Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

I'd like to fix a buffer overflow in the pdfresurrect version that's in buster. See https://security-tracker.debian.org/tracker/CVE-2019-14267.

Attached is the debdiff.

Francois

diff -Nru pdfresurrect-0.15/debian/changelog pdfresurrect-0.15/debian/changelog --- pdfresurrect-0.15/debian/changelog 2019-03-01 23:12:55.000000000 -0800 +++ pdfresurrect-0.15/debian/changelog 2019-07-30 08:41:35.000000000 -0700 @@ -1,3 +1,9 @@ +pdfresurrect (0.15-2+deb10u1) buster; urgency=high + + * Fix buffer overflow (CVE-2019-14267). + + -- Francois Marier <franc...@debian.org> Tue, 30 Jul 2019 08:41:35 -0700 + pdfresurrect (0.15-2) unstable; urgency=medium * Bump Standars-Version up to 4.3.0 diff -Nru pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch --- pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch 1969-12-31 16:00:00.000000000 -0800 +++ pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch 2019-07-30 08:41:35.000000000 -0700 
@@ -0,0 +1,46 @@ +commit 4ea7a6f4f51d0440da651d099247e2273f811dbc +Author: Matt Davis <mattdav...@gmail.com> +Date: Thu Jul 25 20:30:04 2019 -0700 + + Prevent a buffer overflow in possibly corrupt PDFs. + + The startxref identification logic assumed a worse case of having to + inspect 256 bytes. However, that is not always the case (e.g., + corrupted PDFs). This patch prevents that situation. + + This bug was identified by j0lamma. Thanks! + + CVE-2019-14267 + +diff --git a/main.c b/main.c +index d604613..de2f8e9 100644 +--- a/main.c ++++ b/main.c +@@ -203,7 +203,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name) + + pdf = pdf_new(name); + pdf_get_version(fp, pdf); +- pdf_load_xrefs(fp, pdf); ++ if (pdf_load_xrefs(fp, pdf) == -1) { ++ pdf_delete(pdf); ++ return NULL; ++ } + pdf_load_pages_kids(fp, pdf); + + return pdf; +diff --git a/pdf.c b/pdf.c +index 4cd7f12..b23b50a 100644 +--- a/pdf.c ++++ b/pdf.c +@@ -233,6 +233,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf) + fseek(fp, pos - (++pos_count), SEEK_SET); + + /* Suck in end of "startxref" to start of %%EOF */ ++ if (pos_count >= sizeof(buf)) { ++ ERR("Failed to locate the startxref token. " ++ "This might be a corrupt PDF.\n"); ++ return -1; ++ } + memset(buf, 0, sizeof(buf)); + SAFE_E(fread(buf, 1, pos_count, fp), pos_count, + "Failed to read startxref.\n"); diff -Nru pdfresurrect-0.15/debian/patches/series pdfresurrect-0.15/debian/patches/series --- pdfresurrect-0.15/debian/patches/series 1969-12-31 16:00:00.000000000 -0800 +++ pdfresurrect-0.15/debian/patches/series 2019-07-30 08:41:35.000000000 -0700 @@ -0,0 +1 @@ +CVE-2019-14267.patch
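
Review bot: In the main.c part of CVE-2019-14267.patch, init_pdf() gains a `return NULL;` path when pdf_load_xrefs() returns -1, but this is the only main.c hunk, so no caller of init_pdf() is touched. Please confirm that every caller already checks the result for NULL before using it, so that a corrupt PDF ends in a clean error exit rather than a NULL dereference. If any caller does not, that check belongs in this same upload.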
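
Review bot: In the pdf.c part of CVE-2019-14267.patch, the context line `fseek(fp, pos - (++pos_count), SEEK_SET);` directly above the new check still ignores its return value, and the new `pos_count >= sizeof(buf)` test only runs after that seek. If pos_count can exceed pos on a short or corrupt file, the offset becomes negative and the seek fails without being noticed; consider checking the fseek() result or bounding the scan at the point where pos_count is incremented. It would also help to add a short comment saying that `>=` rather than `>` is intentional, since after `memset(buf, 0, sizeof(buf))` it guarantees the fread() of pos_count bytes leaves at least one zero byte at the end of buf.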