Brian May <[email protected]> writes:
> It appears if I can work out how to define SPLASH_CMYK for the build,
> then I can fix CVE-2019-10871 too. So I will investigate this
> possibility.
Updated patch. diff -Nru poppler-0.26.5/debian/changelog poppler-0.26.5/debian/changelog --- poppler-0.26.5/debian/changelog 2019-09-27 03:13:02.000000000 +1000 +++ poppler-0.26.5/debian/changelog 2019-10-14 17:24:52.000000000 +1100 @@ -1,3 +1,17 @@ +poppler (0.26.5-2+deb8u12) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2019-9959 + JPXStream::init function doesn't check for negative values of + stream length, leading to an Integer Overflow, leading to large + memory request causing DOS. + * CVE-2019-10871 + Fix heap-based buffer over-read in the function + PSOutputDev::checkPageSlice at PSOutputDev.cc by defining + SPLASH_CMYK in builds. + + -- Brian May <[email protected]> Mon, 14 Oct 2019 17:24:52 +1100 + poppler (0.26.5-2+deb8u11) jessie-security; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru poppler-0.26.5/debian/patches/CVE-2019-9959.patch poppler-0.26.5/debian/patches/CVE-2019-9959.patch --- poppler-0.26.5/debian/patches/CVE-2019-9959.patch 1970-01-01 10:00:00.000000000 +1000 +++ poppler-0.26.5/debian/patches/CVE-2019-9959.patch 2019-10-14 17:19:03.000000000 +1100 
@@ -0,0 +1,21 @@ +From 68ef84e5968a4249c2162b839ca6d7975048a557 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <[email protected]> +Date: Mon, 15 Jul 2019 23:24:22 +0200 +Subject: [PATCH] JPXStream::init: ignore dict Length if clearly broken + +Fixes issue #805 +--- + poppler/JPEG2000Stream.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/poppler/JPEG2000Stream.cc ++++ b/poppler/JPEG2000Stream.cc +@@ -72,7 +72,7 @@ + if (getDict()) getDict()->lookup("Length", &oLen); + + int bufSize = BUFFER_INITIAL_SIZE; +- if (oLen.isInt()) bufSize = oLen.getInt(); ++ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt(); + oLen.free(); + + diff -Nru poppler-0.26.5/debian/patches/series poppler-0.26.5/debian/patches/series --- poppler-0.26.5/debian/patches/series 2019-09-27 03:13:02.000000000 +1000 +++ poppler-0.26.5/debian/patches/series 2019-10-14 17:17:34.000000000 +1100 @@ -40,3 +40,4 @@ CVE-2018-21009.patch CVE-2019-12493.patch CVE-2018-20650.patch +CVE-2019-9959.patch diff -Nru poppler-0.26.5/debian/rules poppler-0.26.5/debian/rules --- poppler-0.26.5/debian/rules 2019-03-09 05:09:06.000000000 +1100 +++ poppler-0.26.5/debian/rules 2019-10-14 17:24:52.000000000 +1100 @@ -19,6 +19,9 @@ # enable all the hardening options export DEB_BUILD_MAINT_OPTIONS = hardening=+all +export DEB_CFLAGS_APPEND = -DSPLASH_CMYK +export DEB_CXXFLAGS_APPEND = -DSPLASH_CMYK + # DEB_* variables DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) -- Brian May <[email protected]>
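Review bot: the changelog entry for CVE-2019-10871 describes a heap over-read in PSOutputDev::checkPageSlice but the only patch added to debian/patches/series is CVE-2019-9959.patch, so the entry should state plainly that the compile-time define is the complete fix for that CVE (no source patch is applied), otherwise a later reader of the changelog will go looking for a missing patch file.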
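Review bot: in the JPEG2000Stream.cc hunk, `if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();` rejects negative and zero Length values, which matches the "negative values of stream length, leading to an Integer Overflow" wording in the changelog; a large positive Length is still used as-is for bufSize, so the changelog text about a "large memory request" should be read as the consequence of the negative case only. The patch file carries the upstream From/Date/Subject header and commit id but no DEP-3 Origin or Bug line, so "Fixes issue #805" is not resolvable from the package; add an Origin line with the upstream commit and a Bug line pointing at that issue.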
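Review bot: the debian/rules hunk uses `export DEB_CFLAGS_APPEND = -DSPLASH_CMYK` and `export DEB_CXXFLAGS_APPEND = -DSPLASH_CMYK`, which are the user-facing dpkg-buildflags variables; inside debian/rules the maintainer variants DEB_CFLAGS_MAINT_APPEND and DEB_CXXFLAGS_MAINT_APPEND are the documented way to append flags, and the exports should carry a comment naming CVE-2019-10871 as the reason, since nothing else in the package ties this define to that CVE. Worth confirming in the build log that -DSPLASH_CMYK actually reaches the compiler invocations before uploading.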
