diff options
| author | Predrag Ivanovic <predivan@mts.rs> | 2017-08-17 16:29:39 +0200 |
|---|---|---|
| committer | Fredrik Rinnestam <fredrik@crux.nu> | 2017-08-17 22:13:36 +0200 |
| commit | f6570385db2d33d5a4344ef944345ba1da9cc3a1 (patch) | |
| tree | 5e6a8d401a9dee19a4d2a134ce3824474e2d47bc /qpdf | |
| parent | 4b20258a73f5f8a84685366873509684ff5dc7ff (diff) | |
| download | opt-f6570385db2d33d5a4344ef944345ba1da9cc3a1.tar.gz opt-f6570385db2d33d5a4344ef944345ba1da9cc3a1.tar.xz | |
qpdf: Patch CVE-2017-{9208,9209,9210}
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1454820
Diffstat (limited to 'qpdf')
| -rw-r--r-- | qpdf/.md5sum | 4 | ||||
| -rw-r--r-- | qpdf/.signature | 5 | ||||
| -rw-r--r-- | qpdf/Pkgfile | 14 | ||||
| -rw-r--r-- | qpdf/qpdf-6.0.0-CVE-2017-9208.patch | 36 | ||||
| -rw-r--r-- | qpdf/qpdf-6.0.0-CVE-2017-9209.patch | 37 | ||||
| -rw-r--r-- | qpdf/qpdf-6.0.0-CVE-2017-9210.patch | 13 | ||||
| -rw-r--r-- | qpdf/qpdf-6.0.0-detect-recursions.patch | 61 |
7 files changed, 163 insertions, 7 deletions
diff --git a/qpdf/.md5sum b/qpdf/.md5sum index 74ebe5ded..aaf973f6c 100644 --- a/qpdf/.md5sum +++ b/qpdf/.md5sum @@ -1 +1,5 @@ +b3cc65446adae1fe4f164c010c59f64b qpdf-6.0.0-CVE-2017-9208.patch +491486ccdfddc450f2c3b1414eb369f9 qpdf-6.0.0-CVE-2017-9209.patch +5713ad31faa151c1b7bd9064d820a367 qpdf-6.0.0-CVE-2017-9210.patch +c9457b6f4430f43fe7aaad93736bd67a qpdf-6.0.0-detect-recursions.patch e014bd3ecf1c4d1a520bbc14d84ac20e qpdf-6.0.0.tar.gz diff --git a/qpdf/.signature b/qpdf/.signature deleted file mode 100644 index cc7b5644e..000000000 --- a/qpdf/.signature +++ /dev/null @@ -1,5 +0,0 @@ -untrusted comment: verify with /etc/ports/opt.pub -RWSE3ohX2g5d/SgNXvxSnvi9WfYZ5yJZsFzdUiNb2UZGqPtWlrpfzmammdTilXO4kVjmqyTaEa6KtkRl+ptQvVuHbpuYAuCygwM= -SHA256 (Pkgfile) = 0296edc5293d7e31d19e379e923c4b34560991b6fadab1f53bdf97946db22f07 -SHA256 (.footprint) = 85e6362fb2da951b8318d1de30c3cb3607fb78de108a8348944a3cb992cd37c3 -SHA256 (qpdf-6.0.0.tar.gz) = a9fdc7e94d38fcd3831f37b6e0fe36492bf79aa6d54f8f66062cf7f9c4155233 diff --git a/qpdf/Pkgfile b/qpdf/Pkgfile index 9764cb6fd..9d1ad834a 100644 --- a/qpdf/Pkgfile +++ b/qpdf/Pkgfile @@ -5,11 +5,21 @@ name=qpdf version=6.0.0 -release=2 -source=(http://downloads.sourceforge.net/project/$name/$name/$version/$name-$version.tar.gz) +release=3 +source=(http://downloads.sourceforge.net/project/$name/$name/$version/$name-$version.tar.gz + qpdf-6.0.0-detect-recursions.patch + qpdf-6.0.0-CVE-2017-9208.patch + qpdf-6.0.0-CVE-2017-9209.patch + qpdf-6.0.0-CVE-2017-9210.patch) build() { cd $name-$version + + patch -p1 -i $SRC/qpdf-6.0.0-detect-recursions.patch + patch -p1 -i $SRC/qpdf-6.0.0-CVE-2017-9208.patch + patch -p1 -i $SRC/qpdf-6.0.0-CVE-2017-9209.patch + patch -p1 -i $SRC/qpdf-6.0.0-CVE-2017-9210.patch + ./configure --prefix=/usr make make DESTDIR=$PKG install diff --git a/qpdf/qpdf-6.0.0-CVE-2017-9208.patch b/qpdf/qpdf-6.0.0-CVE-2017-9208.patch new file mode 100644 index 000000000..0dce30995 --- /dev/null +++ b/qpdf/qpdf-6.0.0-CVE-2017-9208.patch @@ -0,0 +1,36 @@ +diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDF.cc +--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 2017-08-03 08:53:32.806072781 +0200 ++++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-03 08:55:39.529073703 +0200 +@@ -1340,6 +1340,13 @@ QPDF::readObjectAtOffset(bool try_recove + objid = atoi(tobjid.getValue().c_str()); + generation = atoi(tgen.getValue().c_str()); + ++ if (objid == 0) ++ { ++ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(), ++ this->last_object_description, offset, ++ "object with ID 0"); ++ } ++ + if ((exp_objid >= 0) && + (! ((objid == exp_objid) && (generation == exp_generation)))) + { +diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc +--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 2015-11-10 18:48:52.000000000 +0100 ++++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc 2017-08-03 08:54:50.264499428 +0200 +@@ -1090,6 +1090,15 @@ QPDFObjectHandle::parseInternal(PointerH + QPDFObjectHandle + QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation) + { ++ if (objid == 0) ++ { ++ // Special case: QPDF uses objid 0 as a sentinel for direct ++ // objects, and the PDF specification doesn't allow for object ++ // 0. Treat indirect references to object 0 as null so that we ++ // never create an indirect object with objid 0. ++ return newNull(); ++ } ++ + return QPDFObjectHandle(qpdf, objid, generation); + } + diff --git a/qpdf/qpdf-6.0.0-CVE-2017-9209.patch b/qpdf/qpdf-6.0.0-CVE-2017-9209.patch new file mode 100644 index 000000000..6af336f14 --- /dev/null +++ b/qpdf/qpdf-6.0.0-CVE-2017-9209.patch @@ -0,0 +1,37 @@ +diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 qpdf-6.0.0/include/qpdf/QPDF.hh +--- qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 2017-08-03 10:00:17.489291722 +0200 ++++ qpdf-6.0.0/include/qpdf/QPDF.hh 2017-08-03 10:00:17.494291685 +0200 +@@ -1095,6 +1095,7 @@ class QPDF + // copied_stream_data_provider is owned by copied_streams + CopiedStreamDataProvider* copied_stream_data_provider; + std::set<QPDFObjGen> attachment_streams; ++ bool reconstructed_xref; + + // Linearization data + qpdf_offset_t first_xref_item_offset; // actual value from file +diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 qpdf-6.0.0/libqpdf/QPDF.cc +--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 2017-08-03 10:00:17.491291707 +0200 ++++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-03 10:01:43.243661883 +0200 +@@ -93,6 +93,7 @@ QPDF::QPDF() : + cached_key_generation(0), + pushed_inherited_attributes_to_pages(false), + copied_stream_data_provider(0), ++ reconstructed_xref(false), + first_xref_item_offset(0), + uncompressed_after_compressed(false) + { +@@ -331,6 +332,14 @@ QPDF::setTrailer(QPDFObjectHandle obj) + void + QPDF::reconstruct_xref(QPDFExc& e) + { ++ if (this->reconstructed_xref) ++ { ++ // Avoid xref reconstruction infinite loops ++ throw e; ++ } ++ ++ this->reconstructed_xref = true; ++ + PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b"); + PCRE endobj_re("^\\s*endobj\\b"); + PCRE trailer_re("^\\s*trailer\\b"); diff --git a/qpdf/qpdf-6.0.0-CVE-2017-9210.patch b/qpdf/qpdf-6.0.0-CVE-2017-9210.patch new file mode 100644 index 000000000..e3ce8e9a4 --- /dev/null +++ b/qpdf/qpdf-6.0.0-CVE-2017-9210.patch @@ -0,0 +1,13 @@ +diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc +--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210 2017-08-03 10:09:46.670111267 +0200 ++++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc 2017-08-03 10:10:56.430600663 +0200 +@@ -1076,8 +1076,7 @@ QPDFObjectHandle::parseInternal(PointerH + throw QPDFExc( + qpdf_e_damaged_pdf, + input->getName(), object_description, offset, +- std::string("dictionary key not name (") + +- key_obj.unparse() + ")"); ++ std::string("dictionary key is not not a name token")); + } + dict[key_obj.getName()] = val; + } diff --git a/qpdf/qpdf-6.0.0-detect-recursions.patch b/qpdf/qpdf-6.0.0-detect-recursions.patch new file mode 100644 index 000000000..ae87d8080 --- /dev/null +++ b/qpdf/qpdf-6.0.0-detect-recursions.patch @@ -0,0 +1,61 @@ +diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions qpdf-6.0.0/include/qpdf/QPDF.hh +--- qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions 2015-11-10 18:48:52.000000000 +0100 ++++ qpdf-6.0.0/include/qpdf/QPDF.hh 2017-08-02 08:41:17.500831407 +0200 +@@ -603,6 +603,25 @@ class QPDF + int gen; + }; + ++ class ResolveRecorder ++ { ++ public: ++ ResolveRecorder(QPDF* qpdf, QPDFObjGen const& og) : ++ qpdf(qpdf), ++ og(og) ++ { ++ qpdf->resolving.insert(og); ++ } ++ virtual ~ResolveRecorder() ++ { ++ this->qpdf->resolving.erase(og); ++ } ++ private: ++ QPDF* qpdf; ++ QPDFObjGen og; ++ }; ++ friend class ResolveRecorder; ++ + void parse(char const* password); + void warn(QPDFExc const& e); + void setTrailer(QPDFObjectHandle obj); +@@ -1065,6 +1084,7 @@ class QPDF + std::map<QPDFObjGen, QPDFXRefEntry> xref_table; + std::set<int> deleted_objects; + std::map<QPDFObjGen, ObjCache> obj_cache; ++ std::set<QPDFObjGen> resolving; + QPDFObjectHandle trailer; + std::vector<QPDFObjectHandle> all_pages; + std::map<QPDFObjGen, int> pageobj_to_pages_pos; +diff -up qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions qpdf-6.0.0/libqpdf/QPDF.cc +--- qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions 2015-11-10 18:48:52.000000000 +0100 ++++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-02 08:42:19.070393817 +0200 +@@ -1453,6 +1453,20 @@ QPDF::resolve(int objid, int generation) + // to insert things into the object cache that don't actually + // exist in the file. + QPDFObjGen og(objid, generation); ++ if (this->resolving.count(og)) ++ { ++ // This can happen if an object references itself directly or ++ // indirectly in some key that has to be resolved during ++ // object parsing, such as stream length. ++ warn(QPDFExc(qpdf_e_damaged_pdf, this->file->getName(), ++ "", this->file->getLastOffset(), ++ "loop detected resolving object " + ++ QUtil::int_to_string(objid) + " " + ++ QUtil::int_to_string(generation))); ++ return new QPDF_Null; ++ } ++ ResolveRecorder rr(this, og); ++ + if (! this->obj_cache.count(og)) + { + if (! this->xref_table.count(og)) |