From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs. Date: Sun, 15 Jan 2017 13:47:17 -0500 Message-ID: <20170115184717.GA29718@jasmine> References: <20170112180655.1588-1-mbakke@fastmail.com> <20170112183017.GB23706@jasmine> <87wpe05adv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170112200346.GA11411@jasmine> <87shonai6b.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="8GpibOaaTibBMecb" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:42193) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cSppr-0001Au-KA for guix-devel@gnu.org; Sun, 15 Jan 2017 13:47:25 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cSppo-0000w3-90 for guix-devel@gnu.org; Sun, 15 Jan 2017 13:47:23 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:52744) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cSppn-0000us-UG for guix-devel@gnu.org; Sun, 15 Jan 2017 13:47:20 -0500 Content-Disposition: inline In-Reply-To: <87shonai6b.fsf@netris.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Mark H Weaver Cc: guix-devel@gnu.org --8GpibOaaTibBMecb Content-Type: multipart/mixed; boundary="nFreZHaLTZJo0R7j" Content-Disposition: inline --nFreZHaLTZJo0R7j Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 12, 2017 at 07:59:40PM -0500, Mark H Weaver wrote: > Here's what we can do: in addition to mupdf itself, we can also add a > graft for cups-filters (our only package that includes mupdf as an > input). The replacement for cups-filters would change its mupdf input > to refer directly to the fixed version of mupdf. >=20 > What do you think? I've attached two patches that should do this. --nFreZHaLTZJo0R7j Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; filename="0001-gnu-mupdf-Fix-CVE-2016-10132-10133-in-bundled-mujs.patch" Content-Transfer-Encoding: quoted-printable =46rom 4216ccff0b032bdad8c730ba9929b94f389fb19d Mon Sep 17 00:00:00 2001 =46rom: Marius Bakke Date: Thu, 12 Jan 2017 19:06:55 +0100 Subject: [PATCH 1/2] gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs. * gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch, gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/pdf.scm (mupdf)[replacement]: New field. (mupdf/fixed): New variable. --- gnu/local.mk | 2 + .../patches/mupdf-mujs-CVE-2016-10132.patch | 188 +++++++++++++++++= ++++ .../patches/mupdf-mujs-CVE-2016-10133.patch | 36 ++++ gnu/packages/pdf.scm | 15 +- 4 files changed, 240 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch create mode 100644 gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch diff --git a/gnu/local.mk b/gnu/local.mk index 81d774eb6..58554160d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -755,6 +755,8 @@ dist_patch_DATA =3D \ %D%/packages/patches/multiqc-fix-git-subprocess-error.patch \ %D%/packages/patches/mumps-build-parallelism.patch \ %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \ + %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \ + %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/musl-CVE-2016-8859.patch \ %D%/packages/patches/mutt-store-references.patch \ diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch b/gnu/pac= kages/patches/mupdf-mujs-CVE-2016-10132.patch new file mode 100644 index 000000000..e752e57ec --- /dev/null +++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch @@ -0,0 +1,188 @@ +Fix CVE-2016-10132: + +https://bugs.ghostscript.com/show_bug.cgi?id=3D697381 +http://seclists.org/oss-sec/2017/q1/74 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-10132 + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=3Dmujs.git;h=3Dfd003eceda531e13fbdd1aeb6e9c7= 3156496e569 + +From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Fri, 2 Dec 2016 14:56:20 -0500 +Subject: [PATCH] Fix 697381: check allocation when compiling regular + expressions. + +Also use allocator callback function. +--- + thirdparty/mujs/jsgc.c | 2 +- + thirdparty/mujs/jsregexp.c | 2 +- + thirdparty/mujs/jsstate.c | 6 ------ + thirdparty/mujs/regexp.c | 45 +++++++++++++++++++++++++++++++++++------= ---- + thirdparty/mujs/regexp.h | 7 +++++++ + 5 files changed, 44 insertions(+), 18 deletions(-) + +diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c +index 4f7e7dc..f80111e 100644 +--- a/thirdparty/mujs/jsgc.c ++++ b/thirdparty/mujs/jsgc.c +@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj) + jsG_freeproperty(J, obj->head); + if (obj->type =3D=3D JS_CREGEXP) { + js_free(J, obj->u.r.source); +- js_regfree(obj->u.r.prog); ++ js_regfreex(J->alloc, J->actx, obj->u.r.prog); + } + if (obj->type =3D=3D JS_CITERATOR) + jsG_freeiterator(J, obj->u.iter.head); +diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c +index a2d5156..7b09c06 100644 +--- a/thirdparty/mujs/jsregexp.c ++++ b/thirdparty/mujs/jsregexp.c +@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int = flags) + if (flags & JS_REGEXP_I) opts |=3D REG_ICASE; + if (flags & JS_REGEXP_M) opts |=3D REG_NEWLINE; +=20 +- prog =3D js_regcomp(pattern, opts, &error); ++ prog =3D js_regcompx(J->alloc, J->actx, pattern, opts, &error); + if (!prog) + js_syntaxerror(J, "regular expression: %s", error); +=20 +diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c +index 638cab3..fd5bcf6 100644 +--- a/thirdparty/mujs/jsstate.c ++++ b/thirdparty/mujs/jsstate.c +@@ -9,12 +9,6 @@ +=20 + static void *js_defaultalloc(void *actx, void *ptr, int size) + { +- if (size =3D=3D 0) { +- free(ptr); +- return NULL; +- } +- if (!ptr) +- return malloc((size_t)size); + return realloc(ptr, (size_t)size); + } +=20 +diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c +index 9852be2..01c18a3 100644 +--- a/thirdparty/mujs/regexp.c ++++ b/thirdparty/mujs/regexp.c +@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog) + } + #endif +=20 +-Reprog *regcomp(const char *pattern, int cflags, const char **errorp) ++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ const char *pattern, int cflags, const char **errorp) + { + struct cstate g; + Renode *node; + Reinst *split, *jump; + int i; +=20 +- g.prog =3D malloc(sizeof (Reprog)); +- g.pstart =3D g.pend =3D malloc(sizeof (Renode) * strlen(pattern) * 2); ++ g.pstart =3D NULL; ++ g.prog =3D NULL; +=20 + if (setjmp(g.kaboom)) { + if (errorp) *errorp =3D g.error; +- free(g.pstart); +- free(g.prog); ++ alloc(ctx, g.pstart, 0); ++ alloc(ctx, g.prog, 0); + return NULL; + } +=20 ++ g.prog =3D alloc(ctx, NULL, sizeof (Reprog)); ++ if (!g.prog) ++ die(&g, "cannot allocate regular expression"); ++ g.pstart =3D g.pend =3D alloc(ctx, NULL, sizeof (Renode) * strlen(patter= n) * 2); ++ if (!g.pstart) ++ die(&g, "cannot allocate regular expression parse list"); ++ + g.source =3D pattern; + g.ncclass =3D 0; + g.nsub =3D 1; +@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const= char **errorp) + die(&g, "syntax error"); +=20 + g.prog->nsub =3D g.nsub; +- g.prog->start =3D g.prog->end =3D malloc((count(node) + 6) * sizeof (Rei= nst)); ++ g.prog->start =3D g.prog->end =3D