diff --git a/mupdf-1.11-CVE-2017-15369.patch b/mupdf-1.11-CVE-2017-15369.patch
new file mode 100644
index 0000000..3b62e96
--- /dev/null
+++ b/mupdf-1.11-CVE-2017-15369.patch
@@ -0,0 +1,45 @@
+From c2663e51238ec8256da7fc61ad580db891d9fe9a Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen
+Date: Mon, 25 Sep 2017 13:04:11 +0200
+Subject: [PATCH] Bug 698592: Mark variable fz_var(), avoiding optimization.
+
+The change in 2707fa9e8e6d17d794330e719dec1b08161fb045
+in build_filter_chain() allows for the variable chain
+to reside in a register, which means that the bug is
+likely to only be visible if built under optimization.
+
+First the chain variable is transferred to chain2, then
+set to NULL, then when an exception occurs in build_filter()
+the filter chain will be freed by build_filter(). Next
+the expectation is that execution proceeds to fz_catch()
+where fz_drop_stream() would be called with chain == NULL.
+
+However due to the chain variable residing in a register,
+its value is not NULL as expected, but was reset to its
+original value upon the exception (since they use setjmp()),
+hence fz_drop_stream() is called with a non-NULL value.
+
+Marking the chain variable with fz_var() prevents the
+compiler from allowing the chain variable to reside in
+a register and hence its value will remain NULL and
+never be reset.
+---
+ source/pdf/pdf-stream.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
+index baf9f0a..56592b0 100644
+--- a/source/pdf/pdf-stream.c
++++ b/source/pdf/pdf-stream.c
+@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
+ pdf_obj *p;
+ int i, n;
+
++ fz_var(chain);
++
+ fz_try(ctx)
+ {
+ n = pdf_array_len(ctx, fs);
+--
+2.9.1
+
diff --git a/mupdf-1.11-CVE-2017-15587.patch b/mupdf-1.11-CVE-2017-15587.patch
new file mode 100644
index 0000000..0640979
--- /dev/null
+++ b/mupdf-1.11-CVE-2017-15587.patch
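Review bot: The backported fix marks only `chain` with fz_var(), yet the commit message it carries says `chain` is first copied into `chain2` before being cleared; if `chain2` is also assigned inside fz_try() and read after fz_catch(), it has the same register-clobber hazard across setjmp()/longjmp() and would need `fz_var(chain2);` too. build_filter_chain() starts and ends outside the two-line hunk, so whether chain2 is a local that is written in the try block cannot be confirmed from this page; it should be checked against the full function in source/pdf/pdf-stream.c before the patch ships. A short comment above the added line, e.g. `/* chain is cleared inside fz_try and read in fz_catch; keep it out of a register across longjmp */`, would keep a later cleanup from deleting a call that looks like a no-op.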
@@ -0,0 +1,26 @@
+From 82df2631d7d0446b206ea6b434ea609b6c28b0e8 Mon Sep 17 00:00:00 2001
+From: Tor Andersson
+Date: Mon, 16 Oct 2017 13:14:25 +0200
+Subject: [PATCH] Check for integer overflow when validating new style xref
+ Index.
+
+---
+ source/pdf/pdf-xref.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 66bd0ed..6292793 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
+ pdf_xref_entry *table;
+ int i, n;
+
+- if (i0 < 0 || i1 < 0)
++ if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+ //if (i0 + i1 > pdf_xref_len(ctx, doc))
+ // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
+--
+2.9.1
+
diff --git a/mupdf.spec b/mupdf.spec
index 99b1a25..ee07d77 100644
--- a/mupdf.spec
+++ b/mupdf.spec
@@ -1,6 +1,6 @@
 Name: mupdf
 Version: 1.11
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: A lightweight PDF viewer and toolkit
 Group: Applications/Publishing
 License: GPLv3
@@ -13,6 +13,8 @@ BuildRequires: libjpeg-devel freetype-devel libXext-devel curl-devel
 BuildRequires: harfbuzz-devel
 BuildRequires: glfw-devel mesa-libGL-devel
 Patch0: %{name}-1.11-openjpeg.patch
+Patch1: %{name}-1.11-CVE-2017-15369.patch
+Patch2: %{name}-1.11-CVE-2017-15587.patch
 
 %description
 
@@ -44,6 +46,8 @@ applications that use mupdf and static libraries
 %setup -q -n %{name}-%{version}-source
 rm -rf thirdparty
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
@@ -81,6 +85,10 @@ update-desktop-database &> /dev/null || :
 %{_libdir}/lib%{name}*.a
 
 %changelog
+* Sat Nov 11 2017 Michael J Gruber - 1.11-9
+* CVE-2017-15369
+* CVE-2017-15587
+
 * Sat Nov 11 2017 Michael J Gruber - 1.11-8
 * repair FTBFS from version specific patch in 412e729 ("New release 1.11", 2017-04-11)
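Review bot: The new `(i0+i1) < 0` guard depends on signed int addition wrapping, which is undefined behaviour in C; because `i0` and `i1` are proven non-negative earlier on the same line, an optimising compiler may conclude the sum cannot be negative and discard the test, leaving the overflow it was added to catch unchecked. Express the bound without overflowing: `if (i0 < 0 || i1 < 0 || i1 > INT_MAX - i0)` (requires `<limits.h>`, which pdf-xref.c may already include — confirm). The commented-out comparison against pdf_xref_len() is left disabled, so the sum is still only tested against zero and not against the table size; pdf_read_new_xref_section() starts and ends outside the hunk.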