Bug#946819: buster-pu: package atril/1.20.3-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Team,
I have just uploaded atril 1.20.3-1+deb10u1 to Debian buster with the
following changes:
+ [ Martin Wimpress ]
+ * debian/patches:
+ + Add 0001_prevent_no_doc_segfault.patch. Prevent segfaults when no document
+ is loaded.
See upstream issue: https://github.com/mate-desktop/atril/issues/357
When one loaded atril with no document and started playing with the
application settings, atril would segfault.
+ + Add 0002_CVE-2019-1010006.patch. Fix buffer overflow. (CVE-2019-1010006)
This is a low-severity security issue, but it is not tagged as no-dsa on the security
tracker. However, getting the other two patches into buster had priority and
thus I took the buster-pu upload path for this.
+ [ Mike Gabriel ]
+ * debian/patches:
+ + Add CVE-2019-11459.patch. tiff: Handle failure from
+ TIFFReadRGBAImageOriented. (Closes: #927821).
+ + Rebase 0001_prevent_no_doc_segfault.patch.
Security issue marked as unimportant, but still something that deserves a fix via
buster-pu.
light+love,
Mike
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru atril-1.20.3/debian/changelog atril-1.20.3/debian/changelog
--- atril-1.20.3/debian/changelog 2018-12-22 22:24:46.000000000 +0100
+++ atril-1.20.3/debian/changelog 2019-12-16 10:33:35.000000000 +0100
@@ -1,3 +1,19 @@
+atril (1.20.3-1+deb10u1) buster; urgency=medium
+
+ [ Martin Wimpress ]
+ * debian/patches:
+ + Add 0001_prevent_no_doc_segfault.patch. Prevent segfaults when no document
+ is loaded.
+ + Add 0002_CVE-2019-1010006.patch. Fix buffer overflow. (CVE-2019-1010006)
+
+ [ Mike Gabriel ]
+ * debian/patches:
+ + Add CVE-2019-11459.patch. tiff: Handle failure from
+ TIFFReadRGBAImageOriented. (Closes: #927821).
+ + Rebase 0001_prevent_no_doc_segfault.patch.
+
+ -- Mike Gabriel <sunweaver@debian.org> Mon, 16 Dec 2019 10:33:35 +0100
+
atril (1.20.3-1) unstable; urgency=medium
* New upstream release.
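Review bot: the 0002_CVE-2019-1010006.patch entry reads only "Fix buffer overflow" and, unlike the CVE-2019-11459 entry, names neither the affected backend nor the functions touched; a stable changelog should let the reader locate the fix without opening the patch, so consider "tiff: check for integer overflow in tiff_document_render() and tiff_document_render_pixbuf() before allocating the pixel buffer (CVE-2019-1010006)", which is what the patch body actually does.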
diff -Nru atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch
--- atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch 1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch 2019-12-16 10:31:57.000000000 +0100
@@ -0,0 +1,286 @@
+From 807e54f51919de389c2824df6ccef41947c57911 Mon Sep 17 00:00:00 2001
+From: Reuben Green <reubengreen73@gmail.com>
+Date: Sat, 3 Aug 2019 22:54:44 +0100
+Subject: [PATCH] prevent segfaults when no document loaded
+
+See the issue report for a description of the bug. The root cause is
+dereferencing of NULL pointers, specifically the priv->document member of
+EvWindow structures when no document is loaded. This commit adds checks
+for a NULL value of priv->document at all the points in the file
+shell/ev-window.c where this pointer was previously dereferenced without
+being checked.
+
+Fixes 357 (https://github.com/mate-desktop/atril/issues/357)
+---
+ shell/ev-window.c | 63 ++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 31 deletions(-)
+
+--- a/shell/ev-window.c
++++ b/shell/ev-window.c
+@@ -1448,7 +1448,7 @@
+ /* Presentation */
+ if (ev_metadata_get_boolean (window->priv->metadata, "presentation", &presentation)) {
+ if (presentation) {
+- if (window->priv->document->iswebdocument == TRUE ) {
++ if (window->priv->document && window->priv->document->iswebdocument == TRUE ) {
+ return;
+ }
+ else {
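Review bot: with priv->document == NULL the new condition is false and control falls into the else branch (the presentation restore, not shown), which the original code never reached for the no-document case because it crashed first; if that branch touches the view or the document, the safer guard is an explicit `if (!window->priv->document) return;` ahead of the iswebdocument test, which also keeps the line readable. The same shape recurs throughout this patch: prefixing `document &&` to a TRUE-then-return or FALSE-then-act test turns the NULL case into the opposite branch rather than into a no-op, so each site needs to be checked for what that opposite branch does.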
+@@ -1850,7 +1850,7 @@
+ ev_window_handle_link (EvWindow *ev_window,
+ EvLinkDest *dest)
+ {
+- if (ev_window->priv->document->iswebdocument == TRUE ) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ return;
+ }
+ if (dest) {
+@@ -4117,7 +4117,7 @@
+ */
+ if (ev_window->priv->chrome & EV_CHROME_FINDBAR) {
+ egg_find_bar_grab_focus(ev_window->priv->find_bar);
+- } else if (ev_window->priv->document->iswebdocument == FALSE ) {
++ } else if (ev_window->priv->document && ev_window->priv->document->iswebdocument == FALSE ) {
+ ev_view_select_all (EV_VIEW (ev_window->priv->view));
+ }
+ #if ENABLE_EPUB
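Review bot: the trailing `#if ENABLE_EPUB` context indicates an else branch that operates on priv->webview; with a NULL document the new `document && ... == FALSE` test is false, so select-all is now routed into that ePub branch instead of being skipped. Confirm that priv->webview is a valid widget when no document is loaded, or add an early `if (!ev_window->priv->document) return;` so the no-document case becomes a no-op. The find-next, find-previous, copy, zoom and page-navigation hunks below have the same structure and need the same confirmation.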
+@@ -4152,7 +4152,7 @@
+ update_chrome_flag (ev_window, EV_CHROME_FINDBAR, TRUE);
+ update_chrome_visibility (ev_window);
+ gtk_widget_grab_focus (ev_window->priv->find_bar);
+- if (ev_window->priv->document->iswebdocument == FALSE) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == FALSE) {
+ ev_view_find_next (EV_VIEW (ev_window->priv->view));
+ }
+ #if ENABLE_EPUB
+@@ -4171,7 +4171,7 @@
+ update_chrome_flag (ev_window, EV_CHROME_FINDBAR, TRUE);
+ update_chrome_visibility (ev_window);
+ gtk_widget_grab_focus (ev_window->priv->find_bar);
+- if (ev_window->priv->document->iswebdocument == FALSE) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == FALSE) {
+ ev_view_find_previous (EV_VIEW (ev_window->priv->view));
+ }
+ #if ENABLE_EPUB
+@@ -4186,7 +4186,7 @@
+ {
+ g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB
+- if (ev_window->priv->document->iswebdocument) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument) {
+ ev_web_view_copy(EV_WEB_VIEW(ev_window->priv->webview));
+ } else
+ #endif
+@@ -4406,8 +4406,9 @@
+
+ if (EV_WINDOW_IS_PRESENTATION (window))
+ return;
++
+
+- if (window->priv->document->iswebdocument) {
++ if (window->priv->document && window->priv->document->iswebdocument) {
+ ev_window_warning_message(window,_("Presentation mode is not supported for ePub documents"));
+ return;
+ }
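Review bot: the two added blank lines ahead of the iswebdocument test are whitespace-only noise that makes the stable patch larger than it needs to be; drop them. Also, with no document loaded the warning-and-return is now skipped and whatever follows this hunk (the presentation entry code) runs; if that is reachable from the menu without a document, guard it with `if (!window->priv->document) return;` rather than relying on the ePub check.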
+@@ -4795,7 +4796,7 @@
+
+ ev_document_model_set_sizing_mode (ev_window->priv->model, EV_SIZING_FREE);
+ #if ENABLE_EPUB
+- if (ev_window->priv->document->iswebdocument) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument) {
+ ev_web_view_zoom_in(EV_WEB_VIEW(ev_window->priv->webview));
+ }
+ else
+@@ -4812,7 +4813,7 @@
+
+ ev_document_model_set_sizing_mode (ev_window->priv->model, EV_SIZING_FREE);
+ #if ENABLE_EPUB
+- if ( ev_window->priv->document->iswebdocument) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument) {
+ ev_web_view_zoom_out(EV_WEB_VIEW(ev_window->priv->webview));
+ }
+ else
+@@ -4829,7 +4830,7 @@
+
+ ev_document_model_set_sizing_mode (ev_window->priv->model, EV_SIZING_FREE);
+ #if ENABLE_EPUB
+- if ( ev_window->priv->document->iswebdocument) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument) {
+ ev_web_view_zoom_reset(EV_WEB_VIEW(ev_window->priv->webview));
+ }
+ else
+@@ -4844,7 +4845,7 @@
+ {
+ g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB
+- if ( ev_window->priv->document->iswebdocument == TRUE ) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ ev_web_view_previous_page(EV_WEB_VIEW(ev_window->priv->webview));
+ }
+ else
+@@ -4859,7 +4860,7 @@
+ {
+ g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB
+- if ( ev_window->priv->document->iswebdocument == TRUE ) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ ev_web_view_next_page(EV_WEB_VIEW(ev_window->priv->webview));
+ } else
+ #endif
+@@ -5440,8 +5441,8 @@
+ gboolean show_internal = FALSE;
+ GtkAction *action;
+
+- if ( ev_window->priv->document->iswebdocument == TRUE ) return ;
+-
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) return ;
++
+ if (ev_window->priv->link)
+ g_object_unref (ev_window->priv->link);
+
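Review bot: the `-`/`+` pair following the `return ;` line differs only in whitespace (the same pair appears again in the ev_view_popup_cmd_annot_properties hunk at the end of this patch); whitespace-only churn in a stable update obscures what actually changed, so either drop those lines or note in the patch header that trailing whitespace was cleaned up.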
+@@ -5494,7 +5495,7 @@
+ GtkAction *action;
+ gboolean show_image = FALSE;
+
+- if (ev_window->priv->document->iswebdocument == TRUE ) return ;
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) return ;
+ if (ev_window->priv->image)
+ g_object_unref (ev_window->priv->image);
+
+@@ -5522,7 +5523,7 @@
+ gboolean show_annot = FALSE;
+ gboolean can_remove_annots = FALSE;
+
+- if (ev_window->priv->document->iswebdocument == TRUE ) return ;
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) return ;
+ if (ev_window->priv->annot)
+ g_object_unref (ev_window->priv->annot);
+ ev_window->priv->annot = (annot) ? g_object_ref (annot) : NULL;
+@@ -5679,7 +5680,7 @@
+ {
+ ev_window_update_actions (ev_window);
+ #if ENABLE_EPUB
+- if (ev_window->priv->document->iswebdocument == TRUE ) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ ev_web_view_find_changed(EV_WEB_VIEW(ev_window->priv->webview),
+ job->results,job->text, job->case_sensitive);
+ }
+@@ -5716,7 +5717,7 @@
+ EvWindow *ev_window)
+ {
+ #if ENABLE_EPUB
+- if (ev_window->priv->document->iswebdocument == TRUE ) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ ev_web_view_find_previous(EV_WEB_VIEW(ev_window->priv->webview));
+ }else
+ #endif
+@@ -5730,7 +5731,7 @@
+ EvWindow *ev_window)
+ {
+ #if ENABLE_EPUB
+- if (ev_window->priv->document->iswebdocument == TRUE ) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ ev_web_view_find_next(EV_WEB_VIEW(ev_window->priv->webview));
+ } else
+ #endif
+@@ -5744,7 +5745,7 @@
+ EvWindow *ev_window)
+ {
+ #if ENABLE_EPUB
+- if (ev_window->priv->document->iswebdocument == TRUE ) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ ev_web_view_find_cancel(EV_WEB_VIEW(ev_window->priv->webview));
+ }
+ else
+@@ -5800,7 +5801,7 @@
+ {
+ /* Either the string or case sensitivity could have changed. */
+ #if ENABLE_EPUB
+- if (ev_window->priv->document->iswebdocument) {
++ if (ev_window->priv->document && ev_window->priv->document->iswebdocument) {
+ ev_web_view_find_search_changed(EV_WEB_VIEW (ev_window->priv->webview));
+ } else
+ #endif
+@@ -6570,7 +6571,7 @@
+ static void
+ sidebar_links_link_activated_cb (EvSidebarLinks *sidebar_links, EvLink *link, EvWindow *window)
+ {
+- if (window->priv->document->iswebdocument == FALSE ) {
++ if (window->priv->document && window->priv->document->iswebdocument == FALSE ) {
+ ev_view_handle_link (EV_VIEW (window->priv->view), link);
+ }
+ #if ENABLE_EPUB
+@@ -6599,7 +6600,7 @@
+ navigation_action_activate_link_cb (EvNavigationAction *action, EvLink *link, EvWindow *window)
+ {
+ #if ENABLE_EPUB
+- if (window->priv->document->iswebdocument == TRUE ) {
++ if (window->priv->document && window->priv->document->iswebdocument == TRUE ) {
+ ev_web_view_handle_link(EV_WEB_VIEW(window->priv->webview),link);
+ gtk_widget_grab_focus (window->priv->webview);
+ return;
+@@ -6613,7 +6614,7 @@
+ sidebar_layers_visibility_changed (EvSidebarLayers *layers,
+ EvWindow *window)
+ {
+- if (window->priv->document->iswebdocument == FALSE ) {
++ if (window->priv->document && window->priv->document->iswebdocument == FALSE ) {
+ ev_view_reload (EV_VIEW (window->priv->view));
+ }
+ #if ENABLE_EPUB
+@@ -6629,7 +6630,7 @@
+ EvMapping *annot_mapping,
+ EvWindow *window)
+ {
+- if (window->priv->document->iswebdocument == TRUE ) return;
++ if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ ev_view_focus_annotation (EV_VIEW (window->priv->view), annot_mapping);
+ }
+
+@@ -6638,7 +6639,7 @@
+ EvAnnotationType annot_type,
+ EvWindow *window)
+ {
+- if (window->priv->document->iswebdocument == TRUE ) return;
++ if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ ev_view_begin_add_annotation (EV_VIEW (window->priv->view), annot_type);
+ }
+
+@@ -6663,7 +6664,7 @@
+ sidebar_annots_annot_add_cancelled (EvSidebarAnnotations *sidebar_annots,
+ EvWindow *window)
+ {
+- if (window->priv->document->iswebdocument == TRUE ) return;
++ if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ ev_view_cancel_add_annotation (EV_VIEW (window->priv->view));
+ }
+
+@@ -7070,7 +7071,7 @@
+ static void
+ ev_view_popup_cmd_open_link (GtkAction *action, EvWindow *window)
+ {
+- if (window->priv->document->iswebdocument == TRUE ) return;
++ if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ ev_view_handle_link (EV_VIEW (window->priv->view), window->priv->link);
+ }
+
+@@ -7095,7 +7096,7 @@
+ ev_view_popup_cmd_copy_link_address (GtkAction *action, EvWindow *window)
+ {
+ EvLinkAction *ev_action;
+- if (window->priv->document->iswebdocument == TRUE ) return;
++ if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ ev_action = ev_link_get_action (window->priv->link);
+ if (!ev_action)
+ return;
+@@ -7285,8 +7286,8 @@
+ ev_view_popup_cmd_annot_properties (GtkAction *action,
+ EvWindow *window)
+ {
+- if (window->priv->document->iswebdocument == TRUE ) return;
+-
++ if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
++
+ const gchar *author;
+ GdkRGBA rgba;
+ gdouble opacity;
diff -Nru atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch
--- atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch 1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch 2019-12-16 10:29:52.000000000 +0100
@@ -0,0 +1,44 @@
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 0aa31cb6..94adc400 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -268,13 +268,14 @@ tiff_document_render (EvDocument *document,
+ return NULL;
+ }
+
+- bytes = height * rowstride;
+- if (bytes / rowstride != height) {
++ if (height >= INT_MAX / rowstride) {
+ g_warning("Overflow while rendering document.");
+ /* overflow */
+ return NULL;
+ }
+
++ bytes = height * rowstride;
++
+ pixels = g_try_malloc (bytes);
+ if (!pixels) {
+ g_warning("Failed to allocate memory for rendering.");
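Review bot: `INT_MAX` needs `<limits.h>` and this patch adds no include; unless tiff-document.c already pulls it in, the build fails, and GLib's `G_MAXINT` (available through the glib.h the file already uses for g_warning and g_try_malloc) avoids the question entirely. The division also assumes rowstride > 0 at this point, which should hold given the width checks earlier in the function (not visible in this hunk) but is worth confirming, since a zero rowstride would now trap instead of returning NULL. Minor: `>=` rejects the exact boundary height == INT_MAX / rowstride, whose product still fits in an int; harmless over-rejection, but `>` is the precise test.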
+@@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument *document,
+ if (width <= 0 || height <= 0)
+ return NULL;
+
+- rowstride = width * 4;
+- if (rowstride / 4 != width)
++ if (width >= INT_MAX / 4)
+ /* overflow */
+ return NULL;
+
+- bytes = height * rowstride;
+- if (bytes / rowstride != height)
++ rowstride = width * 4;
++
++ if (height >= INT_MAX / rowstride)
+ /* overflow */
+- return NULL;
++ return NULL;
++
++ bytes = height * rowstride;
+
+ pixels = g_try_malloc (bytes);
+ if (!pixels)
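Review bot: the `-`/`+` `return NULL;` pair near the end of this hunk is an indentation-only change; drop it to keep the stable patch minimal. More important, the patch file starts at `diff --git` with an `index` line and carries no DEP-3 headers at all (no Origin, Author, Bug or Applied-Upstream field, unlike the other two patches), so the provenance of this fix is not recorded; add at least an `Origin:` line pointing at the upstream commit and a `Bug:` line for CVE-2019-1010006. Both `INT_MAX` uses in this hunk share the `<limits.h>`/`G_MAXINT` question: the patch adds no include.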
diff -Nru atril-1.20.3/debian/patches/CVE-2019-11459.patch atril-1.20.3/debian/patches/CVE-2019-11459.patch
--- atril-1.20.3/debian/patches/CVE-2019-11459.patch 1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/CVE-2019-11459.patch 2019-12-16 10:30:41.000000000 +0100
@@ -0,0 +1,70 @@
+From 5ecffe6a75542fc4d82264c9b263fee5d25a84b1 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <vkareh@redhat.com>
+Date: Sun, 11 Aug 2019 05:20:09 +0300
+Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+This addresses CVE-2019-11459
+
+upstream commit:
+https://gitlab.gnome.org/GNOME/evince/commit/234f034a4
+---
+ backend/tiff/tiff-document.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -281,6 +281,15 @@
+ g_warning("Failed to allocate memory for rendering.");
+ return NULL;
+ }
++
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ orientation, 0)) {
++ g_warning ("Failed to read TIFF image.");
++ g_free (pixels);
++ return NULL;
++ }
+
+ surface = cairo_image_surface_create_for_data (pixels,
+ CAIRO_FORMAT_RGB24,
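Review bot: the new early return frees pixels and leaves the function without calling `pop_handlers ()`, which the original flow reached after the read and which the next hunk keeps in place; if TIFF error handlers are pushed at this point, they stay installed after a failed render. The malloc-failure return just above this hunk also skips it, so this may be the file's existing convention, but either confirm that or add `pop_handlers ();` before `g_free (pixels);`.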
+@@ -288,11 +297,6 @@
+ rowstride);
+ cairo_surface_set_user_data (surface, &key,
+ pixels, (cairo_destroy_func_t)g_free);
+-
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- orientation, 0);
+ pop_handlers ();
+
+ /* Convert the format returned by libtiff to
+@@ -372,14 +376,18 @@
+ pixels = g_try_malloc (bytes);
+ if (!pixels)
+ return NULL;
++
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ ORIENTATION_TOPLEFT, 0)) {
++ g_free (pixels);
++ return NULL;
++ }
+
+ pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8,
+ width, height, rowstride,
+ (GdkPixbufDestroyNotify) g_free, NULL);
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- ORIENTATION_TOPLEFT, 0);
+ pop_handlers ();
+
+ scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
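Review bot: this path returns NULL silently where the render path above logs `g_warning ("Failed to read TIFF image.")`; emit the same warning here so a failed thumbnail is diagnosable. Also, the buffer comes from `g_try_malloc` and the call passes 0 as libtiff's stop-on-error argument, so libtiff reports success even when individual strips fail to decode; the check therefore keeps uninitialized memory off the screen only when the whole read fails (the CVE-2019-11459 case). If partial decodes matter, pass 1 for stop-on-error or allocate with `g_try_malloc0`; the same applies to the render hunk above.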
diff -Nru atril-1.20.3/debian/patches/series atril-1.20.3/debian/patches/series
--- atril-1.20.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/series 2019-12-16 10:31:03.000000000 +0100
@@ -0,0 +1,3 @@
+0001_prevent_no_doc_segfault.patch
+0002_CVE-2019-1010006.patch
+CVE-2019-11459.patch
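Review bot: CVE-2019-11459.patch has no numeric prefix while the other two do, yet its hunk offsets (`@@ -281,6 +281,15 @@`, `@@ -372,14 +376,18 @@`) are relative to tiff-document.c after 0002_CVE-2019-1010006.patch has applied, so its position in series is load-bearing; naming it 0003_CVE-2019-11459.patch makes that ordering explicit and matches the convention used for the other entries.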