* Re: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
@ 2017-03-02 13:15 Alex Vong
2017-03-02 18:11 ` bug#25935: " Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Alex Vong @ 2017-03-02 13:15 UTC (permalink / raw)
To: guix-patches, guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 122 bytes --]
I've just found out we have guix-patches now! We should continue the
discussion in the bug report instead of guix-devel.
[-- Attachment #1.2: Type: message/rfc822, Size: 10730 bytes --]
[-- Attachment #1.2.1.1.1: Type: text/plain, Size: 180 bytes --]
Hello,
This patch (applied to core-updates) fixes the two CVEs disclosed recently.
I am currently testing the patch. I think the patch works but it is
still building right now.
[-- Attachment #1.2.1.1.2: 0001-gnu-mupdf-Fix-CVE-2017-5896-5991.patch --]
[-- Type: text/x-diff, Size: 8626 bytes --]
From a5bb1e9601d8bb3e48fdb521e6d1821dd5d9c833 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 2 Mar 2017 19:59:05 +0800
Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
* gnu/packages/patches/mupdf-CVE-2017-5896.patch,
gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/pdf.scm (mupdf)[source]: Use it.
---
gnu/local.mk | 2 +
gnu/packages/patches/mupdf-CVE-2017-5896.patch | 63 +++++++++++++++
gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 +++++++++++++++++++++++++
gnu/packages/pdf.scm | 5 +-
4 files changed, 170 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5896.patch
create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5991.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 3d9ad7065..d0ec9ea50 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -767,6 +767,8 @@ dist_patch_DATA = \
%D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
%D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \
%D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \
+ %D%/packages/patches/mupdf-CVE-2017-5896.patch \
+ %D%/packages/patches/mupdf-CVE-2017-5991.patch \
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
%D%/packages/patches/musl-CVE-2016-8859.patch \
%D%/packages/patches/mutt-store-references.patch \
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
new file mode 100644
index 000000000..1537ecc89
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-5896:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697515
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
+http://www.openwall.com/lists/oss-security/2017/02/10/1
+https://security-tracker.debian.org/tracker/CVE-2017-5896
+https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
+
+From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index a8317127..f1291dc2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ "ldr r4, [r13,#4*22] @ r4 = divXY \n"
+ "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n"
++ "ldr r8, [r13,#4*17] @ r8 = back4 \n"
+ "18: @ \n"
+ "mov r14,#0 @ r14= v = 0 \n"
+ "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ "mul r14,r4, r14 @ r14= v *= divX \n"
+ "mov r14,r14,LSR #16 @ r14= v >>= 16 \n"
+ "strb r14,[r9], #1 @ *d++ = r14 \n"
+- "sub r0, r0, r8 @ s -= back2 \n"
++ "sub r0, r0, r8 @ s -= back4 \n"
+ "subs r5, r5, #1 @ n-- \n"
+ "bgt 18b @ } \n"
+ "21: @ \n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ x += f;
+ if (x > 0)
+ {
++ int back4 = x * n - 1;
+ div = x * y;
+ for (nn = n; nn > 0; nn--)
+ {
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ s -= back5;
+ }
+ *d++ = v / div;
+- s -= back2;
++ s -= back4;
+ }
+ }
+ }
+--
+2.12.0
+
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
new file mode 100644
index 000000000..1fa6dc346
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
@@ -0,0 +1,101 @@
+Fix CVE-2017-5991:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697500
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
+https://security-tracker.debian.org/tracker/CVE-2017-5991
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465
+
+From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.watts@artifex.com>
+Date: Thu, 9 Feb 2017 15:49:15 +0000
+Subject: [PATCH] Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index a3ea895d..f1eac8d3 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ pdf_run_processor *pr = (pdf_run_processor *)proc;
+ pdf_gstate *gstate = NULL;
+ int oldtop = 0;
++ int oldbot = -1;
+ fz_matrix local_transform = *transform;
+ softmask_save softmask = { NULL };
+ int gparent_save;
+@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ fz_var(cleanup_state);
+ fz_var(gstate);
+ fz_var(oldtop);
++ fz_var(oldbot);
+
+ gparent_save = pr->gparent;
+ pr->gparent = pr->gtop;
++ oldtop = pr->gtop;
+
+ fz_try(ctx)
+ {
+ pdf_gsave(ctx, pr);
+
+ gstate = pr->gstate + pr->gtop;
+- oldtop = pr->gtop;
+
+ pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
+ pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
+@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+
+ doc = pdf_get_bound_document(ctx, xobj->obj);
+
++ oldbot = pr->gbot;
++ pr->gbot = pr->gtop;
++
+ pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
+ }
+ fz_always(ctx)
+ {
++ /* Undo any gstate mismatches due to the pdf_process_contents call */
++ if (oldbot != -1)
++ {
++ while (pr->gtop > pr->gbot)
++ {
++ pdf_grestore(ctx, pr);
++ }
++ pr->gbot = oldbot;
++ }
++
+ if (cleanup_state >= 3)
+- pdf_grestore(ctx, pr); /* Remove the clippath */
++ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
+
+ /* wrap up transparency stacks */
+ if (transparency)
+@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ pr->gstate[pr->gparent].ctm = gparent_save_ctm;
+ pr->gparent = gparent_save;
+
+- if (gstate)
+- {
+- while (oldtop < pr->gtop)
+- pdf_grestore(ctx, pr);
+-
++ while (oldtop < pr->gtop)
+ pdf_grestore(ctx, pr);
+- }
+
+ pdf_unmark_obj(ctx, xobj->obj);
+ }
+--
+2.12.0
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index d449b72ee..205b8af2d 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -11,6 +11,7 @@
;;; Coypright © 2016 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -492,7 +493,9 @@ extracting content or merging files.")
