From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 1/1] gnu: poppler: Fix CVE-2015-8868. Date: Sat, 30 Apr 2016 14:23:21 -0400 Message-ID: References: Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:40852) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1awZYc-0006gH-Nl for guix-devel@gnu.org; Sat, 30 Apr 2016 14:24:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1awZYL-0002l4-HC for guix-devel@gnu.org; Sat, 30 Apr 2016 14:23:53 -0400 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:46730) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1awZYJ-0002hg-5s for guix-devel@gnu.org; Sat, 30 Apr 2016 14:23:41 -0400 Received: from jasmine.lan (c-50-191-78-78.hsd1.pa.comcast.net [50.191.78.78]) by mail.messagingengine.com (Postfix) with ESMTPA id 90718C00016 for ; Sat, 30 Apr 2016 14:23:27 -0400 (EDT) In-Reply-To: In-Reply-To: References: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org * gnu/packages/pdf.scm (poppler)[replacement]: New field. (poppler/fixed): New variable. * gnu/packages/patches/poppler-CVE-2015-8868.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/patches/poppler-CVE-2015-8868.patch | 30 ++++++++++++++++++++++++ gnu/packages/pdf.scm | 8 +++++++ 3 files changed, 39 insertions(+) create mode 100644 gnu/packages/patches/poppler-CVE-2015-8868.patch diff --git a/gnu/local.mk b/gnu/local.mk index 7556fa7..e45405f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -681,6 +681,7 @@ dist_patch_DATA = \ gnu/packages/patches/plink-1.07-unclobber-i.patch \ gnu/packages/patches/plotutils-libpng-jmpbuf.patch \ gnu/packages/patches/polkit-drop-test.patch \ + gnu/packages/patches/poppler-CVE-2015-8868.patch \ gnu/packages/patches/portaudio-audacity-compat.patch \ gnu/packages/patches/procmail-ambiguous-getline-debian.patch \ gnu/packages/patches/pt-scotch-build-parallelism.patch \ diff --git a/gnu/packages/patches/poppler-CVE-2015-8868.patch b/gnu/packages/patches/poppler-CVE-2015-8868.patch new file mode 100644 index 0000000..ac78d32 --- /dev/null +++ b/gnu/packages/patches/poppler-CVE-2015-8868.patch @@ -0,0 +1,30 @@ +Fixes CVE-2015-8868 (heap overflow). + +Upstream source: +https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433 + +From b3425dd3261679958cd56c0f71995c15d2124433 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 22 Dec 2015 22:50:33 +0100 +Subject: Do not crash on invalid files + +Bug #93476 + +diff --git a/poppler/Function.cc b/poppler/Function.cc +index 67283df..ee5afc1 100644 +--- a/poppler/Function.cc ++++ b/poppler/Function.cc +@@ -577,6 +577,10 @@ ExponentialFunction::ExponentialFunction(Object *funcObj, Dict *dict) { + goto err2; + } + n = obj1.arrayGetLength(); ++ if (unlikely(n > funcMaxOutputs)) { ++ error(errSyntaxError, -1, "Function's C0 array is wrong length"); ++ n = funcMaxOutputs; ++ } + for (i = 0; i < n; ++i) { + obj1.arrayGet(i, &obj2); + if (!obj2.isNum()) { +-- +cgit v0.10.2 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 1d33be8..8f9f5dd 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -53,6 +53,7 @@ (package (name "poppler") (version "0.37.0") + (replacement poppler/fixed) (source (origin (method url-fetch) (uri (string-append "https://poppler.freedesktop.org/poppler-" 
@@ -104,6 +105,13 @@ (license license:gpl2+) (home-page "http://poppler.freedesktop.org/"))) +(define poppler/fixed + (package + (inherit poppler) + (source (origin + (inherit (package-source poppler)) + (patches (search-patches "poppler-CVE-2015-8868.patch")))))) + (define-public poppler-qt4 (package (inherit poppler) (name "poppler-qt4") -- 2.7.4
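Review bot: in the poppler/Function.cc hunk carried inside poppler-CVE-2015-8868.patch, the new bound is applied only at the point where n is taken from the C0 array's length, and the three context lines after it show just the start of the loop that consumes n. Before merging, confirm against the 0.37.0 source that every later array read in ExponentialFunction::ExponentialFunction uses the clamped n or has its own check against funcMaxOutputs, since nothing in this hunk shows that. It would also help to state in the patch file's header that it is the unmodified upstream commit b3425dd, so later reviewers can diff it against the URL given there.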
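Review bot: in the gnu/packages/pdf.scm hunks, poppler-qt4 is declared with (inherit poppler) in the context just below the new poppler/fixed definition, so it copies the new (replacement poppler/fixed) field and still takes its source from the unpatched poppler origin. Unless that is handled outside the visible lines, poppler-qt4 is built without poppler-CVE-2015-8868.patch and carries a replacement that points at a package with a different name and configuration. Consider giving poppler-qt4 an explicit (replacement #f) together with the patched source, or its own fixed variant. poppler/fixed inherits the same replacement field, which then refers to itself, so resetting it there as well would be cleaner.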