Control: tags 877379 + patch
Control: tags 877379 + pending

Dear maintainer,

I've prepared an NMU for mupdf (versioned as 1.11+ds1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

diff -Nru mupdf-1.11+ds1/debian/changelog mupdf-1.11+ds1/debian/changelog
--- mupdf-1.11+ds1/debian/changelog 2017-09-24 08:56:00.0 +0200
+++ mupdf-1.11+ds1/debian/changelog 2017-10-08 10:37:23.0 +0200
@@ -1,3 +1,14 @@
+mupdf (1.11+ds1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Don't use xps font if it could not be loaded (CVE-2017-14685)
+(Closes: #877379)
+ * Check name, comment and meta size field signs (CVE-2017-14686)
+(Closes: #877379)
+ * Handle non-tags in tag name comparisons (CVE-2017-14687) (Closes: #877379)
+
+ -- Salvatore Bonaccorso Sun, 08 Oct 2017 10:37:23 +0200
+
mupdf (1.11+ds1-1) unstable; urgency=medium
* New upstream version 1.11+ds1
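Review bot: `(Closes: #877379)` is repeated on all three items of the new 1.11+ds1-1.1 entry. Since every item closes the same bug, stating it once is enough and removes the wrapped continuation lines on the first two items. With three CVE fixes in a single upload, it is also worth confirming that `urgency=medium` rather than `urgency=high` is what is intended.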
diff -Nru mupdf-1.11+ds1/debian/patches/0003-Fix-698539-Don-t-use-xps-font-if-it-could-not-be-loa.patch mupdf-1.11+ds1/debian/patches/0003-Fix-698539-Don-t-use-xps-font-if-it-could-not-be-loa.patch
--- mupdf-1.11+ds1/debian/patches/0003-Fix-698539-Don-t-use-xps-font-if-it-could-not-be-loa.patch 1970-01-01 01:00:00.0 +0100
+++ mupdf-1.11+ds1/debian/patches/0003-Fix-698539-Don-t-use-xps-font-if-it-could-not-be-loa.patch 2017-10-08 10:37:23.0 +0200
@@ -0,0 +1,29 @@
+From: Tor Andersson
+Date: Tue, 19 Sep 2017 15:23:04 +0200
+Subject: Fix 698539: Don't use xps font if it could not be loaded.
+Origin: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=ab1a420613dec93c686acbee2c165274e922f82a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14685
+Bug-Debian: https://bugs.debian.org/877379
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=698539
+
+xps_load_links_in_glyphs did not cope with font loading failures.
+---
+ source/xps/xps-link.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/xps/xps-link.c b/source/xps/xps-link.c
+index c07e0d76..c26a8d99 100644
+--- a/source/xps/xps-link.c
b/source/xps/xps-link.c
+@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct
+ bidi_level = atoi(bidi_level_att);
+
+ font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att);
++ if (!font)
++ return;
+ text = xps_parse_glyphs_imp(ctx, doc, _ctm, font, fz_atof(font_size_att),
+ fz_atof(origin_x_att), fz_atof(origin_y_att),
+ is_sideways, bidi_level, indices_att, unicode_att);
+--
+2.11.0
+
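Review bot: The new `if (!font) return;` in xps_load_links_in_glyphs exits silently, so a document whose font failed to load gives no hint of why its glyph links are missing; consider an `fz_warn` before the return. The six lines of context do not show what the function acquires before `xps_lookup_font`, so please confirm that nothing allocated earlier needs to be released on this new exit path.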
diff -Nru mupdf-1.11+ds1/debian/patches/0004-Fix-698540-Check-name-comment-and-meta-size-field-si.patch mupdf-1.11+ds1/debian/patches/0004-Fix-698540-Check-name-comment-and-meta-size-field-si.patch
--- mupdf-1.11+ds1/debian/patches/0004-Fix-698540-Check-name-comment-and-meta-size-field-si.patch 1970-01-01 01:00:00.0 +0100
+++ mupdf-1.11+ds1/debian/patches/0004-Fix-698540-Check-name-comment-and-meta-size-field-si.patch 2017-10-08 10:37:23.0 +0200
@@ -0,0 +1,29 @@
+From: Tor Andersson
+Date: Tue, 19 Sep 2017 16:33:38 +0200
+Subject: Fix 698540: Check name, comment and meta size field signs.
+Origin: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14686
+Bug-Debian: https://bugs.debian.org/877379
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=698540
+
+---
+ source/fitz/unzip.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source/fitz/unzip.c b/source/fitz/unzip.c
+index f2d4f322..0bcce0fd 100644
+--- a/source/fitz/unzip.c
b/source/fitz/unzip.c
+@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off
+ (void) fz_read_int32_le(ctx, file); /* ext file atts */
+ offset = fz_read_int32_le(ctx, file);
+
++ if (namesize < 0 || metasize < 0 || commentsize < 0)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
++
+ name = fz_malloc(ctx, namesize + 1);
+ n = fz_read(ctx, file, (unsigned char*)name, namesize);
+ if (n < (size_t)namesize)
+--
+2.11.0
+
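Review bot: `offset` is left out of the new sign check in read_zip_dir_imp, although it is read with the same `fz_read_int32_le` call on the line just above the added condition; unless a negative offset is rejected elsewhere, add `offset < 0` to the test. The embedded patch also has an empty description body, and one sentence on why a negative `namesize` matters ahead of `fz_malloc(ctx, namesize + 1)` and the `(size_t)namesize` comparison would help whoever carries this patch forward.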
diff -Nru mupdf-1.11+ds1/debian/patches/0005-Fix-698558-Handle-non-tags-in-tag-name-comparisons.patch mupdf-1.11+ds1/debian/patches/0005-Fix-698558-Handle-non-tags-in-tag-name-comparisons.patch
--- mupdf-1.11+ds1/debian/patches/0005-Fix-698558-Handle-non-tags-in-tag-name-comparisons.patch 1970-01-01 01:00:00.0 +0100
+++ mupdf-1.11+ds1/debian/patches/0005-Fix-698558-Handle-non-tags-in-tag-name-comparisons.patch 2017-10-08 10:37:23.0 +0200
@@ -0,0 +1,125 @@
+From: Tor Andersson
+Date: Tue, 19 Sep 2017 17:17:12 +0200
+Subject: Fix 698558: Handle non-tags in tag name comparisons.
+Origin: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28