Hello community, here is the log from the commit of package mupdf for openSUSE:Factory checked in at 2018-02-05 10:49:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mupdf (Old) and /work/SRC/openSUSE:Factory/.mupdf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mupdf" Mon Feb 5 10:49:21 2018 rev:32 rq:572218 version:1.12.0 Changes: -------- --- /work/SRC/openSUSE:Factory/mupdf/mupdf.changes 2018-01-26 13:35:22.932832924 +0100 +++ /work/SRC/openSUSE:Factory/.mupdf.new/mupdf.changes 2018-02-05 10:49:22.142534534 +0100 @@ -1,0 +2,21 @@ +Fri Feb 2 20:48:34 UTC 2018 - [email protected] + +- CVE-2018-6192.patch: Use official fix from usptream (CVE-2018-6192 + boo#1077755) + +------------------------------------------------------------------- +Fri Feb 2 14:58:40 UTC 2018 - [email protected] + +- Add CVE-2018-6544.patch to fix a DoS in pdf_load_obj_stm within in + pdf/pdf-xref.c (CVE-2018-6544 boo#1079100) + +- Add CVE-2018-6192.patch to fix a DoS in pdf_read_new_xref within + pdf/pdf-xref.c via crafted PDF file (CVE-2018-6192 boo#1077755) + +------------------------------------------------------------------- +Fri Feb 2 07:52:06 UTC 2018 - [email protected] + +- Add CVE-2018-6187.patch to fix a heap buffer overflow in in pdf-write.c + in the do_pdf_save_document function (CVE-2018-6187 boo#1077407) + +------------------------------------------------------------------- New: ---- CVE-2018-6187.patch CVE-2018-6192.patch CVE-2018-6544.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mupdf.spec ++++++ --- /var/tmp/diff_new_pack.NOOhEt/_old 2018-02-05 10:49:23.314479670 +0100 +++ /var/tmp/diff_new_pack.NOOhEt/_new 2018-02-05 10:49:23.318479482 +0100 @@ -30,6 +30,9 @@ Patch1: fix-openjpeg-flags.patch Patch2: CVE-2018-5686.patch Patch3: CVE-2017-17858.patch +Patch4: CVE-2018-6187.patch +Patch5: CVE-2018-6192.patch +Patch6: CVE-2018-6544.patch BuildRequires: freetype-devel BuildRequires: gcc-c++ BuildRequires: jbig2dec-devel 
@@ -68,6 +71,9 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 # do not use the inlined copies of build dpendencies except for mujs rm -rf $(ls -d thirdparty/*/ | grep -v mujs) ++++++ CVE-2018-6187.patch ++++++ X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-write.c;h=bc67f003025516c04991758ea648f79d00926742;hp=a7326a173a09df3fd4e3adbf3e1842081b6dfea4;hb=3e30fbb7bf5efd88df431e366492356e7eb969ec;hpb=b03def134988da8c800adac1a38a41a1f09a1d89 Index: mupdf-1.12.0-source/source/pdf/pdf-write.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-write.c +++ mupdf-1.12.0-source/source/pdf/pdf-write.c @@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_ { int i; - num++; + /* objects are numbered 0..num and maybe two additional objects for linearization */ + num += 3; opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list)); opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list)); opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list)); @@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *c { pdf_obj *obj; int num; - int xref_len = pdf_xref_len(ctx, doc); - for (num = 0; num < xref_len; num++) + /* xref_len may change due to repair, so check it every iteration */ + for (num = 0; num < pdf_xref_len(ctx, doc); num++) { if (pdf_get_xref_entry(ctx, doc, num)->type == 'o') { @@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_co opts->continue_on_error = in_opts->continue_on_error; opts->errors = in_opts->errors; - expand_lists(ctx, opts, xref_len + 3); + expand_lists(ctx, opts, xref_len); } /* Free the resources held by the dynamic write options */ 
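Review bot: In the expand_lists hunk of pdf-write.c, the three `fz_resize_array` calls run unconditionally with the adjusted `num`, and this patch now calls expand_lists again from do_pdf_save_document every time `xref_len` is re-read. The rest of the function lies outside the hunk, so it is not visible whether a call with a value no larger than the current list length is a no-op. If it is not, an early return placed right after `num += 3;` for lists that are already long enough would avoid reallocating, or shrinking, arrays that already carry use marks. The `num += 3` is plain `int` arithmetic, so it also relies on callers passing a bounded `xref_len`; a one-line comment stating that assumption would help.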
@@ -2889,6 +2890,9 @@ do_pdf_save_document(fz_context *ctx, pd { pdf_ensure_solid_xref(ctx, doc, xref_len); preloadobjstms(ctx, doc); + + xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */ + expand_lists(ctx, opts, xref_len); } /* Sweep & mark objects from the trailer */ @@ -2897,6 +2901,7 @@ do_pdf_save_document(fz_context *ctx, pd else { xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */ + expand_lists(ctx, opts, xref_len); for (num = 0; num < xref_len; num++) opts->use_list[num] = 1; } @@ -2917,6 +2922,7 @@ do_pdf_save_document(fz_context *ctx, pd if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental) { xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */ + expand_lists(ctx, opts, xref_len); while (xref_len > 0 && !opts->use_list[xref_len-1]) xref_len--; } ++++++ CVE-2018-6192.patch ++++++ >From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen <[email protected]> Date: Tue, 30 Jan 2018 02:05:57 +0100 Subject: [PATCH] Bug 698916: Indirect object numbers must be in range. --- source/pdf/pdf-parse.c | 2 ++ source/pdf/pdf-xref.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c +++ mupdf-1.12.0-source/source/pdf/pdf-parse.c @@ -616,6 +616,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_d fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number"); } num = buf->i; + if (num < 0 || num > PDF_MAX_OBJECT_NUMBER) + fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range"); tok = pdf_lex(ctx, file, buf); if (tok != PDF_TOK_INT) Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c +++ mupdf-1.12.0-source/source/pdf/pdf-xref.c 
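Review bot: The overflow fix in do_pdf_save_document holds only while every `xref_len = pdf_xref_len(ctx, doc)` re-read is followed by `expand_lists(ctx, opts, xref_len)`, and that pairing is now written out by hand at three sites. These are after `preloadobjstms`, in the `else` branch before the `opts->use_list[num] = 1` loop, and before the `opts->use_list[xref_len-1]` trim loop. A later edit that re-reads the length without the second call would bring back the out-of-bounds index. I would document the invariant at the first site, for example `/* use_list/ofs_list/gen_list must cover xref_len before they are indexed; call expand_lists after every pdf_xref_len() re-read */`, or fold both statements into one small static helper. The function body extends beyond all three hunks, so other re-reads of `xref_len` may exist that are not visible here.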
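Review bot: In the pdf_parse_ind_obj hunk of pdf-parse.c the range test runs on `num` after `num = buf->i;`, so if `buf->i` is a wider type than `num` an oversized value could be narrowed into range before it is checked. Their declarations are outside the hunk. Testing the token value first avoids that: `if (buf->i < 0 || buf->i > PDF_MAX_OBJECT_NUMBER)` ahead of the assignment. The message also omits the offending value, unlike the matching check in pdf-xref.c, which prints `(%d)`; including it would make rejected files easier to triage. Whether the generation number read from the next token gets a comparable bound cannot be seen from this hunk.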
@@ -234,8 +234,8 @@ pdf_xref_entry *pdf_get_populating_xref_ } /* Prevent accidental heap underflow */ - if (num < 0) - fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num); + if (num < 0 || num > PDF_MAX_OBJECT_NUMBER) + fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num); /* Return the pointer to the entry in the last section. */ xref = &doc->xref_sections[doc->num_xref_sections-1]; ++++++ CVE-2018-6544.patch ++++++ Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c +++ mupdf-1.12.0-source/source/pdf/pdf-stream.c @@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_ *orig_gen = 0; } - fz_var(chain); + chain = fz_keep_stream(ctx, chain); fz_try(ctx) { len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length)); - /* don't close chain when we close this filter */ - chain2 = fz_keep_stream(ctx, chain); + chain2 = chain; chain = NULL; chain = fz_open_null(ctx, chain2, len, offset); Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c =================================================================== --- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c +++ mupdf-1.12.0-source/source/pdf/pdf-xref.c @@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do { objstm = pdf_load_object(ctx, doc, num); + if (pdf_obj_marked(ctx, objstm)) + fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup"); + } + fz_catch(ctx) + { + pdf_drop_obj(ctx, objstm); + fz_rethrow(ctx); + } + + fz_try(ctx) + { + pdf_mark_obj(ctx, objstm); + count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N)); first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First)); @@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do fz_drop_stream(ctx, stm); fz_free(ctx, ofsbuf); fz_free(ctx, numbuf); + pdf_unmark_obj(ctx, objstm); pdf_drop_obj(ctx, objstm); } fz_catch(ctx)
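Review bot: The comment above the widened check in pdf_get_populating_xref_entry still reads `/* Prevent accidental heap underflow */`, which describes only the `num < 0` half of the new condition. Now that the test also rejects `num > PDF_MAX_OBJECT_NUMBER`, the comment should say so, for example `/* Reject object numbers outside 0..PDF_MAX_OBJECT_NUMBER before they are used to locate an xref entry */`. The function starts and ends outside the hunk.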
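Review bot: In the pdf_open_raw_filter hunk of pdf-stream.c, `fz_var(chain);` is removed although `chain` is still assigned inside the `fz_try` block (`chain = NULL;` and `chain = fz_open_null(ctx, chain2, len, offset);`). The `fz_catch` block is outside the hunk; if it still reads `chain`, for instance to drop it, the value seen after a throw is not reliable without the `fz_var` annotation. I would keep `fz_var(chain);` directly after the new `chain = fz_keep_stream(ctx, chain);` line. The deleted comment about not closing `chain` was the only note on reference ownership here, so a short replacement on the `fz_keep_stream` line would help, saying this reference is the one handed to `fz_open_null`.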
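Review bot: The new `fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup")` in pdf_load_obj_stm does not say which object stream looped, which makes a rejected file harder to triage from logs. `num` is in scope at that point, as the preceding `pdf_load_object(ctx, doc, num)` shows, so the message could read `"recursive object stream lookup (%d 0 R)", num`. The added `fz_catch` also reads `objstm`, which is assigned inside the `fz_try`. Its declaration, its initial value and any `fz_var(objstm)` are outside the hunk and worth confirming, since `pdf_drop_obj(ctx, objstm)` runs there even when `pdf_load_object` itself threw.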
