Hello community, here is the log from the commit of package mupdf for openSUSE:Factory checked in at 2017-02-10 09:46:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mupdf (Old) and /work/SRC/openSUSE:Factory/.mupdf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mupdf" Changes: --------
--- /work/SRC/openSUSE:Factory/mupdf/mupdf.changes 2017-02-03 17:50:56.660360918 +0100
+++ /work/SRC/openSUSE:Factory/.mupdf.new/mupdf.changes 2017-02-10 09:46:18.936852495 +0100
@@ -1,0 +2,6 @@
+Mon Feb 6 12:51:00 UTC 2017 - idon...@suse.com
+
+- Add CVE-2017-5627.patch and CVE-2017-5628.patch fixes
+ CVE-2017-5627 and CVE-2017-5628 bsc#1022503 bsc#1022504
+
+-------------------------------------------------------------------
New: ---- CVE-2017-5627.patch CVE-2017-5628.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ mupdf.spec ++++++
--- /var/tmp/diff_new_pack.GzuBNa/_old 2017-02-10 09:46:21.744454779 +0100
+++ /var/tmp/diff_new_pack.GzuBNa/_new 2017-02-10 09:46:21.744454779 +0100
@@ -31,6 +31,8 @@
 Patch2: CVE-2016-10132.patch
 Patch3: CVE-2016-10133.patch
 Patch4: CVE-2016-10141.patch
+Patch5: CVE-2017-5627.patch
+Patch6: CVE-2017-5628.patch
 BuildRequires: freetype-devel
 BuildRequires: gcc-c++
 BuildRequires: jbig2dec-devel
@@ -72,6 +74,8 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 popd # do not use the inlined copies of build dpendencies except for mujs
++++++ CVE-2017-5627.patch ++++++
X-Git-Url: http://git.ghostscript.com/?p=mujs.git;a=blobdiff_plain;f=jsrun.c;h=ca7d5ad46ba2414f075280ee94121a88f0bcfde6;hp=782a6f9caa62d510377397b0c63c1407e70f6c95;hb=4006739a28367c708dea19aeb19b8a1a9326ce08;hpb=8f62ea10a0af68e56d5c00720523ebcba13c2e6a
diff --git a/jsrun.c b/jsrun.c
index 782a6f9..ca7d5ad 100644
--- a/jsrun.c
+++ b/jsrun.c
@@ -544,7 +544,7 @@ static void jsR_setproperty(js_State *J, js_Object *obj, const char *name)
 if (!strcmp(name, "length")) {
 double rawlen = jsV_tonumber(J, value);
 int newlen = jsV_numbertointeger(rawlen);
- if (newlen != rawlen)
+ if (newlen != rawlen || newlen < 0)
 js_rangeerror(J, "array length");
 jsV_resizearray(J, obj, newlen);
 return;
++++++ CVE-2017-5628.patch ++++++
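Review bot: The `newlen < 0` test added in the `"length"` branch of jsR_setproperty (jsrun.c, CVE-2017-5627.patch) needs a comment, because it is not obvious why `newlen != rawlen` alone is insufficient: a negative whole number such as -1 survives the round trip through `jsV_numbertointeger` unchanged and would otherwise reach `jsV_resizearray`. I would add `/* reject negative lengths: a whole negative number equals its int conversion and passes the first test */` above the condition. The guard also depends on `jsV_numbertointeger` returning a defined value for NaN, infinite and out-of-int-range input; that helper is outside the hunk, so confirm it clamps rather than performing a raw double-to-int cast. The body of jsR_setproperty starts and ends outside the hunk.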
>From 8f62ea10a0af68e56d5c00720523ebcba13c2e6a Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.anders...@gmail.com>
Date: Tue, 24 Jan 2017 14:32:14 +0100
Subject: [PATCH] Fix 697496: Check NAN before accessing array in MakeDay().
---
 jsdate.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/jsdate.c b/jsdate.c
index 2b43edf..6efbb60 100644
--- a/jsdate.c
+++ b/jsdate.c
@@ -207,12 +207,17 @@ static double MakeDay(double y, double m, double date) }; double yd, md; + int im; y += floor(m / 12); m = pmod(m, 12); + im = (int)m; + if (im < 0 || im >= 12) + return NAN; + yd = floor(TimeFromYear(y) / msPerDay); - md = firstDayOfMonth[InLeapYear(y)][(int)m]; + md = firstDayOfMonth[InLeapYear(y)][im]; return yd + md + date - 1; } -- 2.9.1
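Review bot: In MakeDay (jsdate.c, CVE-2017-5628.patch) the new `im = (int)m;` runs before the range test, and converting a NaN or out-of-range double to int is undefined behaviour in C, so the `im < 0 || im >= 12` check depends on whatever value the cast happens to produce. Test the double first and cast afterwards: `if (!(m >= 0 && m < 12)) return NAN;` followed by `im = (int)m;`; the negated comparison also rejects NaN, since every comparison with NaN is false. `InLeapYear(y)` is still used unchecked as the first index of `firstDayOfMonth`; its definition is outside the hunk, so it is worth confirming that it can only yield 0 or 1 when `y` is NaN or infinite. The start of MakeDay, including the `firstDayOfMonth` table, lies above the hunk.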