From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kei Kebreau Subject: [PATCH] gnu: mupdf: Fix CVE-2016-8674. Date: Tue, 25 Oct 2016 12:53:28 -0400 Message-ID: <87twc0s73r.fsf@openmailbox.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:55408) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bz4yt-0004a7-O6 for guix-devel@gnu.org; Tue, 25 Oct 2016 12:53:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bz4yp-0007OY-Pf for guix-devel@gnu.org; Tue, 25 Oct 2016 12:53:43 -0400 Received: from smtp19.openmailbox.org ([62.4.1.53]:55712 helo=smtp4.openmailbox.org) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1bz4yp-0007OK-Ew for guix-devel@gnu.org; Tue, 25 Oct 2016 12:53:39 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain Fix for https://blogs.gentoo.org/ago/2016/09/22/mupdf-use-after-free-in-pdf_to_num-pdf-object-c/. --=-=-= Content-Type: text/plain Content-Disposition: attachment; filename=0001-gnu-mupdf-Fix-CVE-2016-8674.patch Content-Transfer-Encoding: quoted-printable From=2097312c3c9e13688081aa513d1c94a9fff1274f75 Mon Sep 17 00:00:00 2001 
From: Kei Kebreau
Date: Tue, 25 Oct 2016 12:49:52 -0400
Subject: [PATCH] gnu: mupdf: Fix CVE-2016-8674.
* gnu/packages/patches/mupdf-CVE-2016-8674.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pdf.scm (mupdf): Use it.
=2D--
gnu/local.mk | 1 +
gnu/packages/patches/mupdf-CVE-2016-8674.patch | 166 +++++++++++++++++++++= ++++
gnu/packages/pdf.scm | 3 +-
3 files changed, 169 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/mupdf-CVE-2016-8674.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0d400e9..53c2bda 100644
=2D-- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -711,6 +711,7 @@ dist_patch_DATA =3D \
 %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
 %D%/packages/patches/mupdf-CVE-2016-6265.patch \
 %D%/packages/patches/mupdf-CVE-2016-6525.patch \
+ %D%/packages/patches/mupdf-CVE-2016-8674.patch \
 %D%/packages/patches/mupen64plus-ui-console-notice.patch \
 %D%/packages/patches/musl-CVE-2016-8859.patch \
 %D%/packages/patches/mutt-store-references.patch \
diff --git a/gnu/packages/patches/mupdf-CVE-2016-8674.patch b/gnu/packages/= patches/mupdf-CVE-2016-8674.patch
new file mode 100644
index 0000000..62e4a02
=2D-- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
@@ -0,0 +1,166 @@
+Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-8674
+https://security-tracker.debian.org/tracker/CVE-2016-8674
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=3Dmupdf.git;h=3D1e03c06456d997435019fb3526fa= 2d4be7dbc6ec
+
+diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
+index aabf05f..0078c4a 100644
+--- a/include/mupdf/pdf/document.h
++++ b/include/mupdf/pdf/document.h
+@@ -269,6 +269,10 @@ struct pdf_document_s
+ fz_hash_table *images;
+ fz_hash_table *fonts;
+ } resources;
++
++ int orphans_max;
++ int orphans_count;
++ pdf_obj **orphans;
+ };
+=20
+ /*
+diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
+index 5bc3dca..bf57455 100644
+--- a/include/mupdf/pdf/object.h
++++ b/include/mupdf/pdf/object.h
+@@ -110,6 +110,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict,= const char *key);
+ pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, = const char *abbrev);
+ void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *= val);
+ void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_= obj *val);
++void pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, = pdf_obj *val, pdf_obj **old_val);
+ void pdf_dict_puts(fz_context *ctx, pdf_obj *dict, const char *key, pdf_o= bj *val);
+ void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, = pdf_obj *val);
+ void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_= obj *val);
+diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
+index b4e33f3..1c19ba4 100644
+--- a/source/pdf/pdf-object.c
++++ b/source/pdf/pdf-object.c
+@@ -1265,11 +1265,14 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_o= bj *key, pdf_obj *abbrev)
+ return pdf_dict_get(ctx, obj, abbrev);
+ }
+=20
+-void
+-pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj 
*val)
++static void
++pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *va= l, pdf_obj **old_val)
+ {
+ int i;
+=20
++ if (old_val)
++ *old_val =3D NULL;
++
+ RESOLVE(obj);
+ if (!OBJ_IS_DICT(obj))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "not a dict (%s)", pdf_objkindstr(obj));
+@@ -1295,7 +1298,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj= *key, pdf_obj *val)
+ {
+ pdf_obj *d =3D DICT(obj)->items[i].v;
+ DICT(obj)->items[i].v =3D pdf_keep_obj(ctx, val);
+- pdf_drop_obj(ctx, d);
++ if (old_val)
++ *old_val =3D d;
++ else
++ pdf_drop_obj(ctx, d);
+ }
+ }
+ else
+@@ -1316,10 +1322,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_ob= j *key, pdf_obj *val)
+ }
+=20
+ void
++pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
++{
++ pdf_dict_get_put(ctx, obj, key, val, NULL);
++}
++
++void
+ pdf_dict_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *v= al)
+ {
+ fz_try(ctx)
+- pdf_dict_put(ctx, obj, key, val);
++ pdf_dict_get_put(ctx, obj, key, val, NULL);
++ fz_always(ctx)
++ pdf_drop_obj(ctx, val);
++ fz_catch(ctx)
++ fz_rethrow(ctx);
++}
++
++void
++pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_ob= j *val, pdf_obj **old_val)
++{
++ fz_try(ctx)
++ pdf_dict_get_put(ctx, obj, key, val, old_val);
+ fz_always(ctx)
+ pdf_drop_obj(ctx, val);
+ fz_catch(ctx)
+diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
+index 690bf15..167f609 100644
+--- a/source/pdf/pdf-repair.c
++++ b/source/pdf/pdf-repair.c
+@@ -260,6 +260,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc= , int stm_num)
+ }
+ }
+=20
++static void
++orphan_object(fz_context *ctx, pdf_document *doc, pdf_obj *obj)
++{
++ if (doc->orphans_count =3D=3D doc->orphans_max)
++ {
++ int new_max =3D (doc->orphans_max ? 
doc->orphans_max*2 : 32);
++
++ fz_try(ctx)
++ {
++ doc->orphans =3D fz_resize_array(ctx, doc->orphans, new_max, sizeof(*d= oc->orphans));
++ doc->orphans_max =3D new_max;
++ }
++ fz_catch(ctx)
++ {
++ pdf_drop_obj(ctx, obj);
++ fz_rethrow(ctx);
++ }
++ }
++ doc->orphans[doc->orphans_count++] =3D obj;
++}
++
+ void
+ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+ {
+@@ -528,12 +549,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+ /* correct stream length for unencrypted documents */
+ if (!encrypt && list[i].stm_len >=3D 0)
+ {
++ pdf_obj *old_obj =3D NULL;
+ dict =3D pdf_load_object(ctx, doc, list[i].num);
+=20
+ length =3D pdf_new_int(ctx, doc, list[i].stm_len);
+- pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
+- pdf_drop_obj(ctx, length);
+-
++ pdf_dict_get_put_drop(ctx, dict, PDF_NAME_Length, length, &old_obj);
++ if (old_obj)
++ orphan_object(ctx, doc, old_obj);
+ pdf_drop_obj(ctx, dict);
+ }
+ }
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 7d21775..0cf20d4 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1620,6 +1620,12 @@ pdf_drop_document_imp(fz_context *ctx, pdf_document= *doc)
+=20
+ pdf_drop_resource_tables(ctx, doc);
+=20
++ for (i =3D 0; i < doc->orphans_count; i++)
++ {
++ pdf_drop_obj(ctx, doc->orphans[i]);
++ }
++ fz_free(ctx, doc->orphans);
++
+ fz_free(ctx, doc);
+ }
+ fz_always(ctx)
+--=20
+2.9.1
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 461472a..42547df 100644
=2D-- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
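Review bot: `orphan_object` in the pdf-repair.c hunk (`@@ -260,6 +260,27 @@`) reads `doc->orphans_count`, `doc->orphans_max` and `doc->orphans`, yet nothing in this patch initialises the three fields added to `struct pdf_document_s`, so the backport is only sound if the packaged mupdf allocates its `pdf_document` with a zeroing allocator — worth confirming in the version being patched before merging, since otherwise the first call compares garbage and stores through an uninitialised pointer. The `pdf_drop_document_imp` hunk similarly relies on an `i` declared outside the hunk, which the upstream context presumably provides. Nothing in the new code says why a replaced dictionary value is now retained rather than released, so `orphan_object` deserves a header comment such as `/* Keep a replaced object alive until the document is dropped instead of freeing it at put time; the patch header ties that early free to CVE-2016-8674 (use-after-free in pdf_to_num()). */`. A side effect worth noting in the same comment is that the list only grows, so every repaired stream's previous /Length object stays allocated for the document's lifetime — an accepted cost of the upstream fix, not something to change in the backport.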
@@ -489,7 +489,8 @@ extracting content or merging files.")
 "1k64pdapyj8a336jw3j61fhn0rp4q6az7d0dqp9r5n3d9rgwa5c0"))
 (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
 "mupdf-CVE-2016-6265.patch"
=2D "mupdf-CVE-2016-6525.patch"))
+ "mupdf-CVE-2016-6525.patch"
+ "mupdf-CVE-2016-8674.patch"))
 (modules '((guix build utils)))
 (snippet
 ;; Delete all the bundled libraries except for mujs, which is
=2D-=20
2.10.1
--=-=-=--
--==-=-=
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJYD44IAAoJEOal7jwZRnoNJLgQALcdYoNS5HpEPq7PfP/yXeto +3k9d4R6R3onyeVZuHjXmY71Tw2PpT2tyfPJXeW+Yx246zl0EfNzrm3J156lQoTm Mg8nXvppAxHaw0rhXLeLMt7qVTvwW+cDzENqDGwqhjY6tUUxOqgMVrZlFjPVhpgo 5GU353o4rl8N79RfFXDWtMIj6vLMydWwIAO/AjZVofboI6y7b5kLh5gO8ufQL6R/ FqTSUMCXJ9hMcC6YJw/gl3FzMoxdd2zr1OkZEk83xlS0HimT3vH4FNqi9TiZOvQR LmqTrVUu/fwrbkaEPFxl4kEqSaGN1wMkuWd0g5E2aL/dCE4KR3a5/uDBjRxOYfS7 FODQCMAHSksapKouNPd1jo3+MhexzmbkWw0Urr2YD9sAqEdLSjN6D7cnyMO0TTPY /b2ptsO/EEz53j0TsUfvySvLsS5TmCmiQqj+z/7jbt1WsTBZAPtmPmYKwZ2csL/f YiJGODuVLb3zukf3H738VXHLCJGFo9tvXWLvQWQzxSRtkZ5Qou5lgKqoL1Ia7MFh mwkU8mBtFyaNbzDSOSmdVIBIMOapcmmRa2DoQ0vU/iSe9i6oPUR2VXlJkUzlkYSz 6oT5MZn+UrZfnEcEjaTBGmIUsmyO0lQGDJRNj4vCeaoagAQSUHqDSaYtpWUPrQOV 4ouL1TM1A8CPi7F9usnq =CoW0
-----END PGP SIGNATURE-----
--==-=-=--