Re: poppler / CVE-2019-9959
Brian May <bam@debian.org> writes:
> It appears if I can work out how to define SPLASH_CMYK for the build,
> then I can fix CVE-2019-10871 too. So I will investigate this
> possibility.
Updated patch.
diff -Nru poppler-0.26.5/debian/changelog poppler-0.26.5/debian/changelog
--- poppler-0.26.5/debian/changelog 2019-09-27 03:13:02.000000000 +1000
+++ poppler-0.26.5/debian/changelog 2019-10-14 17:24:52.000000000 +1100
@@ -1,3 +1,17 @@
+poppler (0.26.5-2+deb8u12) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2019-9959
+ JPXStream::init function doesn't check for negative values of
+ stream length, leading to an Integer Overflow, leading to large
+ memory request causing DOS.
+ * CVE-2019-10871
+ Fix heap-based buffer over-read in the function
+ PSOutputDev::checkPageSlice at PSOutputDev.cc by defining
+ SPLASH_CMYK in builds.
+
+ -- Brian May <bam@debian.org> Mon, 14 Oct 2019 17:24:52 +1100
+
poppler (0.26.5-2+deb8u11) jessie-security; urgency=medium
* Non-maintainer upload by the LTS Team.
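Review bot: the CVE-2019-10871 entry is the only record of why SPLASH_CMYK is being switched on, and there is no patch file or upstream reference for it anywhere in this upload; please add the upstream commit or bug URL to this entry so that the claim that the define resolves the PSOutputDev::checkPageSlice over-read can be verified later, rather than leaving a bare build flag in debian/rules as the sole trace.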
diff -Nru poppler-0.26.5/debian/patches/CVE-2019-9959.patch poppler-0.26.5/debian/patches/CVE-2019-9959.patch
--- poppler-0.26.5/debian/patches/CVE-2019-9959.patch 1970-01-01 10:00:00.000000000 +1000
+++ poppler-0.26.5/debian/patches/CVE-2019-9959.patch 2019-10-14 17:19:03.000000000 +1100
@@ -0,0 +1,21 @@
+From 68ef84e5968a4249c2162b839ca6d7975048a557 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 15 Jul 2019 23:24:22 +0200
+Subject: [PATCH] JPXStream::init: ignore dict Length if clearly broken
+
+Fixes issue #805
+---
+ poppler/JPEG2000Stream.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -72,7 +72,7 @@
+ if (getDict()) getDict()->lookup("Length", &oLen);
+
+ int bufSize = BUFFER_INITIAL_SIZE;
+- if (oLen.isInt()) bufSize = oLen.getInt();
++ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
+ oLen.free();
+
+
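Review bot: the new `oLen.getInt() > 0` test in the JPEG2000Stream.cc hunk only rejects zero and negative values, so a huge positive /Length still becomes bufSize and can still drive the large allocation the changelog says this upload prevents; if that is the goal, consider also clamping bufSize to a sane upper bound or to the amount of stream data actually available. Separately, the context line `oLen.free();` is the pre-0.58 Object API, so this is an adaptation of the upstream commit rather than the commit applying as-is; a `Origin: backport` or `Backported by:` line in the patch header would make that clear to the next person touching it.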
diff -Nru poppler-0.26.5/debian/patches/series poppler-0.26.5/debian/patches/series
--- poppler-0.26.5/debian/patches/series 2019-09-27 03:13:02.000000000 +1000
+++ poppler-0.26.5/debian/patches/series 2019-10-14 17:17:34.000000000 +1100
@@ -40,3 +40,4 @@
CVE-2018-21009.patch
CVE-2019-12493.patch
CVE-2018-20650.patch
+CVE-2019-9959.patch
diff -Nru poppler-0.26.5/debian/rules poppler-0.26.5/debian/rules
--- poppler-0.26.5/debian/rules 2019-03-09 05:09:06.000000000 +1100
+++ poppler-0.26.5/debian/rules 2019-10-14 17:24:52.000000000 +1100
@@ -19,6 +19,9 @@
# enable all the hardening options
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_CFLAGS_APPEND = -DSPLASH_CMYK
+export DEB_CXXFLAGS_APPEND = -DSPLASH_CMYK
+
# DEB_* variables
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
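Review bot: injecting `-DSPLASH_CMYK` through DEB_CFLAGS_APPEND / DEB_CXXFLAGS_APPEND needs two checks before upload. First, these variables only take effect if the build goes through dpkg-buildflags, so confirm from the build log that the define actually reaches the compiler for the Splash and PSOutputDev sources. Second, SPLASH_CMYK is a source-level feature switch rather than a pure bugfix define, so compare the exported symbols and relevant enum-sized types of the resulting libpoppler against the previous jessie build to make sure nothing that the security update ships changes the library ABI. If configure in 0.26.5 already exposes a switch for this mode, prefer passing that to configure over a raw CFLAGS define, and either way add a one-line comment above these two exports naming CVE-2019-10871, since debian/rules is far from the changelog.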
--
Brian May <bam@debian.org>