From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Leo Famulari
Subject: Re: v2: OpenJPEG security fixes (CVE-2016-{5157,7163})
Date: Fri, 9 Sep 2016 16:26:39 -0400
Message-ID: <20160909202639.GA2000@jasmine>
References: <20160909180458.GA2732@jasmine>
In-Reply-To: <20160909180458.GA2732@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

On Fri, Sep 09, 2016 at 02:04:58PM -0400, Leo Famulari wrote:
> Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like
> to investigate this issue separately. The only user of openjpeg-2.0 is
> mupdf.

I think the best thing to do is update mupdf to the latest upstream
release, 1.9a, make it use openjpeg@2.1, and remove openjpeg-2.0.

Please see attached.

These patches should be applied on top of the patches in the email that I am replying to. --3MwIy2ne0vdjdPXF Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-gnu-mupdf-Update-to-1.9a.patch" Content-Transfer-Encoding: quoted-printable =46rom a357edf0f568acf937f2cd9f0e97269221aee3f2 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Fri, 9 Sep 2016 16:08:02 -0400 Subject: [PATCH 1/2] gnu: mupdf: Update to 1.9a. * gnu/packages/pdf.scm (mupdf): Update to 1.9a. [source]: Use "mupdf-build-with-openjpeg-2.1.patch". Adjust snippet to preserve bundled 'thirdparty/mujs'. [inputs]: Add harfbuzz. Replace openjpeg-2.0 with openjpeg. * gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/mupdf-build-with-openjpeg-2.1.patch | 38 ++++++++++++++++++= ++++ gnu/packages/pdf.scm | 26 +++++++++++---- 3 files changed, 59 insertions(+), 6 deletions(-) create mode 100644 gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch diff --git a/gnu/local.mk b/gnu/local.mk index eab58f6..515ca35 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -681,6 +681,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/mplayer2-theora-fix.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/mumps-build-parallelism.patch \ + %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \ %D%/packages/patches/mupdf-CVE-2016-6265.patch \ %D%/packages/patches/mupdf-CVE-2016-6525.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ diff --git a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch b/gnu= /packages/patches/mupdf-build-with-openjpeg-2.1.patch new file mode 100644 index 0000000..cd8136b --- /dev/null +++ b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch 
@@ -0,0 +1,38 @@ +Make it possible to build MuPDF with OpenJPEG 2.1, which is the latest +release series and contains many important bug fixes. + +Patch adapted from Debian: + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D745246 + +And related to this upstream commit: + +http://git.ghostscript.com/?p=3Dmupdf.git;a=3Dcommit;h=3Df88bfe2e62dbadb96= d4f52d7aa025f0a516078da + +diff --git a/source/fitz/load-jpx.c b/source/fitz/load-jpx.c +index 6b92e5c..72dea50 100644 +--- a/source/fitz/load-jpx.c ++++ b/source/fitz/load-jpx.c +@@ -1,13 +1,5 @@ + #include "mupdf/fitz.h" +=20 +-/* Without the definition of OPJ_STATIC, compilation fails on windows +- * due to the use of __stdcall. We believe it is required on some +- * linux toolchains too. */ +-#define OPJ_STATIC +-#ifndef _MSC_VER +-#define OPJ_HAVE_STDINT_H +-#endif +- + #include +=20 + static void fz_opj_error_callback(const char *msg, void *client_data) +@@ -117,7 +109,7 @@ fz_load_jpx(fz_context *ctx, unsigned char *data, int = size, fz_colorspace *defcs + opj_stream_set_read_function(stream, fz_opj_stream_read); + opj_stream_set_skip_function(stream, fz_opj_stream_skip); + opj_stream_set_seek_function(stream, fz_opj_stream_seek); +- opj_stream_set_user_data(stream, &sb); ++ opj_stream_set_user_data(stream, &sb, NULL); + /* Set the length to avoid an assert */ + opj_stream_set_user_data_length(stream, size); +=20 diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 74e8907..98cc92e 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -53,6 +53,7 @@ #:use-module (gnu packages perl) #:use-module (gnu packages python) #:use-module (gnu packages tls) + #:use-module (gnu packages javascript) #:use-module (srfi srfi-1)) =20 (define-public poppler 
@@ -466,29 +467,42 @@ extracting content or merging files.") (define-public mupdf (package (name "mupdf") - (version "1.8") + (version "1.9a") (source (origin (method url-fetch) (uri (string-append "http://mupdf.com/downloads/archive/" name "-" version "-source.tar.gz")) (sha256 - (base32 "01n26cy41lc2fjri63s4js23ixxb4nd37aafry3hz4i4id6wd8x2")) - (patches (search-patches "mupdf-CVE-2016-6265.patch" + (base32 + "1k64pdapyj8a336jw3j61fhn0rp4q6az7d0dqp9r5n3d9rgwa5c0")) + (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch" + "mupdf-CVE-2016-6265.patch" "mupdf-CVE-2016-6525.patch")) (modules '((guix build utils))) (snippet - ;; Don't build the bundled-in third party libraries. - '(delete-file-recursively "thirdparty")))) + ;; Delete all the bundled libraries except for mujs, which is + ;; developed by the same team as mupdf and has no releases. + ;; TODO Package mujs and don't use the bundled copy. + '(for-each delete-file-recursively + '("thirdparty/curl" + "thirdparty/freetype" + "thirdparty/glfw" + "thirdparty/harfbuzz" + "thirdparty/jbig2dec" + "thirdparty/jpeg" + "thirdparty/openjpeg" + "thirdparty/zlib"))))) (build-system gnu-build-system) (inputs `(("curl" ,curl) ("freetype" ,freetype) + ("harfbuzz" ,harfbuzz) ("jbig2dec" ,jbig2dec) ("libjpeg" ,libjpeg) ("libx11" ,libx11) ("libxext" ,libxext) - ("openjpeg" ,openjpeg-2.0) + ("openjpeg" ,openjpeg) ("openssl" ,openssl) ("zlib" ,zlib))) (native-inputs --=20 2.10.0 --3MwIy2ne0vdjdPXF Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0002-gnu-Remove-openjpeg-2.0.patch" Content-Transfer-Encoding: quoted-printable =46rom 8c201fd0392bee804bf11f7c07f4817e3766becd Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Fri, 9 Sep 2016 16:24:12 -0400 Subject: [PATCH 2/2] gnu: Remove openjpeg-2.0. * gnu/packages/image.scm (openjpeg-2.0): Remove variable. --- gnu/packages/image.scm | 16 ---------------- 1 file changed, 16 deletions(-) 
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index fe21d23..8d3c01f 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -416,22 +416,6 @@ error-resilience, a Java-viewer for j2k-images, ...") (home-page "https://github.com/uclouvain/openjpeg") (license license:bsd-2))) =20 -(define-public openjpeg-2.0 - (package (inherit openjpeg) - (name "openjpeg") - (version "2.0.1") - (source - (origin - (method url-fetch) - (uri - (string-append "mirror://sourceforge/openjpeg.mirror/" version "/" - name "-" version ".tar.gz")) - (sha256 - (base32 "1c2xc3nl2mg511b63rk7hrckmy14681p1m44mzw3n1fyqnjm0b0z")) - (patches (search-patches "openjpeg-use-after-free-fix.patch" - "openjpeg-CVE-2015-6581.patch" - "openjpeg-CVE-2016-7163.patch")))))) - (define-public openjpeg-1 (package (inherit openjpeg) (name "openjpeg") --=20 2.10.0
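
Review bot: In the new file mupdf-build-with-openjpeg-2.1.patch, the header states the goal but does not explain the two changes it makes to source/fitz/load-jpx.c: removing the `#define OPJ_STATIC` / `#define OPJ_HAVE_STDINT_H` block and adding `NULL` as a third argument to `opj_stream_set_user_data`. The removed comment says OPJ_STATIC was believed to be required on some Linux toolchains, so the header should say why dropping it is safe for this build, and what was changed relative to the Debian patch it was adapted from.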
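
Review bot: The `#:use-module (gnu packages javascript)` line added in the first gnu/packages/pdf.scm hunk (@@ -53,6 +53,7 @@) has no visible user. The mupdf inputs in the following hunk only add harfbuzz and swap openjpeg-2.0 for openjpeg, and mujs stays bundled according to the TODO. Drop the import until mujs is actually packaged, and confirm that the module providing harfbuzz is already imported in this file.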
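
Review bot: The new source snippet in the mupdf hunk of gnu/packages/pdf.scm (@@ -466,29 +467,42 @@) replaces `(delete-file-recursively "thirdparty")` with a fixed list of eight directories, so any bundled library that a later upstream release adds under thirdparty/ would be kept in the source and could be built in unnoticed. Consider inverting the logic so that everything under thirdparty/ except mujs is deleted, which keeps the unbundling fail-safe across version updates. The commit message could also note that the retained mujs copy is built from the mupdf tarball rather than from a separate input.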
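
Review bot: Removing `openjpeg-2.0` in gnu/packages/image.scm drops the only visible reference to "openjpeg-use-after-free-fix.patch", "openjpeg-CVE-2015-6581.patch" and "openjpeg-CVE-2016-7163.patch", yet the diffstat for patch 2/2 shows image.scm as the only file changed. If no other package still lists these patches, delete the files and their dist_patch_DATA entries in gnu/local.mk in the same commit. If the remaining openjpeg package still uses them, say so in the commit message.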