Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package djvulibre [ Reason ] Address CVE-2021-3500 and some other potential security issues by importing Fedora patches. [ Impact ] Programs using libdjvulibre to handle .djvu files will remain vulnerable to crafted input. [ Tests ] n/a [ Risks ] All but one of these patches have been in Fedora for quite some time. The last one is currently in Fedora, but recently. All the patches are very simple: testing and bailing when various error conditions pop up, like a memory allocation failure or page sizes that cause overflow. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock djvulibre/3.5.28-2 ---------------------------------------------------------------- diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog --- djvulibre-3.5.28/debian/changelog 2020-11-23 13:10:15.000000000 +0000 +++ djvulibre-3.5.28/debian/changelog 2021-05-10 18:56:59.000000000 +0100 
@@ -1,3 +1,26 @@ +djvulibre (3.5.28-2) unstable; urgency=high + + * bump policy version + * Include Fedora 3.5.27 patches, foward ported, taken from djvulibre.spec in + https://src.fedoraproject.org/rpms/djvulibre.git + - Patch0: djvulibre-3.5.22-cdefs.patch (forward ported) + - #Patch1: djvulibre-3.5.25.3-cflags.patch (disabled in Fedora) + - Patch2: djvulibre-3.5.27-buffer-overflow.patch (UPSTREAMED) + - Patch3: djvulibre-3.5.27-infinite-loop.patch (UPSTREAMED) + - Patch4: djvulibre-3.5.27-stack-overflow.patch (UPSTREAMED) + - Patch5: djvulibre-3.5.27-zero-bytes-check.patch (UPSTREAMED) + - Patch6: djvulibre-3.5.27-export-file.patch (forward ported) + - Patch7: djvulibre-3.5.27-null-dereference.patch (UPSTREAMED) + - Patch8: djvulibre-3.5.27-check-image-size.patch (forward ported) + - Patch9: djvulibre-3.5.27-integer-overflow.patch (forward ported) + - Patch10: djvulibre-3.5.27-check-input-pool.patch (forward ported) + - Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported) + - Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported) + These address a number of crashes and security issues, including + CVE-2021-3500 (closes: #988215) + + -- Barak A. Pearlmutter <b...@debian.org> Mon, 10 May 2021 18:56:59 +0100 + djvulibre (3.5.28-1) unstable; urgency=medium [ Leon Bottou ] diff -Nru djvulibre-3.5.28/debian/control djvulibre-3.5.28/debian/control --- djvulibre-3.5.28/debian/control 2020-11-23 13:10:15.000000000 +0000 +++ djvulibre-3.5.28/debian/control 2021-05-10 18:44:15.000000000 +0100 
@@ -11,7 +11,7 @@ Vcs-Git: https://salsa.debian.org/debian/djvulibre.git Vcs-Browser: https://salsa.debian.org/debian/djvulibre Homepage: http://djvu.sourceforge.net/ -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Rules-Requires-Root: no Package: libdjvulibre-dev diff -Nru djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch --- djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch 2021-05-10 18:46:09.000000000 +0100 @@ -0,0 +1,21 @@ +From: "Barak A. Pearlmutter" <barak+...@pearlmutter.net> +Date: Mon, 10 May 2021 15:43:26 +0100 +Subject: djvulibre-fedora Patch0 djvulibre-3.5.22-cdefs.patch + +--- + libdjvu/GSmartPointer.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libdjvu/GSmartPointer.h b/libdjvu/GSmartPointer.h +index 8a8bb8a..08540f7 100644 +--- a/libdjvu/GSmartPointer.h ++++ b/libdjvu/GSmartPointer.h +@@ -62,6 +62,8 @@ + # pragma interface + #endif + ++#include <cstddef> ++ + /** @name GSmartPointer.h + + Files #"GSmartPointer.h"# and #"GSmartPointer.cpp"# define a smart-pointer diff -Nru djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch --- djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch 2021-05-10 18:46:09.000000000 +0100 
@@ -0,0 +1,24 @@ +From: "Barak A. Pearlmutter" <barak+...@pearlmutter.net> +Date: Mon, 10 May 2021 15:47:32 +0100 +Subject: djvulibre-fedora Patch6 djvulibre-3.5.27-export-file.patch + +--- + desktopfiles/Makefile.am | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/desktopfiles/Makefile.am b/desktopfiles/Makefile.am +index 9e952e1..5b8cae3 100644 +--- a/desktopfiles/Makefile.am ++++ b/desktopfiles/Makefile.am +@@ -32,10 +32,9 @@ if HAVE_CONVERSION_INKSCAPE + convert_icons_process = \ + s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \ + ${INKSCAPE} \ +---without-gui \ + --export-width=$${s} \ + --export-height=$${s} \ +---export-png=$@ $< ++--export-filename=$@ $< + endif + + if HAVE_CONVERSION_CONVERT diff -Nru djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch --- djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch 2021-05-10 18:46:09.000000000 +0100 
@@ -0,0 +1,24 @@ +From: "Barak A. Pearlmutter" <barak+...@pearlmutter.net> +Date: Mon, 10 May 2021 15:48:24 +0100 +Subject: djvulibre-fedora Patch8 djvulibre-3.5.27-check-image-size.patch + +--- + libdjvu/IW44Image.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp +index e8d4b44..aa3d554 100644 +--- a/libdjvu/IW44Image.cpp ++++ b/libdjvu/IW44Image.cpp +@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast) + size_t sz = bw * bh; + if (sz / (size_t)bw != (size_t)bh) // multiplication overflow + G_THROW("IW44Image: image size exceeds maximum (corrupted file?)"); ++ if (sz == 0) ++ G_THROW("IW44Image: zero size image (corrupted file?)"); + GPBuffer<short> gdata16(data16,sz); ++ if (data16 == NULL) ++ G_THROW("IW44Image: unable to allocate image data"); + // Copy coefficients + int i; + short *p = data16; diff -Nru djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch --- djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch 2021-05-10 18:46:09.000000000 +0100 
@@ -0,0 +1,31 @@ +From: "Barak A. Pearlmutter" <barak+...@pearlmutter.net> +Date: Mon, 10 May 2021 15:48:53 +0100 +Subject: djvulibre-fedora Patch9 djvulibre-3.5.27-interger-overflow.patch + +--- + tools/ddjvu.cpp | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp +index 7109952..2f3e0f9 100644 +--- a/tools/ddjvu.cpp ++++ b/tools/ddjvu.cpp +@@ -70,6 +70,7 @@ + #include <locale.h> + #include <fcntl.h> + #include <errno.h> ++#include <stdint.h> + + #ifdef UNIX + # include <sys/time.h> +@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno) + rowsize = rrect.w; + else + rowsize = rrect.w * 3; +- if (! (image = (char*)malloc(rowsize * rrect.h))) ++ if ((size_t)rowsize > SIZE_MAX / rrect.h) ++ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno); ++ if (! (image = (char*)malloc((size_t)rowsize * rrect.h))) + die(i18n("Cannot allocate image buffer for page %d"), pageno); + + /* Render */ diff -Nru djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch --- djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch 2021-05-10 18:46:09.000000000 +0100 
@@ -0,0 +1,21 @@ +From: "Barak A. Pearlmutter" <barak+...@pearlmutter.net> +Date: Mon, 10 May 2021 15:49:14 +0100 +Subject: djvulibre-fedora Patch10 djvulibre-3.5.27-check-input-pool.patch + +--- + libdjvu/DataPool.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp +index 5fcbedf..4c2eaf0 100644 +--- a/libdjvu/DataPool.cpp ++++ b/libdjvu/DataPool.cpp +@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length) + DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n"); + DEBUG_MAKE_INDENT(3); + ++ if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") ); ++ + DataPool *xpool=new DataPool(); + GP<DataPool> retval=xpool; + xpool->init(); diff -Nru djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch --- djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch 2021-05-10 18:46:09.000000000 +0100 
@@ -0,0 +1,46 @@ +From: "Barak A. Pearlmutter" <barak+...@pearlmutter.net> +Date: Mon, 10 May 2021 15:49:55 +0100 +Subject: djvulibre-fedora Patch11 + djvulibre-3.5.27-djvuport-stack-overflow.patch + +--- + libdjvu/DjVuPort.cpp | 9 +++++++++ + libdjvu/DjVuPort.h | 1 + + 2 files changed, 10 insertions(+) + +diff --git a/libdjvu/DjVuPort.cpp b/libdjvu/DjVuPort.cpp +index 2b3e0d2..a377920 100644 +--- a/libdjvu/DjVuPort.cpp ++++ b/libdjvu/DjVuPort.cpp +@@ -507,10 +507,19 @@ GP<DjVuFile> + DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id) + { + GPList<DjVuPort> list; ++ ++ if (!!opening_id && opening_id == id) ++ G_THROW("DjVuPortcaster: recursive opening of the same file (corrupted file?)"); ++ else ++ opening_id = id; ++ + compute_closure(source, list, true); + GP<DjVuFile> file; + for(GPosition pos=list;pos;++pos) + if ((file=list[pos]->id_to_file(source, id))) break; ++ ++ opening_id = GUTF8String(); ++ + return file; + } + +diff --git a/libdjvu/DjVuPort.h b/libdjvu/DjVuPort.h +index e2b3125..313dc2b 100644 +--- a/libdjvu/DjVuPort.h ++++ b/libdjvu/DjVuPort.h +@@ -484,6 +484,7 @@ private: + const DjVuPort *dst, int distance); + void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list, + bool sorted=false); ++ GUTF8String opening_id; + }; + + diff -Nru djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch --- djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch 2021-05-10 18:46:09.000000000 +0100 
@@ -0,0 +1,30 @@ +From: "Barak A. Pearlmutter" <barak+...@pearlmutter.net> +Date: Mon, 10 May 2021 15:50:19 +0100 +Subject: djvulibre-fedora Patch12 + djvulibre-3.5.27-unsigned-short-overflow.patch + +--- + libdjvu/GBitmap.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp +index c2fdbe4..3d552a6 100644 +--- a/libdjvu/GBitmap.cpp ++++ b/libdjvu/GBitmap.cpp +@@ -69,6 +69,7 @@ + #include <stddef.h> + #include <stdlib.h> + #include <string.h> ++#include <limits.h> + + // - Author: Leon Bottou, 05/1997 + +@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs) + // initialize pixel array + if (nrows==0 || ncolumns==0) + G_THROW( ERR_MSG("GBitmap.not_init") ); ++ if (ncolumns > USHRT_MAX - border) ++ G_THROW("GBitmap: row size exceeds maximum (corrupted file?)"); + bytes_per_row = ncolumns + border; + if (runs==0) + G_THROW( ERR_MSG("GBitmap.null_arg") ); diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series --- djvulibre-3.5.28/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/series 2021-05-10 18:46:09.000000000 +0100 @@ -0,0 +1,7 @@ +0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch +0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch +0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch +0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch +0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch +0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch +0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
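Review bot: in the debian/changelog hunk, "foward ported" should read "forward ported". The entry also lists five patches marked UPSTREAMED that do not appear in debian/patches/series; that is correct for 3.5.28, but saying so explicitly (e.g. "already in 3.5.28 upstream, not applied") would save the release team from looking for them in the debdiff.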
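Review bot: the desktopfiles/Makefile.am hunk (Patch6, dropping --without-gui and replacing --export-png with --export-filename) is an Inkscape command-line update with no connection to CVE-2021-3500, and it only takes effect under HAVE_CONVERSION_INKSCAPE. Either state in the changelog why it is needed for this upload or drop it from the freeze diff.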
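Review bot: in the IW44Image.cpp hunk (Patch8), the new `if (sz == 0)` test sits after the existing overflow test `sz / (size_t)bw != (size_t)bh`, so a zero bw still reaches a division by zero before the new check runs. If bw can be zero at this point, test `bw <= 0 || bh <= 0` before the division rather than testing the product afterwards; the later `data16 == NULL` check is fine as placed.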
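Review bot: in the tools/ddjvu.cpp hunk (Patch9), `SIZE_MAX / rrect.h` divides by zero when rrect.h is 0; guard `rrect.h == 0` (and a non-positive rowsize) before the division, e.g. `if (rrect.h == 0 || (size_t)rowsize > SIZE_MAX / rrect.h)`. A negative rowsize cast to size_t becomes huge and is rejected, which is the right outcome, but a comment saying so would help the next reader.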
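Review bot: in the DataPool.cpp hunk (Patch10), the new `ERR_MSG("DataPool.zero_DataPool")` key needs a matching entry in libdjvu's message catalogue to render as anything other than the raw key; please confirm one exists or add it alongside this patch.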
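Review bot: in the DjVuPort.cpp hunk (Patch11), `opening_id` is only cleared on the normal return path; if `list[pos]->id_to_file(source, id)` throws, the id stays set on the shared portcaster and every later open of that id will be rejected as "recursive". Clear it from a scope guard (or a try/catch that rethrows) so it is reset on unwind. The single member also only catches direct re-entry with the same id: A opening B opening A overwrites `opening_id` with B, so that cycle is not detected. Tracking the set of ids currently being opened would cover it.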
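Review bot: in the GBitmap.cpp hunk (Patch12), the `ncolumns > USHRT_MAX - border` test is correct for the unsigned short `bytes_per_row`; as a style point, `<climits>` would match the `<cstddef>` used in Patch0 rather than `<limits.h>` in a C++ source.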
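The pattern these patches apply, checking an allocation size for overflow before multiplying and rejecting zero-sized images before dividing, as an added self-contained example. This is not code from djvulibre or from the Fedora patches; the function names, the "0 means rejected" convention and the sample dimensions are this example's own, and it covers the zero-height edge case that the ddjvu.cpp hunk leaves to the caller.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example (not code from the djvulibre patches): overflow-checked image
 * buffer sizing in the style of the ddjvu.cpp and GBitmap.cpp hunks. */

/* Return width * height * bytes_per_pixel, or 0 if any dimension is zero or
 * the product does not fit in size_t. Zero is rejected before any division so
 * the SIZE_MAX / height test cannot fault on a zero height. */
size_t image_buffer_size(unsigned int width, unsigned int height,
                         unsigned int bytes_per_pixel)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / bytes_per_pixel)
        return 0;                              /* rowsize would overflow */
    size_t rowsize = (size_t)width * bytes_per_pixel;
    if (rowsize > SIZE_MAX / height)
        return 0;                              /* rowsize * height would overflow */
    return rowsize * height;
}

/* Mirror of the GBitmap.cpp check: bytes_per_row is kept in an unsigned short,
 * so ncolumns + border must not exceed USHRT_MAX. Returns the row size or 0. */
unsigned int row_bytes_u16(unsigned int ncolumns, unsigned int border)
{
    if (ncolumns == 0 || border > USHRT_MAX)
        return 0;
    if (ncolumns > (unsigned int)USHRT_MAX - border)
        return 0;
    return ncolumns + border;
}

/* Allocate a zeroed image buffer only after the size survived both checks;
 * NULL on rejection or allocation failure gives callers one failure path. */
unsigned char *alloc_image(unsigned int width, unsigned int height,
                           unsigned int bytes_per_pixel)
{
    size_t sz = image_buffer_size(width, height, bytes_per_pixel);
    if (sz == 0)
        return NULL;
    return (unsigned char *)calloc(1, sz);
}

/* Exercise alloc_image without leaking: 1 if the allocation succeeded
 * (and was freed), 0 if the size was rejected or calloc failed. */
int alloc_image_ok(unsigned int width, unsigned int height,
                   unsigned int bytes_per_pixel)
{
    unsigned char *p = alloc_image(width, height, bytes_per_pixel);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* constructed sample dimensions: one sane image, one zero height,
     * one whose byte count cannot fit in size_t */
    int ok = alloc_image_ok(640, 480, 3)
          && !alloc_image_ok(0, 480, 3)
          && !alloc_image_ok(UINT_MAX, UINT_MAX, 3);
    return ok ? 0 : 1;
}
```

The order of the tests is the point: the zero checks come first so that neither `SIZE_MAX / bytes_per_pixel` nor `SIZE_MAX / height` can divide by zero, and the multiplication is only performed once its result is known to fit.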