Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Please unblock package mupdf [ Reason ] To fix two CVEs - - https://security-tracker.debian.org/tracker/CVE-2021-37220 - - https://security-tracker.debian.org/tracker/CVE-2020-19609 [ Impact ] Potential denial of service caused by crashes or arbitrary code execution caused by buffer overflow [ Tests ] I tested manually with reproducer files from upstream bug reports. I also did some regression test with some PDF files. [ Risks ] Risks should be low. The changes are cherry-picked from upstream and there weren't any other changes applied by upstream between the two versions. The risk of faulty backport is low. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] The source package src:mupdf produces the following binary packages: - - mupdf - - mupdf-dbgsym - - mupdf-tools - - mupdf-tools-dbgsym - - libmupdf-dev unblock mupdf/1.17.0+ds1-2 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE2JDTPWFH4vUeM4aHCjk1SrblfeEFAmD6g1sACgkQCjk1Srbl feE/yQ/+KQEr5VOfJhJabt13ZZKLwE2ktpOgU4OwkfwlZy5Z5VoBC+r2WpIdL/TP k1VbDEXgc57Yd+ZlHRe1baIYc9oiz7YnYyGpnUUVLOGrILqKqFOOtWLFpoa3fzwL 9uQu0trzUahJawdQDQq7Fp5GBkA3U/+KCtZ7+f9/33ACVioxv3S3LIsfDLnLztN3 E68ZjdasSXPX3GGWbUgkY7RG8h+47CNb3Vw+4Y50kN3zucM7PjP/8pdc6d4p6SoC B6ad3bGyI1t9leaTwB9XRGDlCPNo1I73LcTNM1Uw9WCuPzSyavnpwL/lEATJLfuQ nsfT3+9yNv+lgCtIEzG/UABFP6FpEqwOcna4zwCRSH78Q3UiICSULEr/nx9H/DRj +vDwuWKXp7+Y/0CwVyJASf9YiSmcj0m2SJ/Z0GHRvytwtpQKEyRVjisYGDb9gJJ0 X/3gTyvwvox6OKY4Oh8qUgdLfPZUUeIAvwTZCRONNXss8SXKvSdopfq1RrdAnNy1 fVCvp9CvsGX34e11ZU0Fnna+9Ze+eAjFykssv3En1hgGdWoIMDNo+aSP68W9GtGb FmxCwP2o39B4Uu7cU8WWcTPe8GgJBFNHZmqW9VBxO/zwFJNBrOM1Mz0aNbKwfsXz X6dW7PlonVR2M0rwhlgRgYp0ir2+hK87HEiQJvbnS5gabTAFyBo= =C38i -----END PGP SIGNATURE-----
diff -Nru mupdf-1.17.0+ds1/debian/changelog mupdf-1.17.0+ds1/debian/changelog --- mupdf-1.17.0+ds1/debian/changelog 2021-02-28 21:40:40.000000000 +0900 +++ mupdf-1.17.0+ds1/debian/changelog 2021-07-23 17:09:37.000000000 +0900 @@ -1,3 +1,11 @@ +mupdf (1.17.0+ds1-2) unstable; urgency=medium + + * Fix buffer overrun in tiff decoder (CVE-2020-19609) (Closes: #991401) + * Stay within hash table max key size in cached color converter + (CVE-2021-37220) (Closes: #991402) + + -- Kan-Ru Chen (陳侃如) <kos...@debian.org> Fri, 23 Jul 2021 17:09:37 +0900 + mupdf (1.17.0+ds1-1.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch --- mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch 1970-01-01 09:00:00.000000000 +0900 +++ mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch 2021-07-23 16:54:49.000000000 +0900 @@ -0,0 +1,65 @@ +From: Sebastian Rasmussen <seb...@gmail.com> +Date: Fri, 23 Jul 2021 16:32:29 +0900 +Subject: tiff: Avoid limiting palette colors to 8 bits. + +Previously fz_unpack_tile() could not handle >8 bit images, +so palettized tiff colors had to be limited to 8 bits. +Now when fz_unpack_tile() does handles >8 bit images do not +limit the samples in the colormap to 8 bits. + +This fixes Coverity CID 150612. + +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=666c62d491ca76ade9a281dfe4c4e945cc71f8e8 +--- + source/fitz/load-tiff.