Control: tags 924351 + patch
Control: tags 924351 + pending
Dear maintainer,

I've prepared an NMU for mupdf (versioned as 1.14.0+ds1-3.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

The previously mentioned issue was actually caused by an additional missing commit unrelated to the security fixes, which I have also cherry-picked in this update now.

Apart from the attached debdiff, the single commits can also be taken from the merge request at https://salsa.debian.org/koster/mupdf/merge_requests/1 .

Regards,
Salvatore
diff -Nru mupdf-1.14.0+ds1/debian/changelog mupdf-1.14.0+ds1/debian/changelog --- mupdf-1.14.0+ds1/debian/changelog 2019-01-19 04:01:19.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/changelog 2019-03-15 22:53:36.000000000 +0100 @@ -1,3 +1,14 @@ +mupdf (1.14.0+ds1-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * Avoid being smart about keeping only a single reference to the buffer + (CVE-2018-16647) (Closes: #924351) + * Fix text used as clip mask in pdfwrite device (CVE-2018-16648) + (Closes: #924351) + * Fix typo in pdf write device + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 15 Mar 2019 22:53:36 +0100 + mupdf (1.14.0+ds1-3) unstable; urgency=high * d/patches: import upstream fixes for various bugs. diff -Nru mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch --- mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch 1970-01-01 01:00:00.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch 2019-03-15 22:53:36.000000000 +0100 
@@ -0,0 +1,79 @@ +From: Sebastian Rasmussen <seb...@gmail.com> +Date: Mon, 1 Oct 2018 15:13:13 +0800 +Subject: Avoid being smart about keeping only a single reference to the + buffer. +Origin: http://www.ghostscript.com/cgi-bin/findgit.cgi?351c99d8ce23bbf7099dbd52771a095f67e45a2c +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16647 +Bug-Debian: https://bugs.debian.org/924351 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699686 + +When pdf_dev_pop() is called it will drop the reference to the buffer. +pdf_dev_push_new_buf() will either create a new buffer reference or take a reference to the existing buffer. +When pdf_dev_pop() is called unbalance this creates a problem as the +top level buffer will be unreferenced too many times. + +fails-32.pdf +--- + source/pdf/pdf-device.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c +index 31a7a10f2722..0103e9a7d9be 100644 +--- a/source/pdf/pdf-device.c ++++ b/source/pdf/pdf-device.c +@@ -66,7 +66,6 @@ struct pdf_device_s + + pdf_document *doc; + pdf_obj *resources; +- fz_buffer *buffer; + + int in_text; + +@@ -1061,7 +1060,10 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev) + int i; + + for (i = pdev->num_gstates-1; i >= 0; i--) ++ { ++ fz_drop_buffer(ctx, pdev->gstates[i].buf); + fz_drop_stroke_state(ctx, pdev->gstates[i].stroke_state); ++ } + + for (i = pdev->num_cid_fonts-1; i >= 0; i--) + fz_drop_font(ctx, pdev->cid_fonts[i]); +@@ -1069,7 +1071,6 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev) + for (i = pdev->num_groups - 1; i >= 0; i--) + pdf_drop_obj(ctx, pdev->groups[i].ref); + +- fz_drop_buffer(ctx, pdev->buffer); + pdf_drop_obj(ctx, pdev->resources); + fz_free(ctx, pdev->cid_fonts); + fz_free(ctx, pdev->image_indices); +@@ -1111,10 +1112,13 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc + dev->super.begin_tile = pdf_dev_begin_tile; + 
dev->super.end_tile = pdf_dev_end_tile; + ++ fz_var(buf); ++ + fz_try(ctx) + { +- dev->buffer = fz_keep_buffer(ctx, buf); +- if (!buf) ++ if (buf) ++ buf = fz_keep_buffer(ctx, buf); ++ else + buf = fz_new_buffer(ctx, 256); + dev->doc = doc; + dev->resources = pdf_keep_obj(ctx, resources); +@@ -1136,8 +1140,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc + } + fz_catch(ctx) + { +- if (dev->gstates && dev->buffer == NULL) +- fz_drop_buffer(ctx, dev->gstates[0].buf); ++ fz_drop_buffer(ctx, buf); + fz_free(ctx, dev); + fz_rethrow(ctx); + } +-- +2.20.1 + diff -Nru mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch --- mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch 1970-01-01 01:00:00.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch 2019-03-15 22:53:36.000000000 +0100 
@@ -0,0 +1,50 @@ +From: Tor Andersson <tor.anders...@artifex.com> +Date: Mon, 22 Oct 2018 17:16:35 +0200 +Subject: Fix text used as clip mask in pdfwrite device. +Origin: http://www.ghostscript.com/cgi-bin/findgit.cgi?38f883fe129a5e89306252a4676eaaf4bc968824 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16648 +Bug-Debian: https://bugs.debian.org/924351 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699685 + +Push the clip state, and pass the correct text rendering mode state. +--- + source/pdf/pdf-device.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c +index 4dd729b8b981..427e3b389e7e 100644 +--- a/source/pdf/pdf-device.c ++++ b/source/pdf/pdf-device.c +@@ -734,9 +734,13 @@ pdf_dev_clip_text(fz_context *ctx, fz_device *dev, const fz_text *text, fz_matri + { + pdf_device *pdev = (pdf_device*)dev; + fz_text_span *span; ++ ++ pdf_dev_end_text(ctx, pdev); ++ pdf_dev_push(ctx, pdev); ++ + for (span = text->head; span; span = span->next) + { +- pdf_dev_begin_text(ctx, pdev, span->trm, 0); ++ pdf_dev_begin_text(ctx, pdev, span->trm, 7); + pdf_dev_ctm(ctx, pdev, ctm); + pdf_dev_font(ctx, pdev, span->font); + pdf_dev_text_span(ctx, pdev, span); +@@ -748,9 +752,13 @@ pdf_dev_clip_stroke_text(fz_context *ctx, fz_device *dev, const fz_text *text, c + { + pdf_device *pdev = (pdf_device*)dev; + fz_text_span *span; ++ ++ pdf_dev_end_text(ctx, pdev); ++ pdf_dev_push(ctx, pdev); ++ + for (span = text->head; span; span = span->next) + { +- pdf_dev_begin_text(ctx, pdev, span->trm, 0); ++ pdf_dev_begin_text(ctx, pdev, span->trm, 7); + pdf_dev_font(ctx, pdev, span->font); + pdf_dev_ctm(ctx, pdev, ctm); + pdf_dev_text_span(ctx, pdev, span); +-- +2.20.1 + diff -Nru mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch --- 
mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch 1970-01-01 01:00:00.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/patches/0013-Fix-typo-in-pdf-write-device.patch 2019-03-15 22:53:36.000000000 +0100 @@ -0,0 +1,25 @@ +From: Tor Andersson <tor.anders...@artifex.com> +Date: Mon, 22 Oct 2018 16:21:11 +0200 +Subject: Fix typo in pdf write device. +Origin: https://git.kernel.org/linus/fa4cdfca9ec3034dbe54e1cb08c8b97e9ebed46d + +--- + source/pdf/pdf-device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c +index 8d07968992da..31a7a10f2722 100644 +--- a/source/pdf/pdf-device.c ++++ b/source/pdf/pdf-device.c +@@ -1132,7 +1132,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc + dev->max_gstates = 1; + + if (!fz_is_identity(topctm)) +- fz_append_printf(ctx, buf, "%M cm\n", topctm); ++ fz_append_printf(ctx, buf, "%M cm\n", &topctm); + } + fz_catch(ctx) + { +-- +2.11.0 + diff -Nru mupdf-1.14.0+ds1/debian/patches/series mupdf-1.14.0+ds1/debian/patches/series --- mupdf-1.14.0+ds1/debian/patches/series 2019-01-19 04:01:19.000000000 +0100 +++ mupdf-1.14.0+ds1/debian/patches/series 2019-03-15 22:53:36.000000000 +0100 @@ -8,3 +8,6 @@ 0008-PATCH-Fix-700043-Don-t-assume-a-font-is-t3-just-beca.patch 0009-PATCH-Bug-700442-Add-a-recursion-depth-check-to-prev.patch 0010-PATCH-Throw-when-page-number-is-out-of-range.patch +0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch +0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch +0013-Fix-typo-in-pdf-write-device.patch
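Review bot: in patch 0011, the pdf_new_pdf_device hunks make the error path correct only if the part of the fz_try block outside the visible context stores buf into gstates[0].buf without taking a second reference: fz_catch now does an unconditional `fz_drop_buffer(ctx, buf);` while pdf_dev_drop_device gained `fz_drop_buffer(ctx, pdev->gstates[i].buf);` for every gstate, so exactly one reference must be held per path; please confirm that, and consider a one-line comment above the new `fz_var(buf);` stating that buf is reassigned inside fz_try (the reason fz_var is needed), since that is the line most likely to be "cleaned up" by a later edit.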
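Review bot: in patch 0012, the literal `7` passed to pdf_dev_begin_text in both pdf_dev_clip_text and pdf_dev_clip_stroke_text is the PDF text rendering mode "add text to clipping path" (Tr 7), replacing mode 0 (fill); a named constant or a short comment at both call sites would make the intent obvious to the next reader. The hunks also add `pdf_dev_push(ctx, pdev);` at function entry but the matching pop lies outside the visible context, so please confirm the clip pop path balances it, otherwise the gstate stack grows on every clipped text object.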
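Review bot: in patch 0013 the DEP-3 `Origin:` header points at https://git.kernel.org/linus/fa4cdfca9ec3034dbe54e1cb08c8b97e9ebed46d, which is the Linux kernel tree and cannot be the source of a mupdf commit; patches 0011 and 0012 use the ghostscript findgit URL, so this one should be corrected to the corresponding mupdf commit before the upload leaves DELAYED. The change itself, `&topctm` in place of `topctm` for the `%M` format argument, is a pointer-versus-value mismatch rather than a cosmetic typo, and since the cover mail identifies it as the cause of the previously reported problem, the changelog line "Fix typo in pdf write device" would be clearer if it said so.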