Hello community,

here is the log from the commit of package mupdf for openSUSE:Factory checked 
in at 2017-08-12 19:33:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mupdf (Old)
 and      /work/SRC/openSUSE:Factory/.mupdf.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mupdf"

Sat Aug 12 19:33:06 2017 rev:28 rq:514182 version:1.10a

Changes:
--------
--- /work/SRC/openSUSE:Factory/mupdf/mupdf.changes      2017-06-07 
09:50:49.925613347 +0200
+++ /work/SRC/openSUSE:Factory/.mupdf.new/mupdf.changes 2017-08-12 
19:33:07.610771701 +0200
@@ -1,0 +2,8 @@
+Thu Aug  3 08:23:47 UTC 2017 - idon...@suse.com
+
+- Add CVE-2016-10221.patch, CVE-2016-8728.patch and
+  CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728,
+  CVE-2016-8729 and CVE-2017-7976
+  bsc#1032140 bsc#1039850 bsc#1052029
+
+-------------------------------------------------------------------

New:
----
  CVE-2016-10221.patch
  CVE-2016-8728.patch
  CVE-2017-7976.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mupdf.spec ++++++
--- /var/tmp/diff_new_pack.UmlgcM/_old  2017-08-12 19:33:09.018574291 +0200
+++ /var/tmp/diff_new_pack.UmlgcM/_new  2017-08-12 19:33:09.022573730 +0200
@@ -37,6 +37,9 @@
 Patch8:         bsc1023760.patch
 # PATCH-FIX-UPSTREAM https://bugs.ghostscript.com/show_bug.cgi?id=697958
 Patch9:         reproducible.patch
+Patch10:        CVE-2016-8728.patch
+Patch11:        CVE-2017-7976.patch
+Patch12:        CVE-2016-10221.patch
 BuildRequires:  freetype-devel
 BuildRequires:  gcc-c++
 BuildRequires:  jbig2dec-devel
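Review bot: The three new `PatchN:` lines carry no provenance comment, unlike `Patch9` directly above them with its `# PATCH-FIX-UPSTREAM` line. Each should get one, for example `# PATCH-FIX-UPSTREAM CVE-2016-10221.patch bsc#<bug id> -- <one-line summary>`, with the upstream reference for CVE-2016-10221.patch taken from the X-Git-Url in that patch's header. The comment on `Patch10` should also say that CVE-2016-8728.patch changes thirdparty/jbig2dec as well as source/fitz, since the changelog lists CVE-2016-8729 without a patch of its own (inferred from the changelog entry). The matching `%patch10`–`%patch12` lines in the next hunk need no change.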
@@ -76,6 +79,9 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
 
 pushd ./thirdparty/mujs
 %patch2 -p1

++++++ CVE-2016-10221.patch ++++++
X-Git-Url: 
http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-layer.c;h=fc29c9d3e78eefa823cf768a9a37c476ba6f7c20;hp=3296b6c5ad953a1050899ae01021be05b3b08fa3;hb=2590fed7a355a421f062ebd4293df892800fa7ac;hpb=ffc4b61e6baf7a4d4e34c8901ae78ffd57da2530

diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
index 3296b6c..fc29c9d 100644
--- a/source/pdf/pdf-layer.c
+++ b/source/pdf/pdf-layer.c
@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
        for (i = 0; i < len; i++)
        {
                pdf_obj *o = pdf_array_get(ctx, obj, i);
-               count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+               if (pdf_mark_obj(ctx, o))
+                       continue;
+               fz_try(ctx)
+                       count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) 
: 1);
+               fz_always(ctx)
+                       pdf_unmark_obj(ctx, o);
+               fz_catch(ctx)
+                       fz_rethrow(ctx);
        }
        return count;
 }
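Review bot: An entry for which `pdf_mark_obj` returns non-zero is dropped with a bare `continue`, so a self-referencing array is skipped with no explanation in the code and no trace in the log; the populate_ui hunk below has the same pattern. A comment above the check such as `/* o is already on the current traversal path (cyclic array): skip it rather than recurse */` would document the intent, and an `fz_warn(ctx, "ignoring recursive array entry")` would make the malformed file visible during triage. This hunk marks every entry while populate_ui marks only arrays; if the count returned here sizes the buffer that populate_ui fills (not visible on this page), it is worth stating in a comment that both functions must skip the same entries. count_entries begins outside the hunk.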
@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, 
pdf_ocg_ui *ui, pdf_obj *
                pdf_obj *o = pdf_array_get(ctx, order, i);
                if (pdf_is_array(ctx, o))
                {
-                       ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, 
locked);
+                       if (pdf_mark_obj(ctx, o))
+                               continue;
+
+                       fz_try(ctx)
+                               ui = populate_ui(ctx, desc, ui, o, depth+1, 
rbgroups, locked);
+                       fz_always(ctx)
+                               pdf_unmark_obj(ctx, o);
+                       fz_catch(ctx)
+                               fz_rethrow(ctx);
+
                        continue;
                }
                ui->depth = depth;
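Review bot: The mark/unmark pair stops cycles, but nothing in this hunk bounds `depth`, so a file with very deep non-cyclic array nesting still drives the recursion as deep as the file dictates. A guard before the recursive call, for example `if (depth > <MAX_DEPTH placeholder>) fz_throw(ctx, FZ_ERROR_GENERIC, "array nested too deeply");`, would cap stack use; the limit name is a placeholder, not an existing constant. The same would apply to count_entries in the previous hunk, which has no depth parameter at all. populate_ui starts and ends outside the hunk, so a limit may already exist elsewhere in the function.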
++++++ CVE-2016-8728.patch ++++++
Index: mupdf-1.10a-source/source/fitz/draw-scale-simple.c
===================================================================
--- mupdf-1.10a-source.orig/source/fitz/draw-scale-simple.c
+++ mupdf-1.10a-source/source/fitz/draw-scale-simple.c
@@ -1294,7 +1294,7 @@ scale_single_row(unsigned char * restric
                tmp[j] = 128;
        if (weights->flip)
        {
-               dst += (weights->count-1)*n;
+               dst += (weights->count-1)*nf;
                for (i=weights->count; i > 0; i--)
                {
                        min = *contrib++;
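Review bot: Nothing at the changed line says why the flipped start offset uses `nf` rather than `n`, and the two names differ by one character, so the out-of-bounds offset this fixes is easy to reintroduce. A comment such as `/* dst advances nf components per pixel, so the flipped start offset must use nf, not n */` would pin the invariant; that nf is the output component count is an assumption, since its definition is not in the hunk. The rest of scale_single_row lies outside the hunk, so it is worth confirming that every other `dst` adjustment in the function also steps by nf.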
Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
===================================================================
--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
@@ -38,6 +38,13 @@ jbig2_image_new(Jbig2Ctx *ctx, int width
     int stride;
     int64_t check;
 
+    if (width == 0 || height == 0) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
+            "zero width (%d) or height (%d) in jbig2_image_new",
+            width, height);
+        return NULL;
+    }
+
     image = jbig2_new(ctx, Jbig2Image, 1);
     if (image == NULL) {
         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "could not allocate image 
structure in jbig2_image_new");
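Review bot: The new guard rejects only `width == 0 || height == 0`, but both values are signed (`int width` in the hunk header, `%d` in the message), so a negative dimension still reaches the allocation path below. Use `if (width <= 0 || height <= 0) {` and reword the message to "invalid width (%d) or height (%d) in jbig2_image_new". Separately, the spec lists `BuildRequires: jbig2dec-devel`; if the package links the system jbig2dec rather than thirdparty/jbig2dec, this fix would also have to land in that package, which is worth confirming. The function body continues outside the hunk.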
++++++ CVE-2017-7976.patch ++++++
Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
===================================================================
--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2
     /* general OR case */
     s = ss;
     d = dd = dst->data + y * dst->stride + leftbyte;
-    if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - 
leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * 
dst->stride > dst->data + dst->height * dst->stride ||
+        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + 
src->height * src->stride) {
         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap 
overflow in jbig2_image_compose");
     }
     if (leftbyte == rightbyte) {
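Review bot: The bounds test still forms possibly out-of-range pointers (`d - leftbyte + h * dst->stride`, and the new `s - leftbyte + (h - 1) * src->stride + rightbyte`) before comparing them, and computing a pointer more than one past the end of its buffer is undefined behaviour, so a compiler may drop the comparison. The products are evaluated in whatever type h and the strides have; if those are int, as the removed `h * dst->stride < 0` test suggests, they can now overflow without even that partial guard. Comparing widened integer offsets avoids both problems, for example `(int64_t)y + h > dst->height` for the destination (assuming a positive stride), with the source side written the same way. The declarations of h, y, s and the strides are outside the hunk.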