"0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a"))
(patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
"mupdf-mujs-CVE-2016-10132.patch"
- "mupdf-mujs-CVE-2016-10133.patch"))
+ "mupdf-mujs-CVE-2016-10133.patch"
+ "mupdf-CVE-2017-5896.patch"
+ "mupdf-CVE-2017-5991.patch"))
(modules '((guix build utils)))
(snippet
;; Delete all the bundled libraries except for mujs, which is
--
2.12.0
[-- Attachment #1.2.1.1.3: Type: text/plain, Size: 14 bytes --]
Cheers,
Alex
[-- Attachment #1.2.1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
2017-03-02 13:15 [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991} Alex Vong
@ 2017-03-02 18:11 ` Leo Famulari
2017-03-03 6:04 ` Alex Vong
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2017-03-02 18:11 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel, 25935
[-- Attachment #1: Type: text/plain, Size: 258 bytes --]
On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
Can you send a patch for the master branch instead? The patches should
be applied to mupdf/fixed in (gnu packages pdf).
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
2017-03-02 18:11 ` bug#25935: " Leo Famulari
@ 2017-03-03 6:04 ` Alex Vong
2017-03-03 9:55 ` Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Alex Vong @ 2017-03-03 6:04 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel, 25935
[-- Attachment #1.1: Type: text/plain, Size: 328 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
>> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
>
> Can you send a patch for the master branch instead? The patches should
> be applied to mupdf/fixed in (gnu packages pdf).
Sure, here it is:
[-- Attachment #1.2: 0001-gnu-mupdf-Fix-CVE-2017-5896-5991.patch --]
[-- Type: text/x-diff, Size: 8462 bytes --]
From 24ceef58b2ebb70d45c01e7e1bc43cc2056f8705 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 2 Mar 2017 19:59:05 +0800
Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
* gnu/packages/patches/mupdf-CVE-2017-5896.patch,
gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
* gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 2 +
gnu/packages/patches/mupdf-CVE-2017-5896.patch | 63 +++++++++++++++
gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 +++++++++++++++++++++++++
gnu/packages/pdf.scm | 5 +-
4 files changed, 170 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5896.patch
create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5991.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 406e0dc96..584ab75a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,6 +764,8 @@ dist_patch_DATA = \
%D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
%D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \
%D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \
+ %D%/packages/patches/mupdf-CVE-2017-5896.patch \
+ %D%/packages/patches/mupdf-CVE-2017-5991.patch \
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
%D%/packages/patches/musl-CVE-2016-8859.patch \
%D%/packages/patches/mutt-store-references.patch \
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
new file mode 100644
index 000000000..1537ecc89
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-5896:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697515
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
+http://www.openwall.com/lists/oss-security/2017/02/10/1
+https://security-tracker.debian.org/tracker/CVE-2017-5896
+https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
+
+From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index a8317127..f1291dc2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ "ldr r4, [r13,#4*22] @ r4 = divXY \n"
+ "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n"
++ "ldr r8, [r13,#4*17] @ r8 = back4 \n"
+ "18: @ \n"
+ "mov r14,#0 @ r14= v = 0 \n"
+ "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ "mul r14,r4, r14 @ r14= v *= divX \n"
+ "mov r14,r14,LSR #16 @ r14= v >>= 16 \n"
+ "strb r14,[r9], #1 @ *d++ = r14 \n"
+- "sub r0, r0, r8 @ s -= back2 \n"
++ "sub r0, r0, r8 @ s -= back4 \n"
+ "subs r5, r5, #1 @ n-- \n"
+ "bgt 18b @ } \n"
+ "21: @ \n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ x += f;
+ if (x > 0)
+ {
++ int back4 = x * n - 1;
+ div = x * y;
+ for (nn = n; nn > 0; nn--)
+ {
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ s -= back5;
