From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Vong <alexvong1995@gmail.com>
Subject: Re: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Thu, 02 Mar 2017 21:15:29 +0800
Message-ID: <87wpc7bz0u.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="====-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47164)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <alexvong1995@gmail.com>) id 1cjQaC-0002ke-Q4
	for guix-devel@gnu.org; Thu, 02 Mar 2017 08:15:50 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <alexvong1995@gmail.com>) id 1cjQa8-0000cy-Pf
	for guix-devel@gnu.org; Thu, 02 Mar 2017 08:15:48 -0500
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-patches@gnu.org, guix-devel@gnu.org

--====-=-=
Content-Type: multipart/mixed; boundary="===-=-="

--===-=-=
Content-Type: text/plain

I've just found out we have guix-patches now! We should continue the
discussion in the bug report instead of guix-devel.


--===-=-=
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Bcc: alexvong1995@gmail.com
Return-Path: <alexvong1995@gmail.com>
Received: from debian (n218103180172.netvigator.com. [218.103.180.172])
        by smtp.gmail.com with ESMTPSA id r67sm17067995pfb.125.2017.03.02.04.55.33
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Thu, 02 Mar 2017 04:55:34 -0800 (PST)
From: Alex Vong <alexvong1995@gmail.com>
To: guix-devel@gnu.org
Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Thu, 02 Mar 2017 20:55:25 +0800
Message-ID: <87d1dzdeiq.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Hello,

This patch (applied to core-updates) fixes the two CVEs disclosed recently.

I am currently testing the patch. I think the patch works but it is
still building right now.


--=-=-=
Content-Type: text/x-diff; charset=utf-8
Content-Disposition: inline;
 filename=0001-gnu-mupdf-Fix-CVE-2017-5896-5991.patch
Content-Transfer-Encoding: quoted-printable

From=20a5bb1e9601d8bb3e48fdb521e6d1821dd5d9c833 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 2 Mar 2017 19:59:05 +0800
Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.

