
Re: Wheezy update of mupdf?



Dear maintainer, dear LTS team,

On 06.08.2016 at 15:59, Jonas Meurer wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of mupdf:
> https://security-tracker.debian.org/tracker/CVE-2016-6525
> [...]
> 
> PS: I already started working on backporting the fix for CVE-2016-6525
> to the mupdf version in wheezy. Now I realized, that in an earlier
> conversation you expressed interest to prepare packages for
> wheezy-security yourself. Back then, this was not necessary due to
> wheezy not being affected. I can take care of fixing CVE-2016-6525 in
> wheezy or leave it up to you - whatever you prefer.

Please find the debdiff for mupdf 0.9-2+deb7u3 attached to this mail. I
backported the upstream patch[1] to the 0.9 codebase and tested basic
functionality of the updated package.

If nobody objects, I'll upload mupdf 0.9-2+deb7u3 to wheezy-security
tomorrow and send out the DLA afterwards.

Cheers,
 jonas

[1] http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
diff -Nru mupdf-0.9/debian/changelog mupdf-0.9/debian/changelog
--- mupdf-0.9/debian/changelog	2014-06-04 16:46:48.000000000 +0200
+++ mupdf-0.9/debian/changelog	2016-08-06 16:13:17.000000000 +0200
@@ -1,3 +1,11 @@
+mupdf (0.9-2+deb7u3) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Backport fix for CVE-2016-6525: heap overflow in pdf_load_mesh_params()
+    from upstream git commit 39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e.
+
+ -- Jonas Meurer <mejo@debian.org>  Sat, 06 Aug 2016 16:13:05 +0200
+
 mupdf (0.9-2+deb7u2) wheezy-security; urgency=high
 
   * Fix header mismatch with libjpeg-dev.
diff -Nru mupdf-0.9/debian/patches/CVE-2016-6525.patch mupdf-0.9/debian/patches/CVE-2016-6525.patch
--- mupdf-0.9/debian/patches/CVE-2016-6525.patch	1970-01-01 01:00:00.000000000 +0100
+++ mupdf-0.9/debian/patches/CVE-2016-6525.patch	2016-08-06 16:17:29.000000000 +0200
@@ -0,0 +1,43 @@
+From: Jonas Meurer <mejo@debian.org>
+Date: Sat, 06 Aug 2016 13:26:23 +0200
+Subject: [PATCH] fix heap overflow in pdf_load_mesh_params() (CVE-2016-6525)
+
+pdf_load_mesh_params() reads more than FZ_MAX_COLORS values into mesh_params.
+Limiting the number of allowed values to FZ_MAX_COLORS prevents a possible
+buffer overflow.
+This patch is backported from the upstream fix by Sebastian Rasmussen in git
+commit 39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e.
+
+diff --git a/fitz/fitz.h b/fitz/fitz.h
+index dff6b8d..a847e0e 100644
+--- a/fitz/fitz.h
++++ b/fitz/fitz.h
+@@ -154,6 +154,15 @@ int fz_strlcat(char *dst, const char *src, int n);
+ /* Range checking atof */
+ float fz_atof(const char *s);
+ 
++/*
++	Backport standard math function fz_mini from mupdf 1.9a in
++	order to fix CVE-2016-6525 in pdf/pdf_shade.c:574.
++*/
++static inline int fz_mini(int a, int b)
++{
++	return (a < b ? a : b);
++}
++
+ /* utf-8 encoding and decoding */
+ int chartorune(int *rune, char *str);
+ int runetochar(char *str, int *rune);
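Review bot: the comment on the new fz_mini() pins the fix to "pdf/pdf_shade.c:574", a line number that drifts with every other patch in the series; refer to the function instead ("pdf_load_mesh_params() in pdf/pdf_shade.c") so the comment stays accurate. Dropping a min helper between the "Range checking atof" block and the utf-8 routines also reads oddly; a short heading such as `/* min/max helpers */` would make fitz.h easier to scan. Because fitz.h is the installed public header, the static inline is harmless to the ABI but does add a name to the API surface, which is fine for a security update provided no in-tree code already defines its own fz_mini.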
+diff --git a/pdf/pdf_shade.c b/pdf/pdf_shade.c
+index 1e0bf5f..cdc8a9c 100644
+--- a/pdf/pdf_shade.c
++++ b/pdf/pdf_shade.c
+@@ -571,7 +571,7 @@ pdf_load_mesh_params(pdf_xref *xref, fz_obj *dict, struct mesh_params *p)
+ 	obj = fz_dict_gets(dict, "Decode");
+ 	if (fz_array_len(obj) >= 6)
+ 	{
+-		n = (fz_array_len(obj) - 4) / 2;
++		n = fz_mini(FZ_MAX_COLORS, (fz_array_len(obj) - 4) / 2);
+ 		p->x0 = fz_to_real(fz_array_get(obj, 0));
+ 		p->x1 = fz_to_real(fz_array_get(obj, 1));
+ 		p->y0 = fz_to_real(fz_array_get(obj, 2));
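Review bot: the clamp stops the overflow but silently discards any Decode entries beyond FZ_MAX_COLORS pairs, so a malformed or malicious shading dictionary is accepted without a trace; consider warning when the unclamped count exceeds the limit, e.g. `if ((fz_array_len(obj) - 4) / 2 > FZ_MAX_COLORS) fz_warn("too many components in mesh Decode array");`, so that truncation shows up when someone debugs rendering differences later. The loop that fills the per-component arrays from n lies below the three context lines shown here; confirm that every later use of n, of the Decode array and of the component arrays in this function is indexed by the clamped value, since the hunk itself only proves the assignment is clamped.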
diff -Nru mupdf-0.9/debian/patches/series mupdf-0.9/debian/patches/series
--- mupdf-0.9/debian/patches/series	2014-06-04 16:46:48.000000000 +0200
+++ mupdf-0.9/debian/patches/series	2016-08-06 13:22:21.000000000 +0200
@@ -1,3 +1,4 @@
 CVE-2014-2013.patch
 bug621894.patch
 bug646350.patch
+CVE-2016-6525.patch
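Added example, not part of the mail above and not code from the mupdf tree: a stand-alone C model of the Decode-array handling in pdf_load_mesh_params() before and after the CVE-2016-6525 fix, showing why an attacker-chosen Decode length produces an out-of-bounds component count and how the fz_mini() clamp bounds it. The struct layout, the FZ_MAX_COLORS value of 32 and the shape of the c0/c1 fill loop are assumptions about the 0.9 code drawn from the patch description, not from code on this page; the unchecked path only computes the oversized count and never performs the overflowing write.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value: mupdf's fitz.h defines FZ_MAX_COLORS as 32. */
#define FZ_MAX_COLORS 32

/* Stand-in for mupdf's struct mesh_params (assumed layout; the real struct
 * also carries bits-per-coordinate fields that do not matter here). */
struct mesh_params {
    float x0, x1, y0, y1;
    float c0[FZ_MAX_COLORS];
    float c1[FZ_MAX_COLORS];
};

/* Same helper the backport adds to fitz.h. */
static inline int fz_mini(int a, int b) { return a < b ? a : b; }

/* Pre-fix arithmetic: the component count comes straight from the
 * attacker-controlled Decode array length, so it can exceed FZ_MAX_COLORS. */
int mesh_ncomp_unchecked(int decode_len)
{
    return (decode_len - 4) / 2;
}

/* Post-fix arithmetic from the pdf_shade.c hunk: clamp to the array size. */
int mesh_ncomp_fixed(int decode_len)
{
    return fz_mini(FZ_MAX_COLORS, mesh_ncomp_unchecked(decode_len));
}

/* Hardened loader. Returns the number of colour pairs stored (0 when the
 * array is shorter than the 6 entries the ">= 6" guard requires) and sets
 * *truncated when the clamp dropped entries, so a caller can warn about it. */
int load_decode(const float *decode, int decode_len,
                struct mesh_params *p, int *truncated)
{
    memset(p, 0, sizeof *p);
    *truncated = 0;
    if (decode_len < 6)
        return 0;

    int n = mesh_ncomp_fixed(decode_len);
    if (mesh_ncomp_unchecked(decode_len) > n)
        *truncated = 1;

    p->x0 = decode[0]; p->x1 = decode[1];
    p->y0 = decode[2]; p->y1 = decode[3];
    for (int i = 0; i < n; i++) {   /* i < n <= FZ_MAX_COLORS: always in bounds */
        p->c0[i] = decode[4 + i * 2];
        p->c1[i] = decode[5 + i * 2];
    }
    return n;
}

/* Constructed test input: x/y bounds followed by 'pairs' colour ranges.
 * Returns the array length, or -1 if 'cap' is too small to hold it. */
int make_decode(float *out, int cap, int pairs)
{
    int len = 4 + 2 * pairs;
    if (len > cap)
        return -1;
    out[0] = 0; out[1] = 1; out[2] = 0; out[3] = 1;
    for (int i = 0; i < pairs; i++) {
        out[4 + 2 * i] = (float)i;
        out[5 + 2 * i] = (float)i + 0.5f;
    }
    return len;
}

/* Scenario helpers: load a constructed Decode array with 'pairs' ranges. */
static int run_scenario(int pairs, int *truncated)
{
    float decode[256];
    struct mesh_params p;
    int len = make_decode(decode, 256, pairs);
    if (len < 0)
        return -1;
    return load_decode(decode, len, &p, truncated);
}

int scenario_count(int pairs)
{
    int t;
    return run_scenario(pairs, &t);
}

int scenario_truncated(int pairs)
{
    int t = 0;
    run_scenario(pairs, &t);
    return t;
}

int main(void)
{
    int pairs[] = { 1, 32, 33, 50 };
    for (int k = 0; k < 4; k++) {
        int len = 4 + 2 * pairs[k];
        printf("Decode len %3d: unchecked n=%2d  fixed n=%2d  truncated=%d\n",
               len, mesh_ncomp_unchecked(len), mesh_ncomp_fixed(len),
               scenario_truncated(pairs[k]));
    }
    return 0;
}
```

A Decode array of 104 entries yields an unchecked count of 50, which the pre-fix loop would use to write past the 32-element c0/c1 arrays; the clamped path stores 32 pairs and reports the truncation, which is the hook a warning would hang on.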
