Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, This fixes three CVEs in atril; two of them were fixed in buster via spu (#946819), and the third one does not affect the version in buster. Tested on a stretch VM. debdiff attached and package uploaded. Thanks, Emilio
diff -Nru atril-1.16.1/debian/changelog atril-1.16.1/debian/changelog
--- atril-1.16.1/debian/changelog 2017-07-21 06:59:09.000000000 +0200
+++ atril-1.16.1/debian/changelog 2020-07-10 12:35:24.000000000 +0200
@@ -1,3 +1,13 @@
+atril (1.16.1-2+deb9u2) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * dvi: Mitigate command injection attacks by quoting filename
+ (CVE-2017-1000159)
+ * Fix overflow checks in tiff backend (CVE-2019-1010006)
+ * tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459)
+
+ -- Emilio Pozuelo Monfort <po...@debian.org> Fri, 10 Jul 2020 12:35:24 +0200
+
 atril (1.16.1-2+deb9u1) stretch-security; urgency=high
 * Non-maintainer upload
diff -Nru atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
--- atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch 1970-01-01 01:00:00.000000000 +0100
+++ atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch 2020-07-10 12:18:10.000000000 +0200
@@ -0,0 +1,43 @@
+From: Tobias Mueller <mue...@cryptobitch.de>
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: dvi: Mitigate command injection attacks by quoting filename
+Origin: https://gitlab.gnome.org/GNOME/evince/commit/350404c76dc8601e2cdd2636490e2afc83d3090e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000159
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename. Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e215273..28877700880f 100644
+--- a/backend/dvi/dvi-document.c
++++ b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+ gboolean success;
+
+ DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++ gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
+
+- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
++ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ dvi_document->exporter_opts->str,
+ dvi_document->exporter_filename,
+- dvi_document->context->filename);
+-
++ quoted_filename);
++ g_free (quoted_filename);
++
+ success = g_spawn_command_line_sync (command_line,
+ NULL,
+ NULL,
+--
+2.25.0
+
diff -Nru atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
--- atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
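Review bot: The rebuilt command line still interpolates `dvi_document->exporter_filename` (and `exporter_opts->str`) unquoted, so only the last of the three `%s` slots is protected by the new g_shell_quote(); an output path containing a space or a quote is still split into extra arguments by g_spawn_command_line_sync()'s argv parser. The narrow fix is to quote that slot the same way, `gchar *quoted_output = g_shell_quote (dvi_document->exporter_filename);` passed for `-o %s` and freed next to `quoted_filename`; the robust fix is to build an argv array and call g_spawn_sync(), which removes command-line parsing and the need for g_shell_quote() altogether. dvi_document_file_exporter_end() starts and ends outside the hunk, so where exporter_filename comes from is not visible here; if it is only ever set from the application's own save dialog the remaining exposure is a correctness bug rather than an injection, but the same change closes both.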
1970-01-01 01:00:00.000000000 +0100
+++ atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch 2020-07-10 12:18:10.000000000 +0200
@@ -0,0 +1,57 @@
+From: Jason Crain <jcr...@src.gnome.org>
+Date: Sat, 2 Dec 2017 20:24:33 -0600
+Subject: [1/2] Fix overflow checks in tiff backend
+Origin: https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1010006
+
+The overflow checks in tiff_document_render and
+tiff_document_get_thumbnail don't work when optimizations are enabled.
+Change the checks so they don't rely on undefined behavior.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=788980
+---
+ backend/tiff/tiff-document.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 8f40934ee766..7bf95c2bbd7b 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document,
+ return NULL;
+ }
+
+- bytes = height * rowstride;
+- if (bytes / rowstride != height) {
++ if (height >= INT_MAX / rowstride) {
+ g_warning("Overflow while rendering document.");
+ /* overflow */
+ return NULL;
+ }
++ bytes = height * rowstride;
+
+ pixels = g_try_malloc (bytes);
+ if (!pixels) {
+@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document,
+ if (width <= 0 || height <= 0)
+ return NULL;
+
+- rowstride = width * 4;
+- if (rowstride / 4 != width)
++ if (width >= INT_MAX / 4)
+ /* overflow */
+ return NULL;
++ rowstride = width * 4;
+
+- bytes = height * rowstride;
+- if (bytes / rowstride != height)
++ if (height >= INT_MAX / rowstride)
+ /* overflow */
+ return NULL;
++ bytes = height * rowstride;
+
+ pixels = g_try_malloc (bytes);
+ if (!pixels)
+--
+2.25.0
+
diff -Nru atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
---
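Review bot: The new guards `if (height >= INT_MAX / rowstride)` divide by `rowstride` and bound the product by INT_MAX, which is only correct if `height`, `rowstride` and `bytes` are all `int` and `rowstride` is strictly positive, and those declarations sit above the hunk in both functions. In tiff_document_get_thumbnail the `width <= 0 || height <= 0` test and the new `width >= INT_MAX / 4` test visibly make rowstride positive before the division; in tiff_document_render the reader has to trust the `return NULL` just above the hunk, presumably the cairo stride check. A one-line comment at each check would pin the precondition, e.g. `/* rowstride > 0 and both operands are int: bounds height * rowstride without overflow */`, so that a future change of `bytes` to gsize is not mistaken for widening the multiplication. INT_MAX also needs <limits.h>, which the patch does not add; it presumably arrives through glib's headers, but an explicit include is cheap insurance. Both enclosing functions start and end outside the hunk.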
atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch 1970-01-01 01:00:00.000000000 +0100
+++ atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch 2020-07-10 12:32:25.000000000 +0200
@@ -0,0 +1,70 @@
+From: Jason Crain <jcr...@src.gnome.org>
+Date: Mon, 15 Apr 2019 23:06:36 -0600
+Subject: tiff: Handle failure from TIFFReadRGBAImageOriented
+Origin: https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11459
+Bug-Debian: https://bugs.debian.org/927820
+Bug: https://gitlab.gnome.org/GNOME/evince/issues/1129
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+Fixes #1129
+---
+ backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -280,18 +280,22 @@ tiff_document_render (EvDocument *d
+ g_warning("Failed to allocate memory for rendering.");
+ return NULL;
+ }
+-
++
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ orientation, 0)) {
++ g_warning ("Failed to read TIFF image.");
++ g_free (pixels);
++ return NULL;
++ }
++
+ surface = cairo_image_surface_create_for_data (pixels,
+ CAIRO_FORMAT_RGB24,
+ width, height,
+ rowstride);
+ cairo_surface_set_user_data (surface, &key,
+ pixels, (cairo_destroy_func_t)g_free);
+-
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- orientation, 0);
+ pop_handlers ();
+
+ /* Convert the format returned by libtiff to
+@@ -370,13 +374,17 @@ tiff_document_render_pixbuf (EvDocument
+ if (!pixels)
+ return NULL;
+
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ ORIENTATION_TOPLEFT, 0)) {
++ g_free (pixels);
++ return NULL;
++ }
++
+ pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8,
+ width, height, rowstride,
+ (GdkPixbufDestroyNotify) g_free, NULL);
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+-
width, height,
+- (uint32 *)pixels,
+- ORIENTATION_TOPLEFT, 0);
+ pop_handlers ();
+
+ scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
diff -Nru atril-1.16.1/debian/patches/series atril-1.16.1/debian/patches/series
--- atril-1.16.1/debian/patches/series 2017-07-19 13:58:54.000000000 +0200
+++ atril-1.16.1/debian/patches/series 2020-07-10 12:32:17.000000000 +0200
@@ -1 +1,4 @@
 0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
+03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
+04_Fix-overflow-checks-in-tiff-backend.patch
+06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
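Review bot: The new failure path in tiff_document_render (`g_free (pixels); return NULL;`) returns without calling pop_handlers(), and the new path in tiff_document_render_pixbuf does the same; if push_handlers()/pop_handlers() save and restore libtiff's global error and warning handlers (their definitions are outside the hunk), every rejected image leaves the suppressed handlers installed process-wide for the next libtiff caller. The pre-existing `return NULL` after the allocation warning has the same shape, so the patch extends a latent imbalance rather than introducing it, but the new blocks are the natural place to correct it: add `pop_handlers ();` before `g_free (pixels);` in both. The second hunk's failure path is also silent where the first logs `Failed to read TIFF image.`; a matching g_warning keeps the diagnostics consistent. Both functions start and end outside the hunk.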
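Review bot: The series goes from 04 to 06, and patch 04's Subject line is tagged `[1/2]`, so the numbering points at a companion patch (a 05, or the upstream 2/2) that this upload does not carry. The cover message only says that one of the three CVEs does not affect buster, not that part of a fix was left out, so the changelog or the bug should state why the companion is unnecessary for 1.16.1, or the patch should be renumbered to 05 if nothing is missing.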