01/01: gnu: mupdf: Fix CVE-2016-{6265,6525}.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: mupdf: Fix CVE-2016-{6265,6525}.

From:	Leo Famulari
Subject:	01/01: gnu: mupdf: Fix CVE-2016-{6265,6525}.
Date:	Sat, 27 Aug 2016 21:35:30 +0000 (UTC)

lfam pushed a commit to branch master
in repository guix.

commit 6bd9a3432c796b0affaa7a1d5516963847b37689
Author: Leo Famulari <address@hidden>
Date:   Sat Aug 27 17:31:52 2016 -0400

    gnu: mupdf: Fix CVE-2016-{6265,6525}.
    
    * gnu/packages/patches/mupdf-CVE-2016-6265.patch,
    gnu/packages/patches/mupdf-CVE-2016-6525.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/pdf.scm (mupdf): Use them.
---
 gnu/local.mk                                   |    2 ++
 gnu/packages/patches/mupdf-CVE-2016-6265.patch |   30 ++++++++++++++++++++++++
 gnu/packages/patches/mupdf-CVE-2016-6525.patch |   21 +++++++++++++++++
 gnu/packages/pdf.scm                           |    2 ++
 4 files changed, 55 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index b8c5378..98c8848 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -668,6 +668,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/mplayer2-theora-fix.patch               \
   %D%/packages/patches/module-init-tools-moduledir.patch       \
   %D%/packages/patches/mumps-build-parallelism.patch           \
+  %D%/packages/patches/mupdf-CVE-2016-6265.patch               \
+  %D%/packages/patches/mupdf-CVE-2016-6525.patch               \
   %D%/packages/patches/mupen64plus-ui-console-notice.patch     \
   %D%/packages/patches/mutt-store-references.patch             \
   %D%/packages/patches/mysql-fix-failing-test.patch            \
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6265.patch 
b/gnu/packages/patches/mupdf-CVE-2016-6265.patch
new file mode 100644
index 0000000..58f5c37
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-6265.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6265 (use after free in pdf_load_xref()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
+https://security-tracker.debian.org/tracker/CVE-2016-6265
+
+Patch copied from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 576c315..3222599 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, 
pdf_lexbuf *buf)
+                               fz_throw(ctx, FZ_ERROR_GENERIC, "object offset 
out of range: %d (%d 0 R)", (int)entry->ofs, i);
+               }
+               if (entry->type == 'o')
+-                      if (entry->ofs <= 0 || entry->ofs >= xref_len || 
pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
+-                              fz_throw(ctx, FZ_ERROR_GENERIC, "invalid 
reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
++              {
++                      /* Read this into a local variable here, because 
pdf_get_xref_entry
++                       * may solidify the xref, hence invalidating "entry", 
meaning we
++                       * need a stashed value for the throw. */
++                      fz_off_t ofs = entry->ofs;
++                      if (ofs <= 0 || ofs >= xref_len || 
pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
++                              fz_throw(ctx, FZ_ERROR_GENERIC, "invalid 
reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
++              }
+       }
+ }
+ 
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch 
b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
new file mode 100644
index 0000000..370af5a
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
@@ -0,0 +1,21 @@
+Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
+https://security-tracker.debian.org/tracker/CVE-2016-6525
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
+
+diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
+index 7815b3c..6e25efa 100644
+--- a/source/pdf/pdf-shade.c
++++ b/source/pdf/pdf-shade.c
+@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, 
fz_shade *shade, pdf_ob
+       obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
+       if (pdf_array_len(ctx, obj) >= 6)
+       {
+-              n = (pdf_array_len(ctx, obj) - 4) / 2;
++              n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
+               shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
+               shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
+               shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index f9523c6..74e8907 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -474,6 +474,8 @@ extracting content or merging files.")
                             name "-" version "-source.tar.gz"))
         (sha256
           (base32 "01n26cy41lc2fjri63s4js23ixxb4nd37aafry3hz4i4id6wd8x2"))
+        (patches (search-patches "mupdf-CVE-2016-6265.patch"
+                                 "mupdf-CVE-2016-6525.patch"))
         (modules '((guix build utils)))
         (snippet
             ;; Don't build the bundled-in third party libraries.

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (b47f751 -> 6bd9a34), Leo Famulari, 2016/08/27
- 01/01: gnu: mupdf: Fix CVE-2016-{6265,6525}., Leo Famulari <=

Prev by Date: branch master updated (b47f751 -> 6bd9a34)
Next by Date: branch core-updates updated (4ea1ad9 -> eba7fab)
Previous by thread: branch master updated (b47f751 -> 6bd9a34)
Next by thread: branch core-updates updated (4ea1ad9 -> eba7fab)
Index(es):
- Date
- Thread