From: Marius Bakke <mbakke@fastmail.com>
To: Kei Kebreau <kei@openmailbox.org>, Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: mupdf: Fix CVE-2016-8674.
Date: Wed, 26 Oct 2016 07:11:29 +0100 [thread overview]
Message-ID: <87y41bd4ha.fsf@duckhunt.i-did-not-set--mail-host-address--so-tickle-me> (raw)
In-Reply-To: <874m3z7osh.fsf@openmailbox.org>
[-- Attachment #1.1: Type: text/plain, Size: 771 bytes --]
Kei Kebreau <kei@openmailbox.org> writes:
> Is it frowned upon to revert that commit on its own (it's the third to
> last commit as I write this), or should I attempt to patch on top of it?
I've modified the patch to apply to 1.9a, but it was far from trivial
due to many context changes in upstream git. The attached patch makes
mupdf build at least, and viewing PDF still works...
The interdiff is rather unintelligible, so to verify this you should
compare the final patch with the 1.9a sources.
Ideally we should try and reproduce this vulnerability (and others!)
after applying this patch, but I don't know how to use AFL.
Another option is to simply package up the git version, as there appears
to be no users of mupdf in the tree.
WDYT, is this patch safe?
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 454 bytes --]
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-mupdf-Modify-CVE-2016-8674-patch-to-apply-to-1.9.patch --]
[-- Type: text/x-patch, Size: 6295 bytes --]
From c51f44edf3293aae323eded49dcba750f54607cb Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 26 Oct 2016 06:39:34 +0100
Subject: [PATCH] gnu: mupdf: Modify CVE-2016-8674 patch to apply to 1.9a.
The fix from upstream did not apply cleanly due to many context changes.
This was adapted by cloning mupdf 1.9a from git and fixing conflicts
after applying our patches and cherry-picking upstream commit 1e03c06.
* gnu/packages/patches/mupdf-CVE-2016-8674.patch: Adapt to 1.9a.
---
gnu/packages/patches/mupdf-CVE-2016-8674.patch | 83 +++++++++++++-------------
1 file changed, 41 insertions(+), 42 deletions(-)
diff --git a/gnu/packages/patches/mupdf-CVE-2016-8674.patch b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
index 62e4a02..2a35619 100644
--- a/gnu/packages/patches/mupdf-CVE-2016-8674.patch
+++ b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
@@ -3,17 +3,17 @@ Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
https://security-tracker.debian.org/tracker/CVE-2016-8674
-Patch copied from upstream source repository:
+Patch adapted from upstream source repository:
http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
-index aabf05f..0078c4a 100644
+index f8ef0cd..e8345b7 100644
--- a/include/mupdf/pdf/document.h
+++ b/include/mupdf/pdf/document.h
-@@ -269,6 +269,10 @@ struct pdf_document_s
- fz_hash_table *images;
- fz_hash_table *fonts;
- } resources;
+@@ -258,6 +258,10 @@ struct pdf_document_s
+ fz_font **type3_fonts;
+
+ pdf_resource_tables *resources;
+
+ int orphans_max;
+ int orphans_count;
@@ -22,10 +22,10 @@ index aabf05f..0078c4a 100644
/*
diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
-index 5bc3dca..bf57455 100644
+index 346a2f1..02d4119 100644
--- a/include/mupdf/pdf/object.h
+++ b/include/mupdf/pdf/object.h
-@@ -110,6 +110,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
+@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev);
void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
@@ -34,10 +34,10 @@ index 5bc3dca..bf57455 100644
void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val);
diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
-index b4e33f3..1c19ba4 100644
+index f2e4551..a0d0d8e 100644
--- a/source/pdf/pdf-object.c
+++ b/source/pdf/pdf-object.c
-@@ -1265,11 +1265,14 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
+@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
return pdf_dict_get(ctx, obj, abbrev);
}
@@ -46,27 +46,26 @@ index b4e33f3..1c19ba4 100644
+static void
+pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
{
- int i;
-
++
+ if (old_val)
+ *old_val = NULL;
+
RESOLVE(obj);
- if (!OBJ_IS_DICT(obj))
- fz_throw(ctx, FZ_ERROR_GENERIC, "not a dict (%s)", pdf_objkindstr(obj));
-@@ -1295,7 +1298,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
- {
- pdf_obj *d = DICT(obj)->items[i].v;
- DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
-- pdf_drop_obj(ctx, d);
-+ if (old_val)
-+ *old_val = d;
-+ else
-+ pdf_drop_obj(ctx, d);
+ if (obj >= PDF_OBJ__LIMIT)
+ {
+@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
+ {
+ pdf_obj *d = DICT(obj)->items[i].v;
+ DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
+- pdf_drop_obj(ctx, d);
++ if (old_val)
++ *old_val = d;
++ else
++ pdf_drop_obj(ctx, d);
+ }
}
- }
- else
-@@ -1316,10 +1322,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
+ else
+@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
}
void
@@ -96,10 +95,10 @@ index b4e33f3..1c19ba4 100644
pdf_drop_obj(ctx, val);
fz_catch(ctx)
diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
-index 690bf15..167f609 100644
+index fdd4648..212c8b7 100644
--- a/source/pdf/pdf-repair.c
+++ b/source/pdf/pdf-repair.c
-@@ -260,6 +260,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int stm_num)
+@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen)
}
}
@@ -127,12 +126,12 @@ index 690bf15..167f609 100644
void
pdf_repair_xref(fz_context *ctx, pdf_document *doc)
{
-@@ -528,12 +549,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
+@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
/* correct stream length for unencrypted documents */
if (!encrypt && list[i].stm_len >= 0)
{
+ pdf_obj *old_obj = NULL;
- dict = pdf_load_object(ctx, doc, list[i].num);
+ dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen);
length = pdf_new_int(ctx, doc, list[i].stm_len);
- pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
@@ -145,22 +144,22 @@ index 690bf15..167f609 100644
}
}
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 7d21775..0cf20d4 100644
+index 3de1cd2..6682741 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
-@@ -1620,6 +1620,12 @@ pdf_drop_document_imp(fz_context *ctx, pdf_document *doc)
+@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc)
- pdf_drop_resource_tables(ctx, doc);
+ pdf_drop_resource_tables(ctx, doc);
-+ for (i = 0; i < doc->orphans_count; i++)
-+ {
-+ pdf_drop_obj(ctx, doc->orphans[i]);
-+ }
-+ fz_free(ctx, doc->orphans);
++ for (i = 0; i < doc->orphans_count; i++)
++ {
++ pdf_drop_obj(ctx, doc->orphans[i]);
++ }
++ fz_free(ctx, doc->orphans);
+
- fz_free(ctx, doc);
- }
- fz_always(ctx)
+ fz_free(ctx, doc);
+ }
+
--
-2.9.1
+2.10.1
--
2.10.1
next prev parent reply other threads:[~2016-10-26 6:11 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-25 16:53 [PATCH] gnu: mupdf: Fix CVE-2016-8674 Kei Kebreau
2016-10-25 17:12 ` Leo Famulari
2016-10-26 1:46 ` Mark H Weaver
2016-10-26 3:49 ` Kei Kebreau
2016-10-26 6:11 ` Marius Bakke [this message]
2016-10-26 12:45 ` Ludovic Courtès
2016-10-26 14:17 ` Marius Bakke
2016-10-26 9:25 ` Mark H Weaver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y41bd4ha.fsf@duckhunt.i-did-not-set--mail-host-address--so-tickle-me \
--to=mbakke@fastmail.com \
--cc=guix-devel@gnu.org \
--cc=kei@openmailbox.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.