01/01: gnu: mupdf: Fix CVE-2017-17858.

guix-commits
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: mupdf: Fix CVE-2017-17858.

From:	Leo Famulari
Subject:	01/01: gnu: mupdf: Fix CVE-2017-17858.
Date:	Wed, 7 Feb 2018 21:20:30 -0500 (EST)
lfam pushed a commit to branch master
in repository guix.

commit 0b18c0b0de9aabb12b4c1503303e4dde410f6470
Author: Leo Famulari <address@hidden>
Date:   Wed Feb 7 03:01:11 2018 -0500

    gnu: mupdf: Fix CVE-2017-17858.
    
    * gnu/packages/patches/mupdf-CVE-2017-17858.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/pdf.scm (mupdf)[source]: Use it.
---
 gnu/local.mk                                    |   1 +
 gnu/packages/patches/mupdf-CVE-2017-17858.patch | 111 ++++++++++++++++++++++++
 gnu/packages/pdf.scm                            |   3 +-
 3 files changed, 114 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index ca400da..4213508 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -921,6 +921,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/mozjs38-version-detection.patch         \
   %D%/packages/patches/mumps-build-parallelism.patch           \
   %D%/packages/patches/mupdf-build-with-latest-openjpeg.patch  \
+  %D%/packages/patches/mupdf-CVE-2017-17858.patch              \
   %D%/packages/patches/mupen64plus-ui-console-notice.patch     \
   %D%/packages/patches/mutt-store-references.patch             \
   %D%/packages/patches/ncurses-CVE-2017-10684-10685.patch      \
diff --git a/gnu/packages/patches/mupdf-CVE-2017-17858.patch 
b/gnu/packages/patches/mupdf-CVE-2017-17858.patch
new file mode 100644
index 0000000..66df127
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-17858.patch
@@ -0,0 +1,111 @@
+Fix CVE-2017-17858:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17858
+https://bugs.ghostscript.com/show_bug.cgi?id=698819
+https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731
+
+From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <address@hidden>
+Date: Mon, 11 Dec 2017 14:09:15 +0100
+Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below
+ limit.
+
+This ensures that:
+ * xref tables with objects pointers do not grow out of bounds.
+ * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf.
+---
+ include/mupdf/pdf/object.h |  3 +++
+ source/pdf/pdf-repair.c    |  5 +----
+ source/pdf/pdf-xref.c      | 21 ++++++++++++---------
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
+index 21ed8595..4177112b 100644
+--- a/include/mupdf/pdf/object.h
++++ b/include/mupdf/pdf/object.h
+@@ -3,6 +3,9 @@
+ 
+ typedef struct pdf_document_s pdf_document;
+ 
++/* Defined in PDF 1.7 according to Acrobat limit. */
++#define PDF_MAX_OBJECT_NUMBER 8388607
++
+ /*
+  * Dynamic objects.
+  * The same type of objects as found in PDF and PostScript.
+diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
+index ca149bd3..0c29758e 100644
+--- a/source/pdf/pdf-repair.c
++++ b/source/pdf/pdf-repair.c
+@@ -6,9 +6,6 @@
+ 
+ /* Scan file for objects and reconstruct xref table */
+ 
+-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+-#define MAX_OBJECT_NUMBER (10 << 20)
+-
+ struct entry
+ {
+       int num;
+@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+                                       break;
+                               }
+ 
+-                              if (num <= 0 || num > MAX_OBJECT_NUMBER)
++                              if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER)
+                               {
+                                       fz_warn(ctx, "ignoring object with 
invalid object number (%d %d R)", num, gen);
+                                       goto have_next_token;
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 00586dbd..6284e70b 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, 
pdf_lexbuf *buf)
+                       fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR);
+               }
+ 
+-              if (ofs < 0)
+-                      fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object 
num in xref: %d", (int)ofs);
+-              if (ofs > INT64_MAX - len)
+-                      fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object 
numbers too big");
+-
++              if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER
++                              || len < 0 || len > PDF_MAX_OBJECT_NUMBER
++                              || ofs + len - 1 > PDF_MAX_OBJECT_NUMBER)
++              {
++                      fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object 
numbers are out of range");
++              }
+               /* broken pdfs where size in trailer undershoots entries in 
xref sections */
+               if (ofs + len > xref_len)
+               {
+@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document 
*doc, fz_stream *stm, in
+       pdf_xref_entry *table;
+       int i, n;
+ 
+-      if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
+-              fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry 
index");
+-      //if (i0 + i1 > pdf_xref_len(ctx, doc))
+-      //      fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many 
entries");
++      if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > 
PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER)
++              fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers 
are out of range");
+ 
+       table = pdf_xref_find_subsection(ctx, doc, i0, i1);
+       for (i = i0; i < i0 + i1; i++)
+@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc)
+       /* TODO: reuse free object slots by properly linking free object chains 
in the ofs field */
+       pdf_xref_entry *entry;
+       int num = pdf_xref_len(ctx, doc);
++
++      if (num > PDF_MAX_OBJECT_NUMBER)
++              fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in 
pdf");
++
+       entry = pdf_get_incremental_xref_entry(ctx, doc, num);
+       entry->type = 'f';
+       entry->ofs = -1;
+-- 
+2.16.1
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 96773da..9730e61 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -584,7 +584,8 @@ extracting content or merging files.")
         (method url-fetch)
         (uri (string-append "https://mupdf.com/downloads/archive/";
                             name "-" version "-source.tar.xz"))
-        (patches (search-patches "mupdf-build-with-latest-openjpeg.patch"))
+        (patches (search-patches "mupdf-build-with-latest-openjpeg.patch"
+                                 "mupdf-CVE-2017-17858.patch"))
         (sha256
          (base32
           "0b9j0gqbc3jhmx87r6idcsh8lnb30840c3hyx6dk2gdjqqh3hysp"))
[Prev in Thread]
Current Thread
[Next in Thread]
branch master updated (b617a9f -> 0b18c0b), Leo Famulari, 2018/02/07
- 01/01: gnu: mupdf: Fix CVE-2017-17858., Leo Famulari <=
Prev by Date: branch master updated (b617a9f -> 0b18c0b)
Next by Date: 05/05: gnu: nim: Update to 0.17.2.
Previous by thread: branch master updated (b617a9f -> 0b18c0b)
Next by thread: branch master updated (0b18c0b -> c283778)
Index(es):
- Date
- Thread