authorJuergen Daubert <jue@jue.li>2017-11-07 18:52:12 +0100
committerJuergen Daubert <jue@jue.li>2017-11-07 18:52:12 +0100
commit19c238d66e7631a695f717c2afb0b43a9b3d2dee (patch)
treec3e7a7fcea39a93e02c3484f8d4846d938a53cd4 /mupdf
parent9d1ff45b6f327f3a905fb522276d7af0896e18d3 (diff)
[notify] security fixes for CVE-2017-{14685,14686,14687,15587}
see http://www.cvedetails.com/vulnerability-list/vendor_id-10846/product_id-20840/year-2017/Artifex-Mupdf.html
Diffstat (limited to 'mupdf')
-rw-r--r--mupdf/.md5sum4
-rw-r--r--mupdf/.signature8
-rw-r--r--mupdf/CVE-2017-14685.patch26
-rw-r--r--mupdf/CVE-2017-14686.patch26
-rw-r--r--mupdf/CVE-2017-14687.patch122
-rw-r--r--mupdf/CVE-2017-15587.patch26
-rw-r--r--mupdf/Pkgfile10
7 files changed, 218 insertions, 4 deletions
diff --git a/mupdf/.md5sum b/mupdf/.md5sum
index 4c796f0b8..d61b1b520 100644
--- a/mupdf/.md5sum
+++ b/mupdf/.md5sum
@@ -1 +1,5 @@
+ae097201b362bc58fd75b51d7c6fe42b CVE-2017-14685.patch
+998048b4fe608696a272cb2a14952976 CVE-2017-14686.patch
+cafedbc55e43c18bb637dde7d65ea0c8 CVE-2017-14687.patch
+56290af93197efb585ceb67eb778b706 CVE-2017-15587.patch
ab9a6629f572225e803c4cf426bdb09c mupdf-1.11-source.tar.gz
diff --git a/mupdf/.signature b/mupdf/.signature
index b884c4a5c..050789138 100644
--- a/mupdf/.signature
+++ b/mupdf/.signature
@@ -1,5 +1,9 @@
untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/TjHZSlyXiGNKATgLUJf2J5WDdkYtouMMWjI/cpT7ZMk2zgGRXBKftZUU0NlZQG0jeG+qtNjcN4dQ9EolwHbowk=
-SHA256 (Pkgfile) = 74b8f807c16ebcb0e5b136874551078a34304ea5e8c7a5125c3d297d5d33f2b5
+RWSE3ohX2g5d/fpadTpCZzmMLuXrlc1l6RJ6rPSVI8LXGJ0LqM/G6+PYnyeSQ76f6UtW7Hb7guZwDpEyjQqjfU8MbI8erLtGuQM=
+SHA256 (Pkgfile) = 98ba17357685d3ba8bab3dc1994e5774717ea19769035bdc7ee30c6bd0c30da2
SHA256 (.footprint) = be0289826affec677e3cf44cd775c3f2a18c27bbe38d50d439460234b4f3da24
SHA256 (mupdf-1.11-source.tar.gz) = 209474a80c56a035ce3f4958a63373a96fad75c927c7b1acdc553fc85855f00a
+SHA256 (CVE-2017-14685.patch) = 86f48971516962a7ff454f9a4354145b560966bf5e0c35ec18c32920f9551d88
+SHA256 (CVE-2017-14686.patch) = 2c143f3d7b40a9db575038332118dd7f954130e195c04c54f4da56885d3d765e
+SHA256 (CVE-2017-14687.patch) = 4d423d717ddca66061bfe6feadeaa819db49e613b329e6c498e3db96390b6407
+SHA256 (CVE-2017-15587.patch) = c90e900cfa19855bf784d10443f08b31ce328572843c7186795f71e00fe76e12
diff --git a/mupdf/CVE-2017-14685.patch b/mupdf/CVE-2017-14685.patch
new file mode 100644
index 000000000..a93652625
--- /dev/null
+++ b/mupdf/CVE-2017-14685.patch
@@ -0,0 +1,26 @@
+From ab1a420613dec93c686acbee2c165274e922f82a Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 19 Sep 2017 15:23:04 +0200
+Subject: [PATCH] Fix 698539: Don't use xps font if it could not be loaded.
+
+xps_load_links_in_glyphs did not cope with font loading failures.
+---
+ source/xps/xps-link.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/xps/xps-link.c b/source/xps/xps-link.c
+index c07e0d7..c26a8d9 100644
+--- a/source/xps/xps-link.c
++++ b/source/xps/xps-link.c
+@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct
+ bidi_level = atoi(bidi_level_att);
+
+ font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att);
++ if (!font)
++ return;
+ text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att),
+ fz_atof(origin_x_att), fz_atof(origin_y_att),
+ is_sideways, bidi_level, indices_att, unicode_att);
+--
+2.9.1
+
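Review bot: The new `if (!font) return;` in xps_load_links_in_glyphs carries no comment explaining why a NULL font is expected at this point, and because the function returns void the caller cannot tell that link extraction was skipped. A one-line comment above the check would record the intent: `/* font resource could not be loaded: skip link extraction rather than pass NULL to xps_parse_glyphs_imp */`. If xps_lookup_font does not already emit a warning on failure (it is not visible in this hunk), a `fz_warn` here would make malformed XPS input easier to triage. The function body starts and ends outside the hunk.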
diff --git a/mupdf/CVE-2017-14686.patch b/mupdf/CVE-2017-14686.patch
new file mode 100644
index 000000000..f0e7a6bad
--- /dev/null
+++ b/mupdf/CVE-2017-14686.patch
@@ -0,0 +1,26 @@
+From 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 19 Sep 2017 16:33:38 +0200
+Subject: [PATCH] Fix 698540: Check name, comment and meta size field signs.
+
+---
+ source/fitz/unzip.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source/fitz/unzip.c b/source/fitz/unzip.c
+index f2d4f32..0bcce0f 100644
+--- a/source/fitz/unzip.c
++++ b/source/fitz/unzip.c
+@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off
+ (void) fz_read_int32_le(ctx, file); /* ext file atts */
+ offset = fz_read_int32_le(ctx, file);
+
++ if (namesize < 0 || metasize < 0 || commentsize < 0)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
++
+ name = fz_malloc(ctx, namesize + 1);
+ n = fz_read(ctx, file, (unsigned char*)name, namesize);
+ if (n < (size_t)namesize)
+--
+2.9.1
+
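Review bot: The added sign check in read_zip_dir_imp covers `namesize`, `metasize` and `commentsize`, but `offset` is read from the same untrusted central-directory record with `fz_read_int32_le` on the line just above and is not part of the check. If a negative or out-of-range `offset` is not rejected where it is later used (that code is outside the hunk), it deserves the same treatment, either here or at the point of use, by comparing it against the archive size. A short comment above the check, such as `/* sizes come from the file and are signed; reject negatives before they reach fz_malloc and the size_t cast below */`, would also document why the test has to precede `fz_malloc(ctx, namesize + 1)`.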
diff --git a/mupdf/CVE-2017-14687.patch b/mupdf/CVE-2017-14687.patch
new file mode 100644
index 000000000..d08d895d8
--- /dev/null
+++ b/mupdf/CVE-2017-14687.patch
@@ -0,0 +1,122 @@
+From 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 19 Sep 2017 17:17:12 +0200
+Subject: [PATCH] Fix 698558: Handle non-tags in tag name comparisons.
+
+Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom.
+---
+ source/html/css-apply.c | 2 +-
+ source/svg/svg-run.c | 2 +-
+ source/xps/xps-common.c | 6 +++---
+ source/xps/xps-glyphs.c | 2 +-
+ source/xps/xps-path.c | 4 ++--
+ source/xps/xps-resource.c | 2 +-
+ 6 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source/html/css-apply.c b/source/html/css-apply.c
+index de55490..6a91df0 100644
+--- a/source/html/css-apply.c
++++ b/source/html/css-apply.c
+@@ -328,7 +328,7 @@ match_selector(fz_css_selector *sel, fz_xml *node)
+
+ if (sel->name)
+ {
+- if (strcmp(sel->name, fz_xml_tag(node)))
++ if (!fz_xml_is_tag(node, sel->name))
+ return 0;
+ }
+
+diff --git a/source/svg/svg-run.c b/source/svg/svg-run.c
+index f974c67..5302c64 100644
+--- a/source/svg/svg-run.c
++++ b/source/svg/svg-run.c
+@@ -1044,7 +1044,7 @@ svg_run_use(fz_context *ctx, fz_device *dev, svg_document *doc, fz_xml *root, co
+ fz_xml *linked = fz_tree_lookup(ctx, doc->idmap, xlink_href_att + 1);
+ if (linked)
+ {
+- if (!strcmp(fz_xml_tag(linked), "symbol"))
++ if (fz_xml_is_tag(linked, "symbol"))
+ svg_run_use_symbol(ctx, dev, doc, root, linked, &local_state);
+ else
+ svg_run_element(ctx, dev, doc, linked, &local_state);
+diff --git a/source/xps/xps-common.c b/source/xps/xps-common.c
+index cc7fed9..f2f9b93 100644
+--- a/source/xps/xps-common.c
++++ b/source/xps/xps-common.c
+@@ -47,7 +47,7 @@ xps_parse_brush(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, const
+ else if (fz_xml_is_tag(node, "RadialGradientBrush"))
+ xps_parse_radial_gradient_brush(ctx, doc, ctm, area, base_uri, dict, node);
+ else
+- fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node));
++ fz_warn(ctx, "unknown brush tag");
+ }
+
+ void
+@@ -85,7 +85,7 @@ xps_begin_opacity(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, cons
+ if (opacity_att)
+ opacity = fz_atof(opacity_att);
+
+- if (opacity_mask_tag && !strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+ {
+ char *scb_opacity_att = fz_xml_att(opacity_mask_tag, "Opacity");
+ char *scb_color_att = fz_xml_att(opacity_mask_tag, "Color");
+@@ -129,7 +129,7 @@ xps_end_opacity(fz_context *ctx, xps_document *doc, char *base_uri, xps_resource
+
+ if (opacity_mask_tag)
+ {
+- if (strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
++ if (!fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
+ fz_pop_clip(ctx, dev);
+ }
+ }
+diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
+index 29dc5b3..5b26d78 100644
+--- a/source/xps/xps-glyphs.c
++++ b/source/xps/xps-glyphs.c
+@@ -592,7 +592,7 @@ xps_parse_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ctm,
+
+ /* If it's a solid color brush fill/stroke do a simple fill */
+
+- if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+ {
+ fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+ fill_att = fz_xml_att(fill_tag, "Color");
+diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
+index 6faeb0c..021d202 100644
+--- a/source/xps/xps-path.c
++++ b/source/xps/xps-path.c
+@@ -879,14 +879,14 @@ xps_parse_path(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, char *b
+ if (!data_att && !data_tag)
+ return;
+
+- if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
+ {
+ fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
+ fill_att = fz_xml_att(fill_tag, "Color");
+ fill_tag = NULL;
+ }
+
+- if (stroke_tag && !strcmp(fz_xml_tag(stroke_tag), "SolidColorBrush"))
++ if (fz_xml_is_tag(stroke_tag, "SolidColorBrush"))
+ {
+ stroke_opacity_att = fz_xml_att(stroke_tag, "Opacity");
+ stroke_att = fz_xml_att(stroke_tag, "Color");
+diff --git a/source/xps/xps-resource.c b/source/xps/xps-resource.c
+index c2292e6..8e81ab8 100644
+--- a/source/xps/xps-resource.c
++++ b/source/xps/xps-resource.c
+@@ -84,7 +84,7 @@ xps_parse_remote_resource_dictionary(fz_context *ctx, xps_document *doc, char *b
+ if (!xml)
+ return NULL;
+
+- if (strcmp(fz_xml_tag(xml), "ResourceDictionary"))
++ if (!fz_xml_is_tag(xml, "ResourceDictionary"))
+ {
+ fz_drop_xml(ctx, xml);
+ fz_throw(ctx, FZ_ERROR_GENERIC, "expected ResourceDictionary element");
+--
+2.9.1
+
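Review bot: In xps_parse_brush (source/xps/xps-common.c) the warning is reduced to `fz_warn(ctx, "unknown brush tag");`, which avoids handing a possibly NULL name to `%s` but also loses the tag name for genuine, unrecognised elements. Assuming fz_xml_tag returns NULL for non-tag nodes, as the commit message implies, the name can be kept safely with `const char *tag = fz_xml_tag(node);` followed by `fz_warn(ctx, "unknown brush tag: %s", tag ? tag : "(not an element)");`. Separately, the xps-common.c, xps-glyphs.c and xps-path.c changes drop the explicit `fill_tag &&` / `stroke_tag &&` / `opacity_mask_tag &&` guards, so they now depend on fz_xml_is_tag accepting a NULL node; that helper is not shown on this page and the assumption should be confirmed against the 1.11 source being patched.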
diff --git a/mupdf/CVE-2017-15587.patch b/mupdf/CVE-2017-15587.patch
new file mode 100644
index 000000000..06409794f
--- /dev/null
+++ b/mupdf/CVE-2017-15587.patch
@@ -0,0 +1,26 @@
+From 82df2631d7d0446b206ea6b434ea609b6c28b0e8 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Mon, 16 Oct 2017 13:14:25 +0200
+Subject: [PATCH] Check for integer overflow when validating new style xref
+ Index.
+
+---
+ source/pdf/pdf-xref.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 66bd0ed..6292793 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
+ pdf_xref_entry *table;
+ int i, n;
+
+- if (i0 < 0 || i1 < 0)
++ if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+ //if (i0 + i1 > pdf_xref_len(ctx, doc))
+ // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
+--
+2.9.1
+
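Review bot: The added `(i0+i1) < 0` test in pdf_read_new_xref_section only detects the overflow after the signed addition has already happened, and signed overflow is undefined behaviour in C, so an optimising compiler may reason that two non-negative ints sum to a non-negative value and remove the check. Comparing against the limit before adding avoids that: `if (i0 < 0 || i1 < 0 || i1 > INT_MAX - i0)` (this needs `<limits.h>` if the file does not already include it). The upper-bound check against pdf_xref_len just below remains commented out, so this guard is the only bound on `i0 + i1` visible in the hunk; the function body continues outside it.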
diff --git a/mupdf/Pkgfile b/mupdf/Pkgfile
index 70e2d30fe..1db8346ef 100644
--- a/mupdf/Pkgfile
+++ b/mupdf/Pkgfile
@@ -5,12 +5,18 @@
name=mupdf
version=1.11
-release=1
-source=(http://mupdf.com/downloads/$name-$version-source.tar.gz)
+release=2
+source=(http://mupdf.com/downloads/$name-$version-source.tar.gz
+ CVE-2017-{14685,14686,14687,15587}.patch)
build() {
cd $name-$version-source
+ patch -p1 -i $SRC/CVE-2017-14685.patch
+ patch -p1 -i $SRC/CVE-2017-14686.patch
+ patch -p1 -i $SRC/CVE-2017-14687.patch
+ patch -p1 -i $SRC/CVE-2017-15587.patch
+
rm -r thirdparty/{freetype,libjpeg,zlib,curl,harfbuzz}
make XCFLAGS="-fpic" build=release
