https://mupdf.com/downloads/mupdf-${pkgver/_/}-source.tar.xz"
         '0001-mupdf-openjpeg.patch'
+        "mupdf-1.12.0-security-roundup.patch"
+        "mupdf-CVE-2017-17858.patch"
         'mupdf.desktop'
         'mupdf.xpm')
 sha256sums=('577b3820c6b23d319be91e0e06080263598aa0662d9a7c50af500eb6f003322d'
             'e4be458dabc577e687c3abfa1ae03bd62e8727cfa24f25b8eb23384263486605'
+            '04d0b69d2af9839e3bbaf89af05fadc635312dd4a7f536e087450dc13d3aa180'
+            '61e5528761a1be9361ccbda07faa669070cca8e8ad7320fa82eaa9fd72eb4b01'
             'ccff66979249bd4ab4ba8918660f194eb90eb0ae231b16e36a6cecdcf471883f'
             'a435f44425f5432c074dee745d8fbaeb879038ec1f1ec64f037c74662f09aca8')
 
@@ -31,6 +35,10 @@
 prepare() {
   cd $pkgbase-${pkgver/_/}-source
 
+  # security fixes
+  patch -Np1 < ../mupdf-1.12.0-security-roundup.patch
+  patch -Np1 < ../mupdf-CVE-2017-17858.patch
+
   # remove bundled packages, we want our system libraries
   rm -rf thirdparty/{curl,freeglut,freetype,harfbuzz,jbig2dec,libjpeg,openjpeg,zlib}
 

Added: mupdf-1.12.0-security-roundup.patch
===================================================================
--- mupdf-1.12.0-security-roundup.patch	                        (rev 0)
+++ mupdf-1.12.0-security-roundup.patch	2018-01-30 01:59:35 UTC (rev 287906)
@@ -0,0 +1,131 @@
+From 22339500c243e564eadf564b5ae2925e1caf44a9 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras at gmail.com>
+Date: Sun, 21 Jan 2018 21:08:07 +0100
+Subject: [PATCH] Bug 698889: Handle unterminated PDF arrays gracefully.
+
+Thanks to oss-fuzz for reporting this.
+---
+ source/pdf/pdf-parse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+From 2a1611030030e18010a0ab1d69eda0359eb5f585 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras at gmail.com>
+Date: Wed, 13 Dec 2017 21:14:19 +0100
+Subject: [PATCH] Validate that /Size in trailer is in range.
+
+---
+ source/pdf/pdf-xref.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+From 5722ebc5823381ee57c525cbc0d4dc627009979d Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson at artifex.com>
+Date: Fri, 1 Dec 2017 16:25:39 +0100
+Subject: [PATCH] Fix 698787: avoid using "system()" to copy files.
+
+---
+ platform/x11/x11_main.c | 35 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+From d9bc8c6f7fb2e3ec7035bebaaee0edcf59287705 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras at gmail.com>
+Date: Mon, 22 Jan 2018 17:56:20 +0100
+Subject: [PATCH] Bug 698885: When parsing PDF version, make sure to initialize
+ buffer.
+
+Thanks to oss-fuzz for reporting this.
+---
+ source/pdf/pdf-xref.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index ff741dc..7904ebd 100644
+--- a/source/pdf/pdf-parse.c
++++ b/source/pdf/pdf-parse.c
+@@ -401,6 +401,9 @@ pdf_parse_array(fz_context *ctx, pdf_document *doc, fz_stream *file, pdf_lexbuf
+ 
+ 			switch (tok)
+ 			{
++			case PDF_TOK_EOF:
++				fz_throw(ctx, FZ_ERROR_SYNTAX, "array not closed before end of file");
++
+ 			case PDF_TOK_CLOSE_ARRAY:
+ 				op = ary;
+ 				goto end;
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index f2ba5a5..392adf3 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -748,8 +748,8 @@ pdf_xref_size_from_old_trailer(fz_context *ctx, pdf_document *doc, pdf_lexbuf *b
+ 		trailer = pdf_parse_dict(ctx, doc, doc->file, buf);
+ 
+ 		size = pdf_to_int(ctx, pdf_dict_get(ctx, trailer, PDF_NAME_Size));
+-		if (!size)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "trailer missing Size entry");
++		if (size < 0 || size > PDF_MAX_OBJECT_NUMBER + 1)
++			fz_throw(ctx, FZ_ERROR_GENERIC, "trailer Size entry out of range");
+ 	}
+ 	fz_always(ctx)
+ 	{
+diff --git a/platform/x11/x11_main.c b/platform/x11/x11_main.c
+index fe2daa8..edbb9fa 100644
+--- a/platform/x11/x11_main.c
++++ b/platform/x11/x11_main.c
+@@ -317,13 +317,38 @@ void winreplacefile(char *source, char *target)
+ 
+ void wincopyfile(char *source, char *target)
+ {
+-	char *buf = malloc(strlen(source)+strlen(target)+5);
+-	if (buf)
++	FILE *in, *out;
++	char buf[32 << 10];
++	int n;
++
++	in = fopen(source, "rb");
++	if (!in)
++	{
++		winerror(&gapp, "cannot open source file for copying");
++		return;
++	}
++	out = fopen(target, "wb");
++	if (!out)
++	{
++		winerror(&gapp, "cannot open target file for copying");
++		fclose(in);
++		return;
++	}
++
++	for (;;)
+ 	{
+-		sprintf(buf, "cp %s %s", source, target);
+-		system(buf);
+-		free(buf);
++		n = fread(buf, 1, sizeof buf, in);
++		fwrite(buf, 1, n, out);
++		if (n < sizeof buf)
++		{
++			if (ferror(in))
++				winerror(&gapp, "cannot read data from source file");
++			break;
++		}
+ 	}
++
++	fclose(out);
++	fclose(in);
+ }
+ 
+ void cleanup(pdfapp_t *app)
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 392adf3..4997ebe 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -590,7 +590,7 @@ pdf_load_version(fz_context *ctx, pdf_document *doc)
+ 
+ 	fz_seek(ctx, doc->file, 0, SEEK_SET);
+ 	fz_read_line(ctx, doc->file, buf, sizeof buf);
+-	if (memcmp(buf, "%PDF-", 5) != 0)
++	if (strlen(buf) < 5 || memcmp(buf, "%PDF-", 5) != 0)
+ 		fz_throw(ctx, FZ_ERROR_GENERIC, "cannot recognize version marker");
+ 
+ 	doc->version = 10 * (fz_atof(buf+5) + 0.05f);
+-- 
+2.9.1