* gnu/packages/patches/mupdf-CVE-2017-5896.patch,
gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/pdf.scm (mupdf)[source]: Use it.
=2D--
 gnu/local.mk                                   |   2 +
 gnu/packages/patches/mupdf-CVE-2017-5896.patch |  63 +++++++++++++++
 gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 +++++++++++++++++++++=
++++
 gnu/packages/pdf.scm                           |   5 +-
 4 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5896.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5991.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3d9ad7065..d0ec9ea50 100644
=2D-- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -767,6 +767,8 @@ dist_patch_DATA =3D						\
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch	\
   %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch		\
   %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch		\
+  %D%/packages/patches/mupdf-CVE-2017-5896.patch		\
+  %D%/packages/patches/mupdf-CVE-2017-5991.patch		\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
   %D%/packages/patches/musl-CVE-2016-8859.patch			\
   %D%/packages/patches/mutt-store-references.patch		\
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/=
patches/mupdf-CVE-2017-5896.patch
new file mode 100644
index 000000000..1537ecc89
=2D-- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-5896:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=3D697515
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5896
+http://www.openwall.com/lists/oss-security/2017/02/10/1
+https://security-tracker.debian.org/tracker/CVE-2017-5896
+https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsamp=
le_pixmap-pixmap-c/
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=3Dmupdf.git;h=3D2c4e5867ee699b1081527bc6c6ea=
0e99a35a5c27
+
+From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index a8317127..f1291dc2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, i=
nt h, int f, int factor,
+ 	"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,ba=
ck5,divXY\n"
+ 	"ldr	r4, [r13,#4*22]		@ r4 =3D divXY			\n"
+ 	"ldr	r5, [r13,#4*11]		@ for (nn =3D n; nn > 0; n--) {	\n"
++	"ldr	r8, [r13,#4*17]		@ r8 =3D back4			\n"
+ 	"18:				@				\n"
+ 	"mov	r14,#0			@ r14=3D v =3D 0			\n"
+ 	"sub	r5, r5, r1, LSL #8	@ for (xx =3D x; xx > 0; x--) {	\n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, i=
nt h, int f, int factor,
+ 	"mul	r14,r4, r14		@ r14=3D v *=3D divX		\n"
+ 	"mov	r14,r14,LSR #16		@ r14=3D v >>=3D 16			\n"
+ 	"strb	r14,[r9], #1		@ *d++ =3D r14			\n"
+-	"sub	r0, r0, r8		@ s -=3D back2			\n"
++	"sub	r0, r0, r8		@ s -=3D back4			\n"
+ 	"subs	r5, r5, #1		@ n--				\n"
+ 	"bgt	18b			@ }				\n"
+ 	"21:				@				\n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile=
, int factor)
+ 		x +=3D f;
+ 		if (x > 0)
+ 		{
++			int back4 =3D x * n - 1;
+ 			div =3D x * y;
+ 			for (nn =3D n; nn > 0; nn--)
+ 			{
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile=
, int factor)
+ 					s -=3D back5;
+ 				}
+ 				*d++ =3D v / div;
+-				s -=3D back2;
++				s -=3D back4;
+ 			}
+ 		}
+ 	}
+--=20
+2.12.0
+
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/=
patches/mupdf-CVE-2017-5991.patch
new file mode 100644
index 000000000..1fa6dc346
=2D-- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
@@ -0,0 +1,101 @@
+Fix CVE-2017-5991:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=3D697500
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5991
+https://security-tracker.debian.org/tracker/CVE-2017-5991
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=3Dmupdf.git;h=3D1912de5f08e90af1d9d0a9791f58=
ba3afdb9d465
+
+From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.watts@artifex.com>
+Date: Thu, 9 Feb 2017 15:49:15 +0000
+Subject: [PATCH] Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index a3ea895d..f1eac8d3 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *=
proc, pdf_xobject *xobj, pdf
+ 	pdf_run_processor *pr =3D (pdf_run_processor *)proc;
+ 	pdf_gstate *gstate =3D NULL;
+ 	int oldtop =3D 0;
++	int oldbot =3D -1;
+ 	fz_matrix local_transform =3D *transform;
+ 	softmask_save softmask =3D { NULL };
+ 	int gparent_save;
+@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor=
 *proc, pdf_xobject *xobj, pdf
+ 	fz_var(cleanup_state);
+ 	fz_var(gstate);
+ 	fz_var(oldtop);
++	fz_var(oldbot);
+=20
+ 	gparent_save =3D pr->gparent;
+ 	pr->gparent =3D pr->gtop;
++	oldtop =3D pr->gtop;
+=20
+ 	fz_try(ctx)
+ 	{
+ 		pdf_gsave(ctx, pr);
+=20
+ 		gstate =3D pr->gstate + pr->gtop;
+-		oldtop =3D pr->gtop;
+=20
+ 		pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
+ 		pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
+@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor=
 *proc, pdf_xobject *xobj, pdf
+=20
+ 		doc =3D pdf_get_bound_document(ctx, xobj->obj);
+=20
++		oldbot =3D pr->gbot;
++		pr->gbot =3D pr->gtop;
++
+ 		pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj=
, NULL);
+ 	}
+ 	fz_always(ctx)
+ 	{
++		/* Undo any gstate mismatches due to the pdf_process_contents call */
++		if (oldbot !=3D -1)
++		{
++			while (pr->gtop > pr->gbot)
++			{
++				pdf_grestore(ctx, pr);
++			}
++			pr->gbot =3D oldbot;
++		}
++
+ 		if (cleanup_state >=3D 3)
+-			pdf_grestore(ctx, pr); /* Remove the clippath */
++			pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath =
*/
+=20
+ 		/* wrap up transparency stacks */
+ 		if (transparency)
+@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor =
*proc, pdf_xobject *xobj, pdf
+ 		pr->gstate[pr->gparent].ctm =3D gparent_save_ctm;
+ 		pr->gparent =3D gparent_save;
+=20
+-		if (gstate)
+-		{
+-			while (oldtop < pr->gtop)
+-				pdf_grestore(ctx, pr);
+-
++		while (oldtop < pr->gtop)
+ 			pdf_grestore(ctx, pr);
+-		}
+=20
+ 		pdf_unmark_obj(ctx, xobj->obj);
+ 	}
+--=20
+2.12.0
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index d449b72ee..205b8af2d 100644
=2D-- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -11,6 +11,7 @@
 ;;; Coypright =C2=A9 2016 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright =C2=A9 2016 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright =C2=A9 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright =C2=A9 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -492,7 +493,9 @@ extracting content or merging files.")
           "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a"))
         (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
                                  "mupdf-mujs-CVE-2016-10132.patch"
=2D                                 "mupdf-mujs-CVE-2016-10133.patch"))
+                                 "mupdf-mujs-CVE-2016-10133.patch"
+                                 "mupdf-CVE-2017-5896.patch"
+                                 "mupdf-CVE-2017-5991.patch"))
         (modules '((guix build utils)))
         (snippet
             ;; Delete all the bundled libraries except for mujs, which is
=2D-=20
2.12.0


