From: Leo Famulari <leo@famulari.name>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.
Date: Sun, 15 Jan 2017 13:47:17 -0500 [thread overview]
Message-ID: <20170115184717.GA29718@jasmine> (raw)
In-Reply-To: <87shonai6b.fsf@netris.org>
[-- Attachment #1.1: Type: text/plain, Size: 409 bytes --]
On Thu, Jan 12, 2017 at 07:59:40PM -0500, Mark H Weaver wrote:
> Here's what we can do: in addition to mupdf itself, we can also add a
> graft for cups-filters (our only package that includes mupdf as an
> input). The replacement for cups-filters would change its mupdf input
> to refer directly to the fixed version of mupdf.
>
> What do you think?
I've attached two patches that should do this.
[-- Attachment #1.2: 0001-gnu-mupdf-Fix-CVE-2016-10132-10133-in-bundled-mujs.patch --]
[-- Type: text/plain, Size: 10498 bytes --]
From 4216ccff0b032bdad8c730ba9929b94f389fb19d Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Thu, 12 Jan 2017 19:06:55 +0100
Subject: [PATCH 1/2] gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs.
* gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch,
gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/pdf.scm (mupdf)[replacement]: New field.
(mupdf/fixed): New variable.
---
gnu/local.mk | 2 +
.../patches/mupdf-mujs-CVE-2016-10132.patch | 188 +++++++++++++++++++++
.../patches/mupdf-mujs-CVE-2016-10133.patch | 36 ++++
gnu/packages/pdf.scm | 15 +-
4 files changed, 240 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
create mode 100644 gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 81d774eb6..58554160d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -755,6 +755,8 @@ dist_patch_DATA = \
%D%/packages/patches/multiqc-fix-git-subprocess-error.patch \
%D%/packages/patches/mumps-build-parallelism.patch \
%D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
+ %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \
+ %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
%D%/packages/patches/musl-CVE-2016-8859.patch \
%D%/packages/patches/mutt-store-references.patch \
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
new file mode 100644
index 000000000..e752e57ec
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
@@ -0,0 +1,188 @@
+Fix CVE-2016-10132:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697381
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569
+
+From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor@ccxvii.net>
+Date: Fri, 2 Dec 2016 14:56:20 -0500
+Subject: [PATCH] Fix 697381: check allocation when compiling regular
+ expressions.
+
+Also use allocator callback function.
+---
+ thirdparty/mujs/jsgc.c | 2 +-
+ thirdparty/mujs/jsregexp.c | 2 +-
+ thirdparty/mujs/jsstate.c | 6 ------
+ thirdparty/mujs/regexp.c | 45 +++++++++++++++++++++++++++++++++++----------
+ thirdparty/mujs/regexp.h | 7 +++++++
+ 5 files changed, 44 insertions(+), 18 deletions(-)
+
+diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c
+index 4f7e7dc..f80111e 100644
+--- a/thirdparty/mujs/jsgc.c
++++ b/thirdparty/mujs/jsgc.c
+@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
+ jsG_freeproperty(J, obj->head);
+ if (obj->type == JS_CREGEXP) {
+ js_free(J, obj->u.r.source);
+- js_regfree(obj->u.r.prog);
++ js_regfreex(J->alloc, J->actx, obj->u.r.prog);
+ }
+ if (obj->type == JS_CITERATOR)
+ jsG_freeiterator(J, obj->u.iter.head);
+diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c
+index a2d5156..7b09c06 100644
+--- a/thirdparty/mujs/jsregexp.c
++++ b/thirdparty/mujs/jsregexp.c
+@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
+ if (flags & JS_REGEXP_I) opts |= REG_ICASE;
+ if (flags & JS_REGEXP_M) opts |= REG_NEWLINE;
+
+- prog = js_regcomp(pattern, opts, &error);
++ prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error);
+ if (!prog)
+ js_syntaxerror(J, "regular expression: %s", error);
+
+diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c
+index 638cab3..fd5bcf6 100644
+--- a/thirdparty/mujs/jsstate.c
++++ b/thirdparty/mujs/jsstate.c
+@@ -9,12 +9,6 @@
+
+ static void *js_defaultalloc(void *actx, void *ptr, int size)
+ {
+- if (size == 0) {
+- free(ptr);
+- return NULL;
+- }
+- if (!ptr)
+- return malloc((size_t)size);
+ return realloc(ptr, (size_t)size);
+ }
+
+diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c
+index 9852be2..01c18a3 100644
+--- a/thirdparty/mujs/regexp.c
++++ b/thirdparty/mujs/regexp.c
+@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog)
+ }
+ #endif
+
+-Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ const char *pattern, int cflags, const char **errorp)
+ {
+ struct cstate g;
+ Renode *node;
+ Reinst *split, *jump;
+ int i;
+
+- g.prog = malloc(sizeof (Reprog));
+- g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2);
++ g.pstart = NULL;
++ g.prog = NULL;
+
+ if (setjmp(g.kaboom)) {
+ if (errorp) *errorp = g.error;
+- free(g.pstart);
+- free(g.prog);
++ alloc(ctx, g.pstart, 0);
++ alloc(ctx, g.prog, 0);
+ return NULL;
+ }
+
++ g.prog = alloc(ctx, NULL, sizeof (Reprog));
++ if (!g.prog)
++ die(&g, "cannot allocate regular expression");
++ g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) * 2);
++ if (!g.pstart)
++ die(&g, "cannot allocate regular expression parse list");
++
+ g.source = pattern;
+ g.ncclass = 0;
+ g.nsub = 1;
+@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+ die(&g, "syntax error");
+
+ g.prog->nsub = g.nsub;
+- g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof (Reinst));
++ g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * sizeof (Reinst));
++ if (!g.prog->start)
++ die(&g, "cannot allocate regular expression instruction list");
+
+ split = emit(g.prog, I_SPLIT);
+ split->x = split + 3;
+@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+ dumpprog(g.prog);
+ #endif
+
+- free(g.pstart);
++ alloc(ctx, g.pstart, 0);
+
+ if (errorp) *errorp = NULL;
+ return g.prog;
+ }
+
+-void regfree(Reprog *prog)
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog *prog)
+ {
+ if (prog) {
+- free(prog->start);
+- free(prog);
++ alloc(ctx, prog->start, 0);
++ alloc(ctx, prog, 0);
+ }
+ }
+
++static void *default_alloc(void *ctx, void *p, int n)
++{
++ return realloc(p, (size_t)n);
++}
++
++Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++{
++ return regcompx(default_alloc, NULL, pattern, cflags, errorp);
++}
++
++void regfree(Reprog *prog)
++{
++ regfreex(default_alloc, NULL, prog);
++}
++
+ /* Match */
+
+ static int isnewline(int c)
+diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h
+index 4bb4615..6bb73e8 100644
+--- a/thirdparty/mujs/regexp.h
++++ b/thirdparty/mujs/regexp.h
+@@ -1,6 +1,8 @@
+ #ifndef regexp_h
+ #define regexp_h
+
++#define regcompx js_regcompx
++#define regfreex js_regfreex
+ #define regcomp js_regcomp
+ #define regexec js_regexec
+ #define regfree js_regfree
+@@ -8,6 +10,11 @@
+ typedef struct Reprog Reprog;
+ typedef struct Resub Resub;
+
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ const char *pattern, int cflags, const char **errorp);
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ Reprog *prog);
++
+ Reprog *regcomp(const char *pattern, int cflags, const char **errorp);
+ int regexec(Reprog *prog, const char *string, Resub *sub, int eflags);
+ void regfree(Reprog *prog);
+--
+2.9.1
+
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
new file mode 100644
index 000000000..d73849262
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
@@ -0,0 +1,36 @@
+Fix CVE-2016-10133:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697401
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133
+
+Patch lifted from upstream source repository:
+
+https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24
+
+From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@gmail.com>
+Date: Thu, 12 Jan 2017 14:47:01 +0100
+Subject: [PATCH] Fix 697401: Error when dropping extra arguments to
+ lightweight functions.
+
+---
+ thirdparty/mujs/jsrun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c
+index ee80845..782a6f9 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen
+ jsR_savescope(J, scope);
+
+ if (n > F->numparams) {
+- js_pop(J, F->numparams - n);
++ js_pop(J, n - F->numparams);
+ n = F->numparams;
+ }
+ for (i = n; i < F->varlen; ++i)
+--
+2.9.1
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 9b3571e67..5efc5e6d1 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -6,10 +6,11 @@
;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
;;; Coypright © 2016 ng0 <ng0@we.make.ritual.n0.is>
;;; Coypright © 2016 Efraim Flashner <efraim@flashner.co.il>
-;;; Coypright © 2016 Marius Bakke <mbakke@fastmail.com>
+;;; Coypright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
;;; Coypright © 2016 Ludovic Courtès <ludo@gnu.org>
;;; Coypright © 2016 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -538,6 +539,18 @@ line tools for batch rendering (pdfdraw), rewriting files (pdfclean),
and examining the file structure (pdfshow).")
(license license:agpl3+)))
+(define mupdf/fixed
+ (package
+ (inherit mupdf)
+ (source
+ (origin
+ (inherit (package-source mupdf))
+ (patches
+ (append
+ (origin-patches (package-source mupdf))
+ (search-patches "mupdf-mujs-CVE-2016-10132.patch"
+ "mupdf-mujs-CVE-2016-10133.patch")))))))
+
(define-public qpdf
(package
(name "qpdf")
--
2.11.0
[-- Attachment #1.3: 0002-gnu-cups-filters-Fix-CVE-2016-10132-10133-in-statica.patch --]
[-- Type: text/plain, Size: 2291 bytes --]
From a656359de1e7d0a76414888a59c8a0a8782e875f Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 15 Jan 2017 13:38:48 -0500
Subject: [PATCH 2/2] gnu: cups-filters: Fix CVE-2016-{10132,10133} in
statically linked mupdf.
The vulnerabilities are the MuJS that is bundled with MuPDF.
* gnu/packages/cups.scm (cups-filters)[replacement]: New field.
(cups-filters/fixed): New variable.
---
gnu/packages/cups.scm | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index ca1695835..95d57a4f3 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Danny Milosavljevic <dannym@scratchpost.org>
+;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -51,6 +52,7 @@
(define-public cups-filters
(package
(name "cups-filters")
+ (replacement cups-filters/fixed)
(version "1.13.1")
(source(origin
(method url-fetch)
@@ -133,6 +135,27 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
license:lgpl2.0+
license:expat))))
+(define cups-filters/fixed
+ (package
+ (inherit cups-filters)
+ (inputs
+ `(("avahi" ,avahi)
+ ("fontconfig" ,fontconfig)
+ ("freetype" ,freetype)
+ ("font-dejavu" ,font-dejavu) ; also needed by test suite
+ ("ghostscript" ,(force ghostscript/cups))
+ ("ijs" ,ijs)
+ ("dbus" ,dbus)
+ ("lcms" ,lcms)
+ ("libjpeg" ,libjpeg)
+ ("libpng" ,libpng)
+ ("libtiff" ,libtiff)
+ ("mupdf" ,(@@ (gnu packages pdf) mupdf/fixed))
+ ("glib" ,glib)
+ ("qpdf" ,qpdf)
+ ("poppler" ,poppler)
+ ("cups-minimal" ,cups-minimal)))))
+
;; CUPS on non-MacOS systems requires cups-filters. Since cups-filters also
;; depends on CUPS libraries and binaries, cups-minimal has been added to
;; satisfy this dependency.
--
2.11.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2017-01-15 18:47 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-12 18:06 [PATCH] gnu: mupdf: Fix some security problems in bundled mujs Marius Bakke
2017-01-12 18:30 ` Leo Famulari
2017-01-12 19:46 ` Marius Bakke
2017-01-12 20:03 ` Leo Famulari
2017-01-13 0:59 ` Mark H Weaver
2017-01-13 17:34 ` Leo Famulari
2017-01-15 8:20 ` Mark H Weaver
2017-01-15 18:47 ` Leo Famulari [this message]
2017-01-15 19:05 ` Marius Bakke
2017-01-15 20:49 ` Leo Famulari
2017-01-15 20:56 ` Marius Bakke
2017-01-15 23:05 ` Mark H Weaver
2017-01-16 1:27 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170115184717.GA29718@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).