From: Daniel Sabogal To: alpine-aports@lists.alpinelinux.org Subject: [alpine-aports] [PATCH 2/2 3.5-stable] main/mupdf: fix for CVE-2017-5991 Date: Thu, 9 Mar 2017 11:49:08 -0500 Message-Id: <20170309164908.17024-3-dsabogalcc@gmail.com> X-Mailer: git-send-email 2.11.1 In-Reply-To: <20170309164908.17024-1-dsabogalcc@gmail.com> References: <20170309164908.17024-1-dsabogalcc@gmail.com> X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: --- main/mupdf/APKBUILD | 14 +++++-- main/mupdf/CVE-2017-5991.patch | 91 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+), 4 deletions(-) create mode 100644 main/mupdf/CVE-2017-5991.patch diff --git a/main/mupdf/APKBUILD b/main/mupdf/APKBUILD index a9ade1b397..166d6d5075 100644 --- a/main/mupdf/APKBUILD +++ b/main/mupdf/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Daniel Sabogal pkgname=mupdf pkgver=1.10a -pkgrel=1 +pkgrel=2 pkgdesc="A lightweight PDF and XPS viewer" url="http://mupdf.com" arch="all" @@ -17,9 +17,12 @@ source="http://mupdf.com/downloads/archive/$pkgname-$pkgver-source.tar.gz shared-lib.patch openjpeg-2.1.patch CVE-2017-5896.patch + CVE-2017-5991.patch " # secfixes: +# 1.10a-r2: +# - CVE-2017-5991 # 1.10a-r1: # - CVE-2017-5896 
@@ -82,12 +85,15 @@ _tools() { md5sums="f80fbba2524d1d52f6ed09237d382411 mupdf-1.10a-source.tar.gz 8c4c5ec03c3df7e87a672c79302f6df5 shared-lib.patch a5b85a55be0e958c16f900730ff24ad8 openjpeg-2.1.patch -64d2931655dbea67a291032221b67e10 CVE-2017-5896.patch" +64d2931655dbea67a291032221b67e10 CVE-2017-5896.patch +1c10386d9b536669c5c787b3b1585d6f CVE-2017-5991.patch" sha256sums="aacc1f36b9180f562022ef1ab3439b009369d944364f3cff8a2a898834e3a836 mupdf-1.10a-source.tar.gz 3ff3c9413c4c1005db7e41a085ce8e72ee1e956e8d1538a615f51f86f8bb1d14 shared-lib.patch 12ea2a295b62ca85298273d54b423ec8e73fb52d712bcee20bab0507a595b7a0 openjpeg-2.1.patch -23994ce0dc819b29f983328503d073595d56d75fd1001674d30275170fe96792 CVE-2017-5896.patch" +23994ce0dc819b29f983328503d073595d56d75fd1001674d30275170fe96792 CVE-2017-5896.patch +c600d516648c6324069930ea6b606a0a040dfaf7a9d3d323156c5e7d80bc4eb9 CVE-2017-5991.patch" sha512sums="8c735963364985e74ceb38242afae555a3d2ee7c69abe3fe5c485e8613a83d996a58f231cb689a156019d431fa67d565503247d010b0a404054850483aed9fec mupdf-1.10a-source.tar.gz bc38cc6935ed1c5941773e0671bea25d33897c1018c30f11ff3a1ec1e583276597f521b9e526f9bd38a6f9a1e76aa3e52782995ded72a618d07811abcd7ca734 shared-lib.patch bfb509c529e26c3d2dc827298ce3a6083640fbe3fd7491560ffb1e8f86d62bbd4a5d52721079caef8a38d6f332132b581859276000b397f9512673eedb0315a7 openjpeg-2.1.patch -e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7 CVE-2017-5896.patch" +e9f29b909e016967fc9e6ca6723d63aecfea5c8aeadbd923bbf8a0fa1f4b0e16bd4eedac178bbf5fa359e47a55aa307b6581c6ce45b177ee12430f41c0b49cd7 CVE-2017-5896.patch +b65a9dce7ba239be788d144c27edb7528ebcf08ead4defe887a08d7879cf72ca3b172a9a33ec3f9426743f45ecb9aac17baf1b526bf5f880beb00bdd84bdc42a CVE-2017-5991.patch" diff --git a/main/mupdf/CVE-2017-5991.patch b/main/mupdf/CVE-2017-5991.patch new file mode 100644 index 0000000000..d19d2e6c4e --- /dev/null +++ b/main/mupdf/CVE-2017-5991.patch 
@@ -0,0 +1,91 @@ +From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Thu, 9 Feb 2017 15:49:15 +0000 +Subject: [PATCH] Bug 697500: Fix NULL ptr access. + +Cope better with errors during rendering - avoid letting the +gstate stack get out of sync. + +This avoids us ever getting into the situation of popping +a clip when we should be popping a mask or a group. This was +causing an unexpected case in the painting. +--- + source/pdf/pdf-op-run.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c +index a3ea895..f1eac8d 100644 +--- a/source/pdf/pdf-op-run.c ++++ b/source/pdf/pdf-op-run.c +@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + pdf_run_processor *pr = (pdf_run_processor *)proc; + pdf_gstate *gstate = NULL; + int oldtop = 0; ++ int oldbot = -1; + fz_matrix local_transform = *transform; + softmask_save softmask = { NULL }; + int gparent_save; +@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + fz_var(cleanup_state); + fz_var(gstate); + fz_var(oldtop); ++ fz_var(oldbot); + + gparent_save = pr->gparent; + pr->gparent = pr->gtop; ++ oldtop = pr->gtop; + + fz_try(ctx) + { + pdf_gsave(ctx, pr); + + gstate = pr->gstate + pr->gtop; +- oldtop = pr->gtop; + + pdf_xobject_bbox(ctx, xobj, &xobj_bbox); + pdf_xobject_matrix(ctx, xobj, &xobj_matrix); +@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + + doc = pdf_get_bound_document(ctx, xobj->obj); + ++ oldbot = pr->gbot; ++ pr->gbot = pr->gtop; ++ + pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL); + } + fz_always(ctx) + { ++ /* Undo any gstate mismatches due to the pdf_process_contents call */ ++ if (oldbot != -1) ++ { ++ while (pr->gtop > pr->gbot) ++ { ++ pdf_grestore(ctx, pr); ++ } ++ 
pr->gbot = oldbot; ++ } ++ + if (cleanup_state >= 3) +- pdf_grestore(ctx, pr); /* Remove the clippath */ ++ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */ + + /* wrap up transparency stacks */ + if (transparency) +@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf + pr->gstate[pr->gparent].ctm = gparent_save_ctm; + pr->gparent = gparent_save; + +- if (gstate) +- { +- while (oldtop < pr->gtop) +- pdf_grestore(ctx, pr); +- ++ while (oldtop < pr->gtop) + pdf_grestore(ctx, pr); +- } + + pdf_unmark_obj(ctx, xobj->obj); + } +-- +2.9.1 + -- 2.11.1 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
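Review bot: In the main/mupdf/APKBUILD hunk, the new CVE-2017-5991.patch entry in source= and the 1.10a-r2 secfixes entry carry no pointer to where the fix came from, and the commit message has no body. The patch file itself names upstream commit 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 and Bug 697500; repeating both in the commit message would let anyone auditing the 3.5-stable backport compare it against upstream without opening the patch. The pkgrel bump to 2 and the 1.10a-r2 secfixes key agree with each other.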
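Review bot: In the pdf-op-run.c hunk at @@ -1232, moving "oldtop = pr->gtop;" above fz_try silently changes what oldtop means: it used to record the stack top after pdf_gsave and now records it before. The final hunk depends on that, since the single "while (oldtop < pr->gtop) pdf_grestore(ctx, pr);" loop is now the only thing that pops the state pdf_gsave pushed. A one-line comment at the assignment saying that oldtop is the pre-gsave depth would keep a later edit from moving it back inside the try block and leaving one gstate on the stack.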
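Review bot: In the pdf-op-run.c hunk at @@ -1302, "pr->gbot = pr->gtop;" raises the stack floor with no comment saying why, and the only record that the floor was changed is the -1 sentinel tested by "if (oldbot != -1)". The added comment in fz_always explains the unwind but not the floor, so a note at the assignment that the floor is raised for the duration of pdf_process_contents and restored from oldbot afterwards would make the pairing explicit. The unwind loop "while (pr->gtop > pr->gbot)" also terminates only if every pdf_grestore call lowers pr->gtop, which these lines do not show and is worth confirming against pdf_grestore in 1.10a.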