Control: tags 983684 + patch Control: tags 983684 + pending Control: severity 983684 serious
(make RC as this should go into bullseye). Dear maintainer, I've prepared an NMU for mupdf (versioned as 1.17.0+ds1-1.3) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru mupdf-1.17.0+ds1/debian/changelog mupdf-1.17.0+ds1/debian/changelog --- mupdf-1.17.0+ds1/debian/changelog 2020-11-28 14:59:08.000000000 +0100 +++ mupdf-1.17.0+ds1/debian/changelog 2021-02-28 13:40:40.000000000 +0100 @@ -1,3 +1,11 @@ +mupdf (1.17.0+ds1-1.3) unstable; urgency=medium + + * Non-maintainer upload. + * Fix double free of object during linearization (CVE-2021-3407) + (Closes: #983684) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 28 Feb 2021 13:40:40 +0100 + mupdf (1.17.0+ds1-1.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru mupdf-1.17.0+ds1/debian/patches/0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch mupdf-1.17.0+ds1/debian/patches/0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch --- mupdf-1.17.0+ds1/debian/patches/0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch 1970-01-01 01:00:00.000000000 +0100 +++ mupdf-1.17.0+ds1/debian/patches/0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch 2021-02-28 13:40:40.000000000 +0100 @@ -0,0 +1,51 @@ +From: Robin Watts <robin.wa...@artifex.com> +Date: Fri, 22 Jan 2021 17:05:15 +0000 +Subject: Bug 703366: Fix double free of object during linearization. +origin: http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=703366 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3407 +Bug-Debian: https://bugs.debian.org/983684 + +This appears to happen because we parse an illegal object from +a broken file and assign it to object 0, which is defined to +be free. + +Here, we fix the parsing code so this can't happen. +--- + source/pdf/pdf-parse.c | 6 ++++++ + source/pdf/pdf-xref.c | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c +index 7abc8c3d41aa..5761c3351773 100644 +--- a/source/pdf/pdf-parse.c ++++ b/source/pdf/pdf-parse.c +@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc, + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num); + } + gen = buf->i; ++ if (gen < 0 || gen >= 65536) ++ { ++ if (try_repair) ++ *try_repair = 1; ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen); ++ } + + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_OBJ) +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 1b2bdcd59d70..30197b4b8577 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + { + ofs = fz_tell(ctx, doc->file); + trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL); ++ if (num == 0) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n"); + } + fz_catch(ctx) + { +-- +2.30.0 + diff -Nru mupdf-1.17.0+ds1/debian/patches/series mupdf-1.17.0+ds1/debian/patches/series --- mupdf-1.17.0+ds1/debian/patches/series 2020-11-28 14:59:08.000000000 +0100 +++ mupdf-1.17.0+ds1/debian/patches/series 2021-02-28 13:40:40.000000000 +0100 @@ -8,3 +8,4 @@ 0008-Build-mupdf-without-executable-stack.patch 0010-Prevent-thirdparty-archive-build.patch 0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch +0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch