Dear maintainer, dear LTS team,

On 06.08.2016 at 15:59, Jonas Meurer wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of mupdf:
> https://security-tracker.debian.org/tracker/CVE-2016-6525
> [...]
>
> PS: I already started working on backporting the fix for CVE-2016-6525
> to the mupdf version in wheezy. Now I realized that in an earlier
> conversation you expressed interest to prepare packages for
> wheezy-security yourself. Back then, this was not necessary due to
> wheezy not being affected. I can take care of fixing CVE-2016-6525 in
> wheezy or leave it up to you - whatever you prefer.

Please find the debdiff for mupdf 0.9-2+deb7u3 attached to this mail. I backported the upstream patch[1] to the 0.9 codebase and tested basic functionality of the updated package.

If nobody objects, I'll upload mupdf 0.9-2+deb7u3 to wheezy-security tomorrow and send out the DLA afterwards.

Cheers,
 jonas

[1] http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
diff -Nru mupdf-0.9/debian/changelog mupdf-0.9/debian/changelog --- mupdf-0.9/debian/changelog 2014-06-04 16:46:48.000000000 +0200 +++ mupdf-0.9/debian/changelog 2016-08-06 16:13:17.000000000 +0200 @@ -1,3 +1,11 @@ +mupdf (0.9-2+deb7u3) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Backport fix for CVE-2016-6525: heap overflow in pdf_load_mesh_params() + from upstream git commit 39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e. + + -- Jonas Meurer <mejo@debian.org> Sat, 06 Aug 2016 16:13:05 +0200 + mupdf (0.9-2+deb7u2) wheezy-security; urgency=high * Fix header mismatch with libjpeg-dev. diff -Nru mupdf-0.9/debian/patches/CVE-2016-6525.patch mupdf-0.9/debian/patches/CVE-2016-6525.patch --- mupdf-0.9/debian/patches/CVE-2016-6525.patch 1970-01-01 01:00:00.000000000 +0100 +++ mupdf-0.9/debian/patches/CVE-2016-6525.patch 2016-08-06 16:17:29.000000000 +0200 
@@ -0,0 +1,43 @@ +From: Jonas Meurer <mejo@debian.org> +Date: Sat, 06 Aug 2016 13:26:23 +0200 +Subject: [PATCH] fix heap overflow in pdf_load_mesh_params() (CVE-2016-6525) + +pdf_load_mesh_params() reads more than FZ_MAX_COLORS values into mesh_params. +Limiting the number of allowed values to FZ_MAX_COLORS prevents a possible +buffer overflow. +This patch is backported from the upstream fix by Sebastian Rasmussen in git +commit 39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e. + +diff --git a/fitz/fitz.h b/fitz/fitz.h +index dff6b8d..a847e0e 100644 +--- a/fitz/fitz.h ++++ b/fitz/fitz.h +@@ -154,6 +154,15 @@ int fz_strlcat(char *dst, const char *src, int n); + /* Range checking atof */ + float fz_atof(const char *s); + ++/* ++ Backport standard math function fz_mini from mupdf 1.9a in ++ order to fix CVE-2016-6525 in pdf/pdf_shade.c:574. ++*/ ++static inline int fz_mini(int a, int b) ++{ ++ return (a < b ? a : b); ++} ++ + /* utf-8 encoding and decoding */ + int chartorune(int *rune, char *str); + int runetochar(char *str, int *rune); +diff --git a/pdf/pdf_shade.c b/pdf/pdf_shade.c +index 1e0bf5f..cdc8a9c 100644 +--- a/pdf/pdf_shade.c ++++ b/pdf/pdf_shade.c +@@ -571,7 +571,7 @@ pdf_load_mesh_params(pdf_xref *xref, fz_obj *dict, struct mesh_params *p) + obj = fz_dict_gets(dict, "Decode"); + if (fz_array_len(obj) >= 6) + { +- n = (fz_array_len(obj) - 4) / 2; ++ n = fz_mini(FZ_MAX_COLORS, (fz_array_len(obj) - 4) / 2); + p->x0 = fz_to_real(fz_array_get(obj, 0)); + p->x1 = fz_to_real(fz_array_get(obj, 1)); + p->y0 = fz_to_real(fz_array_get(obj, 2)); diff -Nru mupdf-0.9/debian/patches/series mupdf-0.9/debian/patches/series --- mupdf-0.9/debian/patches/series 2014-06-04 16:46:48.000000000 +0200 +++ mupdf-0.9/debian/patches/series 2016-08-06 13:22:21.000000000 +0200 @@ -1,3 +1,4 @@ CVE-2014-2013.patch bug621894.patch bug646350.patch +CVE-2016-6525.patch
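Review bot: the comment added in the fitz/fitz.h hunk of CVE-2016-6525.patch anchors the rationale to `pdf/pdf_shade.c:574`, a line number that drifts as soon as any other patch touches that file; refer to `pdf_load_mesh_params()` by name instead. Defining `fz_mini` as `static inline` in the header is the right call for a stable update since it adds no exported symbol, but the DEP-3 header of the patch carries the upstream commit only in free text; add an `Origin: backport, http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e` line so the provenance is machine-readable, and note there that `fz_mini` is new to 0.9 so a later backport does not add a second definition.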
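Review bot: the pdf/pdf_shade.c hunk, `n = fz_mini(FZ_MAX_COLORS, (fz_array_len(obj) - 4) / 2);`, silently truncates an oversized Decode array rather than rejecting it; that matches upstream, but the backport should confirm that every array in `struct mesh_params` that the 0.9 code indexes up to `n` really has `FZ_MAX_COLORS` elements (the patch description only asserts this for mesh_params as a whole), since 0.9 and 1.9a need not size them identically. The enclosing `if (fz_array_len(obj) >= 6)` keeps `n` at least 1, so no lower bound is needed; stating in the patch description that surplus Decode entries are ignored rather than treated as an error would make the intended behaviour explicit for the DLA text.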