Your message dated Sat, 09 Oct 2021 12:11:43 +0100
with message-id
<896b7609401ceb0e1c537222e26587ea2351415d.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in the 10.11 point release
has caused the Debian Bug report #989530,
regarding buster-pu: package mupdf/1.14.0+ds1-4+deb10u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
989530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989530
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Dear Stable Release Team,
At #983104, I have prepared a NMU RFS to fix two CVEs in mupdf for buster that are already fixed in
bullseye/sid. The security team asked me to hand in a Stable Proposed Updates request for it.
The debdiff for the NMU is attached.
Thanks,
Bastian
diff -Nru mupdf-1.14.0+ds1/debian/changelog mupdf-1.14.0+ds1/debian/changelog
--- mupdf-1.14.0+ds1/debian/changelog 2020-11-07 10:20:45.000000000 +0100
+++ mupdf-1.14.0+ds1/debian/changelog 2021-02-19 08:55:54.000000000 +0100
@@ -1,3 +1,13 @@
+mupdf (1.14.0+ds1-4+deb10u3) stable-proposed-updates; urgency=high
+
+ * Non-maintainer upload.
+ * Avoid a use-after-free in fz_drop_band_writer (CVE-2020-16600)
+ (Closes: #989526)
+ * Fix double free of object during linearization (CVE-2021-3407)
+ (Closes: #983684)
+
+ -- Bastian Germann <[email protected]> Fri, 19 Feb 2021 08:55:54
+0100
+
mupdf (1.14.0+ds1-4+deb10u2) buster-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru
mupdf-1.14.0+ds1/debian/patches/0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch
mupdf-1.14.0+ds1/debian/patches/0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch
---
mupdf-1.14.0+ds1/debian/patches/0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch
1970-01-01 01:00:00.000000000 +0100
+++
mupdf-1.14.0+ds1/debian/patches/0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch
2021-02-19 00:54:26.000000000 +0100
@@ -0,0 +1,34 @@
+From: theshoals <[email protected]>
+Date: Mon, 4 May 2020 03:33:40 -0400
+Origin:
http://git.ghostscript.com/?p=mupdf.git;h=96751b25462f83d6e16a9afaf8980b0c3f979c8b
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=702253
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-16600
+Subject: Bug 702253: Avoid a use-after-free in fz_drop_band_writer
+
+A use-after-free would occur when a valid page was followed by
+a page with invalid pixmap dimensions, causing bander --
+a static -- to point to previously freed memory instead of a new
+band_writer.
+---
+ source/tools/mudraw.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source/tools/mudraw.c b/source/tools/mudraw.c
+index d17506d37..36536bd2c 100644
+--- a/source/tools/mudraw.c
++++ b/source/tools/mudraw.c
+@@ -920,7 +920,14 @@ static void dodrawpage(fz_context *ctx, fz_page *page,
fz_display_list *list, in
+ fz_always(ctx)
+ {
+ if (output_format != OUT_PCLM)
++ {
+ fz_drop_band_writer(ctx, bander);
++ /* bander must be set to NULL to avoid
use-after-frees. A use-after-free
++ * would occur when a valid page was followed
by a page with invalid
++ * pixmap dimensions, causing bander -- a
static -- to point to previously
++ * freed memory instead of a new band_writer. */
++ bander = NULL;
++ }
+ fz_drop_bitmap(ctx, bit);
+ bit = NULL;
+ if (num_workers > 0)
diff -Nru
mupdf-1.14.0+ds1/debian/patches/0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
mupdf-1.14.0+ds1/debian/patches/0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
---
mupdf-1.14.0+ds1/debian/patches/0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
1970-01-01 01:00:00.000000000 +0100
+++
mupdf-1.14.0+ds1/debian/patches/0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
2021-02-19 08:55:54.000000000 +0100
@@ -0,0 +1,51 @@
+From: Robin Watts <[email protected]>
+Date: Fri, 22 Jan 2021 17:05:15 +0000
+Subject: Bug 703366: Fix double free of object during linearization.
+origin:
http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=703366
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3407
+Bug-Debian: https://bugs.debian.org/983684
+
+This appears to happen because we parse an illegal object from
+a broken file and assign it to object 0, which is defined to
+be free.
+
+Here, we fix the parsing code so this can't happen.
+---
+ source/pdf/pdf-parse.c | 6 ++++++
+ source/pdf/pdf-xref.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index 7abc8c3d41aa..5761c3351773 100644
+--- a/source/pdf/pdf-parse.c
++++ b/source/pdf/pdf-parse.c
+@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d
? obj)", num);
+ }
+ gen = buf->i;
++ if (gen < 0 || gen >= 65536)
++ {
++ if (try_repair)
++ *try_repair = 1;
++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number
(%d)", gen);
++ }
+
+ tok = pdf_lex(ctx, file, buf);
+ if (tok != PDF_TOK_OBJ)
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 1b2bdcd59d70..30197b4b8577 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc,
pdf_lexbuf *buf)
+ {
+ ofs = fz_tell(ctx, doc->file);
+ trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num,
&gen, &stm_ofs, NULL);
++ if (num == 0)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number
cannot be 0\n");
+ }
+ fz_catch(ctx)
+ {
+--
+2.30.0
+
diff -Nru mupdf-1.14.0+ds1/debian/patches/series
mupdf-1.14.0+ds1/debian/patches/series
--- mupdf-1.14.0+ds1/debian/patches/series 2020-11-07 10:20:45.000000000
+0100
+++ mupdf-1.14.0+ds1/debian/patches/series 2021-02-19 08:55:54.000000000
+0100
@@ -14,3 +14,5 @@
0014-Bug-701118-Handle-appending-large-display-list-nodes.patch
0015-Bug-701118-Limit-size-of-begin-layer-nodes-in-displa.patch
0016-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch
+0017-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_writer.patch
+0018-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.11
Hi,
The updates relating to these bugs were included in this morning's
10.11 point release for buster.
Regards,
Adam
--- End Message ---
