Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package mupdf Security fixes * CVE-2017-5896: use-after-free in fz_subsample_pixmap() (Closes: #854734) * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject() unblock mupdf/1.9a+ds1-3 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
diff -Nru mupdf-1.9a+ds1/debian/changelog mupdf-1.9a+ds1/debian/changelog --- mupdf-1.9a+ds1/debian/changelog 2016-11-15 00:07:55.000000000 +0800 +++ mupdf-1.9a+ds1/debian/changelog 2017-02-16 23:43:55.000000000 +0800 @@ -1,3 +1,10 @@ +mupdf (1.9a+ds1-3) unstable; urgency=high + + * CVE-2017-5896: use-after-free in fz_subsample_pixmap() (Closes: #854734) + * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject() + + -- Kan-Ru Chen (陳侃如) <kos...@debian.org> Thu, 16 Feb 2017 23:43:55 +0800 + mupdf (1.9a+ds1-2) unstable; urgency=medium * Acknowledge NMU. diff -Nru mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch --- mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch 2016-11-14 23:56:43.000000000 +0800 +++ mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch 2017-02-16 23:43:55.000000000 +0800 @@ -1,10 +1,6 @@ -From: Kan-Ru Chen <kos...@debian.org> -Date: Mon, 14 Nov 2016 23:55:28 +0800 -Subject: CVE-2016-8674 - From: Robin Watts <robin.wa...@artifex.com> Date: Thu, 22 Sep 2016 13:44:45 +0100 -Subject: [PATCH] Bug 697015: Avoid object references vanishing during repair. +Subject: Bug 697015: Avoid object references vanishing during repair. A PDF repair can be triggered 'just in time', when we encounter a problem in the file. The idea is that this can happen without diff -Nru mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch --- mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch 1970-01-01 08:00:00.000000000 +0800 +++ mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch 2017-02-16 23:43:55.000000000 +0800 @@ -0,0 +1,47 @@ +From: Robin Watts <robin.wa...@artifex.com> +Date: Thu, 9 Feb 2017 07:12:16 -0800 +Subject: bug 697515: Fix out of bounds read in fz_subsample_pixmap + +Pointer arithmetic for final special case was going wrong. +--- + source/fitz/pixmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c +index 6897fe3..66eb2b2 100644 +--- a/source/fitz/pixmap.c ++++ b/source/fitz/pixmap.c +@@ -1420,6 +1420,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, + "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n" + "ldr r4, [r13,#4*22] @ r4 = divXY \n" + "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n" ++ "ldr r8, [r13,#4*17] @ r8 = back4 \n" + "18: @ \n" + "mov r14,#0 @ r14= v = 0 \n" + "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n" +@@ -1436,7 +1437,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, + "mul r14,r4, r14 @ r14= v *= divX \n" + "mov r14,r14,LSR #16 @ r14= v >>= 16 \n" + "strb r14,[r9], #1 @ *d++ = r14 \n" +- "sub r0, r0, r8 @ s -= back2 \n" ++ "sub r0, r0, r8 @ s -= back4 \n" + "subs r5, r5, #1 @ n-- \n" + "bgt 18b @ } \n" + "21: @ \n" +@@ -1562,6 +1563,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) + x += f; + if (x > 0) + { ++ int back4 = x * n - 1; + div = x * y; + for (nn = n; nn > 0; nn--) + { +@@ -1576,7 +1578,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) + s -= back5; + } + *d++ = v / div; +- s -= back2; ++ s -= back4; + } + } + } diff -Nru mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch --- mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch 1970-01-01 08:00:00.000000000 +0800 +++ mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch 2017-02-16 23:43:55.000000000 +0800 @@ -0,0 +1,84 @@ +From: Robin Watts <robin.wa...@artifex.com> +Date: Thu, 16 Feb 2017 23:28:37 +0800 +Subject: Bug 697500: Fix NULL ptr access. + +Cope better with errors during rendering - avoid letting the +gstate stack get out of sync. + +This avoids us ever getting into the situation of popping +a clip when we should be popping a mask or a group. This was +causing an unexpected case in the painting. +--- + source/pdf/pdf-op-run.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c +index 593afe2..9c0d0c8 100644 +--- a/source/pdf/pdf-op-run.c ++++ b/source/pdf/pdf-op-run.c +@@ -1201,6 +1201,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + pdf_run_processor *pr = (pdf_run_processor *)proc; + pdf_gstate *gstate = NULL; + int oldtop = 0; ++ int oldbot = -1; + fz_matrix local_transform = *transform; + softmask_save softmask = { NULL }; + int gparent_save; +@@ -1216,6 +1217,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + fz_var(cleanup_state); + fz_var(gstate); + fz_var(oldtop); ++ fz_var(oldbot); + + gparent_save = pr->gparent; + pr->gparent = pr->gtop; +@@ -1225,7 +1227,6 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + pdf_gsave(ctx, pr); + + gstate = pr->gstate + pr->gtop; +- oldtop = pr->gtop; + + /* apply xobject's transform matrix */ + fz_concat(&local_transform, &xobj->matrix, &local_transform); +@@ -1276,12 +1277,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + if (!resources) + resources = page_resources; + ++ oldbot = pr->gbot; ++ pr->gbot = pr->gtop; ++ + pdf_process_contents(ctx, (pdf_processor*)pr, xobj->document, resources, xobj->contents, NULL); + } + fz_always(ctx) + { ++ /* Undo any gstate mismatches due to the pdf_process_contents call */ ++ if (oldbot != -1) ++ { ++ while (pr->gtop > pr->gbot) ++ { ++ pdf_grestore(ctx, pr); ++ } ++ pr->gbot = oldbot; ++ } ++ + if (cleanup_state >= 3) +- pdf_grestore(ctx, pr); /* Remove the clippath */ ++ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */ + + /* wrap up transparency stacks */ + if (xobj->transparency) +@@ -1315,13 +1329,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + pr->gstate[pr->gparent].ctm = gparent_save_ctm; + pr->gparent = gparent_save; + +- if (gstate) +- { +- while (oldtop < pr->gtop) +- pdf_grestore(ctx, pr); +- ++ while (oldtop < pr->gtop) + pdf_grestore(ctx, pr); +- } + + pdf_unmark_obj(ctx, xobj->me); + } diff -Nru mupdf-1.9a+ds1/debian/patches/series mupdf-1.9a+ds1/debian/patches/series --- mupdf-1.9a+ds1/debian/patches/series 2016-11-14 23:56:43.000000000 +0800 +++ mupdf-1.9a+ds1/debian/patches/series 2017-02-16 23:43:55.000000000 +0800 @@ -6,3 +6,5 @@ 0006-CVE-2016-6265.patch 0007-CVE-2016-6525.patch 0008-CVE-2016-8674.patch +0009-CVE-2017-5896.patch +0010-CVE-2017-5991.patch
mupdf_1.9a+ds1-3.debdiff.sig
Description: Binary data