Hello community, here is the log from the commit of package evince for openSUSE:Factory checked in at 2019-06-07 12:17:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/evince (Old) and /work/SRC/openSUSE:Factory/.evince.new.4811 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "evince" Fri Jun 7 12:17:01 2019 rev:140 rq:707810 version:3.32.0 Changes: --------
--- /work/SRC/openSUSE:Factory/evince/evince.changes 2019-05-22 10:56:24.862987673 +0200
+++ /work/SRC/openSUSE:Factory/.evince.new.4811/evince.changes 2019-06-07 12:17:06.932814308 +0200
@@ -1,0 +2,7 @@
+Mon Jun 3 18:51:09 UTC 2019 - [email protected]
+
+- Add CVE-2019-11459.patch: fix display of uninitialized memory if
+ TiffReadRGBAImageOriented fails (boo#1133037 CVE-2019-11459
+ glgo#GNOME/evince#1129).
+
+-------------------------------------------------------------------
New: ---- CVE-2019-11459.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ evince.spec ++++++
--- /var/tmp/diff_new_pack.NWw0CM/_old 2019-06-07 12:17:08.572813787 +0200
+++ /var/tmp/diff_new_pack.NWw0CM/_new 2019-06-07 12:17:08.576813786 +0200
@@ -26,6 +26,8 @@
 Group: Productivity/Office/Other
 URL: https://wiki.gnome.org/Apps/Evince
 Source0: https://download.gnome.org/sources/evince/3.32/%{name}-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM CVE-2019-11459.patch boo#1122607 [email protected] -- fix display of uninitialized memory if TiffReadRGBAImageOriented fails.
+Patch0: CVE-2019-11459.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
++++++ CVE-2019-11459.patch ++++++
>From 3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7 Mon Sep 17 00:00:00 2001
From: Jason Crain <[email protected]>
Date: Mon, 15 Apr 2019 23:06:36 -0600
Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
The TIFFReadRGBAImageOriented function returns zero if it was unable to read the image. Return NULL in this case instead of displaying uninitialized memory.
Fixes #1129
---
 backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
index 7715031b..38bb3bd8 100644
--- a/backend/tiff/tiff-document.c
+++ b/backend/tiff/tiff-document.c
@@ -292,18 +292,22 @@ tiff_document_render (EvDocument *document,
 g_warning("Failed to allocate memory for rendering.");
 return NULL;
 }
-
+
+ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+ width, height,
+ (uint32 *)pixels,
+ orientation, 0)) {
+ g_warning ("Failed to read TIFF image.");
+ g_free (pixels);
+ return NULL;
+ }
+
 surface = cairo_image_surface_create_for_data (pixels, CAIRO_FORMAT_RGB24, width, height, rowstride);
 cairo_surface_set_user_data (surface, &key, pixels, (cairo_destroy_func_t)g_free);
-
- TIFFReadRGBAImageOriented (tiff_document->tiff,
- width, height,
- (uint32 *)pixels,
- orientation, 0);
 pop_handlers ();
 /* Convert the format returned by libtiff to
@@ -384,13 +388,17 @@ tiff_document_get_thumbnail (EvDocument *document,
 if (!pixels) return NULL;
+ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+ width, height,
+ (uint32 *)pixels,
+ ORIENTATION_TOPLEFT, 0)) {
+ g_free (pixels);
+ return NULL;
+ }
+
 pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, width, height, rowstride, (GdkPixbufDestroyNotify) g_free, NULL);
- TIFFReadRGBAImageOriented (tiff_document->tiff,
- width, height,
- (uint32 *)pixels,
- ORIENTATION_TOPLEFT, 0);
 pop_handlers ();
 ev_render_context_compute_scaled_size (rc, width, height * (x_res / y_res),
--
2.20.1
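Review bot: The new failure branch in tiff_document_render returns NULL before the `pop_handlers ();` call that the success path still reaches a few lines further down. If the libtiff handlers are still pushed at this point (the matching push is outside the hunk), a failed read would leave them installed for whatever runs next. Calling `pop_handlers ();` ahead of `g_free (pixels);` in the branch would keep both paths balanced. The same early return appears in the tiff_document_get_thumbnail hunk. Both function bodies start and end outside their hunks, so this needs confirming against the full file.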
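Review bot: The failure branch added to tiff_document_get_thumbnail frees the buffer and returns NULL without logging anything, whereas the equivalent branch in tiff_document_render emits `g_warning ("Failed to read TIFF image.");`. Adding the same warning here would make a TIFF that libtiff refuses to decode visible in the logs from the thumbnail path too, which helps when triaging malformed files. The function body continues outside the hunk.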