alloc(ctx, NULL, (count(node) + 6) * s= izeof (Reinst)); ++ if (!g.prog->start) ++ die(&g, "cannot allocate regular expression instruction list"); +=20 + split =3D emit(g.prog, I_SPLIT); + split->x =3D split + 3; +@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, con= st char **errorp) + dumpprog(g.prog); + #endif +=20 +- free(g.pstart); ++ alloc(ctx, g.pstart, 0); +=20 + if (errorp) *errorp =3D NULL; + return g.prog; + } +=20 +-void regfree(Reprog *prog) ++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Repro= g *prog) + { + if (prog) { +- free(prog->start); +- free(prog); ++ alloc(ctx, prog->start, 0); ++ alloc(ctx, prog, 0); + } + } +=20 ++static void *default_alloc(void *ctx, void *p, int n) ++{ ++ return realloc(p, (size_t)n); ++} ++ ++Reprog *regcomp(const char *pattern, int cflags, const char **errorp) ++{ ++ return regcompx(default_alloc, NULL, pattern, cflags, errorp); ++} ++ ++void regfree(Reprog *prog) ++{ ++ regfreex(default_alloc, NULL, prog); ++} ++ + /* Match */ +=20 + static int isnewline(int c) +diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h +index 4bb4615..6bb73e8 100644 +--- a/thirdparty/mujs/regexp.h ++++ b/thirdparty/mujs/regexp.h +@@ -1,6 +1,8 @@ + #ifndef regexp_h + #define regexp_h +=20 ++#define regcompx js_regcompx ++#define regfreex js_regfreex + #define regcomp js_regcomp + #define regexec js_regexec + #define regfree js_regfree +@@ -8,6 +10,11 @@ + typedef struct Reprog Reprog; + typedef struct Resub Resub; +=20 ++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ const char *pattern, int cflags, const char **errorp); ++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ Reprog *prog); ++ + Reprog *regcomp(const char *pattern, int cflags, const char **errorp); + int regexec(Reprog *prog, const char *string, Resub *sub, int eflags); + void regfree(Reprog *prog); +--=20 +2.9.1 + diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/pac= kages/patches/mupdf-mujs-CVE-2016-10133.patch new file mode 100644 index 000000000..d73849262 --- /dev/null +++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch @@ -0,0 +1,36 @@ +Fix CVE-2016-10133: + +https://bugs.ghostscript.com/show_bug.cgi?id=3D697401 +http://seclists.org/oss-sec/2017/q1/74 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-10133 + +Patch lifted from upstream source repository: + +https://git.ghostscript.com/?p=3Dmujs.git;h=3D77ab465f1c394bb77f00966cd950= 650f3f53cb24 + +From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Thu, 12 Jan 2017 14:47:01 +0100 +Subject: [PATCH] Fix 697401: Error when dropping extra arguments to + lightweight functions. + +--- + thirdparty/mujs/jsrun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c +index ee80845..782a6f9 100644 +--- a/thirdparty/mujs/jsrun.c ++++ b/thirdparty/mujs/jsrun.c +@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_= Function *F, js_Environmen + jsR_savescope(J, scope); +=20 + if (n > F->numparams) { +- js_pop(J, F->numparams - n); ++ js_pop(J, n - F->numparams); + n =3D F->numparams; + } + for (i =3D n; i < F->varlen; ++i) +--=20 +2.9.1 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 9b3571e67..5efc5e6d1 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -6,10 +6,11 @@ ;;; Copyright =A9 2016 Roel Janssen ;;; Coypright =A9 2016 ng0 ;;; Coypright =A9 2016 Efraim Flashner -;;; Coypright =A9 2016 Marius Bakke +;;; Coypright =A9 2016, 2017 Marius Bakke ;;; Coypright =A9 2016 Ludovic Court=E8s ;;; Coypright =A9 2016 Julien