diff --git a/mingw-poppler.spec b/mingw-poppler.spec index 8ebd762..064850b 100644 --- a/mingw-poppler.spec +++ b/mingw-poppler.spec @@ -4,7 +4,7 @@ Name: mingw-%{pkgname} Version: 0.67.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: MinGW Windows Poppler library License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT @@ -12,10 +12,28 @@ BuildArch: noarch URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/%{pkgname}-%{version}.tar.xz -# Fix CVE-2017-9083 (#1453200) -Patch0: poppler_CVE-2017-9083.patch # Don't use SYSTEM includes, they break stuff like #include_next -Patch2: poppler_isystem.patch +Patch0: poppler_isystem.patch +# Downstream fix for CVE-2017-9083 (#1453200) +Patch1: poppler_CVE-2017-9083.patch +# Backport fix for CVE-2018-16646 +# https://gitlab.freedesktop.org/poppler/poppler/commit/3d35d209c19c1d3b09b794a0c863ba5de44a9c0a +# https://gitlab.freedesktop.org/poppler/poppler/commit/89fccf45fc5bfca3756102e6bec1950ec1d436a9 +# https://gitlab.freedesktop.org/poppler/poppler/commit/08572e1bdca03baed694dd9828bb2b878865e669 +Patch2: poppler_CVE-2018-16646.patch +# Backport fix for CVE-2018-19058 +# https://gitlab.freedesktop.org/poppler/poppler/commit/6912e06d9ab19ba28991b5cab3319d61d856bd6d +Patch3: poppler_CVE-2018-19058.patch +# Backport fix for CVE-2018-19059 +# https://gitlab.freedesktop.org/poppler/poppler/commit/77a30e94d96220d7e22dff5b3f0a7f296f01b118 +Patch4: poppler_CVE-2018-19059.patch +# Backport fix for CVE-2018-19060 +# https://gitlab.freedesktop.org/poppler/poppler/commit/d2f5d424ba8752f9a9e9dad410546ec1b46caa0a +Patch5: poppler_CVE-2018-19060.patch +# Backport fix for CVE-2018-19149 +# https://gitlab.freedesktop.org/poppler/poppler/commit/f162ecdea0dda5dbbdb45503c1d55d9afaa41d44 +Patch6: poppler_CVE-2018-19149.patch + BuildRequires: cmake BuildRequires: gettext-devel 
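Review bot: The renumbered `Patch0`–`Patch6` tags in the second hunk are only declarations, and no `%prep` change is visible in this diff, so whether the five new CVE backports are actually applied depends on how `%prep` applies patches. If it uses `%autosetup -p1` or `%autopatch`, they are picked up in order. If it lists `%patch0` and `%patch2` explicitly, Patch1 and Patch3–Patch6 would be silently skipped, and `%patch2` would now apply `poppler_CVE-2018-16646.patch` instead of the isystem patch. It is worth confirming in the build log that every `poppler_CVE-*.patch` is applied.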
@@ -224,6 +242,10 @@ rm -f %{buildroot}%{mingw64_bindir}/*.exe %changelog +* Thu Dec 20 2018 Sandro Mani - 0.67.0-2 +- Backport security fixes: + CVE-2018-16646, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149 + * Tue Aug 14 2018 Sandro Mani - 0.67.0-1 - Update to 0.67.0 diff --git a/poppler_CVE-2017-9083.patch b/poppler_CVE-2017-9083.patch index 24617d9..520c8dd 100644 --- a/poppler_CVE-2017-9083.patch +++ b/poppler_CVE-2017-9083.patch @@ -1,6 +1,6 @@ diff -rupN poppler-0.67.0/poppler/JPXStream.cc poppler-0.67.0-new/poppler/JPXStream.cc --- poppler-0.67.0/poppler/JPXStream.cc 2018-07-19 23:20:03.000000000 +0200 -+++ poppler-0.67.0-new/poppler/JPXStream.cc 2018-08-14 10:39:06.664961908 +0200 ++++ poppler-0.67.0-new/poppler/JPXStream.cc 2018-12-20 11:58:45.039936495 +0100 @@ -965,6 +965,11 @@ GBool JPXStream::readCodestream(Guint le "Different number of components in JPX SIZ marker segment"); return gFalse; diff --git a/poppler_CVE-2018-16646.patch b/poppler_CVE-2018-16646.patch new file mode 100644 index 0000000..7c32f8d --- /dev/null +++ b/poppler_CVE-2018-16646.patch 
@@ -0,0 +1,58 @@ +diff -rupN poppler-0.67.0/poppler/Parser.cc poppler-0.67.0-new/poppler/Parser.cc +--- poppler-0.67.0/poppler/Parser.cc 2018-07-19 23:20:03.000000000 +0200 ++++ poppler-0.67.0-new/poppler/Parser.cc 2018-12-20 11:58:45.082936464 +0100 +@@ -202,6 +202,18 @@ Stream *Parser::makeStream(Object &&dict + Stream *str; + Goffset length; + Goffset pos, endPos; ++ XRefEntry *entry = nullptr; ++ ++ if (xref && (entry = xref->getEntry(objNum, false))) { ++ if (!entry->getFlag(XRefEntry::Parsing) || ++ (objNum == 0 && objGen == 0)) { ++ entry->setFlag(XRefEntry::Parsing, true); ++ } else { ++ error(errSyntaxError, getPos(), ++ "Object '{0:d} {1:d} obj' is being already parsed", objNum, objGen); ++ return nullptr; ++ } ++ } + + // get stream start position + lexer->skipToNextLine(); +@@ -222,6 +234,10 @@ Stream *Parser::makeStream(Object &&dict + length = 0; + } + ++ // the above dictLookup can cause a xref reconstruction if the file is damaged ++ // so we need to update the entry pointer ++ entry = xref ? 
xref->getEntry(objNum, false) : nullptr; ++ + // check for length in damaged file + if (xref && xref->getStreamEnd(pos, &endPos)) { + length = endPos - pos; +@@ -283,6 +299,9 @@ Stream *Parser::makeStream(Object &&dict + // get filters + str = str->addFilters(str->getDict(), recursion); + ++ if (entry) ++ entry->setFlag(XRefEntry::Parsing, false); ++ + return str; + } + +diff -rupN poppler-0.67.0/poppler/XRef.h poppler-0.67.0-new/poppler/XRef.h +--- poppler-0.67.0/poppler/XRef.h 2018-07-19 23:20:03.000000000 +0200 ++++ poppler-0.67.0-new/poppler/XRef.h 2018-12-20 11:58:45.082936464 +0100 +@@ -73,7 +73,10 @@ struct XRefEntry { + + // Special flags -- available only after xref->scanSpecialFlags() is run + Unencrypted, // Entry is stored in unencrypted form (meaningless in unencrypted documents) +- DontRewrite // Entry must not be written back in case of full rewrite ++ DontRewrite, // Entry must not be written back in case of full rewrite ++ ++ // Regular flag (moved here to preserve values of previous flags) ++ Parsing // Entry is currently being parsed + }; + + inline GBool getFlag(Flag flag) const { diff --git a/poppler_CVE-2018-19058.patch b/poppler_CVE-2018-19058.patch new file mode 100644 index 0000000..56be32d --- /dev/null +++ b/poppler_CVE-2018-19058.patch @@ -0,0 +1,13 @@ +diff -rupN poppler-0.67.0/poppler/FileSpec.cc poppler-0.67.0-new/poppler/FileSpec.cc +--- poppler-0.67.0/poppler/FileSpec.cc 2018-07-19 23:20:03.000000000 +0200 ++++ poppler-0.67.0-new/poppler/FileSpec.cc 2018-12-20 11:58:45.123936435 +0100 +@@ -93,6 +93,9 @@ GBool EmbFile::save(const char *path) { + GBool EmbFile::save2(FILE *f) { + int c; + ++ if (unlikely(!m_objStr.isStream())) ++ return false; ++ + m_objStr.streamReset(); + while ((c = m_objStr.streamGetChar()) != EOF) { + fputc(c, f); diff --git a/poppler_CVE-2018-19059.patch b/poppler_CVE-2018-19059.patch new file mode 100644 index 0000000..2d8b567 --- /dev/null +++ b/poppler_CVE-2018-19059.patch 
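Review bot: `XRefEntry::Parsing` is set at the top of `Parser::makeStream` but cleared only in the last added block, right before `return str;`, so any earlier return in the parts of the function outside these hunks would leave the flag set on that entry. A later, non-recursive attempt to parse the same object would then hit the new "is being already parsed" error and get `nullptr`. Re-fetching the entry and calling `entry->setFlag(XRefEntry::Parsing, false);` before each early return, or a small scope guard that does the same, would keep the flag accurate on every exit path. The `objNum == 0 && objGen == 0` exemption also deserves a one-line comment saying why that pair bypasses the recursion check.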
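Review bot: The new guard in `EmbFile::save2` returns `false` from a function declared `GBool`; `return gFalse;` would match the `GBool`/`gTrue`/`gFalse` convention visible elsewhere in these patches. The context lines below the guard also show `fputc(c, f)` with its result ignored, so a failed write is not distinguishable from success at that point. Checking `fputc(c, f) == EOF` and returning `gFalse` would close that gap. The rest of `save2` is outside the hunk, so its final return value is not visible here.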
@@ -0,0 +1,31 @@ +diff -rupN poppler-0.67.0/utils/pdfdetach.cc poppler-0.67.0-new/utils/pdfdetach.cc +--- poppler-0.67.0/utils/pdfdetach.cc 2018-07-19 23:20:03.000000000 +0200 ++++ poppler-0.67.0-new/utils/pdfdetach.cc 2018-12-20 11:58:45.161936407 +0100 +@@ -250,7 +250,12 @@ int main(int argc, char *argv[]) { + } + *p = '\0'; + +- if (!fileSpec->getEmbeddedFile()->save(path)) { ++ auto *embFile = fileSpec->getEmbeddedFile(); ++ if (!embFile || !embFile->isOk()) { ++ exitCode = 3; ++ goto err2; ++ } ++ if (!embFile->save(path)) { + error(errIO, -1, "Error saving embedded file as '{0:s}'", p); + exitCode = 2; + goto err2; +@@ -295,7 +300,12 @@ int main(int argc, char *argv[]) { + p = path; + } + +- if (!fileSpec->getEmbeddedFile()->save(p)) { ++ auto *embFile = fileSpec->getEmbeddedFile(); ++ if (!embFile || !embFile->isOk()) { ++ exitCode = 3; ++ goto err2; ++ } ++ if (!embFile->save(p)) { + error(errIO, -1, "Error saving embedded file as '{0:s}'", p); + exitCode = 2; + goto err2; diff --git a/poppler_CVE-2018-19060.patch b/poppler_CVE-2018-19060.patch new file mode 100644 index 0000000..77a6461 --- /dev/null +++ b/poppler_CVE-2018-19060.patch 
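Review bot: Both new `!embFile || !embFile->isOk()` branches in pdfdetach's `main` set `exitCode = 3` and jump to `err2` without printing anything, while the neighbouring save failure reports through `error(errIO, -1, ...)`. A user or a wrapping script then sees only a bare exit status when an attachment is rejected as malformed. Adding a line such as `error(errSyntaxError, -1, "Invalid embedded file");` (constructed wording) before each `goto err2;` would make the rejection visible in logs. It is also worth confirming that 3 matches the exit codes documented for pdfdetach, since that list is outside this diff.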
@@ -0,0 +1,66 @@ +diff -rupN poppler-0.67.0/utils/pdfdetach.cc poppler-0.67.0-new/utils/pdfdetach.cc +--- poppler-0.67.0/utils/pdfdetach.cc 2018-12-20 11:58:45.198936381 +0100 ++++ poppler-0.67.0-new/utils/pdfdetach.cc 2018-12-20 11:58:45.200936379 +0100 +@@ -190,14 +190,18 @@ int main(int argc, char *argv[]) { + fileSpec = static_cast(embeddedFiles->get(i)); + printf("%d: ", i+1); + s1 = fileSpec->getFileName(); +- if ((s1->getChar(0) & 0xff) == 0xfe && (s1->getChar(1) & 0xff) == 0xff) { ++ if (!s1) { ++ exitCode = 3; ++ goto err2; ++ } ++ if (s1->hasUnicodeMarker()) { + isUnicode = gTrue; + j = 2; + } else { + isUnicode = gFalse; + j = 0; + } +- while (j < fileSpec->getFileName()->getLength()) { ++ while (j < s1->getLength()) { + if (isUnicode) { + u = ((s1->getChar(j) & 0xff) << 8) | (s1->getChar(j+1) & 0xff); + j += 2; +@@ -227,14 +231,18 @@ int main(int argc, char *argv[]) { + p = path; + } + s1 = fileSpec->getFileName(); +- if ((s1->getChar(0) & 0xff) == 0xfe && (s1->getChar(1) & 0xff) == 0xff) { ++ if (!s1) { ++ exitCode = 3; ++ goto err2; ++ } ++ if (s1->hasUnicodeMarker()) { + isUnicode = gTrue; + j = 2; + } else { + isUnicode = gFalse; + j = 0; + } +- while (j < fileSpec->getFileName()->getLength()) { ++ while (j < s1->getLength()) { + if (isUnicode) { + u = ((s1->getChar(j) & 0xff) << 8) | (s1->getChar(j+1) & 0xff); + j += 2; +@@ -275,14 +283,18 @@ int main(int argc, char *argv[]) { + } else { + p = path; + s1 = fileSpec->getFileName(); +- if ((s1->getChar(0) & 0xff) == 0xfe && (s1->getChar(1) & 0xff) == 0xff) { ++ if (!s1) { ++ exitCode = 3; ++ goto err2; ++ } ++ if (s1->hasUnicodeMarker()) { + isUnicode = gTrue; + j = 2; + } else { + isUnicode = gFalse; + j = 0; + } +- while (j < fileSpec->getFileName()->getLength()) { ++ while (j < s1->getLength()) { + if (isUnicode) { + u = ((s1->getChar(j) & 0xff) << 8) | (s1->getChar(j+1) & 0xff); + j += 2; 
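Review bot: The three rewritten loops still read `s1->getChar(j+1)` in the Unicode branch while the loop condition is only `j < s1->getLength()`, so a name that carries the Unicode marker and has an odd byte count reads one position past the reported length on its last iteration. Whether that read stays inside the string's buffer depends on GooString internals that are not shown here. Tightening the condition, e.g. `while (j + (isUnicode ? 1 : 0) < s1->getLength()) {`, keeps every access within the length. The same decode block now appears three times in `main`; moving it into one helper would let this be fixed in a single place.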
diff --git a/poppler_CVE-2018-19149.patch b/poppler_CVE-2018-19149.patch new file mode 100644 index 0000000..981bcee --- /dev/null +++ b/poppler_CVE-2018-19149.patch 
@@ -0,0 +1,51 @@ +diff -rupN poppler-0.67.0/glib/poppler-attachment.cc poppler-0.67.0-new/glib/poppler-attachment.cc +--- poppler-0.67.0/glib/poppler-attachment.cc 2018-07-19 23:20:03.000000000 +0200 ++++ poppler-0.67.0-new/glib/poppler-attachment.cc 2018-12-20 11:58:45.239936351 +0100 +@@ -111,17 +111,25 @@ _poppler_attachment_new (FileSpec *emb_f + attachment->description = _poppler_goo_string_to_utf8 (emb_file->getDescription ()); + + embFile = emb_file->getEmbeddedFile(); +- attachment->size = embFile->size (); ++ if (embFile != NULL && embFile->streamObject()->isStream()) ++ { ++ attachment->size = embFile->size (); + +- if (embFile->createDate ()) +- _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime); +- if (embFile->modDate ()) +- _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime); ++ if (embFile->createDate ()) ++ _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime); ++ if (embFile->modDate ()) ++ _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime); + +- if (embFile->checksum () && embFile->checksum ()->getLength () > 0) +- attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (), +- embFile->checksum ()->getLength ()); +- priv->obj_stream = embFile->streamObject()->copy(); ++ if (embFile->checksum () && embFile->checksum ()->getLength () > 0) ++ attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (), ++ embFile->checksum ()->getLength ()); ++ priv->obj_stream = embFile->streamObject()->copy(); ++ } ++ else ++ { ++ g_warning ("Missing stream object for embedded file"); ++ g_clear_object (&attachment); ++ } + + return attachment; + } +diff -rupN poppler-0.67.0/glib/poppler-document.cc poppler-0.67.0-new/glib/poppler-document.cc +--- poppler-0.67.0/glib/poppler-document.cc 2018-07-19 23:20:03.000000000 +0200 ++++ poppler-0.67.0-new/glib/poppler-document.cc 2018-12-20 
11:58:45.239936351 +0100 +@@ -666,7 +666,8 @@ poppler_document_get_attachments (Popple + attachment = _poppler_attachment_new (emb_file); + delete emb_file; + +- retval = g_list_prepend (retval, attachment); ++ if (attachment != NULL) ++ retval = g_list_prepend (retval, attachment); + } + return g_list_reverse (retval); + } diff --git a/poppler_isystem.patch b/poppler_isystem.patch index f432c78..2805a7e 100644 --- a/poppler_isystem.patch +++ b/poppler_isystem.patch @@ -1,6 +1,6 @@ diff -rupN poppler-0.67.0/glib/CMakeLists.txt poppler-0.67.0-new/glib/CMakeLists.txt --- poppler-0.67.0/glib/CMakeLists.txt 2018-07-19 23:20:03.000000000 +0200 -+++ poppler-0.67.0-new/glib/CMakeLists.txt 2018-08-14 10:39:06.699961906 +0200 ++++ poppler-0.67.0-new/glib/CMakeLists.txt 2018-12-20 11:58:45.002936522 +0100 @@ -4,7 +4,6 @@ include_directories( )
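Review bot: `_poppler_attachment_new` can now return NULL (after `g_clear_object (&attachment)`), which is a new contract for its callers. This patch updates only `poppler_document_get_attachments`, so any other caller outside these hunks would need the same `attachment != NULL` check. A comment above the function stating that it returns NULL when the embedded file has no stream object would make that explicit. The guard spells the test as `embFile->streamObject()->isStream()`, whereas the pdfdetach backport in this commit uses `embFile->isOk()`; if both express the same condition, using `isOk()` here would keep the checks consistent.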