From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.
Date: Fri, 13 Jan 2017 12:34:28 -0500
Message-ID: <20170113173428.GA27117@jasmine>
References: <20170112180655.1588-1-mbakke@fastmail.com>
	<20170112183017.GB23706@jasmine>
	<87wpe05adv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<20170112200346.GA11411@jasmine> <87shonai6b.fsf@netris.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="IJpNTDwzlM2Ie8A6"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59798)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cS5kM-0000vs-BA
	for guix-devel@gnu.org; Fri, 13 Jan 2017 12:34:39 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cS5kJ-0005iP-71
	for guix-devel@gnu.org; Fri, 13 Jan 2017 12:34:38 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:59028)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1cS5kJ-0005i3-1y
	for guix-devel@gnu.org; Fri, 13 Jan 2017 12:34:35 -0500
Content-Disposition: inline
In-Reply-To: <87shonai6b.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org


--IJpNTDwzlM2Ie8A6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jan 12, 2017 at 07:59:40PM -0500, Mark H Weaver wrote:
> Leo Famulari <leo@famulari.name> writes:
> > If we can't graft it, we should build it on a branch on Hydra.
>=20
> Here's what we can do: in addition to mupdf itself, we can also add a
> graft for cups-filters (our only package that includes mupdf as an
> input).  The replacement for cups-filters would change its mupdf input
> to refer directly to the fixed version of mupdf.
>=20
> What do you think?

That's a good idea, and I started implementing it, but then I wondered
how cups-filters was actually using mupdf. The cups-filters package is
only 3.7 MB, while libmupdf.a is 44 MB.

It turns out that the built cups-filters doesn't refer to mupdf at all;
mupdf is not protected from the garbage collector if you install
cups-filters.

I found two source files that use mupdf, 'filter/mupdftoraster.c' and
'filter/pdftops.c'.

=46rom the cups-filters ./configure summary [0]:

------
mutool:          yes
mutool-path:     system
ippfind-path:    system
imagefilters:    yes
jpeg:            yes
pdftocairo-path: system
pdftops:         hybrid
------

The pdftops hybrid mode uses Poppler and Ghostscript, so we're not
affected here:

------
  if (renderer =3D=3D HYBRID)
  {
    if (make_model[0] &&
        (!strncasecmp(make_model, "Brother", 7) ||
         !strncasecmp(make_model, "Dell", 4) ||
         strcasestr(make_model, "Minolta") ||
         (!strncasecmp(make_model, "Apple", 5) &&
          (ptr =3D strcasestr(make_model, "LaserWriter")) &&
          (ptr =3D strcasestr(ptr + 11, "12")) &&
          (ptr =3D strcasestr(ptr + 2, "640")))))
    {   =20
      fprintf(stderr, "DEBUG: Switching to Poppler's pdftops instead of Gho=
stscript for Brother, Minolta, Konica Minolta, Dell, and Apple LaserWriter =
12/640 to work around bugs in the printer's PS interpreters\n");
      renderer =3D PDFTOPS;
    }   =20
    else=20
      renderer =3D GS;
[...]
------
source:
<http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/annota=
te/head:/filter/pdftops.c#L467>

'filter/mupdfraster.c' involves the use of the mutool program. Does
the configuration option 'mutool-path: system' mean that it looks for
mutool on PATH?

config.log [1] has:
#define CUPS_MUTOOL "mutool"

And I can't find a store reference for mupdf with `hexdump -C
lib/cups/filter/mupdftoraster`; that's only file that `grep -ri mutool`
matches.=20

Should we make cups-filters refer to mutool by an absolute path?

[0]
https://mirror.hydra.gnu.org/log/xlb7k5l3l4gq12z4fmg5i59y5hdzn472-cups-filt=
ers-1.13.1

[1]
config.log also has this line:

#define CUPS_POPPLER_PDFTOPS "/usr/bin/pdftops"'

This does get into the built 'lib/cups/filter/pdftops'.

--IJpNTDwzlM2Ie8A6
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlh5D6EACgkQJkb6MLrK
fwhoYhAA2BLXBjzjFA1/ca/F57T1OuG5HHhSDRV5BAwqZS0UKLxpAFk17sGU25hk
HJ7PQo5Qm3jXY3ENiu/ZYNtJDKt1ADiX0OKm/vX4SNTUNWYdT0uv5oIG5K9DPYpM
GegQSz+LR6yRKJmijRppUTtkHxXFlaByaxojGT0NLuj/cqOZHlUGGlTjVs3oC6Xs
vSoCZR5iKjv6h0MO5AtGHXGy3VEkSOwr9LkHIv71rUV1BLdIVX/5nUdi7Jbxgsw3
6Mf5ygSxY6ja6vcEGPXPFrdSPAQWhJp71g6z8BGsiH7WleIZptr1aeyr+wjeUpX/
OX/tiz6656TfBmMMzfg2DAtK+oGJyyCneKKtxENjGvQXN5Qf4rt6UtHlQBlJ4t28
ekH4PqLQs2cvw6Pb++ol+apFC5I6YEP6g0AYmus7CvUPpVT/6bHqV8AxyGbkZKas
No45CpmohFANCdIfwQ8HVXG6PN+oI1wSAXPwQPJcBQflPF0vY9OjDQLopOA4zF8K
L3GSJlj7BAv8DZ1rrt5Jv6ZGGSg8n/hHczw5ETOmnos2RRSNxxajo4YXn6xtghx1
hx4CCEgOffZ70TnPzNeqJw02YEAM8epVPN0X/xuAS0O00a8H7vQOkQV2QKEQ4tTD
s4I6eW4rmLaXUHUiZeG6Fs1/QcnsJUM8BEyWqg5CLW6Av8jbyEs=
=rp9N
-----END PGP SIGNATURE-----

--IJpNTDwzlM2Ie8A6--