Added: mupdf-CVE-2017-17858.patch
===================================================================
--- mupdf-CVE-2017-17858.patch	                        (rev 0)
+++ mupdf-CVE-2017-17858.patch	2018-01-30 01:59:35 UTC (rev 287906)
@@ -0,0 +1,101 @@
+From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras at gmail.com>
+Date: Mon, 11 Dec 2017 14:09:15 +0100
+Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
+ limit.
+
+This ensures that:
+ * xref tables with objects pointers do not grow out of bounds.
+ * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
+---
+ include/mupdf/pdf/object.h |  3 +++
+ source/pdf/pdf-repair.c    |  5 +----
+ source/pdf/pdf-xref.c      | 21 ++++++++++++---------
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
+index 21ed859..4177112 100644
+--- a/include/mupdf/pdf/object.h
++++ b/include/mupdf/pdf/object.h
+@@ -3,6 +3,9 @@
+ 
+ typedef struct pdf_document_s pdf_document;
+ 
++/* Defined in PDF 1.7 according to Acrobat limit. */
++#define PDF_MAX_OBJECT_NUMBER 8388607
++
+ /*
+  * Dynamic objects.
+  * The same type of objects as found in PDF and PostScript.
+diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
+index ca149bd..0c29758 100644
+--- a/source/pdf/pdf-repair.c
++++ b/source/pdf/pdf-repair.c
+@@ -6,9 +6,6 @@
+ 
+ /* Scan file for objects and reconstruct xref table */
+ 
+-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+-#define MAX_OBJECT_NUMBER (10 << 20)
+-
+ struct entry
+ {
+ 	int num;
+@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+ 					break;
+ 				}
+ 
+-				if (num <= 0 || num > MAX_OBJECT_NUMBER)
++				if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
+ 				{
+ 					fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ 					goto have_next_token;
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 00586db..6284e70 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 			fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
+ 		}
+ 
+-		if (ofs < 0)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
+-		if (ofs > INT64_MAX - len)
+-			fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
+-
++		if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
++				|| len < 0 || len > PDF_MAX_OBJECT_NUMBER
++				|| ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
++		{
++			fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
++		}
+ 		/* broken pdfs where size in trailer undershoots entries in xref sections */
+ 		if (ofs + len > xref_len)
+ 		{
+@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
+-		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+-	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+-	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
++	if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range");
+ 
+ 	table = pdf_xref_find_subsection(ctx, doc, i0, i1);
+ 	for (i = i0; i < i0 + i1; i++)
+@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
+ 	/* TODO: reuse free object slots by properly linking free object chains in the ofs field */
+ 	pdf_xref_entry *entry;
+ 	int num = pdf_xref_len(ctx, doc);
++
++	if (num > PDF_MAX_OBJECT_NUMBER)
++		fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf");
++
+ 	entry = pdf_get_incremental_xref_entry(ctx, doc, num);
+ 	entry->type = 'f';
+ 	entry->ofs = -1;
+-- 
+2.9.1
+



More information about the arch-commits mailing list