Lepiller ;;; Copyright =A9 2016 Arun Isaac +;;; Copyright =A9 2017 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -538,6 +539,18 @@ line tools for batch rendering (pdfdraw), rewriting fi= les (pdfclean), and examining the file structure (pdfshow).") (license license:agpl3+))) =20 +(define mupdf/fixed + (package + (inherit mupdf) + (source + (origin + (inherit (package-source mupdf)) + (patches + (append + (origin-patches (package-source mupdf)) + (search-patches "mupdf-mujs-CVE-2016-10132.patch" + "mupdf-mujs-CVE-2016-10133.patch"))))))) + (define-public qpdf (package (name "qpdf") --=20 2.11.0 --nFreZHaLTZJo0R7j Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; filename="0002-gnu-cups-filters-Fix-CVE-2016-10132-10133-in-statica.patch" Content-Transfer-Encoding: quoted-printable =46rom a656359de1e7d0a76414888a59c8a0a8782e875f Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Sun, 15 Jan 2017 13:38:48 -0500 Subject: [PATCH 2/2] gnu: cups-filters: Fix CVE-2016-{10132,10133} in statically linked mupdf. The vulnerabilities are the MuJS that is bundled with MuPDF. * gnu/packages/cups.scm (cups-filters)[replacement]: New field. (cups-filters/fixed): New variable. --- gnu/packages/cups.scm | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm index ca1695835..95d57a4f3 100644 --- a/gnu/packages/cups.scm +++ b/gnu/packages/cups.scm @@ -3,6 +3,7 @@ ;;; Copyright =A9 2015, 2016 Ludovic Court=E8s ;;; Copyright =A9 2015, 2016 Efraim Flashner ;;; Copyright =A9 2016 Danny Milosavljevic +;;; Copyright =A9 2017 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -51,6 +52,7 @@ (define-public cups-filters (package (name "cups-filters") + (replacement cups-filters/fixed) (version "1.13.1") (source(origin (method url-fetch) @@ -133,6 +135,27 @@ filters for the PDF-centric printing workflow introduc= ed by OpenPrinting.") license:lgpl2.0+ license:expat)))) =20 +(define cups-filters/fixed + (package + (inherit cups-filters) + (inputs + `(("avahi" ,avahi) + ("fontconfig" ,fontconfig) + ("freetype" ,freetype) + ("font-dejavu" ,font-dejavu) ; also needed by test suite + ("ghostscript" ,(force ghostscript/cups)) + ("ijs" ,ijs) + ("dbus" ,dbus) + ("lcms" ,lcms) + ("libjpeg" ,libjpeg) + ("libpng" ,libpng) + ("libtiff" ,libtiff) + ("mupdf" ,(@@ (gnu packages pdf) mupdf/fixed)) + ("glib" ,glib) + ("qpdf" ,qpdf) + ("poppler" ,poppler) + ("cups-minimal" ,cups-minimal))))) + ;; CUPS on non-MacOS systems requires cups-filters. Since cups-filters al= so ;; depends on CUPS libraries and binaries, cups-minimal has been added to ;; satisfy this dependency. --=20 2.11.0 --nFreZHaLTZJo0R7j-- --8GpibOaaTibBMecb Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlh7w7UACgkQJkb6MLrK fwhdFg//fNTjk+0/H028xqCddIJduS1lz7R+cUtt9sKkLD0qjLsrTx2ORtMvRFJA 0mQYeICv9hg/JiPT8ckuYf5UI5qo4IOtFp+8l/oyylEkfGRGvpH92UPUKDBg89hA UAlduZql8sh0Cv4SnUOrkR47rIXm94EofK6VZTzY6nvJQ5h7s8ONjY0O+tVZZPJ6 1I75a8pqgpK7gMK+/u9adlXMd2wokyD8WZA8OWKdMK/gsuPOEeNgtYFxHNbzDR9n vp6aYfRIj5V8cukBgdpFwdq7+w2PmoeTdaaMWTKH3N2svi8Q7YdOzjXs5gnsGY5A yP9OxlFmM/OxYJtLla+a6vWOLB3QkUn7H+rlK0b/d2ZpVDylHdFhEqhFSpZybEPh oetS5Fm6eF4umAp43q/2/b85G0GXydvaRfvaV3snmZ1KCpyX9fLNhIUOGSyugA6n nOxqTvOOERXDbrzKgjYZJSN05EvkdXLLOlTZeYwwl/sVlucSSYwQKLgoYOh98j19 l6npq+e1H3UiIwScM39szqvQnCfbSqNrBUp065n3iRlFOeouNLoyCjNQuzeYFKgz q2l1m2r3NlAU8XGc7rRAZ/3lSDGY0xt41gHl+blZoYAaELH2+w+CcP84E7zv7HVX 46A2PWNjouLVxEzCT3SJspPrI5htHtAPM/QHapRqzjXrfI1nWXw= =elCr -----END PGP SIGNATURE----- --8GpibOaaTibBMecb--