An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
References: https://nvd.nist.gov/vuln/detail/CVE-2021-30860 Upstream patches: https://gitlab.freedesktop.org/poppler/poppler/-/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52 Signed-off-by: Yogita Urade <[email protected]> --- .../poppler/poppler/CVE-2021-30860.patch | 40 +++++++++++++++++++ .../poppler/poppler_22.04.0.bb | 3 +- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/poppler/poppler/CVE-2021-30860.patch diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2021-30860.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2021-30860.patch new file mode 100644 index 000000000..3dc4ec1c9 --- /dev/null +++ b/meta-oe/recipes-support/poppler/poppler/CVE-2021-30860.patch @@ -0,0 +1,40 @@ +From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <[email protected]> +Date: Thu, 25 Aug 2022 00:14:22 +0200 +Subject: [PATCH] JBIG2Stream: Fix crash on broken file + +https://github.com/jeffssh/CVE-2021-30860 + +Thanks to David Warren for the heads up + +Upstream-Status: Backport +CVE: CVE-2021-30860 + +Reference to upstream patch: +[https://gitlab.freedesktop.org/poppler/poppler/-/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52] + +Signed-off-by: Stefan Ghinea <[email protected]> +--- + poppler/JBIG2Stream.cc | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc +index 7099608..5b4110b 100644 +--- a/poppler/JBIG2Stream.cc ++++ b/poppler/JBIG2Stream.cc +@@ -1955,7 +1955,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless + for (i = 0; i < nRefSegs; ++i) { + if ((seg = findSegment(refSegs[i]))) { + if (seg->getType() == jbig2SegSymbolDict) { +- numSyms += ((JBIG2SymbolDict *)seg)->getSize(); ++ const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize(); ++ if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) { ++ error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region"); ++ return; ++ } + } else if (seg->getType() == jbig2SegCodeTable) { + codeTables.push_back(seg); + } +-- +2.37.1 + diff --git a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb index b7cdb4f1b..fa87bafad 100644 --- a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb +++ b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb @@ -6,7 +6,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \ file://0001-Do-not-overwrite-all-our-build-flags.patch \ file://basename-include.patch \ - " + file://CVE-2021-30860.patch \ + " SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff" DEPENDS = "fontconfig zlib cairo lcms glib-2.0" -- 2.32.0 Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#99685): https://lists.openembedded.org/g/openembedded-devel/message/99685 Mute This Topic: https://lists.openembedded.org/mt/95194281/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
