GNU bug report logs - #25935
[PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.


Package: guix-patches;

Reported by: Alex Vong <alexvong1995 <at> gmail.com>

Date: Thu, 2 Mar 2017 13:17:01 UTC

Severity: normal

Tags: patch

Done: Alex Vong <alexvong1995 <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#25935; Package guix-patches. (Thu, 02 Mar 2017 13:17:01 GMT)

Acknowledgement sent to Alex Vong <alexvong1995 <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 02 Mar 2017 13:17:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Alex Vong <alexvong1995 <at> gmail.com>
To: guix-patches <at> gnu.org, guix-devel <at> gnu.org
Subject: Re: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Thu, 02 Mar 2017 21:15:29 +0800
[Message part 1 (text/plain, inline)]
I've just found out we have guix-patches now! We should continue the
discussion in the bug report instead of guix-devel.

[Message part 2 (message/rfc822, inline)]
From: Alex Vong <alexvong1995 <at> gmail.com>
To: guix-devel <at> gnu.org
Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Thu, 02 Mar 2017 20:55:25 +0800
[Message part 3 (text/plain, inline)]
Hello,

This patch (applied to core-updates) fixes the two CVEs disclosed recently.

I am currently testing the patch. I think the patch works but it is
still building right now.

[0001-gnu-mupdf-Fix-CVE-2017-5896-5991.patch (text/x-diff, inline)]
From a5bb1e9601d8bb3e48fdb521e6d1821dd5d9c833 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Thu, 2 Mar 2017 19:59:05 +0800
Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.

* gnu/packages/patches/mupdf-CVE-2017-5896.patch,
gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/pdf.scm (mupdf)[source]: Use it.
---
 gnu/local.mk                                   |   2 +
 gnu/packages/patches/mupdf-CVE-2017-5896.patch |  63 +++++++++++++++
 gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 +++++++++++++++++++++++++
 gnu/packages/pdf.scm                           |   5 +-
 4 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5896.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5991.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3d9ad7065..d0ec9ea50 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -767,6 +767,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch	\
   %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch		\
   %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch		\
+  %D%/packages/patches/mupdf-CVE-2017-5896.patch		\
+  %D%/packages/patches/mupdf-CVE-2017-5991.patch		\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
   %D%/packages/patches/musl-CVE-2016-8859.patch			\
   %D%/packages/patches/mutt-store-references.patch		\
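Review bot: the two new entries are out of order in this list. `mupdf-CVE-2017-5896.patch` and `mupdf-CVE-2017-5991.patch` sort before `mupdf-mujs-CVE-2016-10132.patch` under either ASCII or case-insensitive ordering, so they belong directly after `mupdf-build-with-openjpeg-2.1.patch`, not after the two mujs entries. Move them up two lines; the tab padding before the trailing backslash already matches the neighbours.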
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
new file mode 100644
index 000000000..1537ecc89
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-5896:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697515
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
+http://www.openwall.com/lists/oss-security/2017/02/10/1
+https://security-tracker.debian.org/tracker/CVE-2017-5896
+https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
+
+From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts <at> artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index a8317127..f1291dc2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ 	"ldr	r4, [r13,#4*22]		@ r4 = divXY			\n"
+ 	"ldr	r5, [r13,#4*11]		@ for (nn = n; nn > 0; n--) {	\n"
++	"ldr	r8, [r13,#4*17]		@ r8 = back4			\n"
+ 	"18:				@				\n"
+ 	"mov	r14,#0			@ r14= v = 0			\n"
+ 	"sub	r5, r5, r1, LSL #8	@ for (xx = x; xx > 0; x--) {	\n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"mul	r14,r4, r14		@ r14= v *= divX		\n"
+ 	"mov	r14,r14,LSR #16		@ r14= v >>= 16			\n"
+ 	"strb	r14,[r9], #1		@ *d++ = r14			\n"
+-	"sub	r0, r0, r8		@ s -= back2			\n"
++	"sub	r0, r0, r8		@ s -= back4			\n"
+ 	"subs	r5, r5, #1		@ n--				\n"
+ 	"bgt	18b			@ }				\n"
+ 	"21:				@				\n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 		x += f;
+ 		if (x > 0)
+ 		{
++			int back4 = x * n - 1;
+ 			div = x * y;
+ 			for (nn = n; nn > 0; nn--)
+ 			{
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 					s -= back5;
+ 				}
+ 				*d++ = v / div;
+-				s -= back2;
++				s -= back4;
+ 			}
+ 		}
+ 	}
+-- 
+2.12.0
+
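Review bot: the header of this file is inconsistent about what the bug is. The linked Gentoo post calls it a use-after-free, while the upstream commit it wraps is titled "Fix out of bounds read in fz_subsample_pixmap" and the diff is a pointer-arithmetic correction in the final `if (x > 0)` special case (`s -= back2` becomes `s -= back4`, with `back4 = x * n - 1`). A one-line summary after "Fix CVE-2017-5896:" naming it an out-of-bounds read in fz_subsample_pixmap would spare the next reader the links. Note also that the fix touches two code paths: the plain C loop and the `fz_subsample_pixmap_ARM` inline assembly, where the new `ldr r8, [r13,#4*17]` reads `back4` from slot 17 of the `@STACK:` layout (consistent with the existing loads of `n` from slot 11 and `divXY` from slot 22). The assembly path is only compiled for ARM, so a build on x86_64 does not exercise that half of the change; only an armhf-linux build would.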
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
new file mode 100644
index 000000000..1fa6dc346
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
@@ -0,0 +1,101 @@
+Fix CVE-2017-5991:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697500
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
+https://security-tracker.debian.org/tracker/CVE-2017-5991
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465
+
+From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.watts <at> artifex.com>
+Date: Thu, 9 Feb 2017 15:49:15 +0000
+Subject: [PATCH] Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index a3ea895d..f1eac8d3 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 	pdf_run_processor *pr = (pdf_run_processor *)proc;
+ 	pdf_gstate *gstate = NULL;
+ 	int oldtop = 0;
++	int oldbot = -1;
+ 	fz_matrix local_transform = *transform;
+ 	softmask_save softmask = { NULL };
+ 	int gparent_save;
+@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 	fz_var(cleanup_state);
+ 	fz_var(gstate);
+ 	fz_var(oldtop);
++	fz_var(oldbot);
+ 
+ 	gparent_save = pr->gparent;
+ 	pr->gparent = pr->gtop;
++	oldtop = pr->gtop;
+ 
+ 	fz_try(ctx)
+ 	{
+ 		pdf_gsave(ctx, pr);
+ 
+ 		gstate = pr->gstate + pr->gtop;
+-		oldtop = pr->gtop;
+ 
+ 		pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
+ 		pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
+@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 
+ 		doc = pdf_get_bound_document(ctx, xobj->obj);
+ 
++		oldbot = pr->gbot;
++		pr->gbot = pr->gtop;
++
+ 		pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
+ 	}
+ 	fz_always(ctx)
+ 	{
++		/* Undo any gstate mismatches due to the pdf_process_contents call */
++		if (oldbot != -1)
++		{
++			while (pr->gtop > pr->gbot)
++			{
++				pdf_grestore(ctx, pr);
++			}
++			pr->gbot = oldbot;
++		}
++
+ 		if (cleanup_state >= 3)
+-			pdf_grestore(ctx, pr); /* Remove the clippath */
++			pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
+ 
+ 		/* wrap up transparency stacks */
+ 		if (transparency)
+@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 		pr->gstate[pr->gparent].ctm = gparent_save_ctm;
+ 		pr->gparent = gparent_save;
+ 
+-		if (gstate)
+-		{
+-			while (oldtop < pr->gtop)
+-				pdf_grestore(ctx, pr);
+-
++		while (oldtop < pr->gtop)
+ 			pdf_grestore(ctx, pr);
+-		}
+ 
+ 		pdf_unmark_obj(ctx, xobj->obj);
+ 	}
+-- 
+2.12.0
+
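Review bot: dropping the `if (gstate)` guard around the final `while (oldtop < pr->gtop) pdf_grestore(ctx, pr);` loop is only correct because `oldtop = pr->gtop;` has moved from inside `fz_try` (after `pdf_gsave`) to before it. With the old placement a throw inside `pdf_gsave` left `oldtop` at its initial 0 and `gstate` NULL, and the guard was what stopped the loop from unwinding to depth 0; with the new placement `oldtop` always holds the pre-call depth, so the unconditional loop is safe and the guard is redundant. The upstream message only says "avoid letting the gstate stack get out of sync", so a sentence in the Guix header explaining this would help whoever next rebases the patch.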
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index d449b72ee..205b8af2d 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -11,6 +11,7 @@
 ;;; Coypright © 2016 Julien Lepiller <julien <at> lepiller.eu>
 ;;; Copyright © 2016 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;; Copyright © 2017 Leo Famulari <leo <at> famulari.name>
+;;; Copyright © 2017 Alex Vong <alexvong1995 <at> gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
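Review bot: the context line three above the new entry reads "Coypright © 2016 Julien Lepiller". It predates this patch and should not be fixed in a CVE commit, but it is a one-word typo worth a separate trivial commit rather than carrying it along.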
@@ -492,7 +493,9 @@ extracting content or merging files.")
           "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a"))
         (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
                                  "mupdf-mujs-CVE-2016-10132.patch"
-                                 "mupdf-mujs-CVE-2016-10133.patch"))
+                                 "mupdf-mujs-CVE-2016-10133.patch"
+                                 "mupdf-CVE-2017-5896.patch"
+                                 "mupdf-CVE-2017-5991.patch"))
         (modules '((guix build utils)))
         (snippet
             ;; Delete all the bundled libraries except for mujs, which is
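Review bot: for core-updates, adding the patches to `mupdf` itself is the right place, but the ChangeLog entry for this file ("(mupdf)[source]: Use it.") refers to a single thing while two patches are added; "Add patches." matches the wording of the other entries. After the change, `guix lint -c cve mupdf` is worth running so the cve checker can confirm it recognises CVE-2017-5896 and CVE-2017-5991 from the patch file names.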
-- 
2.12.0

[Message part 5 (text/plain, inline)]
Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#25935; Package guix-patches. (Thu, 02 Mar 2017 18:12:01 GMT)

Message #8 received at 25935 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: guix-devel <at> gnu.org, 25935 <at> debbugs.gnu.org
Subject: Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Thu, 2 Mar 2017 13:11:50 -0500
[Message part 1 (text/plain, inline)]
On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
> This patch (applied to core-updates) fixes the two CVEs disclosed recently.

Can you send a patch for the master branch instead? The patches should
be applied to mupdf/fixed in (gnu packages pdf).
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#25935; Package guix-patches. (Fri, 03 Mar 2017 06:05:02 GMT)

Message #11 received at 25935 <at> debbugs.gnu.org:

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: guix-devel <at> gnu.org, 25935 <at> debbugs.gnu.org
Subject: Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Fri, 03 Mar 2017 14:04:11 +0800
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
>> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
>
> Can you send a patch for the master branch instead? The patches should
> be applied to mupdf/fixed in (gnu packages pdf).

Sure, here it is:

[0001-gnu-mupdf-Fix-CVE-2017-5896-5991.patch (text/x-diff, inline)]
From 24ceef58b2ebb70d45c01e7e1bc43cc2056f8705 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Thu, 2 Mar 2017 19:59:05 +0800
Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.

* gnu/packages/patches/mupdf-CVE-2017-5896.patch,
gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
* gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/local.mk                                   |   2 +
 gnu/packages/patches/mupdf-CVE-2017-5896.patch |  63 +++++++++++++++
 gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 +++++++++++++++++++++++++
 gnu/packages/pdf.scm                           |   5 +-
 4 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5896.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5991.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 406e0dc96..584ab75a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,6 +764,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch	\
   %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch		\
   %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch		\
+  %D%/packages/patches/mupdf-CVE-2017-5896.patch		\
+  %D%/packages/patches/mupdf-CVE-2017-5991.patch		\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
   %D%/packages/patches/musl-CVE-2016-8859.patch			\
   %D%/packages/patches/mutt-store-references.patch		\
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
new file mode 100644
index 000000000..1537ecc89
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-5896:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697515
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
+http://www.openwall.com/lists/oss-security/2017/02/10/1
+https://security-tracker.debian.org/tracker/CVE-2017-5896
+https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
+
+From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts <at> artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index a8317127..f1291dc2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ 	"ldr	r4, [r13,#4*22]		@ r4 = divXY			\n"
+ 	"ldr	r5, [r13,#4*11]		@ for (nn = n; nn > 0; n--) {	\n"
++	"ldr	r8, [r13,#4*17]		@ r8 = back4			\n"
+ 	"18:				@				\n"
+ 	"mov	r14,#0			@ r14= v = 0			\n"
+ 	"sub	r5, r5, r1, LSL #8	@ for (xx = x; xx > 0; x--) {	\n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"mul	r14,r4, r14		@ r14= v *= divX		\n"
+ 	"mov	r14,r14,LSR #16		@ r14= v >>= 16			\n"
+ 	"strb	r14,[r9], #1		@ *d++ = r14			\n"
+-	"sub	r0, r0, r8		@ s -= back2			\n"
++	"sub	r0, r0, r8		@ s -= back4			\n"
+ 	"subs	r5, r5, #1		@ n--				\n"
+ 	"bgt	18b			@ }				\n"
+ 	"21:				@				\n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 		x += f;
+ 		if (x > 0)
+ 		{
++			int back4 = x * n - 1;
+ 			div = x * y;
+ 			for (nn = n; nn > 0; nn--)
+ 			{
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 					s -= back5;
+ 				}
+ 				*d++ = v / div;
+-				s -= back2;
++				s -= back4;
+ 			}
+ 		}
+ 	}
+-- 
+2.12.0
+
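Review bot: this file is byte-identical to the core-updates version (same blob id `1537ecc89`), so it expects the same pre-image, `source/fitz/pixmap.c` at `a8317127`. Since this version targets `mupdf/fixed` on master, which inherits its tarball from `mupdf`, confirm the patch still applies there before pushing; `guix build -S -e '(@@ (gnu packages pdf) mupdf/fixed)'` fails at patch time if the `back2` to `back4` hunk in the `if (x > 0)` special case no longer matches.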
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
new file mode 100644
index 000000000..1fa6dc346
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch
@@ -0,0 +1,101 @@
+Fix CVE-2017-5991:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697500
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
+https://security-tracker.debian.org/tracker/CVE-2017-5991
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465
+
+From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.watts <at> artifex.com>
+Date: Thu, 9 Feb 2017 15:49:15 +0000
+Subject: [PATCH] Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index a3ea895d..f1eac8d3 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 	pdf_run_processor *pr = (pdf_run_processor *)proc;
+ 	pdf_gstate *gstate = NULL;
+ 	int oldtop = 0;
++	int oldbot = -1;
+ 	fz_matrix local_transform = *transform;
+ 	softmask_save softmask = { NULL };
+ 	int gparent_save;
+@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 	fz_var(cleanup_state);
+ 	fz_var(gstate);
+ 	fz_var(oldtop);
++	fz_var(oldbot);
+ 
+ 	gparent_save = pr->gparent;
+ 	pr->gparent = pr->gtop;
++	oldtop = pr->gtop;
+ 
+ 	fz_try(ctx)
+ 	{
+ 		pdf_gsave(ctx, pr);
+ 
+ 		gstate = pr->gstate + pr->gtop;
+-		oldtop = pr->gtop;
+ 
+ 		pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
+ 		pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
+@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 
+ 		doc = pdf_get_bound_document(ctx, xobj->obj);
+ 
++		oldbot = pr->gbot;
++		pr->gbot = pr->gtop;
++
+ 		pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
+ 	}
+ 	fz_always(ctx)
+ 	{
++		/* Undo any gstate mismatches due to the pdf_process_contents call */
++		if (oldbot != -1)
++		{
++			while (pr->gtop > pr->gbot)
++			{
++				pdf_grestore(ctx, pr);
++			}
++			pr->gbot = oldbot;
++		}
++
+ 		if (cleanup_state >= 3)
+-			pdf_grestore(ctx, pr); /* Remove the clippath */
++			pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
+ 
+ 		/* wrap up transparency stacks */
+ 		if (transparency)
+@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 		pr->gstate[pr->gparent].ctm = gparent_save_ctm;
+ 		pr->gparent = gparent_save;
+ 
+-		if (gstate)
+-		{
+-			while (oldtop < pr->gtop)
+-				pdf_grestore(ctx, pr);
+-
++		while (oldtop < pr->gtop)
+ 			pdf_grestore(ctx, pr);
+-		}
+ 
+ 		pdf_unmark_obj(ctx, xobj->obj);
+ 	}
+-- 
+2.12.0
+
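Review bot: the new unwind loop in `fz_always` only handles a content stream that left more gstates pushed than it popped (`pr->gtop > pr->gbot`). The opposite imbalance, a stream that pops more than it pushed, is not handled here; it presumably relies on `pdf_grestore` itself refusing to go below `pr->gbot`, which is why `pr->gbot = pr->gtop;` is set immediately before `pdf_process_contents`. The `oldbot != -1` sentinel likewise assumes `pr->gbot` is never legitimately -1. Neither assumption is visible in this hunk, so they are worth stating in the Guix header for whoever rebases it.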
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index a229d689d..13dbd0ecd 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -11,6 +11,7 @@
 ;;; Coypright © 2016 Julien Lepiller <julien <at> lepiller.eu>
 ;;; Copyright © 2016 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;; Copyright © 2017 Leo Famulari <leo <at> famulari.name>
+;;; Copyright © 2017 Alex Vong <alexvong1995 <at> gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -550,7 +551,9 @@ and examining the file structure (pdfshow).")
           (append
             (origin-patches (package-source mupdf))
             (search-patches "mupdf-mujs-CVE-2016-10132.patch"
-                            "mupdf-mujs-CVE-2016-10133.patch")))))))
+                            "mupdf-mujs-CVE-2016-10133.patch"
+                            "mupdf-CVE-2017-5896.patch"
+                            "mupdf-CVE-2017-5991.patch")))))))
 
 (define-public qpdf
   (package
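Review bot: appending to `mupdf/fixed` rather than `mupdf` is the right target on master, as requested; if `mupdf/fixed` is mupdf's `replacement` (the usual meaning of the /fixed suffix), the fix reaches users without rebuilding mupdf's dependents. Because the list is built as `(append (origin-patches (package-source mupdf)) (search-patches ...))`, neither patch may later be added to `mupdf` on master as well, or it would be applied twice and fail. `guix lint -c cve mupdf` on the result checks that the replacement's patch names are picked up by the cve checker.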
-- 
2.12.0

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#25935; Package guix-patches. (Fri, 03 Mar 2017 09:56:01 GMT)

Message #14 received at 25935 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: guix-devel <at> gnu.org, 25935 <at> debbugs.gnu.org
Subject: Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Fri, 3 Mar 2017 04:55:16 -0500
[Message part 1 (text/plain, inline)]
On Fri, Mar 03, 2017 at 02:04:11PM +0800, Alex Vong wrote:
> Leo Famulari <leo <at> famulari.name> writes:
> 
> > On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
> >> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
> >
> > Can you send a patch for the master branch instead? The patches should
> > be applied to mupdf/fixed in (gnu packages pdf).
> 
> Sure, here it is:
> 

> From 24ceef58b2ebb70d45c01e7e1bc43cc2056f8705 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995 <at> gmail.com>
> Date: Thu, 2 Mar 2017 19:59:05 +0800
> Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
> 
> * gnu/packages/patches/mupdf-CVE-2017-5896.patch,
> gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
> * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches.
> * gnu/local.mk (dist_patch_DATA): Add them.

Thanks, pushed!
[signature.asc (application/pgp-signature, inline)]

Reply sent to Alex Vong <alexvong1995 <at> gmail.com>:
You have taken responsibility. (Sat, 11 Mar 2017 09:38:02 GMT)

Notification sent to Alex Vong <alexvong1995 <at> gmail.com>:
bug acknowledged by developer. (Sat, 11 Mar 2017 09:38:02 GMT)

Message #19 received at 25935-done <at> debbugs.gnu.org:

From: Alex Vong <alexvong1995 <at> gmail.com>
To: 25935-done <at> debbugs.gnu.org
Subject: Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Sat, 11 Mar 2017 17:37:23 +0800
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Mar 03, 2017 at 02:04:11PM +0800, Alex Vong wrote:
>> Leo Famulari <leo <at> famulari.name> writes:
>> 
>> > On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
>> >> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
>> >
>> > Can you send a patch for the master branch instead? The patches should
>> > be applied to mupdf/fixed in (gnu packages pdf).
>> 
>> Sure, here it is:
>> 
>
>> From 24ceef58b2ebb70d45c01e7e1bc43cc2056f8705 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995 <at> gmail.com>
>> Date: Thu, 2 Mar 2017 19:59:05 +0800
>> Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
>> 
>> * gnu/packages/patches/mupdf-CVE-2017-5896.patch,
>> gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
>> * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> Thanks, pushed!
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 08 Apr 2017 11:24:04 GMT)

This bug report was last modified 8 years and 78 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.