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c +index c7c0bcf..bb69e2f 100644 +--- a/source/fitz/load-tiff.c ++++ b/source/fitz/load-tiff.c +@@ -253,7 +253,7 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff) + if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2)) + fz_throw(ctx, FZ_ERROR_GENERIC, "image too large"); + +- stride = tiff->imagewidth * (tiff->samplesperpixel + 2); ++ stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2; + + samples = Memento_label(fz_malloc(ctx, stride * tiff->imagelength), "tiff_samples"); + +@@ -269,25 +269,31 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff) + int c = tiff_getcomp(src, x * 2, tiff->bitspersample); + int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample); + *dst++ = tiff->colormap[c + 0] >> 8; ++ *dst++ = tiff->colormap[c + 0]; + *dst++ = tiff->colormap[c + maxval] >> 8; ++ *dst++ = tiff->colormap[c + maxval]; + *dst++ = tiff->colormap[c + maxval * 2] >> 8; +- if (tiff->bitspersample <= 8) +- *dst++ = a << (8 - tiff->bitspersample); ++ *dst++ = tiff->colormap[c + maxval * 2]; ++ if (tiff->bitspersample <= 16) ++ *dst++ = a << (16 - tiff->bitspersample); + else +- *dst++ = a >> (tiff->bitspersample - 8); ++ *dst++ = a >> (tiff->bitspersample - 16); + } + else + { + int c = tiff_getcomp(src, x, tiff->bitspersample); + *dst++ = tiff->colormap[c + 0] >> 8; ++ *dst++ = tiff->colormap[c + 0]; + *dst++ = tiff->colormap[c + maxval] >> 8; ++ *dst++ = tiff->colormap[c + maxval]; + *dst++ = tiff->colormap[c + maxval * 2] >> 8; ++ *dst++ = tiff->colormap[c + maxval * 2]; + } + } + } + + tiff->samplesperpixel += 2; +- tiff->bitspersample = 8; ++ tiff->bitspersample = 16; + tiff->stride = stride; + fz_free(ctx, tiff->samples); + tiff->samples = samples; diff -Nru mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch --- mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch 1970-01-01 09:00:00.000000000 +0900 +++ mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch 2021-07-23 16:54:49.000000000 +0900 @@ -0,0 +1,87 @@ +From: Robin Watts <robin.wa...@artifex.com> +Date: Fri, 23 Jul 2021 16:35:21 +0900 +Subject: Bug 703076: Fix buffer overrun in tiff decoder. + +Harden tiff_expand_colormap against badly formed TIFFs. +Correctly allocate space, and avoid overreading. Skip any excess +input data. + +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=2c4f11f8dcdbd18c35a65e58cc789be0e46012a8 +--- + source/fitz/load-tiff.c | 42 +++++++++++++++++++++--------------------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c +index bb69e2f..40db0fe 100644 +--- a/source/fitz/load-tiff.c ++++ b/source/fitz/load-tiff.c +@@ -236,6 +236,7 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff) + unsigned char *src, *dst; + unsigned int x, y; + unsigned int stride; ++ unsigned int srcstride; + + /* colormap has first all red, then all green, then all blue values */ + /* colormap values are 0..65535, bits is 4 or 8 */ +@@ -253,41 +254,40 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff) + if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2)) + fz_throw(ctx, FZ_ERROR_GENERIC, "image too large"); + +- stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2; ++ srcstride = ((1 + tiff->extrasamples) * tiff->bitspersample + 7) & ~7; ++ if (tiff->stride < 0 || srcstride > (unsigned int)tiff->stride) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "insufficient data for format"); ++ ++ stride = tiff->imagewidth * (3 + !!tiff->extrasamples) * 2; + + samples = Memento_label(fz_malloc(ctx, stride * tiff->imagelength), "tiff_samples"); + + for (y = 0; y < tiff->imagelength; y++) + { ++ int s = 0; + src = tiff->samples + (unsigned int)(tiff->stride * y); + dst = samples + (unsigned int)(stride * y); + + for (x = 0; x < tiff->imagewidth; x++) + { ++ int c = tiff_getcomp(src, s++, tiff->bitspersample); ++ *dst++ = tiff->colormap[c + 0] >> 8; ++ *dst++ = tiff->colormap[c + 0]; ++ *dst++ = tiff->colormap[c + maxval] >> 8; ++ *dst++ = tiff->colormap[c + maxval]; ++ *dst++ = tiff->colormap[c + maxval * 2] >> 8; ++ *dst++ = tiff->colormap[c + maxval * 2]; + if (tiff->extrasamples) + { +- int c = tiff_getcomp(src, x * 2, tiff->bitspersample); +- int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample); +- *dst++ = tiff->colormap[c + 0] >> 8; +- *dst++ = tiff->colormap[c + 0]; +- *dst++ = tiff->colormap[c + maxval] >> 8; +- *dst++ = tiff->colormap[c + maxval]; +- *dst++ = tiff->colormap[c + maxval * 2] >> 8; +- *dst++ = tiff->colormap[c + maxval * 2]; ++ /* Assume the first is alpha, and skip the rest. */ ++ int a = tiff_getcomp(src, s++, tiff->bitspersample); + if (tiff->bitspersample <= 16) +- *dst++ = a << (16 - tiff->bitspersample); ++ a = a << (16 - tiff->bitspersample); + else +- *dst++ = a >> (tiff->bitspersample - 16); +- } +- else +- { +- int c = tiff_getcomp(src, x, tiff->bitspersample); +- *dst++ = tiff->colormap[c + 0] >> 8; +- *dst++ = tiff->colormap[c + 0]; +- *dst++ = tiff->colormap[c + maxval] >> 8; +- *dst++ = tiff->colormap[c + maxval]; +- *dst++ = tiff->colormap[c + maxval * 2] >> 8; +- *dst++ = tiff->colormap[c + maxval * 2]; ++ a = a >> (tiff->bitspersample - 16); ++ *dst++ = a >> 8; ++ *dst++ = a; ++ s += tiff->extrasamples-1; + } + } + } diff -Nru mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch --- mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch 1970-01-01 09:00:00.000000000 +0900 +++ mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch 2021-07-23 16:54:49.000000000 +0900 @@ -0,0 +1,113 @@ +From: Tor Andersson <tor.anders...@artifex.com> +Date: Fri, 23 Jul 2021 16:54:00 +0900 +Subject: Bug 703791: Stay within hash table max key size in cached color + converter. + +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;h=f5712c9949d026e4b891b25837edd2edc166151f +--- + include/mupdf/fitz/hash.h | 2 ++ + source/fitz/colorspace.c | 40 +++++++++++++++++++++++++--------------- + source/fitz/hash.c | 7 +++---- + 3 files changed, 30 insertions(+), 19 deletions(-) + +diff --git a/include/mupdf/fitz/hash.h b/include/mupdf/fitz/hash.h +index ab6159e..6a1b87f 100644 +--- a/include/mupdf/fitz/hash.h ++++ b/include/mupdf/fitz/hash.h +@@ -5,6 +5,8 @@ + #include "mupdf/fitz/context.h" + #include "mupdf/fitz/output.h" + ++#define FZ_HASH_TABLE_KEY_LENGTH 48 ++ + /** + Generic hash-table with fixed-length keys. + +diff --git a/source/fitz/colorspace.c b/source/fitz/colorspace.c +index b095a7c..200f264 100644 +--- a/source/fitz/colorspace.c ++++ b/source/fitz/colorspace.c +@@ -990,23 +990,30 @@ typedef struct fz_cached_color_converter + static void fz_cached_color_convert(fz_context *ctx, fz_color_converter *cc_, const float *ss, float *ds) + { + fz_cached_color_converter *cc = cc_->opaque; +- float *val = fz_hash_find(ctx, cc->hash, ss); +- int n = cc->base.ds->n * sizeof(float); +- +- if (val) ++ if (cc->hash) + { +- memcpy(ds, val, n); +- return; +- } ++ float *val = fz_hash_find(ctx, cc->hash, ss); ++ int n = cc->base.ds->n * sizeof(float); + +- cc->base.convert(ctx, &cc->base, ss, ds); ++ if (val) ++ { ++ memcpy(ds, val, n); ++ return; ++ } + +- val = Memento_label(fz_malloc_array(ctx, cc->base.ds->n, float), "cached_color_convert"); +- memcpy(val, ds, n); +- fz_try(ctx) +- fz_hash_insert(ctx, cc->hash, ss, val); +- fz_catch(ctx) +- fz_free(ctx, val); ++ cc->base.convert(ctx, &cc->base, ss, ds); ++ ++ val = Memento_label(fz_malloc_array(ctx, cc->base.ds->n, float), "cached_color_convert"); ++ memcpy(val, ds, n); ++ fz_try(ctx) ++ fz_hash_insert(ctx, cc->hash, ss, val); ++ fz_catch(ctx) ++ fz_free(ctx, val); ++ } ++ else ++ { ++ cc->base.convert(ctx, &cc->base, ss, ds); ++ } + } + + void fz_init_cached_color_converter(fz_context *ctx, fz_color_converter *cc, fz_colorspace *ss, fz_colorspace *ds, fz_colorspace *is, fz_color_params params) +@@ -1025,7 +1032,10 @@ void fz_init_cached_color_converter(fz_context *ctx, fz_color_converter *cc, fz_ + fz_try(ctx) + { + fz_find_color_converter(ctx, &cached->base, ss, ds, is, params); +- cached->hash = fz_new_hash_table(ctx, 256, n * sizeof(float), -1, fz_free); ++ if (n * sizeof(float) <= FZ_HASH_TABLE_KEY_LENGTH) ++ cached->hash = fz_new_hash_table(ctx, 256, n * sizeof(float), -1, fz_free); ++ else ++ fz_warn(ctx, "colorspace has too many components to be cached"); + } + fz_catch(ctx) + { +diff --git a/source/fitz/hash.c b/source/fitz/hash.c +index c787f9e..0ff320e 100644 +--- a/source/fitz/hash.c ++++ b/source/fitz/hash.c +@@ -11,11 +11,9 @@ + and removed frequently. + */ + +-enum { MAX_KEY_LEN = 48 }; +- + typedef struct + { +- unsigned char key[MAX_KEY_LEN]; ++ unsigned char key[FZ_HASH_TABLE_KEY_LENGTH]; + void *val; + } fz_hash_entry; + +@@ -50,7 +48,8 @@ fz_new_hash_table(fz_context *ctx, int initialsize, int keylen, int lock, fz_has + { + fz_hash_table *table; + +- assert(keylen <= MAX_KEY_LEN); ++ if (keylen > FZ_HASH_TABLE_KEY_LENGTH) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "hash table key length too large"); + + table = fz_malloc_struct(ctx, fz_hash_table); + table->keylen = keylen; diff -Nru mupdf-1.17.0+ds1/debian/patches/series mupdf-1.17.0+ds1/debian/patches/series --- mupdf-1.17.0+ds1/debian/patches/series 2021-02-28 21:40:40.000000000 +0900 +++ mupdf-1.17.0+ds1/debian/patches/series 2021-07-23 16:54:49.000000000 +0900 @@ -9,3 +9,6 @@ 0010-Prevent-thirdparty-archive-build.patch 0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch 0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch +0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch +0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch +0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch