Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hi, I would like to upload a squeeze update for poppler, fixing three CVEs (which were deemed minor, hence with no DSA), and a crasher bug and a memory handling issue recently fixed in unstable (and wheezy). The changes are:
* fix CVE-2010-0206:
  - patch straight from upstream
* fix CVE-2010-0207:
  - patch from upstream adapted to be API-/ABI-compatible, even though the functions were private
* fix CVE-2010-4653
  - patch from upstream adapted to include Object.h instead of goo/GooLikely.h (non-existent in poppler 0.12.x)
- fix GooString::insert (#693817)
  - backport the fix
- fix two uninitialized vars in PSOutputDev (#699421)
  - backport the fix
I also added myself as uploader, as I did many months ago. Let me know whether the proposed changes seem okay, and I can upload to stable. Thanks, -- Pino
diff -u poppler-0.12.4/debian/changelog poppler-0.12.4/debian/changelog
--- poppler-0.12.4/debian/changelog
+++ poppler-0.12.4/debian/changelog
@@ -1,3 +1,19 @@
+poppler (0.12.4-1.2+squeeze1) stable; urgency=low
+
+ * Add myself as uploader.
+ * Fix CVE-2010-0206.
+ * Fix CVE-2010-0207; patch adapted to be API-/ABI-compatible.
+ * Fix CVE-2010-4653; patch adapted to include object.h instead
+ of goo/GooLikely.h (non-existent in poppler 0.12.x).
+ * Backport upstream commits 7ba15d11e56175601104d125d5e4a47619c224bf and
+ 55940e989701eb9118015e30f4f48eb654fa34c4 to fix GooString::insert;
+ patch upstream_fix-GooString-insert.diff. (Closes: #693817)
+ * Correctly initialize PSOutputDev::fontFileNameLen and
+ PSOutputDev::psFileNames; patch psoutputdev-initialize-vars.diff.
+ (Closes: #699421)
+
+ -- Pino Toscano <p...@debian.org> Thu, 14 Feb 2013 13:05:25 +0100
+
 poppler (0.12.4-1.2) unstable; urgency=medium
 
 * Non-maintainer upload by the Security Team
diff -u poppler-0.12.4/debian/control poppler-0.12.4/debian/control
--- poppler-0.12.4/debian/control
+++ poppler-0.12.4/debian/control
@@ -4,7 +4,8 @@
 Maintainer: Loic Minier <l...@dooz.org>
 Uploaders: Josselin Mouette <j...@debian.org>,
 Dave Beckett <daj...@debian.org>,
- Ross Burton <r...@debian.org>
+ Ross Burton <r...@debian.org>,
+ Pino Toscano <p...@debian.org>
 Build-Depends: cdbs (>= 0.4.52),
 debhelper (>= 5),
 quilt,
diff -u poppler-0.12.4/debian/patches/series poppler-0.12.4/debian/patches/series
--- poppler-0.12.4/debian/patches/series
+++ poppler-0.12.4/debian/patches/series
@@ -4 +4,6 @@
-04_security.patch
\ No newline at end of file
+04_security.patch
+05_CVE-2010-0206.patch
+06_CVE-2010-0207.patch
+07_CVE-2010-4653.patch
+upstream_fix-GooString-insert.diff
+psoutputdev-initialize-vars.diff
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/psoutputdev-initialize-vars.diff
+++ poppler-0.12.4/debian/patches/psoutputdev-initialize-vars.diff
@@ -0,0 +1,41 @@
+Author: Pino Toscano <p...@debian.org>
+Description: initialize PSOutputDev::fontFileNameLen and PSOutputDev::psFileNames
+ Avoid crashing in ~PSOutputDev when the PSOutputDev instance is not "ok".
+Applied-Upstream: not-needed
+Last-Update: 2013-01-31
+Bug-Debian: http://bugs.debian.org/699421
+
+--- a/poppler/PSOutputDev.cc
++++ b/poppler/PSOutputDev.cc
+@@ -1012,6 +1012,7 @@ PSOutputDev::PSOutputDev(const char *fil
+ fontIDs = NULL;
+ fontFileIDs = NULL;
+ fontFileNames = NULL;
++ fontFileNameLen = 0;
+ font8Info = NULL;
+ font16Enc = NULL;
+ imgIDs = NULL;
+@@ -1022,6 +1023,7 @@ PSOutputDev::PSOutputDev(const char *fil
+ haveTextClip = gFalse;
+ haveCSPattern = gFalse;
+ t3String = NULL;
++ psFileNames = NULL;
+
+ forceRasterize = forceRasterizeA;
+
+@@ -1077,6 +1079,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
+ fontIDs = NULL;
+ fontFileIDs = NULL;
+ fontFileNames = NULL;
++ fontFileNameLen = 0;
+ font8Info = NULL;
+ font16Enc = NULL;
+ imgIDs = NULL;
+@@ -1087,6 +1090,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
+ haveTextClip = gFalse;
+ haveCSPattern = gFalse;
+ t3String = NULL;
++ psFileNames = NULL;
+
+ forceRasterize = forceRasterizeA;
+
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/05_CVE-2010-0206.patch
+++ poppler-0.12.4/debian/patches/05_CVE-2010-0206.patch
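Review bot: The same two initializers had to be added to both PSOutputDev constructors (the hunks at 1012/1022 and again at 1077/1087), which is exactly the duplication that let these fields go uninitialized in the first place; since the 0.12.x codebase cannot use in-class initializers, a one-line comment beside each, `// zeroed here so ~PSOutputDev can run safely even when construction bails out early`, would at least record why the assignment exists. Both constructor bodies continue outside the quoted hunks, so whether any further member read by the destructor is likewise left unset cannot be confirmed from here.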
@@ -0,0 +1,56 @@
+From 30ea3ab8a1eecafb3366aef193910098fdb7ccc8 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Tue, 25 May 2010 23:07:56 +0100
+Subject: [PATCH] Fix crash when parsing pdf in bug 28170
+
+This code is a can of crashing worms :-7
+---
+ poppler/JBIG2Stream.cc | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index 97994bd..f16ad58 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -742,13 +742,18 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
+ Guint xx, yy;
+
+ slice = new JBIG2Bitmap(0, wA, hA);
+- slice->clearToZero();
+- for (yy = 0; yy < hA; ++yy) {
+- for (xx = 0; xx < wA; ++xx) {
+- if (getPixel(x + xx, y + yy)) {
+- slice->setPixel(xx, yy);
++ if (slice->isOk()) {
++ slice->clearToZero();
++ for (yy = 0; yy < hA; ++yy) {
++ for (xx = 0; xx < wA; ++xx) {
++ if (getPixel(x + xx, y + yy)) {
++ slice->setPixel(xx, yy);
++ }
+ }
+ }
++ } else {
++ delete slice;
++ slice = NULL;
+ }
+ return slice;
+ }
+@@ -3224,8 +3229,12 @@ void JBIG2Stream::readGenericRefinementRegionSeg(Guint segNum, GBool imm,
+
+ // store the region bitmap
+ } else {
+- bitmap->setSegNum(segNum);
+- segments->append(bitmap);
++ if (bitmap) {
++ bitmap->setSegNum(segNum);
++ segments->append(bitmap);
++ } else {
++ error(curStr->getPos(), "readGenericRefinementRegionSeg with null bitmap");
++ }
+ }
+
+ // delete the referenced bitmap
+--
+1.7.10
+
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/06_CVE-2010-0207.patch
+++ poppler-0.12.4/debian/patches/06_CVE-2010-0207.patch
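Review bot: getSlice can now return NULL (the `delete slice; slice = NULL;` branch), but the only caller this patch guards is the non-immediate branch of readGenericRefinementRegionSeg; the immediate branch of that same if/else sits above the second hunk, and any other getSlice caller in JBIG2Stream.cc, if one exists, would dereference the null pointer exactly as before. The new contract deserves a comment at the head of getSlice, `// Returns NULL when the slice bitmap cannot be allocated; callers must check.`, so later backports do not rely on the old always-non-null behaviour. readGenericRefinementRegionSeg starts and ends outside the hunk, so the immediate branch cannot be checked from here.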
@@ -0,0 +1,113 @@
+Author: Albert Astals Cid <aa...@kde.org>
+Author: Pino Toscano <p...@debian.org>
+Description: Do not follow loops blindly
+ Fixes CVE-2010-0207.
+ .
+ Patch modified by keeping the readXRef and refXRefTable versions without the
+ additional GooVector parameter to avoid breaking API and ABI, and using
+ operator[int] instead of at(int) with GooVector, as the former does not exist
+ in 0.12.x.
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=28172
+Applied-Upstream: commit:9eda6e8aaae412a9882141d1b5b8c7bf0c823c68
+Last-Update: 2012-06-27
+
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -15,7 +15,7 @@
+ //
+ // Copyright (C) 2005 Dan Sheridan <dan.sheri...@postman.org.uk>
+ // Copyright (C) 2005 Brad Hards <br...@frogmouth.net>
+-// Copyright (C) 2006, 2008 Albert Astals Cid <aa...@kde.org>
++// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aa...@kde.org>
+ // Copyright (C) 2007-2008 Julien Rebetez <juli...@svn.gnome.org>
+ // Copyright (C) 2007 Carlos Garcia Campos <carlo...@gnome.org>
+ // Copyright (C) 2009 Ilya Gorenbein <igorenb...@finjan.com>
+@@ -267,7 +267,8 @@ XRef::XRef(BaseStream *strA) {
+
+ // read the xref table
+ } else {
+- while (readXRef(&pos)) ;
++ GooVector<Guint> followedXRefStm;
++ while (readXRef(&pos, &followedXRefStm)) ;
+
+ // if there was a problem with the xref table,
+ // try to reconstruct it
+@@ -347,6 +348,11 @@ Guint XRef::getStartXref() {
+ // Read one xref table section. Also reads the associated trailer
+ // dictionary, and returns the prev pointer (if any).
+ GBool XRef::readXRef(Guint *pos) {
++ GooVector<Guint> followedXRefStm;
++ return readXRef(pos, &followedXRefStm);
++}
++
++GBool XRef::readXRef(Guint *pos, GooVector<Guint> *followedXRefStm) {
+ Parser *parser;
+ Object obj;
+ GBool more;
+@@ -362,7 +368,7 @@ GBool XRef::readXRef(Guint *pos) {
+ // parse an old-style xref table
+ if (obj.isCmd("xref")) {
+ obj.free();
+- more = readXRefTable(parser, pos);
++ more = readXRefTable(parser, pos, followedXRefStm);
+
+ // parse an xref stream
+ } else if (obj.isInt()) {
+@@ -396,6 +402,11 @@ GBool XRef::readXRef(Guint *pos) {
+ }
+
+ GBool XRef::readXRefTable(Parser *parser, Guint *pos) {
++ GooVector<Guint> followedXRefStm;
++ return readXRefTable(parser, pos, &followedXRefStm);
++}
++
++GBool XRef::readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm) {
+ XRefEntry entry;
+ GBool more;
+ Object obj, obj2;
+@@ -509,7 +520,15 @@ GBool XRef::readXRefTable(Parser *parser
+ // check for an 'XRefStm' key
+ if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
+ pos2 = (Guint)obj2.getInt();
+- readXRef(&pos2);
++ for (uint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i) {
++ if ((*followedXRefStm)[i] == pos2) {
++ ok = gFalse;
++ }
++ }
++ if (ok) {
++ followedXRefStm->push_back(pos2);
++ readXRef(&pos2, followedXRefStm);
++ }
+ if (!ok) {
+ obj2.free();
+ goto err1;
+--- a/poppler/XRef.h
++++ b/poppler/XRef.h
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Brad Hards <br...@frogmouth.net>
+-// Copyright (C) 2006, 2008 Albert Astals Cid <aa...@kde.org>
++// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aa...@kde.org>
+ // Copyright (C) 2007-2008 Julien Rebetez <juli...@svn.gnome.org>
+ // Copyright (C) 2007 Carlos Garcia Campos <carlo...@gnome.org>
+ //
+@@ -31,6 +31,7 @@
+ #endif
+
+ #include "goo/gtypes.h"
++#include "goo/GooVector.h"
+ #include "Object.h"
+
+ class Dict;
+@@ -157,7 +158,9 @@ private:
+
+ Guint getStartXref();
+ GBool readXRef(Guint *pos);
++ GBool readXRef(Guint *pos, GooVector<Guint> *followedXRefStm);
+ GBool readXRefTable(Parser *parser, Guint *pos);
++ GBool readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm);
+ GBool readXRefStreamSection(Stream *xrefStr, int *w, int first, int n);
+ GBool readXRefStream(Stream *xrefStr, Guint *pos);
+ GBool constructXRef();
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/upstream_fix-GooString-insert.diff
+++ poppler-0.12.4/debian/patches/upstream_fix-GooString-insert.diff
@@ -0,0 +1,24 @@
+Author: Pino Toscano <p...@kde.org>
+Description: fix GooString::insert
+Applied-Upstream: 0.21.3, commit:7ba15d11e56175601104d125d5e4a47619c224bf, commit:55940e989701eb9118015e30f4f48eb654fa34c4
+Last-Update: 2012-11-27
+Bug-Debian: http://bugs.debian.org/693817
+
+--- a/goo/GooString.cc
++++ b/goo/GooString.cc
+@@ -640,14 +640,12 @@ GooString *GooString::insert(int i, GooS
+ }
+
+ GooString *GooString::insert(int i, const char *str, int lengthA) {
+- int j;
+ int prevLen = length;
+ if (CALC_STRING_LEN == lengthA)
+ lengthA = strlen(str);
+
+ resize(length + lengthA);
+- for (j = prevLen; j >= i; --j)
+- s[j+lengthA] = s[j];
++ memmove(s+i+lengthA, s+i, prevLen-i);
+ memcpy(s+i, str, lengthA);
+ return this;
+ }
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/07_CVE-2010-4653.patch
+++ poppler-0.12.4/debian/patches/07_CVE-2010-4653.patch
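Review bot: The two-argument `readXRef(Guint *pos)` and `readXRefTable(Parser *parser, Guint *pos)` kept for ABI compatibility each start a fresh `followedXRefStm`, so the loop detection only holds while every caller on the XRefStm path stays on the three-argument overloads; the constructor does in this patch, but nothing stops a later change from calling the old forms on the recursive path and reintroducing the unbounded recursion. A comment on each compat overload, `// ABI-compat wrapper: starts a new loop-tracking vector; the recursive XRefStm path must thread the caller's vector instead`, would pin that down, and the same note belongs on the XRef.h declarations. In the detection loop `for (uint i = 0; ...)`, `uint` is a platform typedef rather than a standard type; `size_t` (or `Guint`, which the file already uses) matches `size()` and avoids relying on it.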
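Review bot: `memmove(s+i+lengthA, s+i, prevLen-i)` takes `i` on trust: for `i > prevLen` the negative `prevLen-i` converts to a huge size_t, and for `i < 0` the source pointer lies before the buffer, so a guard such as `if (i < 0 || i > prevLen) return this;` ahead of `resize` would turn a bad index into a no-op instead of an out-of-bounds write. The removed loop carried the same precondition, so this is not a regression of the backport. The loop did, however, also copy `s[prevLen]` (the old terminator) to `s[prevLen+lengthA]`, whereas the memmove copies only `prevLen-i` bytes; it is worth confirming that `resize` writes the terminator at the new length, since the hunk does not show it.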
@@ -0,0 +1,55 @@
+From cad66a7d25abdb6aa15f3aa94a35737b119b2659 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Tue, 2 Nov 2010 19:14:34 +0000
+Subject: [PATCH] Fix crash in broken documents
+
+mapLen = (code + 256) & ~255; can wrap and you end up with mapLen < code
+that is not what you wanted
+---
+ poppler/CharCodeToUnicode.cc | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/poppler/CharCodeToUnicode.cc b/poppler/CharCodeToUnicode.cc
+index 1835ddd..3cfa402 100644
+--- a/poppler/CharCodeToUnicode.cc
++++ b/poppler/CharCodeToUnicode.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008, 2009 Albert Astals Cid <aa...@kde.org>
++// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aa...@kde.org>
+ // Copyright (C) 2007 Julien Rebetez <juli...@svn.gnome.org>
+ // Copyright (C) 2007 Koji Otani <s...@bbr.jp>
+ // Copyright (C) 2008 Michael Vrable <mvra...@cs.ucsd.edu>
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include "goo/gmem.h"
+ #include "goo/gfile.h"
++#include "Object.h"
+ #include "goo/GooString.h"
+ #include "Error.h"
+ #include "GlobalParams.h"
+@@ -366,10 +367,15 @@ void CharCodeToUnicode::addMapping(CharCode code, char *uStr, int n,
+ if (code >= mapLen) {
+ oldLen = mapLen;
+ mapLen = (code + 256) & ~255;
+- map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
+- for (i = oldLen; i < mapLen; ++i) {
+- map[i] = 0;
+- }
++ if (unlikely(code >= mapLen)) {
++ error(-1, "Illegal code value in CharCodeToUnicode::addMapping");
++ return;
++ } else {
++ map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
++ for (i = oldLen; i < mapLen; ++i) {
++ map[i] = 0;
++ }
++ }
+ }
+ if (n <= 4) {
+ if (sscanf(uStr, "%x", &u) != 1) {
+--
+1.7.10
+
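Review bot: On the new error path in addMapping, `mapLen` has already been overwritten with the wrapped value when `code >= mapLen` is detected, and the early `return` leaves it there while `map` still holds `oldLen` entries; on the next call the object sees a `mapLen` smaller than the real allocation, so the growth branch zeroes existing entries upward from the stale value and may shrink the buffer. Restoring the old length before bailing, `mapLen = oldLen;` ahead of the `error(...)` call, or computing the new length into a local and assigning it only after the check, keeps the table consistent. A comment on the check, `// (code + 256) & ~255 can wrap to a value below code near the top of the range`, would also help, since the commit message is currently the only place this is explained. The rest of addMapping lies outside the hunk.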