--=-=-=
Content-Type: text/plain


Cheers,
Alex

--=-=-=--

--==-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAli4Fj0ACgkQxYq4eRf1
Ea41bBAAnVkCNn16x2ufCYbHB64ogc3pplEEL7hLY74IWRfCEYCj+AjhmqcJbDRS
U7os4Owj+0crlk1qHUgFWojQpCxET73m3/pjm51srKgpZFlvrnGoSm6JSSgjrwTQ
U56xazfnszN1CveesA5MVqSgaHeIV6A8w57snNSKbAzNXLEDhYqskNKZ2DbN8kCi
b/LcvCMaBrAW1GE1exsst1DWnW7WExaWmNBJIbgwWbp0qvPTj073LcK43MoE5Fuh
wsa9XDrSSYjfvYzQXuaItYQZbXcqa+oPloM4e1Lw5gBLXB/F7wfWIGRGsEQcPl+F
gfL5Jfu6/bZJVhrfBVeCd1RVCbhhOZYySQC/ZvMp89ax+JI+9eSzRRlOLRtP3ZuT
WWa2gXi2w88GxucXLPh+OZcRMyAabV1YGciDUCb4fWBjRcO/C3Rw6z+QIH+veW6q
obObrA6/Kmctjgm/8xvtw381YnI3Hy0pqDoLX/Wcn29G8IYF1u87ASqA6f5PmroX
EUQsDcfqlmhfOaAQog1XfartwnQZaKDdCxLVo1VMVDW5pNcCBk/+4TY5/h5SgLPE
OqPTKimhJj3nARsHcawqO5juooYE2aoRkRqzAmX2TZfok8V7HCvxAPAM6hz1owoh
f3VWZh4p6lKMwWuI+DX6F3SoJTIr6u4gFB4+9C/zwoTN7pBLP6g=
=QY9G
-----END PGP SIGNATURE-----
--==-=-=--

--===-=-=--

--====-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAli4GvEACgkQxYq4eRf1
Ea4I4Q//d0oG3jWyp0u0fXnViIGCQupajQa0p81w+RQIwuyEDXAY2m5gJudOcaoq
Ly5jApCz1DaJ+6merw/wUZ9zY+5DB4/TelDYbH/o38UXq81MwavkSsDbGuZrxFCV
4AytbYrx2bpVtsrYRRbzbzfl8XroI0FX4NK8mVq5+5c+GMwETJDw4QYpRPEL4+cR
jw40XwlHQZFvGs2kAUzKHYdb0niBCj/4mEp7Ap+IrDBIr1b6GUyf9DOyzH5vXoKN
u0sK5pHPhY05fiYg7NCQ56koyJDlQwJt2g4JryKC7RaxitLgxRgHB8cMfGTirkYi
YxDS6aNyYh9bRq+MbXW3eeO3gIEtaPjTYuemRLgDuwRWkWVdLSQyPjMXnIo4dXcP
rjW2h+pgYjHfmdc+UGA2c5nKwnXWEYStAo88QVg1BIIZVyg9PZLoshVWydeBua3s
/QWAoysN3Q1Eso2WQqxSrh6h13gd5T7/4J1HimhJdsDENxVA9UqJBZ6M/v5tLiKQ
z22f/o96V6jloPGUbRwP/BjhNbeHXv38mw6TOzPHlFOsMLVl1rvZUCYqfV+4KNBZ
T0K9x5s70iiY4JvhtzjzMCbWabRJbn0B6BKJ139XDitAZTDi8tg16uFwjuo3eIwg
mDbEJ7YEgUkbpfrc6DkuF9LWBEPXNxQ/tM0Cp0NZnU4nMXXz0hs=
=vudq
-----END PGP SIGNATURE-----
--====-=-=--