Hello community, here is the log from the commit of package mupdf for openSUSE:Factory checked in at 2017-08-12 19:33:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mupdf (Old) and /work/SRC/openSUSE:Factory/.mupdf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mupdf" Sat Aug 12 19:33:06 2017 rev:28 rq:514182 version:1.10a Changes: --------
--- /work/SRC/openSUSE:Factory/mupdf/mupdf.changes 2017-06-07 09:50:49.925613347 +0200
+++ /work/SRC/openSUSE:Factory/.mupdf.new/mupdf.changes 2017-08-12 19:33:07.610771701 +0200
@@ -1,0 +2,8 @@
+Thu Aug 3 08:23:47 UTC 2017 - [email protected]
+
+- Add CVE-2016-10221.patch, CVE-2016-8728.patch and
+ CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728,
+ CVE-2016-8729 and CVE-2017-7976
+ bsc#1032140 bsc#1039850 bsc#1052029
+
+-------------------------------------------------------------------
New: ---- CVE-2016-10221.patch CVE-2016-8728.patch CVE-2017-7976.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ mupdf.spec ++++++
--- /var/tmp/diff_new_pack.UmlgcM/_old 2017-08-12 19:33:09.018574291 +0200
+++ /var/tmp/diff_new_pack.UmlgcM/_new 2017-08-12 19:33:09.022573730 +0200
@@ -37,6 +37,9 @@
 Patch8: bsc1023760.patch
 # PATCH-FIX-UPSTREAM https://bugs.ghostscript.com/show_bug.cgi?id=697958
 Patch9: reproducible.patch
+Patch10: CVE-2016-8728.patch
+Patch11: CVE-2017-7976.patch
+Patch12: CVE-2016-10221.patch
 BuildRequires: freetype-devel
 BuildRequires: gcc-c++
 BuildRequires: jbig2dec-devel
@@ -76,6 +79,9 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
 pushd ./thirdparty/mujs
 %patch2 -p1
++++++ CVE-2016-10221.patch ++++++
X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-layer.c;h=fc29c9d3e78eefa823cf768a9a37c476ba6f7c20;hp=3296b6c5ad953a1050899ae01021be05b3b08fa3;hb=2590fed7a355a421f062ebd4293df892800fa7ac;hpb=ffc4b61e6baf7a4d4e34c8901ae78ffd57da2530
diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
index 3296b6c..fc29c9d 100644
--- a/source/pdf/pdf-layer.c
+++ b/source/pdf/pdf-layer.c
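Review bot: Patch10, Patch11 and Patch12 are added to mupdf.spec without the provenance comment that Patch9 carries (a `# PATCH-FIX-UPSTREAM` line with the upstream bug URL), so the spec does not record where each security fix comes from; the matching `%patch10`–`%patch12` lines in the second spec hunk are fine as they are. Of the three patch files in this submission only CVE-2016-10221.patch names an upstream reference (its X-Git-Url line); CVE-2016-8728.patch and CVE-2017-7976.patch begin with quilt `Index:` headers and cite no upstream commit. I would put a line such as `# PATCH-FIX-UPSTREAM bsc#<BUG_NUMBER> <UPSTREAM_COMMIT_URL>` above each new Patch entry. CVE-2016-8728.patch also changes two different files (draw-scale-simple.c and jbig2_image.c), and nothing in the spec or changelog says which of them addresses CVE-2016-8729.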
@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
 for (i = 0; i < len; i++)
 {
 pdf_obj *o = pdf_array_get(ctx, obj, i);
- count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+ if (pdf_mark_obj(ctx, o))
+ continue;
+ fz_try(ctx)
+ count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
+ fz_always(ctx)
+ pdf_unmark_obj(ctx, o);
+ fz_catch(ctx)
+ fz_rethrow(ctx);
 }
 return count;
 }
@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
 pdf_obj *o = pdf_array_get(ctx, order, i);
 if (pdf_is_array(ctx, o))
 {
- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+ if (pdf_mark_obj(ctx, o))
+ continue;
+
+ fz_try(ctx)
+ ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
+ fz_always(ctx)
+ pdf_unmark_obj(ctx, o);
+ fz_catch(ctx)
+ fz_rethrow(ctx);
+
 continue;
 }
 ui->depth = depth;
++++++ CVE-2016-8728.patch ++++++
Index: mupdf-1.10a-source/source/fitz/draw-scale-simple.c
===================================================================
--- mupdf-1.10a-source.orig/source/fitz/draw-scale-simple.c
+++ mupdf-1.10a-source/source/fitz/draw-scale-simple.c
@@ -1294,7 +1294,7 @@ scale_single_row(unsigned char * restric
 tmp[j] = 128;
 if (weights->flip)
 {
- dst += (weights->count-1)*n;
+ dst += (weights->count-1)*nf;
 for (i=weights->count; i > 0; i--)
 {
 min = *contrib++;
Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
===================================================================
--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
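Review bot: In count_entries (source/pdf/pdf-layer.c) the `pdf_mark_obj` test is applied to every element, while the guard added to populate_ui in the following hunk runs only inside `if (pdf_is_array(ctx, o))`, so the two walks no longer skip exactly the same elements. If the value returned by count_entries sizes the buffer that populate_ui fills (the caller is outside this patch, so that needs confirming), a non-array element that happens to be marked already would be left out of the count yet still reach `ui->depth = depth`. Marking only arrays in both places keeps the count an upper bound, for example `if (!pdf_is_array(ctx, o)) { count++; continue; }` placed ahead of the `pdf_mark_obj` test. A one-line comment saying the mark/unmark pair is cycle detection for self-referencing arrays would also help; the function starts outside the hunk.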
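Review bot: When `pdf_mark_obj(ctx, o)` reports an array that is already being walked, populate_ui (source/pdf/pdf-layer.c) drops it with a bare `continue`, so a document containing a self-referencing array loads with no trace of the anomaly. A warning at the skip, for example `fz_warn(ctx, "ignoring recursive array in layer order");` inside a braced `if`, would give whoever triages malformed files something to search for. The mark only stops cycles; whether the nesting depth of a non-cyclic array is limited anywhere is not visible in this hunk, and the existing `depth` argument would be the natural place to enforce a limit. The function body starts and ends outside the hunk.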
@@ -38,6 +38,13 @@ jbig2_image_new(Jbig2Ctx *ctx, int width
 int stride;
 int64_t check;
+ if (width == 0 || height == 0) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
+ "zero width (%d) or height (%d) in jbig2_image_new",
+ width, height);
+ return NULL;
+ }
+
 image = jbig2_new(ctx, Jbig2Image, 1);
 if (image == NULL) {
 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "could not allocate image structure in jbig2_image_new");
++++++ CVE-2017-7976.patch ++++++
Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
===================================================================
--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2
 /* general OR case */
 s = ss;
 d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
 return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
 }
 if (leftbyte == rightbyte) {
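Review bot: The new guard in jbig2_image_new rejects only `width == 0 || height == 0`; the hunk header shows `int width` and the message prints both values with `%d`, so negative dimensions still pass and reach the stride and size computation that follows outside the hunk. Writing the test as `if (width <= 0 || height <= 0) {` closes that gap on the same error path, with the message reworded to say "non-positive". Whether any caller can hand in a negative value (for instance an unsigned field converted to int) is not visible here, so treat that as something to confirm rather than a demonstrated path.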
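Review bot: The rewritten bounds test in jbig2_image_compose drops the `h * dst->stride < 0` term and still decides safety by forming pointers such as `d - leftbyte + h * dst->stride` and comparing them with the end of the buffer. If `h`, `height` and `stride` are plain int (their declarations are outside the hunk), the products can overflow before the comparison is made, and a pointer computed beyond the allocation is already undefined behaviour, so an optimising compiler may fold part of the test away. Comparing byte offsets in a wider type avoids both problems, e.g. `(int64_t)h * dst->stride` against `(int64_t)dst->height * dst->stride`, and likewise for the new `src` clause. A short comment above the condition saying which clause protects the destination write and which the source read would make the next audit quicker.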
