Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package mupdf

Fixes CVE-2018-16647, CVE-2018-16648
Also fixes the issue where the command line usage message was broken.

unblock mupdf/1.14.0+ds1-4

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.0.0-rc8+ (SMP w/8 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8), 
LANGUAGE=zh_TW.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mupdf-1.14.0+ds1/debian/changelog mupdf-1.14.0+ds1/debian/changelog
--- mupdf-1.14.0+ds1/debian/changelog   2019-01-19 12:01:19.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/changelog   2019-03-16 09:42:00.000000000 +0900
@@ -1,3 +1,18 @@
+mupdf (1.14.0+ds1-4) unstable; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * Avoid being smart about keeping only a single reference to the buffer
+    (CVE-2018-16647)   
+    (Closes: #924351)
+  * Fix text used as clip mask in pdfwrite device (CVE-2018-16648)
+    (Closes: #924351)
+  * Fix typo in pdf write device
+
+  [ Kan-Ru Chen ]
+  * Add more options to mupdf wrapper and display usage correctly
+
+ -- Kan-Ru Chen (陳侃如) <kos...@debian.org>  Sat, 16 Mar 2019 09:42:00 +0900
+
 mupdf (1.14.0+ds1-3) unstable; urgency=high
 
   * d/patches: import upstream fixes for various bugs.
diff -Nru mupdf-1.14.0+ds1/debian/mupdf.sh mupdf-1.14.0+ds1/debian/mupdf.sh
--- mupdf-1.14.0+ds1/debian/mupdf.sh    2018-11-04 08:48:05.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/mupdf.sh    2019-03-16 09:38:35.000000000 +0900
@@ -22,27 +22,30 @@
 
 file=""
 cmd="/usr/lib/mupdf/mupdf-x11"
-while getopts p:r:A:C:W:H:S:U: f
+while getopts p:r:A:C:W:H:IS:U:X f
 do
     case $f in
-        p|r|A|C|W|H|S|U)
+        p|r|A|C|W|H|I|S|U|X)
            cmd="$cmd -$f $OPTARG";;
     esac
 done
 shift `expr $OPTIND - 1`
+
+test "$1" || exec $cmd
+
 test -f "$1" && file="$1" ||
         ( echo "error: \"$1\" file not found" && exit 1 )
 
 tmp=$(tempfile -s .pdf)
 case "$file" in
-    *.gz|*.Z)  zcat -- "$file" > "$tmp" && exec 3< "$tmp" && file="$tmp";;
-    *.xz)     xzcat -- "$file" > "$tmp" && exec 3< "$tmp" && file="$tmp";;
-    *.bz2)    bzcat -- "$file" > "$tmp" && exec 3< "$tmp" && file="$tmp";;
+    *.gz|*.Z)  zcat -- "$file" > "$tmp" && file="$tmp";;
+    *.xz)     xzcat -- "$file" > "$tmp" && file="$tmp";;
+    *.bz2)    bzcat -- "$file" > "$tmp" && file="$tmp";;
 esac
 trap 'rm -f "$tmp"' EXIT
 
 if [ "$file" = "" ]; then
     $cmd || true
 else
-    $cmd "$file" || true
+    $cmd "$file" $2 || true
 fi
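Review bot: On the last line of the hunk `$2` is forwarded unquoted, so a second argument containing whitespace or glob characters is word-split and expanded by the shell before it reaches mupdf-x11, and any further positional arguments are silently dropped; `$cmd "$file" ${2:+"$2"} || true` keeps the argument intact while still passing nothing when it is absent. The new `I` and `X` options take no argument (no `:` after them in the getopts string) yet share the `p|r|A|C|W|H|I|S|U|X)` branch, which appends `$OPTARG`; this only works because POSIX getopts unsets OPTARG for such options, so a separate `I|X) cmd="$cmd -$f";;` case would make the intent explicit. Nothing in the hunk says what the second positional parameter is, so a comment above the call such as `# optional second argument is passed through to mupdf-x11 unchanged` would document the new interface.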
diff -Nru 
mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
 
mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
--- 
mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
     1970-01-01 09:00:00.000000000 +0900
+++ 
mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
     2019-03-16 08:27:11.000000000 +0900
@@ -0,0 +1,79 @@
+From: Sebastian Rasmussen <seb...@gmail.com>
+Date: Mon, 1 Oct 2018 15:13:13 +0800
+Subject: Avoid being smart about keeping only a single reference to the
+ buffer.
+Origin: 
http://www.ghostscript.com/cgi-bin/findgit.cgi?351c99d8ce23bbf7099dbd52771a095f67e45a2c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16647
+Bug-Debian: https://bugs.debian.org/924351
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699686
+
+When pdf_dev_pop() is called it will drop the reference to the buffer.
+pdf_dev_push_new_buf() will either create a new buffer reference or take a 
reference to the existing buffer.
+When pdf_dev_pop() is called unbalance this creates a problem as the
+top level buffer will be unreferenced too many times.
+
+fails-32.pdf
+---
+ source/pdf/pdf-device.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 31a7a10f2722..0103e9a7d9be 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -66,7 +66,6 @@ struct pdf_device_s
+ 
+       pdf_document *doc;
+       pdf_obj *resources;
+-      fz_buffer *buffer;
+ 
+       int in_text;
+ 
+@@ -1061,7 +1060,10 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+       int i;
+ 
+       for (i = pdev->num_gstates-1; i >= 0; i--)
++      {
++              fz_drop_buffer(ctx, pdev->gstates[i].buf);
+               fz_drop_stroke_state(ctx, pdev->gstates[i].stroke_state);
++      }
+ 
+       for (i = pdev->num_cid_fonts-1; i >= 0; i--)
+               fz_drop_font(ctx, pdev->cid_fonts[i]);
+@@ -1069,7 +1071,6 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+       for (i = pdev->num_groups - 1; i >= 0; i--)
+               pdf_drop_obj(ctx, pdev->groups[i].ref);
+ 
+-      fz_drop_buffer(ctx, pdev->buffer);
+       pdf_drop_obj(ctx, pdev->resources);
+       fz_free(ctx, pdev->cid_fonts);
+       fz_free(ctx, pdev->image_indices);
+@@ -1111,10 +1112,13 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, 
pdf_document *doc, fz_matrix topc
+       dev->super.begin_tile = pdf_dev_begin_tile;
+       dev->super.end_tile = pdf_dev_end_tile;
+ 
++      fz_var(buf);
++
+       fz_try(ctx)
+       {
+-              dev->buffer = fz_keep_buffer(ctx, buf);
+-              if (!buf)
++              if (buf)
++                      buf = fz_keep_buffer(ctx, buf);
++              else
+                       buf = fz_new_buffer(ctx, 256);
+               dev->doc = doc;
+               dev->resources = pdf_keep_obj(ctx, resources);
+@@ -1136,8 +1140,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, 
pdf_document *doc, fz_matrix topc
+       }
+       fz_catch(ctx)
+       {
+-              if (dev->gstates && dev->buffer == NULL)
+-                      fz_drop_buffer(ctx, dev->gstates[0].buf);
++              fz_drop_buffer(ctx, buf);
+               fz_free(ctx, dev);
+               fz_rethrow(ctx);
+       }
+-- 
+2.20.1
+
diff -Nru 
mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
 
mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
--- 
mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
    1970-01-01 09:00:00.000000000 +0900
+++ 
mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
    2019-03-16 08:27:11.000000000 +0900
@@ -0,0 +1,50 @@
+From: Tor Andersson <tor.anders...@artifex.com>
+Date: Mon, 22 Oct 2018 17:16:35 +0200
+Subject: Fix text used as clip mask in pdfwrite device.
+Origin: 
http://www.ghostscript.com/cgi-bin/findgit.cgi?38f883fe129a5e89306252a4676eaaf4bc968824
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16648
+Bug-Debian: https://bugs.debian.org/924351
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699685
+
+Push the clip state, and pass the correct text rendering mode state.
+---
+ source/pdf/pdf-device.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 4dd729b8b981..427e3b389e7e 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -734,9 +734,13 @@ pdf_dev_clip_text(fz_context *ctx, fz_device *dev, const 
fz_text *text, fz_matri
+ {
+       pdf_device *pdev = (pdf_device*)dev;
+       fz_text_span *span;
++
++      pdf_dev_end_text(ctx, pdev);
++      pdf_dev_push(ctx, pdev);
++
+       for (span = text->head; span; span = span->next)
+       {
+-              pdf_dev_begin_text(ctx, pdev, span->trm, 0);
++              pdf_dev_begin_text(ctx, pdev, span->trm, 7);
+               pdf_dev_ctm(ctx, pdev, ctm);
+               pdf_dev_font(ctx, pdev, span->font);
+               pdf_dev_text_span(ctx, pdev, span);
+@@ -748,9 +752,13 @@ pdf_dev_clip_stroke_text(fz_context *ctx, fz_device *dev, 
const fz_text *text, c
+ {
+       pdf_device *pdev = (pdf_device*)dev;
+       fz_text_span *span;
++
++      pdf_dev_end_text(ctx, pdev);
++      pdf_dev_push(ctx, pdev);
++
+       for (span = text->head; span; span = span->next)
+       {
+-              pdf_dev_begin_text(ctx, pdev, span->trm, 0);
++              pdf_dev_begin_text(ctx, pdev, span->trm, 7);
+               pdf_dev_font(ctx, pdev, span->font);
+               pdf_dev_ctm(ctx, pdev, ctm);
+               pdf_dev_text_span(ctx, pdev, span);
+-- 
+2.20.1
+
diff -Nru 
mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch 
mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch
--- mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch     
1970-01-01 09:00:00.000000000 +0900
+++ mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch     
2019-03-16 08:27:11.000000000 +0900
@@ -0,0 +1,25 @@
+From: Tor Andersson <tor.anders...@artifex.com>
+Date: Mon, 22 Oct 2018 16:21:11 +0200
+Subject: Fix typo in pdf write device.
+Origin: https://git.kernel.org/linus/fa4cdfca9ec3034dbe54e1cb08c8b97e9ebed46d
+
+---
+ source/pdf/pdf-device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 8d07968992da..31a7a10f2722 100644
+--- a/source/pdf/pdf-device.c
++++ b/source/pdf/pdf-device.c
+@@ -1132,7 +1132,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, 
pdf_document *doc, fz_matrix topc
+               dev->max_gstates = 1;
+ 
+               if (!fz_is_identity(topctm))
+-                      fz_append_printf(ctx, buf, "%M cm\n", topctm);
++                      fz_append_printf(ctx, buf, "%M cm\n", &topctm);
+       }
+       fz_catch(ctx)
+       {
+-- 
+2.11.0
+
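Review bot: The `Origin:` header of this patch points at a git.kernel.org URL, which cannot be the upstream source of a mupdf change authored at Artifex; the two other new patches use the ghostscript.com findgit URL form. Because the DEP-3 `Origin:` field is what a reviewer uses to confirm that a backported fix matches upstream, it should be corrected to the mupdf commit, e.g. `Origin: http://www.ghostscript.com/cgi-bin/findgit.cgi?<upstream-commit-id>`; the hash in the current URL may be the right commit id, but that needs checking against the mupdf repository rather than assumed from a pasted link.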
diff -Nru mupdf-1.14.0+ds1/debian/patches/series 
mupdf-1.14.0+ds1/debian/patches/series
--- mupdf-1.14.0+ds1/debian/patches/series      2019-01-19 11:39:00.000000000 
+0900
+++ mupdf-1.14.0+ds1/debian/patches/series      2019-03-16 08:27:11.000000000 
+0900
@@ -8,3 +8,6 @@
 0008-PATCH-Fix-700043-Don-t-assume-a-font-is-t3-just-beca.patch
 0009-PATCH-Bug-700442-Add-a-recursion-depth-check-to-prev.patch
 0010-PATCH-Throw-when-page-number-is-out-of-range.patch
+0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
+0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
+0013-Fix-typo-in-pdf-write-device.patch
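Review bot: The series lists 0011 before 0013, but the `index` lines inside the patches show the opposite upstream order: 0011's pre-image blob `31a7a10f2722` is 0013's post-image, i.e. upstream fixed the `&topctm` typo first and then reworked the buffer references on top of it. Both patches modify `pdf_new_pdf_device` a few lines apart, so applying them in reverse order relies on quilt's offset handling; it appears to work here because 0011 does not touch the corrected line, but listing 0013 before 0011 (or renumbering the files) would make the stack match upstream and keep future refreshes free of fuzz.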
