Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package djvulibre for openSUSE:Factory checked in at 2021-05-15 23:15:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/djvulibre (Old) and /work/SRC/openSUSE:Factory/.djvulibre.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "djvulibre" Sat May 15 23:15:32 2021 rev:41 rq:892460 version:3.5.28 Changes: --------
--- /work/SRC/openSUSE:Factory/djvulibre/djvulibre.changes 2020-12-30 17:11:17.525165032 +0100
+++ /work/SRC/openSUSE:Factory/.djvulibre.new.2988/djvulibre.changes 2021-05-15 23:16:39.432626038 +0200
@@ -1,0 +2,14 @@
+Wed May 12 10:09:21 UTC 2021 - pgaj...@suse.com
+
+- security update
+- added patches
+ fix CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file
+ + djvulibre-CVE-2021-32490.patch
+ fix CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file
+ + djvulibre-CVE-2021-32491.patch
+ fix CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
+ + djvulibre-CVE-2021-32492.patch
+ fix CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
+ + djvulibre-CVE-2021-32493.patch
+
+-------------------------------------------------------------------
New: ---- djvulibre-CVE-2021-32490.patch djvulibre-CVE-2021-32491.patch djvulibre-CVE-2021-32492.patch djvulibre-CVE-2021-32493.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ djvulibre.spec ++++++
--- /var/tmp/diff_new_pack.kfiloo/_old 2021-05-15 23:16:40.004623804 +0200
+++ /var/tmp/diff_new_pack.kfiloo/_new 2021-05-15 23:16:40.008623789 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package djvulibre
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,6 +27,14 @@
 Group: Productivity/Graphics/Other
 URL: http://djvu.sourceforge.net
 Source: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
+# CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file
+Patch0: djvulibre-CVE-2021-32490.patch
+# CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file
+Patch1: djvulibre-CVE-2021-32491.patch
+# CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
+Patch2: djvulibre-CVE-2021-32492.patch
+# CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
+Patch3: djvulibre-CVE-2021-32493.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: hicolor-icon-theme
@@ -79,6 +87,10 @@
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %build
 # configure script missing; generate using autogen.sh
++++++ djvulibre-3.5.28.tar.gz ++++++ ++++ 56704 lines of diff (skipped) ++++++ djvulibre-CVE-2021-32490.patch ++++++
Index: djvulibre-3.5.28/libdjvu/IW44Image.cpp
===================================================================
--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp 2020-11-20 17:57:32.000000000 +0100
+++ djvulibre-3.5.28/libdjvu/IW44Image.cpp 2021-05-11 15:14:54.034421423 +0200
@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8,
 size_t sz = bw * bh;
 if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
 G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+ if (sz == 0)
+ G_THROW("IW44Image: zero size image (corrupted file?)");
 GPBuffer<short> gdata16(data16,sz);
+ if (data16 == NULL)
+ G_THROW("IW44Image: unable to allocate image data");
 // Copy coefficients
 int i;
 short *p = data16;
++++++ djvulibre-CVE-2021-32491.patch ++++++
Index: djvulibre-3.5.28/tools/ddjvu.cpp
===================================================================
--- djvulibre-3.5.28.orig/tools/ddjvu.cpp 2020-11-20 17:57:32.000000000 +0100
+++ djvulibre-3.5.28/tools/ddjvu.cpp 2021-05-11 15:14:54.038421444 +0200
@@ -70,6 +70,7 @@
 #include <locale.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <stdint.h>
 #ifdef UNIX
 # include <sys/time.h>
@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
 rowsize = rrect.w;
 else
 rowsize = rrect.w * 3;
- if (! (image = (char*)malloc(rowsize * rrect.h)))
+ if ((size_t) rowsize > SIZE_MAX / rrect.h)
+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
+ if (! (image = (char*)malloc((size_t) rowsize * rrect.h)))
 die(i18n("Cannot allocate image buffer for page %d"), pageno);
 /* Render */
++++++ djvulibre-CVE-2021-32492.patch ++++++
--- a/libdjvu/DataPool.cpp
+++ a/libdjvu/DataPool.cpp
@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
 DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
 DEBUG_MAKE_INDENT(3);
+ if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
+
 DataPool *xpool=new DataPool();
 GP<DataPool> retval=xpool;
 xpool->init();
++++++ djvulibre-CVE-2021-32493.patch ++++++
--- a/libdjvu/GBitmap.cpp
+++ a/libdjvu/GBitmap.cpp
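Review bot: In the IW44Image::Map::image hunk the new `sz == 0` test sits after the context line `if (sz / (size_t)bw != (size_t)bh)`, so an image whose `bw` is zero reaches the division before it reaches the new throw. The product `bw * bh` on the first context line also appears to be evaluated before the conversion to `size_t` (the casts suggest `bw` and `bh` are narrower integers declared outside the hunk), which would leave the overflow test looking at an already-wrapped value. I would reject the dimensions first with `if (bw <= 0 || bh <= 0) G_THROW("IW44Image: zero size image (corrupted file?)");` and then compute `size_t sz = (size_t)bw * (size_t)bh;`. The function body starts and ends outside the hunk.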
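Review bot: The new guard `(size_t) rowsize > SIZE_MAX / rrect.h` in render() divides by `rrect.h` without first checking it for zero, and it widens `rowsize` only after the context line `rowsize = rrect.w * 3` has already multiplied in the narrower type. If `rowsize` and `rrect.w` are 32-bit (their declarations are outside the hunk), a very wide page can wrap at that multiplication and pass the new check with a row size smaller than the rendering code expects. I would test `if (rrect.h == 0 || (size_t) rowsize > SIZE_MAX / rrect.h)` and compute the row size in `size_t` from the start, for example `(size_t) rrect.w * 3`, with its own bound on `rrect.w`. The rest of render() is outside the hunk.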
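Review bot: The guard added to DataPool::create covers only a null `pool`; `start` and `length` are signed `int` parameters and pass through the visible lines unchecked. If the remainder of create() (outside this hunk) does not already reject a negative `start` or an out-of-range `length`, validating them at the same point would be worthwhile, since the changelog ties this CVE to an out-of-bounds read in has_data(). A short comment above the check would also help the next reader, for example `// a corrupted document can hand us a null parent pool; fail before the new pool is built on it`.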
@@ -69,6 +69,7 @@
 #include <stddef.h>
 #include <stdlib.h>
 #include <string.h>
+#include <climits>
 // - Author: Leon Bottou, 05/1997
@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
 // initialize pixel array
 if (nrows==0 || ncolumns==0)
 G_THROW( ERR_MSG("GBitmap.not_init") );
+ if (ncolumns > USHRT_MAX - border)
+ G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
 bytes_per_row = ncolumns + border;
 if (runs==0)
 G_THROW( ERR_MSG("GBitmap.null_arg") );
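Review bot: The new check in GBitmap::decode bounds only the row width (`ncolumns + border`); nothing in the hunk bounds the total size of the pixel buffer. If the code after the hunk sizes that buffer as a product of `nrows` and `bytes_per_row` in `int` (that line is not visible here), two values near `USHRT_MAX` can still overflow it, so a guard after the assignment such as `if (nrows > (INT_MAX - border) / bytes_per_row) G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");` would close the gap. The new throw also passes a literal string where the two neighbouring throws go through `ERR_MSG(...)`, which is worth confirming as intended. decode() continues outside the hunk.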