-rw-r--r-- | gnu/local.mk | 4 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-CVE-2017-5896.patch | 63 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-CVE-2017-5991.patch | 101 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch | 16 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch | 188 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch | 36 | ||||
-rw-r--r-- | gnu/packages/pdf.scm | 10 |
7 files changed, 11 insertions, 407 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 82e94171b8..c78eeb5e8d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -785,10 +785,6 @@ dist_patch_DATA = \
 %D%/packages/patches/multiqc-fix-git-subprocess-error.patch \
 %D%/packages/patches/mumps-build-parallelism.patch \
 %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
- %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \
- %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \
- %D%/packages/patches/mupdf-CVE-2017-5896.patch \
- %D%/packages/patches/mupdf-CVE-2017-5991.patch \
 %D%/packages/patches/mupen64plus-ui-console-notice.patch \
 %D%/packages/patches/musl-CVE-2016-8859.patch \
 %D%/packages/patches/mutt-store-references.patch \
diff --git a/gnu/packages/patches/mupdf-CVE-2017-5896.patch b/gnu/packages/patches/mupdf-CVE-2017-5896.patch
deleted file mode 100644
index 1537ecc896..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-5896.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -Fix CVE-2017-5896: - -https://bugs.ghostscript.com/show_bug.cgi?id=697515 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896 -http://www.openwall.com/lists/oss-security/2017/02/10/1 -https://security-tracker.debian.org/tracker/CVE-2017-5896 -https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/ - -Patch lifted from upstream source repository: - -http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 - -From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001 -From: Robin Watts <Robin.Watts@artifex.com> -Date: Thu, 9 Feb 2017 07:12:16 -0800 -Subject: [PATCH] bug 697515: Fix out of bounds read in fz_subsample_pixmap - -Pointer arithmetic for final special case was going wrong. ---- - source/fitz/pixmap.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c -index a8317127..f1291dc2 100644 ---- a/source/fitz/pixmap.c -+++ b/source/fitz/pixmap.c -@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, - "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n" - "ldr r4, [r13,#4*22] @ r4 = divXY \n" - "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n" -+ "ldr r8, [r13,#4*17] @ r8 = back4 \n" - "18: @ \n" - "mov r14,#0 @ r14= v = 0 \n" - "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n" -@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor, - "mul r14,r4, r14 @ r14= v *= divX \n" - "mov r14,r14,LSR #16 @ r14= v >>= 16 \n" - "strb r14,[r9], #1 @ *d++ = r14 \n" -- "sub r0, r0, r8 @ s -= back2 \n" -+ "sub r0, r0, r8 @ s -= back4 \n" - "subs r5, r5, #1 @ n-- \n" - "bgt 18b @ } \n" - "21: @ \n" -@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) - x += f; - if (x > 0) - { -+ int back4 = x * n - 1; - div = x * y; - for (nn = n; nn > 0; 
nn--) - { -@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor) - s -= back5; - } - *d++ = v / div; -- s -= back2; -+ s -= back4; - } - } - } --- -2.12.0 - diff --git a/gnu/packages/patches/mupdf-CVE-2017-5991.patch b/gnu/packages/patches/mupdf-CVE-2017-5991.patch deleted file mode 100644 index 1fa6dc3466..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2017-5991.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -Fix CVE-2017-5991: - -https://bugs.ghostscript.com/show_bug.cgi?id=697500 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991 -https://security-tracker.debian.org/tracker/CVE-2017-5991 - -Patch lifted from upstream source repository: - -http://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465 - -From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001 -From: Robin Watts <robin.watts@artifex.com> -Date: Thu, 9 Feb 2017 15:49:15 +0000 -Subject: [PATCH] Bug 697500: Fix NULL ptr access. - -Cope better with errors during rendering - avoid letting the -gstate stack get out of sync. - -This avoids us ever getting into the situation of popping -a clip when we should be popping a mask or a group. This was -causing an unexpected case in the painting. ---- - source/pdf/pdf-op-run.c | 26 ++++++++++++++++++-------- - 1 file changed, 18 insertions(+), 8 deletions(-) - -diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c -index a3ea895d..f1eac8d3 100644 ---- a/source/pdf/pdf-op-run.c -+++ b/source/pdf/pdf-op-run.c -@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf - pdf_run_processor *pr = (pdf_run_processor *)proc; - pdf_gstate *gstate = NULL; - int oldtop = 0; -+ int oldbot = -1; - fz_matrix local_transform = *transform; - softmask_save softmask = { NULL }; - int gparent_save; -@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf - fz_var(cleanup_state); - fz_var(gstate); - fz_var(oldtop); -+ fz_var(oldbot); - - gparent_save = pr->gparent; - pr->gparent = pr->gtop; -+ oldtop = pr->gtop; - - fz_try(ctx) - { - pdf_gsave(ctx, pr); - - gstate = pr->gstate + pr->gtop; -- oldtop = pr->gtop; - - pdf_xobject_bbox(ctx, xobj, &xobj_bbox); - pdf_xobject_matrix(ctx, xobj, &xobj_matrix); -@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf - - doc = 
pdf_get_bound_document(ctx, xobj->obj); - -+ oldbot = pr->gbot; -+ pr->gbot = pr->gtop; -+ - pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL); - } - fz_always(ctx) - { -+ /* Undo any gstate mismatches due to the pdf_process_contents call */ -+ if (oldbot != -1) -+ { -+ while (pr->gtop > pr->gbot) -+ { -+ pdf_grestore(ctx, pr); -+ } -+ pr->gbot = oldbot; -+ } -+ - if (cleanup_state >= 3) -- pdf_grestore(ctx, pr); /* Remove the clippath */ -+ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */ - - /* wrap up transparency stacks */ - if (transparency) -@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf - pr->gstate[pr->gparent].ctm = gparent_save_ctm; - pr->gparent = gparent_save; - -- if (gstate) -- { -- while (oldtop < pr->gtop) -- pdf_grestore(ctx, pr); -- -+ while (oldtop < pr->gtop) - pdf_grestore(ctx, pr); -- } - - pdf_unmark_obj(ctx, xobj->obj); - } --- -2.12.0 - diff --git a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch index d97c1cb348..0b5b735ff3 100644 --- a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch +++ b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch @@ -13,17 +13,15 @@ diff --git a/source/fitz/load-jpx.c b/source/fitz/load-jpx.c index 6b92e5c..72dea50 100644 --- a/source/fitz/load-jpx.c +++ b/source/fitz/load-jpx.c -@@ -1,13 +1,5 @@ - #include "mupdf/fitz.h" +@@ -444,11 +444,6 @@ + + #else /* HAVE_LURATECH */ --/* Without the definition of OPJ_STATIC, compilation fails on windows -- * due to the use of __stdcall. We believe it is required on some -- * linux toolchains too. */ -#define OPJ_STATIC --#ifndef _MSC_VER +-#define OPJ_HAVE_INTTYPES_H +-#if !defined(_WIN32) && !defined(_WIN64) -#define OPJ_HAVE_STDINT_H -#endif -- - #include <openjpeg.h> + #define USE_JPIP - static void fz_opj_error_callback(const char *msg, void *client_data) + #include <openjpeg.h> 
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch deleted file mode 100644 index e752e57ec5..0000000000 --- a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch +++ /dev/null 
@@ -1,188 +0,0 @@ -Fix CVE-2016-10132: - -https://bugs.ghostscript.com/show_bug.cgi?id=697381 -http://seclists.org/oss-sec/2017/q1/74 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132 - -Patch lifted from upstream source repository: - -http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569 - -From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor@ccxvii.net> -Date: Fri, 2 Dec 2016 14:56:20 -0500 -Subject: [PATCH] Fix 697381: check allocation when compiling regular - expressions. - -Also use allocator callback function. ---- - thirdparty/mujs/jsgc.c | 2 +- - thirdparty/mujs/jsregexp.c | 2 +- - thirdparty/mujs/jsstate.c | 6 ------ - thirdparty/mujs/regexp.c | 45 +++++++++++++++++++++++++++++++++++---------- - thirdparty/mujs/regexp.h | 7 +++++++ - 5 files changed, 44 insertions(+), 18 deletions(-) - -diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c -index 4f7e7dc..f80111e 100644 ---- a/thirdparty/mujs/jsgc.c -+++ b/thirdparty/mujs/jsgc.c -@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj) - jsG_freeproperty(J, obj->head); - if (obj->type == JS_CREGEXP) { - js_free(J, obj->u.r.source); -- js_regfree(obj->u.r.prog); -+ js_regfreex(J->alloc, J->actx, obj->u.r.prog); - } - if (obj->type == JS_CITERATOR) - jsG_freeiterator(J, obj->u.iter.head); -diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c -index a2d5156..7b09c06 100644 ---- a/thirdparty/mujs/jsregexp.c -+++ b/thirdparty/mujs/jsregexp.c -@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags) - if (flags & JS_REGEXP_I) opts |= REG_ICASE; - if (flags & JS_REGEXP_M) opts |= REG_NEWLINE; - -- prog = js_regcomp(pattern, opts, &error); -+ prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error); - if (!prog) - js_syntaxerror(J, "regular expression: %s", error); - -diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c -index 638cab3..fd5bcf6 100644 
---- a/thirdparty/mujs/jsstate.c -+++ b/thirdparty/mujs/jsstate.c -@@ -9,12 +9,6 @@ - - static void *js_defaultalloc(void *actx, void *ptr, int size) - { -- if (size == 0) { -- free(ptr); -- return NULL; -- } -- if (!ptr) -- return malloc((size_t)size); - return realloc(ptr, (size_t)size); - } - -diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c -index 9852be2..01c18a3 100644 ---- a/thirdparty/mujs/regexp.c -+++ b/thirdparty/mujs/regexp.c -@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog) - } - #endif - --Reprog *regcomp(const char *pattern, int cflags, const char **errorp) -+Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx, -+ const char *pattern, int cflags, const char **errorp) - { - struct cstate g; - Renode *node; - Reinst *split, *jump; - int i; - -- g.prog = malloc(sizeof (Reprog)); -- g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2); -+ g.pstart = NULL; -+ g.prog = NULL; - - if (setjmp(g.kaboom)) { - if (errorp) *errorp = g.error; -- free(g.pstart); -- free(g.prog); -+ alloc(ctx, g.pstart, 0); -+ alloc(ctx, g.prog, 0); - return NULL; - } - -+ g.prog = alloc(ctx, NULL, sizeof (Reprog)); -+ if (!g.prog) -+ die(&g, "cannot allocate regular expression"); -+ g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) * 2); -+ if (!g.pstart) -+ die(&g, "cannot allocate regular expression parse list"); -+ - g.source = pattern; - g.ncclass = 0; - g.nsub = 1; -@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp) - die(&g, "syntax error"); - - g.prog->nsub = g.nsub; -- g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof (Reinst)); -+ g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * sizeof (Reinst)); -+ if (!g.prog->start) -+ die(&g, "cannot allocate regular expression instruction list"); - - split = emit(g.prog, I_SPLIT); - split->x = split + 3; -@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const char 
**errorp) - dumpprog(g.prog); - #endif - -- free(g.pstart); -+ alloc(ctx, g.pstart, 0); - - if (errorp) *errorp = NULL; - return g.prog; - } - --void regfree(Reprog *prog) -+void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog *prog) - { - if (prog) { -- free(prog->start); -- free(prog); -+ alloc(ctx, prog->start, 0); -+ alloc(ctx, prog, 0); - } - } - -+static void *default_alloc(void *ctx, void *p, int n) -+{ -+ return realloc(p, (size_t)n); -+} -+ -+Reprog *regcomp(const char *pattern, int cflags, const char **errorp) -+{ -+ return regcompx(default_alloc, NULL, pattern, cflags, errorp); -+} -+ -+void regfree(Reprog *prog) -+{ -+ regfreex(default_alloc, NULL, prog); -+} -+ - /* Match */ - - static int isnewline(int c) -diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h -index 4bb4615..6bb73e8 100644 ---- a/thirdparty/mujs/regexp.h -+++ b/thirdparty/mujs/regexp.h -@@ -1,6 +1,8 @@ - #ifndef regexp_h - #define regexp_h - -+#define regcompx js_regcompx -+#define regfreex js_regfreex - #define regcomp js_regcomp - #define regexec js_regexec - #define regfree js_regfree -@@ -8,6 +10,11 @@ - typedef struct Reprog Reprog; - typedef struct Resub Resub; - -+Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx, -+ const char *pattern, int cflags, const char **errorp); -+void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, -+ Reprog *prog); -+ - Reprog *regcomp(const char *pattern, int cflags, const char **errorp); - int regexec(Reprog *prog, const char *string, Resub *sub, int eflags); - void regfree(Reprog *prog); --- -2.9.1 - diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch deleted file mode 100644 index d73849262c..0000000000 --- a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Fix CVE-2016-10133: - -https://bugs.ghostscript.com/show_bug.cgi?id=697401 -http://seclists.org/oss-sec/2017/q1/74 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133 - -Patch lifted from upstream source repository: - -https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24 - -From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@gmail.com> -Date: Thu, 12 Jan 2017 14:47:01 +0100 -Subject: [PATCH] Fix 697401: Error when dropping extra arguments to - lightweight functions. - ---- - thirdparty/mujs/jsrun.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c -index ee80845..782a6f9 100644 ---- a/thirdparty/mujs/jsrun.c -+++ b/thirdparty/mujs/jsrun.c -@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen - jsR_savescope(J, scope); - - if (n > F->numparams) { -- js_pop(J, F->numparams - n); -+ js_pop(J, n - F->numparams); - n = F->numparams; - } - for (i = n; i < F->varlen; ++i) --- -2.9.1 - diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 0882d3b942..5ccaa38eea 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -531,7 +531,7 @@ extracting content or merging files.") (define-public mupdf (package (name "mupdf") - (version "1.10a") + (version "1.11") (source (origin (method url-fetch) @@ -539,10 +539,8 @@ extracting content or merging files.") name "-" version "-source.tar.gz")) (sha256 (base32 - "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a")) - (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch" - "mupdf-mujs-CVE-2016-10132.patch" - "mupdf-mujs-CVE-2016-10133.patch")) + "02phamcchgsmvjnb3ir7r5sssvx9fcrscn297z73b82n1jl79510")) + (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch")) (modules '((guix build utils))) (snippet ;; Delete all the bundled libraries except for mujs, which is 
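Review bot: The new `patches` field in the pdf.scm hunk drops `mupdf-mujs-CVE-2016-10132.patch` and `mupdf-mujs-CVE-2016-10133.patch` while the snippet comment just below still keeps the bundled mujs, and nothing in the new code records that the 1.11 tarball, including its thirdparty/mujs copy, already carries those fixes and the ones for CVE-2017-5896 and CVE-2017-5991. Once that has been checked against the release tarball, I would add a comment above the field such as `;; 1.11 includes the upstream fixes for CVE-2016-10132, CVE-2016-10133, CVE-2017-5896 and CVE-2017-5991.` so the next updater does not have to rediscover it. The removed `patches` list never named the two CVE-2017 patch files this commit deletes, and the diffstat accounts for no other change to pdf.scm, so presumably they were referenced from a definition outside these hunks or not at all; a leftover reference would make `search-patches` fail, which is worth confirming. The `origin` form continues outside the hunk.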
@@ -554,7 +552,7 @@ extracting content or merging files.")
 "thirdparty/glfw"
 "thirdparty/harfbuzz"
 "thirdparty/jbig2dec"
- "thirdparty/jpeg"
+ "thirdparty/libjpeg"
 "thirdparty/openjpeg"
 "thirdparty/zlib")))))
 (build-system gnu-build-system) |
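Review bot: The list of bundled directories edited here is maintained by name, so a directory that upstream renames or adds (as with `"thirdparty/jpeg"` becoming `"thirdparty/libjpeg"` in this update) can be missed, and the bundled copy may then stay in the source tree where it would not receive the distribution's security updates. The call that consumes the list is outside the hunk, so whether a stale name fails the build or is silently skipped cannot be seen from here. I would add a comment above the list, `;; Compare with the contents of thirdparty/ in the tarball on every version update.`, and confirm that 1.11 ships no bundled libraries beyond those listed and mujs.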