+ }
+ *d++ = v / div;
+- s -= back2;
++ s -= back4;
+ }
+ }
+ }
+--
+2.12.0
+
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
new file mode 100644
index 000000000..1fa6dc346
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
@@ -0,0 +1,101 @@
+Fix CVE-2017-5991:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697500
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
+https://security-tracker.debian.org/tracker/CVE-2017-5991
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465
+
+From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.watts@artifex.com>
+Date: Thu, 9 Feb 2017 15:49:15 +0000
+Subject: [PATCH] Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index a3ea895d..f1eac8d3 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ pdf_run_processor *pr = (pdf_run_processor *)proc;
+ pdf_gstate *gstate = NULL;
+ int oldtop = 0;
++ int oldbot = -1;
+ fz_matrix local_transform = *transform;
+ softmask_save softmask = { NULL };
+ int gparent_save;
+@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ fz_var(cleanup_state);
+ fz_var(gstate);
+ fz_var(oldtop);
++ fz_var(oldbot);
+
+ gparent_save = pr->gparent;
+ pr->gparent = pr->gtop;
++ oldtop = pr->gtop;
+
+ fz_try(ctx)
+ {
+ pdf_gsave(ctx, pr);
+
+ gstate = pr->gstate + pr->gtop;
+- oldtop = pr->gtop;
+
+ pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
+ pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
+@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+
+ doc = pdf_get_bound_document(ctx, xobj->obj);
+
++ oldbot = pr->gbot;
++ pr->gbot = pr->gtop;
++
+ pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
+ }
+ fz_always(ctx)
+ {
++ /* Undo any gstate mismatches due to the pdf_process_contents call */
++ if (oldbot != -1)
++ {
++ while (pr->gtop > pr->gbot)
++ {
++ pdf_grestore(ctx, pr);
++ }
++ pr->gbot = oldbot;
++ }
++
+ if (cleanup_state >= 3)
+- pdf_grestore(ctx, pr); /* Remove the clippath */
++ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
+
+ /* wrap up transparency stacks */
+ if (transparency)
+@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ pr->gstate[pr->gparent].ctm = gparent_save_ctm;
+ pr->gparent = gparent_save;
+
+- if (gstate)
+- {
+- while (oldtop < pr->gtop)
+- pdf_grestore(ctx, pr);
+-
++ while (oldtop < pr->gtop)
+ pdf_grestore(ctx, pr);
+- }
+
+ pdf_unmark_obj(ctx, xobj->obj);
+ }
+--
+2.12.0
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index a229d689d..13dbd0ecd 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -11,6 +11,7 @@
;;; Coypright © 2016 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -550,7 +551,9 @@ and examining the file structure (pdfshow).")
(append
(origin-patches (package-source mupdf))
(search-patches "mupdf-mujs-CVE-2016-10132.patch"
- "mupdf-mujs-CVE-2016-10133.patch")))))))
+ "mupdf-mujs-CVE-2016-10133.patch"
+ "mupdf-CVE-2017-5896.patch"
+ "mupdf-CVE-2017-5991.patch")))))))
(define-public qpdf
(package
--
2.12.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
2017-03-03 6:04 ` Alex Vong
@ 2017-03-03 9:55 ` Leo Famulari
0 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2017-03-03 9:55 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel, 25935
[-- Attachment #1: Type: text/plain, Size: 883 bytes --]
On Fri, Mar 03, 2017 at 02:04:11PM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
> >> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
> >
> > Can you send a patch for the master branch instead? The patches should
> > be applied to mupdf/fixed in (gnu packages pdf).
>
> Sure, here it is:
>
> From 24ceef58b2ebb70d45c01e7e1bc43cc2056f8705 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Thu, 2 Mar 2017 19:59:05 +0800
> Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
>
> * gnu/packages/patches/mupdf-CVE-2017-5896.patch,
> gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
> * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches.
> * gnu/local.mk (dist_patch_DATA): Add them.
Thanks, pushed!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-03-03 9:55 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-02 13:15 [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991} Alex Vong
2017-03-02 18:11 ` bug#25935: " Leo Famulari
2017-03-03 6:04 ` Alex Vong
2017-03-03 9:55 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).