From: Alex Vong
To: guix-patches@gnu.org, guix-devel@gnu.org
Subject: Re: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Thu, 02 Mar 2017 21:15:29 +0800
Message-ID: <87wpc7bz0u.fsf@gmail.com>

I've just found out we have guix-patches now! We should continue the
discussion in the bug report instead of guix-devel.

From: Alex Vong
To: guix-devel@gnu.org
Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Thu, 02 Mar 2017 20:55:25 +0800
Message-ID: <87d1dzdeiq.fsf@gmail.com>

Hello,

This patch (applied to core-updates) fixes the two CVEs disclosed
recently. I am currently testing the patch. I think the patch works but
it is still building right now.

Content-Type: text/x-diff; charset=utf-8
Content-Disposition: inline; filename=0001-gnu-mupdf-Fix-CVE-2017-5896-5991.patch
Content-Transfer-Encoding: quoted-printable

From=20a5bb1e9601d8bb3e48fdb521e6d1821dd5d9c833 Mon Sep 17 00:00:00 2001 
From: Alex Vong Date: Thu, 2 Mar 2017 19:59:05 +0800 Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}. * gnu/packages/patches/mupdf-CVE-2017-5896.patch, gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/pdf.scm (mupdf)[source]: Use it. =2D-- gnu/local.mk | 2 + gnu/packages/patches/mupdf-CVE-2017-5896.patch | 63 +++++++++++++++ gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 +++++++++++++++++++++= ++++ gnu/packages/pdf.scm | 5 +- 4 files changed, 170 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5896.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5991.patch diff --git a/gnu/local.mk b/gnu/local.mk index 3d9ad7065..d0ec9ea50 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -767,6 +767,8 @@ dist_patch_DATA =3D \ %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \ %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \ %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \ + %D%/packages/patches/mupdf-CVE-2017-5896.patch \ + %D%/packages/patches/mupdf-CVE-2017-5991.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/musl-CVE-2016-8859.patch \ %D%/packages/patches/mutt-store-references.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/= patches/mupdf-CVE-2017-5896.patch new file mode 100644 index 000000000..1537ecc89 =2D-- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch 
@@ -0,0 +1,63 @@ +Fix CVE-2017-5896: + +https://bugs.ghostscript.com/show_bug.cgi?id=3D697515 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5896 +http://www.openwall.com/lists/oss-security/2017/02/10/1 +https://security-tracker.debian.org/tracker/CVE-2017-5896 +https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsamp= le_pixmap-pixmap-c/ + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=3Dmupdf.git;h=3D2c4e5867ee699b1081527bc6c6ea= 0e99a35a5c27 + +From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 9 Feb 2017 07:12:16 -0800 +Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap + +Pointer arithmetic for final special case was going wrong. +--- + source/fitz/pixmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c +index a8317127..f1291dc2 100644 +--- a/source/fitz/pixmap.c ++++ b/source/fitz/pixmap.c +@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, i= nt h, int f, int factor, + "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,ba= ck5,divXY\n" + "ldr r4, [r13,#4*22] @ r4 =3D divXY \n" + "ldr r5, [r13,#4*11] @ for (nn =3D n; nn > 0; n--) { \n" ++ "ldr r8, [r13,#4*17] @ r8 =3D back4 \n" + "18: @ \n" + "mov r14,#0 @ r14=3D v =3D 0 \n" + "sub r5, r5, r1, LSL #8 @ for (xx =3D x; xx > 0; x--) { \n" +@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, i= nt h, int f, int factor, + "mul r14,r4, r14 @ r14=3D v *=3D divX \n" + "mov r14,r14,LSR #16 @ r14=3D v >>=3D 16 \n" + "strb r14,[r9], #1 @ *d++ =3D r14 \n" +- "sub r0, r0, r8 @ s -=3D back2 \n" ++ "sub r0, r0, r8 @ s -=3D back4 \n" + "subs r5, r5, #1 @ n-- \n" + "bgt 18b @ } \n" + "21: @ \n" +@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile= , int factor) + x +=3D f; + if (x > 0) + { ++ int back4 =3D x * n - 1; + div =3D x * y; 
+ for (nn =3D n; nn > 0; nn--) + { +@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile= , int factor) + s -=3D back5; + } + *d++ =3D v / div; +- s -=3D back2; ++ s -=3D back4; + } + } + } +--=20 +2.12.0 + diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/= patches/mupdf-CVE-2017-5991.patch new file mode 100644 index 000000000..1fa6dc346 =2D-- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch 
@@ -0,0 +1,101 @@ +Fix CVE-2017-5991: + +https://bugs.ghostscript.com/show_bug.cgi?id=3D697500 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5991 +https://security-tracker.debian.org/tracker/CVE-2017-5991 + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=3Dmupdf.git;h=3D1912de5f08e90af1d9d0a9791f58= ba3afdb9d465 + +From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 9 Feb 2017 15:49:15 +0000 +Subject: [PATCH] Bug 697500: Fix NULL ptr access. + +Cope better with errors during rendering - avoid letting the +gstate stack get out of sync. + +This avoids us ever getting into the situation of popping +a clip when we should be popping a mask or a group. This was +causing an unexpected case in the painting. +--- + source/pdf/pdf-op-run.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c +index a3ea895d..f1eac8d3 100644 +--- a/source/pdf/pdf-op-run.c ++++ b/source/pdf/pdf-op-run.c +@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *= proc, pdf_xobject *xobj, pdf + pdf_run_processor *pr =3D (pdf_run_processor *)proc; + pdf_gstate *gstate =3D NULL; + int oldtop =3D 0; ++ int oldbot =3D -1; + fz_matrix local_transform =3D *transform; + softmask_save softmask =3D { NULL }; + int gparent_save; +@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor= *proc, pdf_xobject *xobj, pdf + fz_var(cleanup_state); + fz_var(gstate); + fz_var(oldtop); ++ fz_var(oldbot); +=20 + gparent_save =3D pr->gparent; + pr->gparent =3D pr->gtop; ++ oldtop =3D pr->gtop; +=20 + fz_try(ctx) + { + pdf_gsave(ctx, pr); +=20 + gstate =3D pr->gstate + pr->gtop; +- oldtop =3D pr->gtop; +=20 + pdf_xobject_bbox(ctx, xobj, &xobj_bbox); + pdf_xobject_matrix(ctx, xobj, &xobj_matrix); +@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor= *proc, pdf_xobject *xobj, 
pdf +=20 + doc =3D pdf_get_bound_document(ctx, xobj->obj); +=20 ++ oldbot =3D pr->gbot; ++ pr->gbot =3D pr->gtop; ++ + pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj= , NULL); + } + fz_always(ctx) + { ++ /* Undo any gstate mismatches due to the pdf_process_contents call */ ++ if (oldbot !=3D -1) ++ { ++ while (pr->gtop > pr->gbot) ++ { ++ pdf_grestore(ctx, pr); ++ } ++ pr->gbot =3D oldbot; ++ } ++ + if (cleanup_state >=3D 3) +- pdf_grestore(ctx, pr); /* Remove the clippath */ ++ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath = */ +=20 + /* wrap up transparency stacks */ + if (transparency) +@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor = *proc, pdf_xobject *xobj, pdf + pr->gstate[pr->gparent].ctm =3D gparent_save_ctm; + pr->gparent =3D gparent_save; +=20 +- if (gstate) +- { +- while (oldtop < pr->gtop) +- pdf_grestore(ctx, pr); +- ++ while (oldtop < pr->gtop) + pdf_grestore(ctx, pr); +- } +=20 + pdf_unmark_obj(ctx, xobj->obj); + } +--=20 +2.12.0 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index d449b72ee..205b8af2d 100644 =2D-- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -11,6 +11,7 @@ ;;; Coypright =C2=A9 2016 Julien Lepiller ;;; Copyright =C2=A9 2016 Arun Isaac ;;; Copyright =C2=A9 2017 Leo Famulari +;;; Copyright =C2=A9 2017 Alex Vong ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -492,7 +493,9 @@ extracting content or merging files.") "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a")) (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch" "mupdf-mujs-CVE-2016-10132.patch" =2D "mupdf-mujs-CVE-2016-10133.patch")) + "mupdf-mujs-CVE-2016-10133.patch" + "mupdf-CVE-2017-5896.patch" + "mupdf-CVE-2017-5991.patch")) (modules '((guix build utils))) (snippet ;; Delete all the bundled libraries except for mujs, which is =2D-=20 2.12.0

Cheers,
Alex
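
Review bot: In the gnu/local.mk hunk (@@ -767,6 +767,8 @@) the two new entries are placed after mupdf-mujs-CVE-2016-10133.patch, which breaks the alphabetical order the surrounding entries follow (mupdf-build..., mupdf-mujs..., mupen64plus..., musl..., mutt...). If dist_patch_DATA is kept sorted without regard to case, mupdf-CVE-2017-5896.patch and mupdf-CVE-2017-5991.patch belong between mupdf-build-with-openjpeg-2.1.patch and mupdf-mujs-CVE-2016-10132.patch.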
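
Review bot: The header of mupdf-CVE-2017-5896.patch does not state the bug class, and its references disagree: the Gentoo URL names a use-after-free in fz_subsample_pixmap, while the upstream subject reads "Fix out of bounds read in fz_subsample_pixmap". Add one sentence to the header saying which description the patch follows. In the ARM hunk at @@ -1120,7 +1121,7 @@ the removed and added "sub r0, r0, r8" lines differ only in their comment, so the behavioural change on that path is the added "ldr r8, [r13,#4*17]" from the previous hunk. Offset 17 agrees with the position of back4 in the @STACK comment (n at 11 and divXY at 22 match the existing loads), but these offsets are hand-maintained, so confirm the stack layout is the same in the MuPDF version this package builds.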
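
Review bot: In mupdf-CVE-2017-5991.patch the hunk at @@ -1341,13 +1356,8 @@ drops the "if (gstate)" guard around the final unwind loop, which is only safe because the hunk at @@ -1232,16 +1233,17 @@ moves "oldtop = pr->gtop;" in front of fz_try, before pdf_gsave. With the old placement an early throw would leave oldtop at its initial 0 and the unguarded loop would pop the whole stack. The two hunks have to stay together if this file is ever trimmed or rebased onto a newer MuPDF, and a sentence in the patch header saying so would help whoever does that. The same applies to "int oldbot = -1;": the -1 sentinel that the fz_always block tests is not explained anywhere in the patch.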
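
Review bot: The changelog entry for the gnu/packages/pdf.scm hunk at @@ -492,7 +493,9 @@ reads "(mupdf)[source]: Use it.", but the hunk adds two files to the search-patches list; "Use them." matches the "New files." entry above it. The cover text also says the build had not finished when this was sent, so the result of that build should be reported before the change is applied.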

Date: Thu, 2 Mar 2017 13:11:50 -0500
From: Leo Famulari
To: Alex Vong
Cc: guix-devel@gnu.org, 25935@debbugs.gnu.org
Subject: Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Message-ID: <20170302181150.GA9579@jasmine>
In-Reply-To: <87wpc7bz0u.fsf@gmail.com>

On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
> This patch (applied to core-updates) fixes the two CVEs disclosed recently.

Can you send a patch for the master branch instead? The patches should
be applied to mupdf/fixed in (gnu packages pdf).

From: Alex Vong
To: Leo Famulari
Cc: guix-devel@gnu.org, 25935@debbugs.gnu.org
Subject: Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Date: Fri, 03 Mar 2017 14:04:11 +0800
Message-ID: <877f466gmc.fsf@gmail.com>
In-Reply-To: <20170302181150.GA9579@jasmine> (Leo Famulari's message of "Thu, 2 Mar 2017 13:11:50 -0500")

Leo Famulari writes:

> On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
>> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
>
> Can you send a patch for the master branch instead? The patches should
> be applied to mupdf/fixed in (gnu packages pdf).

Sure, here it is:

Content-Type: text/x-diff; charset=utf-8
Content-Disposition: inline; filename=0001-gnu-mupdf-Fix-CVE-2017-5896-5991.patch
Content-Transfer-Encoding: quoted-printable

From=2024ceef58b2ebb70d45c01e7e1bc43cc2056f8705 Mon Sep 17 00:00:00 2001 
From: Alex Vong Date: Thu, 2 Mar 2017 19:59:05 +0800 Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}. * gnu/packages/patches/mupdf-CVE-2017-5896.patch, gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files. * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches. * gnu/local.mk (dist_patch_DATA): Add them. =2D-- gnu/local.mk | 2 + gnu/packages/patches/mupdf-CVE-2017-5896.patch | 63 +++++++++++++++ gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 +++++++++++++++++++++= ++++ gnu/packages/pdf.scm | 5 +- 4 files changed, 170 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5896.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2017-5991.patch diff --git a/gnu/local.mk b/gnu/local.mk index 406e0dc96..584ab75a5 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -764,6 +764,8 @@ dist_patch_DATA =3D \ %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \ %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \ %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \ + %D%/packages/patches/mupdf-CVE-2017-5896.patch \ + %D%/packages/patches/mupdf-CVE-2017-5991.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/musl-CVE-2016-8859.patch \ %D%/packages/patches/mutt-store-references.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/= patches/mupdf-CVE-2017-5896.patch new file mode 100644 index 000000000..1537ecc89 =2D-- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2017-5896.patch 
@@ -0,0 +1,63 @@ +Fix CVE-2017-5896: + +https://bugs.ghostscript.com/show_bug.cgi?id=3D697515 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5896 +http://www.openwall.com/lists/oss-security/2017/02/10/1 +https://security-tracker.debian.org/tracker/CVE-2017-5896 +https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsamp= le_pixmap-pixmap-c/ + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=3Dmupdf.git;h=3D2c4e5867ee699b1081527bc6c6ea= 0e99a35a5c27 + +From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 9 Feb 2017 07:12:16 -0800 +Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap + +Pointer arithmetic for final special case was going wrong. +--- + source/fitz/pixmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c +index a8317127..f1291dc2 100644 +--- a/source/fitz/pixmap.c ++++ b/source/fitz/pixmap.c +@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, i= nt h, int f, int factor, + "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,ba= ck5,divXY\n" + "ldr r4, [r13,#4*22] @ r4 =3D divXY \n" + "ldr r5, [r13,#4*11] @ for (nn =3D n; nn > 0; n--) { \n" ++ "ldr r8, [r13,#4*17] @ r8 =3D back4 \n" + "18: @ \n" + "mov r14,#0 @ r14=3D v =3D 0 \n" + "sub r5, r5, r1, LSL #8 @ for (xx =3D x; xx > 0; x--) { \n" +@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, i= nt h, int f, int factor, + "mul r14,r4, r14 @ r14=3D v *=3D divX \n" + "mov r14,r14,LSR #16 @ r14=3D v >>=3D 16 \n" + "strb r14,[r9], #1 @ *d++ =3D r14 \n" +- "sub r0, r0, r8 @ s -=3D back2 \n" ++ "sub r0, r0, r8 @ s -=3D back4 \n" + "subs r5, r5, #1 @ n-- \n" + "bgt 18b @ } \n" + "21: @ \n" +@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile= , int factor) + x +=3D f; + if (x > 0) + { ++ int back4 =3D x * n - 1; + div =3D x * y; 
+ for (nn =3D n; nn > 0; nn--) + { +@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile= , int factor) + s -=3D back5; + } + *d++ =3D v / div; +- s -=3D back2; ++ s -=3D back4; + } + } + } +--=20 +2.12.0 + diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/= patches/mupdf-CVE-2017-5991.patch new file mode 100644 index 000000000..1fa6dc346 =2D-- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2017-5991.patch 
@@ -0,0 +1,101 @@ +Fix CVE-2017-5991: + +https://bugs.ghostscript.com/show_bug.cgi?id=3D697500 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5991 +https://security-tracker.debian.org/tracker/CVE-2017-5991 + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=3Dmupdf.git;h=3D1912de5f08e90af1d9d0a9791f58= ba3afdb9d465 + +From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 9 Feb 2017 15:49:15 +0000 +Subject: [PATCH] Bug 697500: Fix NULL ptr access. + +Cope better with errors during rendering - avoid letting the +gstate stack get out of sync. + +This avoids us ever getting into the situation of popping +a clip when we should be popping a mask or a group. This was +causing an unexpected case in the painting. +--- + source/pdf/pdf-op-run.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c +index a3ea895d..f1eac8d3 100644 +--- a/source/pdf/pdf-op-run.c ++++ b/source/pdf/pdf-op-run.c +@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *= proc, pdf_xobject *xobj, pdf + pdf_run_processor *pr =3D (pdf_run_processor *)proc; + pdf_gstate *gstate =3D NULL; + int oldtop =3D 0; ++ int oldbot =3D -1; + fz_matrix local_transform =3D *transform; + softmask_save softmask =3D { NULL }; + int gparent_save; +@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor= *proc, pdf_xobject *xobj, pdf + fz_var(cleanup_state); + fz_var(gstate); + fz_var(oldtop); ++ fz_var(oldbot); +=20 + gparent_save =3D pr->gparent; + pr->gparent =3D pr->gtop; ++ oldtop =3D pr->gtop; +=20 + fz_try(ctx) + { + pdf_gsave(ctx, pr); +=20 + gstate =3D pr->gstate + pr->gtop; +- oldtop =3D pr->gtop; +=20 + pdf_xobject_bbox(ctx, xobj, &xobj_bbox); + pdf_xobject_matrix(ctx, xobj, &xobj_matrix); +@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor= *proc, pdf_xobject *xobj, 
pdf +=20 + doc =3D pdf_get_bound_document(ctx, xobj->obj); +=20 ++ oldbot =3D pr->gbot; ++ pr->gbot =3D pr->gtop; ++ + pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj= , NULL); + } + fz_always(ctx) + { ++ /* Undo any gstate mismatches due to the pdf_process_contents call */ ++ if (oldbot !=3D -1) ++ { ++ while (pr->gtop > pr->gbot) ++ { ++ pdf_grestore(ctx, pr); ++ } ++ pr->gbot =3D oldbot; ++ } ++ + if (cleanup_state >=3D 3) +- pdf_grestore(ctx, pr); /* Remove the clippath */ ++ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath = */ +=20 + /* wrap up transparency stacks */ + if (transparency) +@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor = *proc, pdf_xobject *xobj, pdf + pr->gstate[pr->gparent].ctm =3D gparent_save_ctm; + pr->gparent =3D gparent_save; +=20 +- if (gstate) +- { +- while (oldtop < pr->gtop) +- pdf_grestore(ctx, pr); +- ++ while (oldtop < pr->gtop) + pdf_grestore(ctx, pr); +- } +=20 + pdf_unmark_obj(ctx, xobj->obj); + } +--=20 +2.12.0 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index a229d689d..13dbd0ecd 100644 =2D-- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -11,6 +11,7 @@ ;;; Coypright =C2=A9 2016 Julien Lepiller ;;; Copyright =C2=A9 2016 Arun Isaac ;;; Copyright =C2=A9 2017 Leo Famulari +;;; Copyright =C2=A9 2017 Alex Vong ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -550,7 +551,9 @@ and examining the file structure (pdfshow).") (append (origin-patches (package-source mupdf)) (search-patches "mupdf-mujs-CVE-2016-10132.patch" =2D "mupdf-mujs-CVE-2016-10133.patch"))))))) + "mupdf-mujs-CVE-2016-10133.patch" + "mupdf-CVE-2017-5896.patch" + "mupdf-CVE-2017-5991.patch"))))))) =20 (define-public qpdf (package =2D-=20 2.12.0
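
Review bot: In the gnu/packages/pdf.scm hunk at @@ -550,7 +551,9 @@ the two new files are appended to "(origin-patches (package-source mupdf))" for mupdf/fixed, while the core-updates version of this change adds the same files to the patches list of mupdf itself. If both forms land, the branch merge has to drop the entries from one of the two lists, otherwise the mupdf/fixed origin would list each patch twice. State in the commit message that this is the master counterpart of the core-updates change so the merge is resolved deliberately. The local.mk ordering and the patch-header points raised on the first version apply here unchanged, since the two new patch files are identical.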
Date: Fri, 3 Mar 2017 04:55:16 -0500
From: Leo Famulari
To: Alex Vong
Cc: guix-devel@gnu.org, 25935@debbugs.gnu.org
Subject: Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
Message-ID: <20170303095516.GA16917@jasmine>
References: <87wpc7bz0u.fsf@gmail.com> <20170302181150.GA9579@jasmine> <877f466gmc.fsf@gmail.com>
In-Reply-To: <877f466gmc.fsf@gmail.com>

On Fri, Mar 03, 2017 at 02:04:11PM +0800, Alex Vong wrote:
> Leo Famulari writes:
>
> > On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
> >> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
> >
> > Can you send a patch for the master branch instead? The patches should
> > be applied to mupdf/fixed in (gnu packages pdf).
>
> Sure, here it is:
>
> From 24ceef58b2ebb70d45c01e7e1bc43cc2056f8705 Mon Sep 17 00:00:00 2001
> From: Alex Vong
> Date: Thu, 2 Mar 2017 19:59:05 +0800
> Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
>
> * gnu/packages/patches/mupdf-CVE-2017-5896.patch,
> gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
> * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches.
> * gnu/local.mk (dist_patch_DATA): Add them.

Thanks, pushed!
From: Alex Vong
To: 25935-done@debbugs.gnu.org
Subject: Re: bug#25935: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
References: <87wpc7bz0u.fsf@gmail.com> <20170302181150.GA9579@jasmine> <877f466gmc.fsf@gmail.com> <20170303095516.GA16917@jasmine>
Date: Sat, 11 Mar 2017 17:37:23 +0800
In-Reply-To: <20170303095516.GA16917@jasmine> (Leo Famulari's message of "Fri, 3 Mar 2017 04:55:16 -0500")
Message-ID: <87k27wb1d8.fsf@gmail.com>

Leo Famulari writes:

> On Fri, Mar 03, 2017 at 02:04:11PM +0800, Alex Vong wrote:
>> Leo Famulari writes:
>>
>> > On Thu, Mar 02, 2017 at 09:15:29PM +0800, Alex Vong wrote:
>> >> This patch (applied to core-updates) fixes the two CVEs disclosed recently.
>> >
>> > Can you send a patch for the master branch instead? The patches should
>> > be applied to mupdf/fixed in (gnu packages pdf).
>>
>> Sure, here it is:
>>
>
>> From 24ceef58b2ebb70d45c01e7e1bc43cc2056f8705 Mon Sep 17 00:00:00 2001
>> From: Alex Vong
>> Date: Thu, 2 Mar 2017 19:59:05 +0800
>> Subject: [PATCH] gnu: mupdf: Fix CVE-2017-{5896,5991}.
>>
>> * gnu/packages/patches/mupdf-CVE-2017-5896.patch,
>> gnu/packages/patches/mupdf-CVE-2017-5991.patch: New files.
>> * gnu/packages/pdf.scm (mupdf/fixed)[source]: Add patches.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> Thanks, pushed!

From unknown Mon Jun 23 11:26:06 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Sat, 08 Apr 2017 11:24:04 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator