Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I would like to upload a squeeze update for poppler, fixing three CVEs
(which were deemed minor, hence with no dsa), and a crasher bug and a
memory handling issue recently fixed in unstable (and wheezy).

The changes are:
* fix CVE-2010-0206:
  - patch straight from upstream
* fix CVE-2010-0207:
  - patch from upstream adapted to be API-/ABI-compatible, even though
    the functions were private
* fix CVE-2010-4653
  - patch from upstream adapted to include Object.h instead of
    goo/GooLikely.h (non-existent in poppler 0.12.x)
- fix GooString::insert (#693817)
  - backport the fix
- fix two uninitialized vars in PSOutputDev (#699421)
  - backport the fix

I also added myself as uploader, as I did many months ago.

Let me know whether the proposed changes seem okay, and I can upload to
stable.

Thanks,
-- 
Pino
diff -u poppler-0.12.4/debian/changelog poppler-0.12.4/debian/changelog
--- poppler-0.12.4/debian/changelog
+++ poppler-0.12.4/debian/changelog
@@ -1,3 +1,19 @@
+poppler (0.12.4-1.2+squeeze1) stable; urgency=low
+
+  * Add myself as uploader.
+  * Fix CVE-2010-0206.
+  * Fix CVE-2010-0207; patch adapted to be API-/ABI-compatible.
+  * Fix CVE-2010-4653; patch adapted to include object.h instead
+    of goo/GooLikely.h (non-existent in poppler 0.12.x).
+  * Backport upstream commits 7ba15d11e56175601104d125d5e4a47619c224bf and
+    55940e989701eb9118015e30f4f48eb654fa34c4 to fix GooString::insert;
+    patch upstream_fix-GooString-insert.diff. (Closes: #693817)
+  * Correctly initialize PSOutputDev::fontFileNameLen and
+    PSOutputDev::psFileNames; patch psoutputdev-initialize-vars.diff.
+    (Closes: #699421)
+
+ -- Pino Toscano <p...@debian.org>  Thu, 14 Feb 2013 13:05:25 +0100
+
 poppler (0.12.4-1.2) unstable; urgency=medium
 
   * Non-maintainer upload by the Security Team
diff -u poppler-0.12.4/debian/control poppler-0.12.4/debian/control
--- poppler-0.12.4/debian/control
+++ poppler-0.12.4/debian/control
@@ -4,7 +4,8 @@
 Maintainer: Loic Minier <l...@dooz.org>
 Uploaders: Josselin Mouette <j...@debian.org>,
            Dave Beckett <daj...@debian.org>,
-           Ross Burton <r...@debian.org>
+           Ross Burton <r...@debian.org>,
+           Pino Toscano <p...@debian.org>
 Build-Depends: cdbs (>= 0.4.52),
                debhelper (>= 5),
                quilt,
diff -u poppler-0.12.4/debian/patches/series poppler-0.12.4/debian/patches/series
--- poppler-0.12.4/debian/patches/series
+++ poppler-0.12.4/debian/patches/series
@@ -4 +4,6 @@
-04_security.patch
\ No newline at end of file
+04_security.patch
+05_CVE-2010-0206.patch
+06_CVE-2010-0207.patch
+07_CVE-2010-4653.patch
+upstream_fix-GooString-insert.diff
+psoutputdev-initialize-vars.diff
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/psoutputdev-initialize-vars.diff
+++ poppler-0.12.4/debian/patches/psoutputdev-initialize-vars.diff
@@ -0,0 +1,41 @@
+Author: Pino Toscano <p...@debian.org>
+Description: initialize PSOutputDev::fontFileNameLen and PSOutputDev::psFileNames
+ Avoid crashing in ~PSOutputDev when the PSOutputDev instance is not "ok".
+Applied-Upstream: not-needed
+Last-Update: 2013-01-31
+Bug-Debian: http://bugs.debian.org/699421
+
+--- a/poppler/PSOutputDev.cc
++++ b/poppler/PSOutputDev.cc
+@@ -1012,6 +1012,7 @@ PSOutputDev::PSOutputDev(const char *fil
+   fontIDs = NULL;
+   fontFileIDs = NULL;
+   fontFileNames = NULL;
++  fontFileNameLen = 0;
+   font8Info = NULL;
+   font16Enc = NULL;
+   imgIDs = NULL;
+@@ -1022,6 +1023,7 @@ PSOutputDev::PSOutputDev(const char *fil
+   haveTextClip = gFalse;
+   haveCSPattern = gFalse;
+   t3String = NULL;
++  psFileNames = NULL;
+ 
+   forceRasterize = forceRasterizeA;
+ 
+@@ -1077,6 +1079,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
+   fontIDs = NULL;
+   fontFileIDs = NULL;
+   fontFileNames = NULL;
++  fontFileNameLen = 0;
+   font8Info = NULL;
+   font16Enc = NULL;
+   imgIDs = NULL;
+@@ -1087,6 +1090,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
+   haveTextClip = gFalse;
+   haveCSPattern = gFalse;
+   t3String = NULL;
++  psFileNames = NULL;
+ 
+   forceRasterize = forceRasterizeA;
+ 
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/05_CVE-2010-0206.patch
+++ poppler-0.12.4/debian/patches/05_CVE-2010-0206.patch
@@ -0,0 +1,56 @@
+From 30ea3ab8a1eecafb3366aef193910098fdb7ccc8 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Tue, 25 May 2010 23:07:56 +0100
+Subject: [PATCH] Fix crash when parsing pdf in bug 28170
+
+This code is a can of crashing worms :-7
+---
+ poppler/JBIG2Stream.cc |   23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index 97994bd..f16ad58 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -742,13 +742,18 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
+   Guint xx, yy;
+ 
+   slice = new JBIG2Bitmap(0, wA, hA);
+-  slice->clearToZero();
+-  for (yy = 0; yy < hA; ++yy) {
+-    for (xx = 0; xx < wA; ++xx) {
+-      if (getPixel(x + xx, y + yy)) {
+-	slice->setPixel(xx, yy);
++  if (slice->isOk()) {
++    slice->clearToZero();
++    for (yy = 0; yy < hA; ++yy) {
++      for (xx = 0; xx < wA; ++xx) {
++        if (getPixel(x + xx, y + yy)) {
++	  slice->setPixel(xx, yy);
++        }
+       }
+     }
++  } else {
++    delete slice;
++    slice = NULL;
+   }
+   return slice;
+ }
+@@ -3224,8 +3229,12 @@ void JBIG2Stream::readGenericRefinementRegionSeg(Guint segNum, GBool imm,
+ 
+   // store the region bitmap
+   } else {
+-    bitmap->setSegNum(segNum);
+-    segments->append(bitmap);
++    if (bitmap) {
++      bitmap->setSegNum(segNum);
++      segments->append(bitmap);
++    } else {
++      error(curStr->getPos(), "readGenericRefinementRegionSeg with null bitmap");
++    }
+   }
+ 
+   // delete the referenced bitmap
+-- 
+1.7.10
+
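Review bot: JBIG2Bitmap::getSlice now returns NULL on the !isOk() path (the new else branch in the first hunk), but only readGenericRefinementRegionSeg is taught to handle that in the second hunk; any other caller of getSlice in JBIG2Stream.cc would dereference the NULL result, and none are visible here to confirm either way. The new contract should at least be stated at the declaration in JBIG2Stream.h, e.g. `// Returns NULL when the slice bitmap could not be created (isOk() false); callers must check.` Both enclosing functions start or end outside their hunks.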
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/06_CVE-2010-0207.patch
+++ poppler-0.12.4/debian/patches/06_CVE-2010-0207.patch
@@ -0,0 +1,113 @@
+Author: Albert Astals Cid <aa...@kde.org>
+Author: Pino Toscano <p...@debian.org>
+Description: Do not follow loops blindly
+ Fixes CVE-2010-0207.
+ .
+ Patch modified by keeping the readXRef and refXRefTable versions without the
+ additional GooVector parameter to avoid breaking API and ABI, and using
+ operator[int] instead of at(int) with GooVector, as the former does not exist
+ in 0.12.x.
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=28172
+Applied-Upstream: commit:9eda6e8aaae412a9882141d1b5b8c7bf0c823c68
+Last-Update: 2012-06-27
+
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -15,7 +15,7 @@
+ //
+ // Copyright (C) 2005 Dan Sheridan <dan.sheri...@postman.org.uk>
+ // Copyright (C) 2005 Brad Hards <br...@frogmouth.net>
+-// Copyright (C) 2006, 2008 Albert Astals Cid <aa...@kde.org>
++// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aa...@kde.org>
+ // Copyright (C) 2007-2008 Julien Rebetez <juli...@svn.gnome.org>
+ // Copyright (C) 2007 Carlos Garcia Campos <carlo...@gnome.org>
+ // Copyright (C) 2009 Ilya Gorenbein <igorenb...@finjan.com>
+@@ -267,7 +267,8 @@ XRef::XRef(BaseStream *strA) {
+ 
+   // read the xref table
+   } else {
+-    while (readXRef(&pos)) ;
++    GooVector<Guint> followedXRefStm;
++    while (readXRef(&pos, &followedXRefStm)) ;
+ 
+     // if there was a problem with the xref table,
+     // try to reconstruct it
+@@ -347,6 +348,11 @@ Guint XRef::getStartXref() {
+ // Read one xref table section.  Also reads the associated trailer
+ // dictionary, and returns the prev pointer (if any).
+ GBool XRef::readXRef(Guint *pos) {
++  GooVector<Guint> followedXRefStm;
++  return readXRef(pos, &followedXRefStm);
++}
++
++GBool XRef::readXRef(Guint *pos, GooVector<Guint> *followedXRefStm) {
+   Parser *parser;
+   Object obj;
+   GBool more;
+@@ -362,7 +368,7 @@ GBool XRef::readXRef(Guint *pos) {
+   // parse an old-style xref table
+   if (obj.isCmd("xref")) {
+     obj.free();
+-    more = readXRefTable(parser, pos);
++    more = readXRefTable(parser, pos, followedXRefStm);
+ 
+   // parse an xref stream
+   } else if (obj.isInt()) {
+@@ -396,6 +402,11 @@ GBool XRef::readXRef(Guint *pos) {
+ }
+ 
+ GBool XRef::readXRefTable(Parser *parser, Guint *pos) {
++  GooVector<Guint> followedXRefStm;
++  return readXRefTable(parser, pos, &followedXRefStm);
++}
++
++GBool XRef::readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm) {
+   XRefEntry entry;
+   GBool more;
+   Object obj, obj2;
+@@ -509,7 +520,15 @@ GBool XRef::readXRefTable(Parser *parser
+   // check for an 'XRefStm' key
+   if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
+     pos2 = (Guint)obj2.getInt();
+-    readXRef(&pos2);
++    for (uint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i) {
++      if ((*followedXRefStm)[i] == pos2) {
++        ok = gFalse;
++      }
++    }
++    if (ok) {
++      followedXRefStm->push_back(pos2);
++      readXRef(&pos2, followedXRefStm);
++    }
+     if (!ok) {
+       obj2.free();
+       goto err1;
+--- a/poppler/XRef.h
++++ b/poppler/XRef.h
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Brad Hards <br...@frogmouth.net>
+-// Copyright (C) 2006, 2008 Albert Astals Cid <aa...@kde.org>
++// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aa...@kde.org>
+ // Copyright (C) 2007-2008 Julien Rebetez <juli...@svn.gnome.org>
+ // Copyright (C) 2007 Carlos Garcia Campos <carlo...@gnome.org>
+ //
+@@ -31,6 +31,7 @@
+ #endif
+ 
+ #include "goo/gtypes.h"
++#include "goo/GooVector.h"
+ #include "Object.h"
+ 
+ class Dict;
+@@ -157,7 +158,9 @@ private:
+ 
+   Guint getStartXref();
+   GBool readXRef(Guint *pos);
++  GBool readXRef(Guint *pos, GooVector<Guint> *followedXRefStm);
+   GBool readXRefTable(Parser *parser, Guint *pos);
++  GBool readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm);
+   GBool readXRefStreamSection(Stream *xrefStr, int *w, int first, int n);
+   GBool readXRefStream(Stream *xrefStr, Guint *pos);
+   GBool constructXRef();
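Review bot: The new loop guard in readXRefTable indexes the vector with `uint` (`for (uint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i)`), a non-standard typedef that nothing in the hunk provides; `size_t` (or whatever GooVector::size() returns in 0.12.x) avoids the portability issue and the signed/unsigned mix, and the `ok == gTrue` term is redundant once the match simply breaks out of the scan. Only XRefStm chains are tracked here; a cycle through the prev pointers followed by `while (readXRef(&pos, &followedXRefStm))` in the constructor appears not to be covered by this patch, which is worth recording in the DEP-3 Description so the limitation is not mistaken for full coverage. The readXRefTable body continues outside the hunk.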
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/upstream_fix-GooString-insert.diff
+++ poppler-0.12.4/debian/patches/upstream_fix-GooString-insert.diff
@@ -0,0 +1,24 @@
+Author: Pino Toscano <p...@kde.org>
+Description: fix GooString::insert
+Applied-Upstream: 0.21.3, commit:7ba15d11e56175601104d125d5e4a47619c224bf, commit:55940e989701eb9118015e30f4f48eb654fa34c4
+Last-Update: 2012-11-27
+Bug-Debian: http://bugs.debian.org/693817
+
+--- a/goo/GooString.cc
++++ b/goo/GooString.cc
+@@ -640,14 +640,12 @@ GooString *GooString::insert(int i, GooS
+ }
+ 
+ GooString *GooString::insert(int i, const char *str, int lengthA) {
+-  int j;
+   int prevLen = length;
+   if (CALC_STRING_LEN == lengthA)
+     lengthA = strlen(str);
+ 
+   resize(length + lengthA);
+-  for (j = prevLen; j >= i; --j)
+-    s[j+lengthA] = s[j];
++  memmove(s+i+lengthA, s+i, prevLen-i);
+   memcpy(s+i, str, lengthA);
+   return this;
+ }
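Review bot: `memmove(s+i+lengthA, s+i, prevLen-i)` has no range check on i: for i > prevLen the length is negative and converts to a huge size_t, where the old loop simply did nothing, and for i < 0 both the old and new code access memory before the buffer. Either document the precondition on insert (`0 <= i <= length` on entry) or guard it, e.g. `if (i < 0 || i > prevLen) return this;` before the resize. Whether resize() re-terminates the string after the move (the old loop also shifted s[prevLen]) is not visible here and is worth confirming against the two backported upstream commits.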
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/07_CVE-2010-4653.patch
+++ poppler-0.12.4/debian/patches/07_CVE-2010-4653.patch
@@ -0,0 +1,55 @@
+From cad66a7d25abdb6aa15f3aa94a35737b119b2659 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aa...@kde.org>
+Date: Tue, 2 Nov 2010 19:14:34 +0000
+Subject: [PATCH] Fix crash in broken documents
+
+mapLen = (code + 256) & ~255; can wrap and you end up with mapLen < code
+that is not what you wanted
+---
+ poppler/CharCodeToUnicode.cc |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/poppler/CharCodeToUnicode.cc b/poppler/CharCodeToUnicode.cc
+index 1835ddd..3cfa402 100644
+--- a/poppler/CharCodeToUnicode.cc
++++ b/poppler/CharCodeToUnicode.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008, 2009 Albert Astals Cid <aa...@kde.org>
++// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aa...@kde.org>
+ // Copyright (C) 2007 Julien Rebetez <juli...@svn.gnome.org>
+ // Copyright (C) 2007 Koji Otani <s...@bbr.jp>
+ // Copyright (C) 2008 Michael Vrable <mvra...@cs.ucsd.edu>
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include "goo/gmem.h"
+ #include "goo/gfile.h"
++#include "Object.h"
+ #include "goo/GooString.h"
+ #include "Error.h"
+ #include "GlobalParams.h"
+@@ -366,10 +367,15 @@ void CharCodeToUnicode::addMapping(CharCode code, char *uStr, int n,
+   if (code >= mapLen) {
+     oldLen = mapLen;
+     mapLen = (code + 256) & ~255;
+-    map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
+-    for (i = oldLen; i < mapLen; ++i) {
+-      map[i] = 0;
+-    }
++    if (unlikely(code >= mapLen)) {
++      error(-1, "Illegal code value in CharCodeToUnicode::addMapping");
++      return;
++    } else {
++      map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
++      for (i = oldLen; i < mapLen; ++i) {
++        map[i] = 0;
++      }
++	}
+   }
+   if (n <= 4) {
+     if (sscanf(uStr, "%x", &u) != 1) {
+-- 
+1.7.10
+
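Review bot: The `else` after `return;` in addMapping is dead structure, and its closing brace on the tab-indented line `+	}` does not match the surrounding two-space indentation; dropping the else and leaving the greallocn/zero-fill block at its original position keeps the diff smaller and the style consistent. The new check only catches arithmetic wrap of `(code + 256) & ~255`; a large code value that does not wrap still sets mapLen, and hence the greallocn size, from untrusted input, and whether greallocn bounds that is not visible here. The addMapping body continues outside the hunk.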
