Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package mupdf. It fixes CVE-2018-16647 and CVE-2018-16648, and also fixes the broken command-line usage message. unblock mupdf/1.14.0+ds1-4 -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.0.0-rc8+ (SMP w/8 CPU cores) Kernel taint flags: TAINT_UNSIGNED_MODULE Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8), LANGUAGE=zh_TW.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru mupdf-1.14.0+ds1/debian/changelog mupdf-1.14.0+ds1/debian/changelog
--- mupdf-1.14.0+ds1/debian/changelog 2019-01-19 12:01:19.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/changelog 2019-03-16 09:42:00.000000000 +0900
@@ -1,3 +1,18 @@
+mupdf (1.14.0+ds1-4) unstable; urgency=medium
+
+ [ Salvatore Bonaccorso ]
+ * Avoid being smart about keeping only a single reference to the buffer
+ (CVE-2018-16647)
+ (Closes: #924351)
+ * Fix text used as clip mask in pdfwrite device (CVE-2018-16648)
+ (Closes: #924351)
+ * Fix typo in pdf write device
+
+ [ Kan-Ru Chen ]
+ * Add more options to mupdf wrapper and display usage correctly
+
+ -- Kan-Ru Chen (陳侃如) <kos...@debian.org> Sat, 16 Mar 2019 09:42:00 +0900
+
 mupdf (1.14.0+ds1-3) unstable; urgency=high
 * d/patches: import upstream fixes for various bugs.
diff -Nru mupdf-1.14.0+ds1/debian/mupdf.sh mupdf-1.14.0+ds1/debian/mupdf.sh
--- mupdf-1.14.0+ds1/debian/mupdf.sh 2018-11-04 08:48:05.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/mupdf.sh 2019-03-16 09:38:35.000000000 +0900
@@ -22,27 +22,30 @@ file="" cmd="/usr/lib/mupdf/mupdf-x11" -while getopts p:r:A:C:W:H:S:U: f +while getopts p:r:A:C:W:H:IS:U:X f do case $f in - p|r|A|C|W|H|S|U) + p|r|A|C|W|H|I|S|U|X) cmd="$cmd -$f $OPTARG";; esac done shift `expr $OPTIND - 1` + +test "$1" || exec $cmd + test -f "$1" && file="$1" || ( echo "error: \"$1\" file not found" && exit 1 ) tmp=$(tempfile -s .pdf) case "$file" in - *.gz|*.Z) zcat -- "$file" > "$tmp" && exec 3< "$tmp" && file="$tmp";; - *.xz) xzcat -- "$file" > "$tmp" && exec 3< "$tmp" && file="$tmp";; - *.bz2) bzcat -- "$file" > "$tmp" && exec 3< "$tmp" && file="$tmp";; + *.gz|*.Z) zcat -- "$file" > "$tmp" && file="$tmp";; + *.xz) xzcat -- "$file" > "$tmp" && file="$tmp";; + *.bz2) bzcat -- "$file" > "$tmp" && file="$tmp";; esac trap 'rm -f "$tmp"' EXIT if [ "$file" = "" ]; then $cmd || true else - $cmd "$file" || true + $cmd "$file" $2 || true fi
diff -Nru mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
--- mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch 1970-01-01 09:00:00.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch 2019-03-16 08:27:11.000000000 +0900
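Review bot: In the last changed line, `$cmd "$file" $2 || true`, the new `$2` is expanded unquoted, so a second argument containing whitespace or glob characters is word-split and pathname-expanded before it reaches mupdf-x11. `$cmd "$file" ${2:+"$2"} || true` keeps the argument optional without that. The getopts arm has the same shape: `cmd="$cmd -$f $OPTARG"` now also runs for the argument-less `I` and `X` flags, and every option value is re-split when `$cmd` is expanded; a separate `I|X) cmd="$cmd -$f";;` arm would at least keep the flag case explicit.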
@@ -0,0 +1,79 @@
+From: Sebastian Rasmussen <seb...@gmail.com>
+Date: Mon, 1 Oct 2018 15:13:13 +0800
+Subject: Avoid being smart about keeping only a single reference to the
+ buffer.
+Origin: http://www.ghostscript.com/cgi-bin/findgit.cgi?351c99d8ce23bbf7099dbd52771a095f67e45a2c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16647
+Bug-Debian: https://bugs.debian.org/924351
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699686
+
+When pdf_dev_pop() is called it will drop the reference to the buffer.
+pdf_dev_push_new_buf() will either create a new buffer reference or take a reference to the existing buffer.
+When pdf_dev_pop() is called unbalance this creates a problem as the
+top level buffer will be unreferenced too many times.
+
+fails-32.pdf
+---
+ source/pdf/pdf-device.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 31a7a10f2722..0103e9a7d9be 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -66,7 +66,6 @@ struct pdf_device_s
+
+ pdf_document *doc;
+ pdf_obj *resources;
+- fz_buffer *buffer;
+
+ int in_text;
+
+@@ -1061,7 +1060,10 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+ int i;
+
+ for (i = pdev->num_gstates-1; i >= 0; i--)
++ {
++ fz_drop_buffer(ctx, pdev->gstates[i].buf);
+ fz_drop_stroke_state(ctx, pdev->gstates[i].stroke_state);
++ }
+
+ for (i = pdev->num_cid_fonts-1; i >= 0; i--)
+ fz_drop_font(ctx, pdev->cid_fonts[i]);
+@@ -1069,7 +1071,6 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+ for (i = pdev->num_groups - 1; i >= 0; i--)
+ pdf_drop_obj(ctx, pdev->groups[i].ref);
+
+- fz_drop_buffer(ctx, pdev->buffer);
+ pdf_drop_obj(ctx, pdev->resources);
+ fz_free(ctx, pdev->cid_fonts);
+ fz_free(ctx, pdev->image_indices);
+@@ -1111,10 +1112,13 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
+ dev->super.begin_tile = pdf_dev_begin_tile;
+ dev->super.end_tile = pdf_dev_end_tile;
+
++ fz_var(buf);
++
+ fz_try(ctx)
+ {
+- dev->buffer = fz_keep_buffer(ctx, buf);
+- if (!buf)
++ if (buf)
++ buf = fz_keep_buffer(ctx, buf);
++ else
+ buf = fz_new_buffer(ctx, 256);
+ dev->doc = doc;
+ dev->resources = pdf_keep_obj(ctx, resources);
+@@ -1136,8 +1140,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
+ }
+ fz_catch(ctx)
+ {
+- if (dev->gstates && dev->buffer == NULL)
+- fz_drop_buffer(ctx, dev->gstates[0].buf);
++ fz_drop_buffer(ctx, buf);
+ fz_free(ctx, dev);
+ fz_rethrow(ctx);
+ }
+--
+2.20.1
+
diff -Nru mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
--- mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch 1970-01-01 09:00:00.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch 2019-03-16 08:27:11.000000000 +0900
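Review bot: The rewritten `fz_catch` block in pdf_new_pdf_device releases only `buf` and `dev`, but the `fz_try` body above it has already taken `dev->resources = pdf_keep_obj(ctx, resources)`, so a throw later in the try (the lines between the last two hunks are not shown) would leave that reference, and presumably the `dev->gstates` allocation, behind. Adding `pdf_drop_obj(ctx, dev->resources);` and `fz_free(ctx, dev->gstates);` before `fz_free(ctx, dev);` would close the error path, assuming `dev` is zero-initialised when it is allocated. It would also help to state the new ownership rule in a comment at the loop in pdf_dev_drop_device, e.g. `/* each gstate owns one reference to its buf */`, since the fix depends on every push taking its own reference.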
@@ -0,0 +1,50 @@
+From: Tor Andersson <tor.anders...@artifex.com>
+Date: Mon, 22 Oct 2018 17:16:35 +0200
+Subject: Fix text used as clip mask in pdfwrite device.
+Origin: http://www.ghostscript.com/cgi-bin/findgit.cgi?38f883fe129a5e89306252a4676eaaf4bc968824
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16648
+Bug-Debian: https://bugs.debian.org/924351
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699685
+
+Push the clip state, and pass the correct text rendering mode state.
+---
+ source/pdf/pdf-device.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 4dd729b8b981..427e3b389e7e 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -734,9 +734,13 @@ pdf_dev_clip_text(fz_context *ctx, fz_device *dev, const fz_text *text, fz_matri
+ {
+ pdf_device *pdev = (pdf_device*)dev;
+ fz_text_span *span;
++
++ pdf_dev_end_text(ctx, pdev);
++ pdf_dev_push(ctx, pdev);
++
+ for (span = text->head; span; span = span->next)
+ {
+- pdf_dev_begin_text(ctx, pdev, span->trm, 0);
++ pdf_dev_begin_text(ctx, pdev, span->trm, 7);
+ pdf_dev_ctm(ctx, pdev, ctm);
+ pdf_dev_font(ctx, pdev, span->font);
+ pdf_dev_text_span(ctx, pdev, span);
+@@ -748,9 +752,13 @@ pdf_dev_clip_stroke_text(fz_context *ctx, fz_device *dev, const fz_text *text, c
+ {
+ pdf_device *pdev = (pdf_device*)dev;
+ fz_text_span *span;
++
++ pdf_dev_end_text(ctx, pdev);
++ pdf_dev_push(ctx, pdev);
++
+ for (span = text->head; span; span = span->next)
+ {
+- pdf_dev_begin_text(ctx, pdev, span->trm, 0);
++ pdf_dev_begin_text(ctx, pdev, span->trm, 7);
+ pdf_dev_font(ctx, pdev, span->font);
+ pdf_dev_ctm(ctx, pdev, ctm);
+ pdf_dev_text_span(ctx, pdev, span);
+--
+2.20.1
+
diff -Nru mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch
---
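Review bot: The literal `7` passed to `pdf_dev_begin_text` in both pdf_dev_clip_text and pdf_dev_clip_stroke_text is undocumented; it reads as PDF text rendering mode 7 (add text to path for clipping), and a comment such as `/* Tr 7: add glyphs to the clipping path, paint nothing */` or a named constant would make that reviewable. The added `pdf_dev_push(ctx, pdev)` also needs a matching pop when the clip is released; that code is outside these hunks, and since the CVE-2018-16647 patch before this one describes an unbalanced pop as the problem, the pairing is worth confirming before upload. Both function bodies continue past their hunks.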
mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch 1970-01-01 09:00:00.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch 2019-03-16 08:27:11.000000000 +0900
@@ -0,0 +1,25 @@
+From: Tor Andersson <tor.anders...@artifex.com>
+Date: Mon, 22 Oct 2018 16:21:11 +0200
+Subject: Fix typo in pdf write device.
+Origin: https://git.kernel.org/linus/fa4cdfca9ec3034dbe54e1cb08c8b97e9ebed46d
+
+---
+ source/pdf/pdf-device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 8d07968992da..31a7a10f2722 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -1132,7 +1132,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
+ dev->max_gstates = 1;
+
+ if (!fz_is_identity(topctm))
+- fz_append_printf(ctx, buf, "%M cm\n", topctm);
++ fz_append_printf(ctx, buf, "%M cm\n", &topctm);
+ }
+ fz_catch(ctx)
+ {
+--
+2.11.0
+
diff -Nru mupdf-1.14.0+ds1/debian/patches/series mupdf-1.14.0+ds1/debian/patches/series
--- mupdf-1.14.0+ds1/debian/patches/series 2019-01-19 11:39:00.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/patches/series 2019-03-16 08:27:11.000000000 +0900
@@ -8,3 +8,6 @@
 0008-PATCH-Fix-700043-Don-t-assume-a-font-is-t3-just-beca.patch
 0009-PATCH-Bug-700442-Add-a-recursion-depth-check-to-prev.patch
 0010-PATCH-Throw-when-page-number-is-out-of-range.patch
+0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
+0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
+0013-Fix-typo-in-pdf-write-device.patch
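Review bot: The `Origin:` header of 0013 points at `https://git.kernel.org/linus/fa4cdfca9ec3034dbe54e1cb08c8b97e9ebed46d`, a Linux kernel URL form, whereas 0011 and 0012 cite `http://www.ghostscript.com/cgi-bin/findgit.cgi?<commit>`; a reference that does not resolve to the MuPDF commit makes the backport harder to verify against upstream. If that hash is the MuPDF commit id, the header should use the same findgit form as the other two patches. On the code itself, the one-line change passes `&topctm` to the `%M` conversion, which suggests `%M` consumes a pointer; a short comment at the call, e.g. `/* %M takes a pointer to the matrix */`, would keep a later edit from reintroducing the by-value argument.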