Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear Release Team,

I have just uploaded atril 1.20.3-1+deb10u1 to Debian buster with the
following changes:

+  [ Martin Wimpress ]
+  * debian/patches:
+    + Add 0001_prevent_no_doc_segfault.patch. Prevent segfaults when no document
+      is loaded.

See upstream issue: https://github.com/mate-desktop/atril/issues/357

When one loaded atril with no document and started playing with the
application settings, atril would segfault.

+    + Add 0002_CVE-2019-1010006.patch. Fix buffer overflow. (CVE-2019-1010006)

This is a low-severity security issue, but it is not tagged as no-dsa on the
security tracker. However, getting the other two patches into buster had
priority, and thus I took the buster-pu upload path for this.

+  [ Mike Gabriel ]
+  * debian/patches:
+    + Add CVE-2019-11459.patch. tiff: Handle failure from
+      TIFFReadRGBAImageOriented. (Closes: #927821).
+    + Rebase 0001_prevent_no_doc_segfault.patch.

This security issue is marked as unimportant, but it is still something that
deserves a fix via buster-pu.

light+love,
Mike



-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru atril-1.20.3/debian/changelog atril-1.20.3/debian/changelog
--- atril-1.20.3/debian/changelog       2018-12-22 22:24:46.000000000 +0100
+++ atril-1.20.3/debian/changelog       2019-12-16 10:33:35.000000000 +0100
@@ -1,3 +1,19 @@
+atril (1.20.3-1+deb10u1) buster; urgency=medium
+
+  [ Martin Wimpress ]
+  * debian/patches:
+    + Add 0001_prevent_no_doc_segfault.patch. Prevent segfaults when no 
document
+      is loaded.
+    + Add 0002_CVE-2019-1010006.patch. Fix buffer overflow. (CVE-2019-1010006)
+
+  [ Mike Gabriel ]
+  * debian/patches:
+    + Add CVE-2019-11459.patch. tiff: Handle failure from
+      TIFFReadRGBAImageOriented. (Closes: #927821).
+    + Rebase 0001_prevent_no_doc_segfault.patch.
+
+ -- Mike Gabriel <sunwea...@debian.org>  Mon, 16 Dec 2019 10:33:35 +0100
+
 atril (1.20.3-1) unstable; urgency=medium
 
   * New upstream release.
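Review bot: the `0002_CVE-2019-1010006.patch` entry says only "Fix buffer overflow"; name the location and mechanism the patch actually fixes (integer overflow in the `height * rowstride` and `width * 4` pixel-buffer size computations in backend/tiff/tiff-document.c, now checked before the multiply) so the security tracker and anyone rebasing later can match the entry to the code. The first entry could likewise cite the upstream issue (mate-desktop/atril#357) that the patch header already references.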
diff -Nru atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch 
atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch
--- atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch      
1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch      
2019-12-16 10:31:57.000000000 +0100
@@ -0,0 +1,286 @@
+From 807e54f51919de389c2824df6ccef41947c57911 Mon Sep 17 00:00:00 2001
+From: Reuben Green <reubengree...@gmail.com>
+Date: Sat, 3 Aug 2019 22:54:44 +0100
+Subject: [PATCH] prevent segfaults when no document loaded
+
+See the issue report for a description of the bug. The root cause is
+dereferencing of NULL pointers, specifically the priv->document member of
+EvWindow structures when no document is loaded. This commit adds checks
+for a NULL value of priv->document at all the points in the file
+shell/ev-window.c where this pointer was previously dereferenced without
+being checked.
+
+Fixes 357 (https://github.com/mate-desktop/atril/issues/357)
+---
+ shell/ev-window.c | 63 ++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 31 deletions(-)
+
+--- a/shell/ev-window.c
++++ b/shell/ev-window.c
+@@ -1448,7 +1448,7 @@
+       /* Presentation */
+       if (ev_metadata_get_boolean (window->priv->metadata, "presentation", 
&presentation)) {
+               if (presentation) {
+-                      if (window->priv->document->iswebdocument == TRUE ) {
++                      if (window->priv->document && 
window->priv->document->iswebdocument == TRUE ) {
+                               return;
+                       }
+                       else {
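Review bot: with no document loaded the new `window->priv->document &&` guard makes the condition false, so the presentation case now falls into the `else` branch below the hunk instead of returning; if that branch goes on to start presentation mode it may still touch `priv->document`, and the crash only moves. Since there is nothing to present without a document, `if (!window->priv->document || window->priv->document->iswebdocument == TRUE) return;` keeps the early return for both the web-document and the no-document case.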
+@@ -1850,7 +1850,7 @@
+ ev_window_handle_link (EvWindow *ev_window,
+                      EvLinkDest *dest)
+ {
+-      if (ev_window->priv->document->iswebdocument == TRUE ) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) {
+               return;
+       }
+       if (dest) {
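Review bot: the NULL case is not handled the same way as the web-document case here. `ev_window->priv->document && ...iswebdocument == TRUE` is false for a NULL document, so instead of returning, ev_window_handle_link continues to `if (dest) {` and hands the link to the view with no document loaded. Inverting the guard, `if (!ev_window->priv->document || ev_window->priv->document->iswebdocument == TRUE) return;`, returns early in both cases, which is what this function wants.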
+@@ -4117,7 +4117,7 @@
+        */
+       if (ev_window->priv->chrome & EV_CHROME_FINDBAR) {
+               egg_find_bar_grab_focus(ev_window->priv->find_bar);
+-      } else if (ev_window->priv->document->iswebdocument == FALSE ) {
++      } else if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == FALSE ) {
+               ev_view_select_all (EV_VIEW (ev_window->priv->view));
+       }
+ #if ENABLE_EPUB
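Review bot: this `== FALSE` form is the safe shape for the NULL case: `ev_window->priv->document && ...iswebdocument == FALSE` is false with no document, so `ev_view_select_all` is skipped rather than run. The `#if ENABLE_EPUB` block that follows the hunk presumably tests `iswebdocument` again for the web view; confirm it carries the same NULL guard, otherwise the dereference only moves a few lines down. The same remark applies to the find-next and find-previous hunks below, which use the identical pattern.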
+@@ -4152,7 +4152,7 @@
+       update_chrome_flag (ev_window, EV_CHROME_FINDBAR, TRUE);
+       update_chrome_visibility (ev_window);
+       gtk_widget_grab_focus (ev_window->priv->find_bar);
+-      if (ev_window->priv->document->iswebdocument == FALSE) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == FALSE) {
+               ev_view_find_next (EV_VIEW (ev_window->priv->view));
+       }
+ #if ENABLE_EPUB
+@@ -4171,7 +4171,7 @@
+       update_chrome_flag (ev_window, EV_CHROME_FINDBAR, TRUE);
+       update_chrome_visibility (ev_window);
+       gtk_widget_grab_focus (ev_window->priv->find_bar);
+-      if (ev_window->priv->document->iswebdocument == FALSE) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == FALSE) {
+               ev_view_find_previous (EV_VIEW (ev_window->priv->view));
+       } 
+ #if ENABLE_EPUB
+@@ -4186,7 +4186,7 @@
+ {
+         g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB       
+-      if (ev_window->priv->document->iswebdocument) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument) {
+               ev_web_view_copy(EV_WEB_VIEW(ev_window->priv->webview));
+       } else 
+ #endif
+@@ -4406,8 +4406,9 @@
+ 
+       if (EV_WINDOW_IS_PRESENTATION (window))
+               return;
++
+       
+-      if (window->priv->document->iswebdocument) {
++      if (window->priv->document && window->priv->document->iswebdocument) {
+               ev_window_warning_message(window,_("Presentation mode is not 
supported for ePub documents"));
+               return;
+       }
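Review bot: with a NULL document the guard is false, so the warning-and-return is skipped and the function proceeds to start presentation mode with nothing loaded; `if (!window->priv->document || window->priv->document->iswebdocument)` would keep the early return for that case as well. Separately, the added `+` line introduces an empty line directly above an existing whitespace-only line, leaving two consecutive blank lines (one with trailing whitespace) between the presentation check and the document check; either drop the added line or replace the whitespace-only one instead.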
+@@ -4795,7 +4796,7 @@
+ 
+       ev_document_model_set_sizing_mode (ev_window->priv->model, 
EV_SIZING_FREE);
+ #if ENABLE_EPUB
+-      if (ev_window->priv->document->iswebdocument) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument) {
+               ev_web_view_zoom_in(EV_WEB_VIEW(ev_window->priv->webview));
+       }
+       else
+@@ -4812,7 +4813,7 @@
+ 
+       ev_document_model_set_sizing_mode (ev_window->priv->model, 
EV_SIZING_FREE);
+ #if ENABLE_EPUB
+-      if ( ev_window->priv->document->iswebdocument)  {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument)  {
+               ev_web_view_zoom_out(EV_WEB_VIEW(ev_window->priv->webview));
+       }
+       else
+@@ -4829,7 +4830,7 @@
+ 
+       ev_document_model_set_sizing_mode (ev_window->priv->model, 
EV_SIZING_FREE);
+ #if ENABLE_EPUB
+-      if ( ev_window->priv->document->iswebdocument)  {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument)  {
+               ev_web_view_zoom_reset(EV_WEB_VIEW(ev_window->priv->webview));
+       }
+       else
+@@ -4844,7 +4845,7 @@
+ {
+         g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB
+-      if ( ev_window->priv->document->iswebdocument == TRUE ) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) {
+               
ev_web_view_previous_page(EV_WEB_VIEW(ev_window->priv->webview));
+       }
+       else
+@@ -4859,7 +4860,7 @@
+ {
+         g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB
+-      if ( ev_window->priv->document->iswebdocument == TRUE ) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) {
+               ev_web_view_next_page(EV_WEB_VIEW(ev_window->priv->webview));
+       } else 
+ #endif
+@@ -5440,8 +5441,8 @@
+       gboolean   show_internal = FALSE;
+       GtkAction *action;
+ 
+-      if ( ev_window->priv->document->iswebdocument == TRUE ) return ;
+-      
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) return ;
++
+       if (ev_window->priv->link)
+               g_object_unref (ev_window->priv->link);
+       
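Review bot: the early return is now skipped for a NULL document (the guard `ev_window->priv->document && ...` is false), so the function goes on to manage `ev_window->priv->link` with no document loaded; the intent is presumably to bail out in that case too, i.e. `if (!ev_window->priv->document || ev_window->priv->document->iswebdocument == TRUE) return;`. The two hunks below (`-5494` and `-5522`) have the identical shape. The removed whitespace-only line is an unrelated cleanup that makes the patch slightly harder to rebase; fine for this backport, but worth keeping out of a minimal stable patch.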
+@@ -5494,7 +5495,7 @@
+       GtkAction *action;
+       gboolean   show_image = FALSE;
+ 
+-      if (ev_window->priv->document->iswebdocument == TRUE ) return ;
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) return ;
+       if (ev_window->priv->image)
+               g_object_unref (ev_window->priv->image);
+       
+@@ -5522,7 +5523,7 @@
+       gboolean   show_annot = FALSE;
+       gboolean can_remove_annots = FALSE;
+ 
+-      if (ev_window->priv->document->iswebdocument == TRUE ) return ;
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) return ;
+       if (ev_window->priv->annot)
+               g_object_unref (ev_window->priv->annot);
+       ev_window->priv->annot = (annot) ? g_object_ref (annot) : NULL;
+@@ -5679,7 +5680,7 @@
+ {
+       ev_window_update_actions (ev_window);
+ #if ENABLE_EPUB
+-      if (ev_window->priv->document->iswebdocument == TRUE ) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) {
+               ev_web_view_find_changed(EV_WEB_VIEW(ev_window->priv->webview),
+                                                                
job->results,job->text, job->case_sensitive);
+       }
+@@ -5716,7 +5717,7 @@
+                     EvWindow   *ev_window)
+ {
+ #if ENABLE_EPUB
+-      if (ev_window->priv->document->iswebdocument == TRUE ) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) {
+               
ev_web_view_find_previous(EV_WEB_VIEW(ev_window->priv->webview));
+       }else 
+ #endif
+@@ -5730,7 +5731,7 @@
+                 EvWindow   *ev_window)
+ {
+ #if ENABLE_EPUB
+-      if (ev_window->priv->document->iswebdocument == TRUE ) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) {
+               ev_web_view_find_next(EV_WEB_VIEW(ev_window->priv->webview));
+       } else 
+ #endif
+@@ -5744,7 +5745,7 @@
+                  EvWindow   *ev_window)
+ {
+ #if ENABLE_EPUB
+-      if (ev_window->priv->document->iswebdocument == TRUE ) {                
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument == TRUE ) {
+               ev_web_view_find_cancel(EV_WEB_VIEW(ev_window->priv->webview));
+       }
+       else 
+@@ -5800,7 +5801,7 @@
+ {
+       /* Either the string or case sensitivity could have changed. */
+ #if ENABLE_EPUB
+-      if (ev_window->priv->document->iswebdocument) {
++      if (ev_window->priv->document && 
ev_window->priv->document->iswebdocument) {
+               ev_web_view_find_search_changed(EV_WEB_VIEW 
(ev_window->priv->webview));
+       } else
+ #endif
+@@ -6570,7 +6571,7 @@
+ static void
+ sidebar_links_link_activated_cb (EvSidebarLinks *sidebar_links, EvLink *link, 
EvWindow *window)
+ {
+-      if (window->priv->document->iswebdocument == FALSE ) {
++      if (window->priv->document && window->priv->document->iswebdocument == 
FALSE ) {
+               ev_view_handle_link (EV_VIEW (window->priv->view), link);
+       }
+ #if ENABLE_EPUB
+@@ -6599,7 +6600,7 @@
+ navigation_action_activate_link_cb (EvNavigationAction *action, EvLink *link, 
EvWindow *window)
+ {
+ #if ENABLE_EPUB
+-      if (window->priv->document->iswebdocument == TRUE )  {
++      if (window->priv->document && window->priv->document->iswebdocument == 
TRUE )  {
+               
ev_web_view_handle_link(EV_WEB_VIEW(window->priv->webview),link);
+               gtk_widget_grab_focus (window->priv->webview);
+               return;
+@@ -6613,7 +6614,7 @@
+ sidebar_layers_visibility_changed (EvSidebarLayers *layers,
+                                  EvWindow        *window)
+ {
+-      if (window->priv->document->iswebdocument == FALSE ) {
++      if (window->priv->document && window->priv->document->iswebdocument == 
FALSE ) {
+               ev_view_reload (EV_VIEW (window->priv->view));
+       }
+ #if ENABLE_EPUB
+@@ -6629,7 +6630,7 @@
+                                  EvMapping            *annot_mapping,
+                                  EvWindow             *window)
+ {
+-      if (window->priv->document->iswebdocument == TRUE ) return;
++      if (window->priv->document && window->priv->document->iswebdocument == 
TRUE ) return;
+       ev_view_focus_annotation (EV_VIEW (window->priv->view), annot_mapping);
+ }
+ 
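Review bot: same guard inversion as elsewhere in this patch: with `window->priv->document` NULL the condition is false, so the `return` is skipped and `ev_view_focus_annotation` is called on the view with no document. The two annotation callbacks below (`-6638` and `-6663`) have the same shape. `if (!window->priv->document || window->priv->document->iswebdocument == TRUE) return;` returns for both the web-document and the no-document case, which is what these sidebar callbacks want.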
+@@ -6638,7 +6639,7 @@
+                               EvAnnotationType      annot_type,
+                               EvWindow             *window)
+ {
+-      if (window->priv->document->iswebdocument == TRUE ) return;
++      if (window->priv->document && window->priv->document->iswebdocument == 
TRUE ) return;
+       ev_view_begin_add_annotation (EV_VIEW (window->priv->view), annot_type);
+ }
+ 
+@@ -6663,7 +6664,7 @@
+ sidebar_annots_annot_add_cancelled (EvSidebarAnnotations *sidebar_annots,
+                                   EvWindow             *window)
+ {
+-      if (window->priv->document->iswebdocument == TRUE ) return;
++      if (window->priv->document && window->priv->document->iswebdocument == 
TRUE ) return;
+       ev_view_cancel_add_annotation (EV_VIEW (window->priv->view));
+ }
+ 
+@@ -7070,7 +7071,7 @@
+ static void
+ ev_view_popup_cmd_open_link (GtkAction *action, EvWindow *window)
+ {
+-      if (window->priv->document->iswebdocument == TRUE ) return;
++      if (window->priv->document && window->priv->document->iswebdocument == 
TRUE ) return;
+       ev_view_handle_link (EV_VIEW (window->priv->view), window->priv->link);
+ }
+ 
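Review bot: `ev_view_popup_cmd_open_link` now reaches `ev_view_handle_link (EV_VIEW (window->priv->view), window->priv->link)` when the document is NULL, because the guard only returns for a loaded web document. The popup can only be opened over a rendered link, so this is unlikely to be reachable without a document, but `if (!window->priv->document || window->priv->document->iswebdocument == TRUE) return;` costs nothing and matches the intent; the copy-link-address hunk below has the same shape.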
+@@ -7095,7 +7096,7 @@
+ ev_view_popup_cmd_copy_link_address (GtkAction *action, EvWindow *window)
+ {
+       EvLinkAction *ev_action;
+-      if (window->priv->document->iswebdocument == TRUE ) return;
++      if (window->priv->document && window->priv->document->iswebdocument == 
TRUE ) return;
+       ev_action = ev_link_get_action (window->priv->link);
+       if (!ev_action)
+               return;
+@@ -7285,8 +7286,8 @@
+ ev_view_popup_cmd_annot_properties (GtkAction *action,
+                                   EvWindow  *window)
+ {
+-      if (window->priv->document->iswebdocument == TRUE ) return;
+-      
++      if (window->priv->document && window->priv->document->iswebdocument == 
TRUE ) return;
++
+       const gchar                  *author;
+       GdkRGBA                       rgba;
+       gdouble                       opacity;
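Review bot: the early `return` sits before the local declarations (`const gchar *author;`, `GdkRGBA rgba;`, `gdouble opacity;`), i.e. a statement ahead of declarations at the top of the block. That was already the case before the change, but since the line is being rewritten anyway, moving the check below the declarations keeps the function clean under -Wdeclaration-after-statement. Replacing the whitespace-only line with an empty one is fine.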
diff -Nru atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch 
atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch
--- atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch     1970-01-01 
01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch     2019-12-16 
10:29:52.000000000 +0100
@@ -0,0 +1,44 @@
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 0aa31cb6..94adc400 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -268,13 +268,14 @@ tiff_document_render (EvDocument      *document,
+               return NULL;                
+       }
+       
+-      bytes = height * rowstride;
+-      if (bytes / rowstride != height) {
++      if (height >= INT_MAX / rowstride) {
+               g_warning("Overflow while rendering document.");
+               /* overflow */
+               return NULL;
+       }
+       
++      bytes = height * rowstride;
++
+       pixels = g_try_malloc (bytes);
+       if (!pixels) {
+               g_warning("Failed to allocate memory for rendering.");
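Review bot: the new guard `if (height >= INT_MAX / rowstride)` divides by `rowstride`, and nothing in this hunk shows `rowstride` being checked for a positive value; confirm the check at the top of the function (the `return NULL;` in the leading context) covers that, otherwise a zero stride is a division by zero here just as it would have been in the old `bytes / rowstride`. `>` would be the exact bound (`height == INT_MAX / rowstride` still fits); `>=` is merely conservative. On the substance the change is right: the old `bytes = height * rowstride; if (bytes / rowstride != height)` multiplies first, signed overflow is undefined behaviour, and the compiler may drop the divide-back check entirely, so testing before the multiply is the only reliable form. Two packaging points: `INT_MAX` needs `<limits.h>` and the patch adds no include, so confirm tiff-document.c already pulls it in; and this patch is a bare diff with no DEP-3 header (Description, Origin, Bug), unlike the other two, which at least carry git From/Subject headers.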
+@@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument      *document,
+       if (width <= 0 || height <= 0)
+               return NULL;                
+ 
+-      rowstride = width * 4;
+-      if (rowstride / 4 != width)
++      if (width >= INT_MAX / 4)
+               /* overflow */
+               return NULL;                
+         
+-      bytes = height * rowstride;
+-      if (bytes / rowstride != height)
++      rowstride = width * 4;
++
++      if (height >= INT_MAX / rowstride)
+               /* overflow */
+-              return NULL;                
++              return NULL; 
++
++      bytes = height * rowstride;               
+       
+       pixels = g_try_malloc (bytes);
+       if (!pixels)
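Review bot: the rewritten lines `return NULL; ` and `bytes = height * rowstride;               ` carry trailing whitespace (the original `return NULL;` line had it too, but the patch now adds it to a fresh line as well); strip it so the patch does not introduce whitespace errors on apply. The ordering is otherwise correct: `width >= INT_MAX / 4` is tested before `rowstride = width * 4`, and `height >= INT_MAX / rowstride` before `bytes = height * rowstride`, with `width <= 0 || height <= 0` already rejected above so neither divisor can be zero. As in the previous hunk, `>` would be the exact bound; `>=` rejects one extra value, which is harmless.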
diff -Nru atril-1.20.3/debian/patches/CVE-2019-11459.patch 
atril-1.20.3/debian/patches/CVE-2019-11459.patch
--- atril-1.20.3/debian/patches/CVE-2019-11459.patch    1970-01-01 
01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/CVE-2019-11459.patch    2019-12-16 
10:30:41.000000000 +0100
@@ -0,0 +1,70 @@
+From 5ecffe6a75542fc4d82264c9b263fee5d25a84b1 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <vka...@redhat.com>
+Date: Sun, 11 Aug 2019 05:20:09 +0300
+Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+This addresses CVE-2019-11459
+
+upstream commit:
+https://gitlab.gnome.org/GNOME/evince/commit/234f034a4
+---
+ backend/tiff/tiff-document.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -281,6 +281,15 @@
+               g_warning("Failed to allocate memory for rendering.");
+               return NULL;
+       }
++
++      if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++                                     width, height,
++                                     (uint32 *)pixels,
++                                      orientation, 0)) {
++              g_warning ("Failed to read TIFF image.");
++              g_free (pixels);
++              return NULL;
++      }
+       
+       surface = cairo_image_surface_create_for_data (pixels,
+                                                      CAIRO_FORMAT_RGB24,
+@@ -288,11 +297,6 @@
+                                                      rowstride);
+       cairo_surface_set_user_data (surface, &key,
+                                    pixels, (cairo_destroy_func_t)g_free);
+-
+-      TIFFReadRGBAImageOriented (tiff_document->tiff,
+-                                 width, height,
+-                                 (uint32 *)pixels,
+-                                 orientation, 0);
+       pop_handlers ();
+ 
+       /* Convert the format returned by libtiff to
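Review bot: the new failure path (`g_free (pixels); return NULL;`) returns without `pop_handlers ();`, while the success path reaches `pop_handlers ();` a few lines below in the hunk's context. If the push/pop pair is meant to be balanced per call (it brackets the libtiff error and warning handlers), a corrupt TIFF now leaves the handlers pushed; adding `pop_handlers ();` before the `return NULL;` fixes that. The allocation-failure return just above has the same gap, but a failed `TIFFReadRGBAImageOriented` is far easier to trigger with attacker-controlled input. Moving the read ahead of `cairo_image_surface_create_for_data` is correct: previously the surface took ownership of `pixels` before the read, so on failure the uninitialised buffer was rendered.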
+@@ -372,14 +376,18 @@
+       pixels = g_try_malloc (bytes);
+       if (!pixels)
+               return NULL;
++
++      if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++                                      width, height,
++                                      (uint32 *)pixels,
++                                      ORIENTATION_TOPLEFT, 0)) {
++              g_free (pixels);
++              return NULL;
++      }
+       
+       pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, 
+                                          width, height, rowstride,
+                                          (GdkPixbufDestroyNotify) g_free, 
NULL);
+-      TIFFReadRGBAImageOriented (tiff_document->tiff,
+-                                 width, height,
+-                                 (uint32 *)pixels,
+-                                 ORIENTATION_TOPLEFT, 0);
+       pop_handlers ();
+ 
+       scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
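Review bot: this failure path differs from the one in the previous hunk: it frees and returns silently, with no `g_warning ("Failed to read TIFF image.")`; add the warning for parity so a failed render is diagnosable from the log in both code paths. The same `pop_handlers ();` concern applies, since the `pop_handlers ();` below is only reached on success. Minor: the continuation lines of the `TIFFReadRGBAImageOriented` call are indented one space differently from the first hunk, so the two calls do not line up the same way.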
diff -Nru atril-1.20.3/debian/patches/series atril-1.20.3/debian/patches/series
--- atril-1.20.3/debian/patches/series  1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/series  2019-12-16 10:31:03.000000000 +0100
@@ -0,0 +1,3 @@
+0001_prevent_no_doc_segfault.patch
+0002_CVE-2019-1010006.patch
+CVE-2019-11459.patch
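Review bot: the third patch lacks the numeric prefix the first two use (`0001_`, `0002_`, then `CVE-2019-11459.patch`); either rename it `0003_CVE-2019-11459.patch` or drop the prefixes on all three, since the order in this file is what matters. That order is not cosmetic here: `0002_CVE-2019-1010006.patch` and `CVE-2019-11459.patch` both edit backend/tiff/tiff-document.c in the same two functions, and the second one's `@@ -281` hunk starts on the `g_warning("Failed to allocate memory for rendering.")` line, which only sits at line 281 after 0002's one-line insertion, so swapping them would make the CVE-2019-11459 hunks apply with fuzz or fail.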
