Bug#700568: pu: package poppler/0.12.4-1.2+squeeze1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I would like to upload a squeeze update for poppler, fixing three CVEs
(which were deemed minor, hence with no DSA), and a crasher bug and a
memory handling issue recently fixed in unstable (and wheezy).
The changes are:
* fix CVE-2010-0206:
  - patch straight from upstream
* fix CVE-2010-0207:
  - patch from upstream adapted to be API-/ABI-compatible, even though
    the functions were private
* fix CVE-2010-4653:
  - patch from upstream adapted to include Object.h instead of
    goo/GooLikely.h (non-existent in poppler 0.12.x)
* fix GooString::insert (#693817):
  - backport the fix
* fix two uninitialized vars in PSOutputDev (#699421):
  - backport the fix
I also added myself as uploader, as I did many months ago.
Let me know whether the proposed changes seem okay, and I can upload to
stable.
Thanks,
--
Pino
diff -u poppler-0.12.4/debian/changelog poppler-0.12.4/debian/changelog
--- poppler-0.12.4/debian/changelog
+++ poppler-0.12.4/debian/changelog
@@ -1,3 +1,19 @@
+poppler (0.12.4-1.2+squeeze1) stable; urgency=low
+
+ * Add myself as uploader.
+ * Fix CVE-2010-0206.
+ * Fix CVE-2010-0207; patch adapted to be API-/ABI-compatible.
+ * Fix CVE-2010-4653; patch adapted to include object.h instead
+ of goo/GooLikely.h (non-existent in poppler 0.12.x).
+ * Backport upstream commits 7ba15d11e56175601104d125d5e4a47619c224bf and
+ 55940e989701eb9118015e30f4f48eb654fa34c4 to fix GooString::insert;
+ patch upstream_fix-GooString-insert.diff. (Closes: #693817)
+ * Correctly initialize PSOutputDev::fontFileNameLen and
+ PSOutputDev::psFileNames; patch psoutputdev-initialize-vars.diff.
+ (Closes: #699421)
+
+ -- Pino Toscano <pino@debian.org> Thu, 14 Feb 2013 13:05:25 +0100
+
poppler (0.12.4-1.2) unstable; urgency=medium
* Non-maintainer upload by the Security Team
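Review bot: the CVE-2010-4653 entry says the patch includes "object.h", but the patch itself adds `#include "Object.h"` (poppler/Object.h, capital O) and the cover mail says Object.h too; fix the case in the changelog so the entry matches the patch. It would also help to name the patch file for each CVE (05_CVE-2010-0206.patch and so on) the way the last two entries do, so the changelog maps one-to-one onto debian/patches/series.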
diff -u poppler-0.12.4/debian/control poppler-0.12.4/debian/control
--- poppler-0.12.4/debian/control
+++ poppler-0.12.4/debian/control
@@ -4,7 +4,8 @@
Maintainer: Loic Minier <lool@dooz.org>
Uploaders: Josselin Mouette <joss@debian.org>,
Dave Beckett <dajobe@debian.org>,
- Ross Burton <ross@debian.org>
+ Ross Burton <ross@debian.org>,
+ Pino Toscano <pino@debian.org>
Build-Depends: cdbs (>= 0.4.52),
debhelper (>= 5),
quilt,
diff -u poppler-0.12.4/debian/patches/series poppler-0.12.4/debian/patches/series
--- poppler-0.12.4/debian/patches/series
+++ poppler-0.12.4/debian/patches/series
@@ -4 +4,6 @@
-04_security.patch
\ No newline at end of file
+04_security.patch
+05_CVE-2010-0206.patch
+06_CVE-2010-0207.patch
+07_CVE-2010-4653.patch
+upstream_fix-GooString-insert.diff
+psoutputdev-initialize-vars.diff
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/psoutputdev-initialize-vars.diff
+++ poppler-0.12.4/debian/patches/psoutputdev-initialize-vars.diff
@@ -0,0 +1,41 @@
+Author: Pino Toscano <pino@debian.org>
+Description: initialize PSOutputDev::fontFileNameLen and PSOutputDev::psFileNames
+ Avoid crashing in ~PSOutputDev when the PSOutputDev instance is not "ok".
+Applied-Upstream: not-needed
+Last-Update: 2013-01-31
+Bug-Debian: http://bugs.debian.org/699421
+
+--- a/poppler/PSOutputDev.cc
++++ b/poppler/PSOutputDev.cc
+@@ -1012,6 +1012,7 @@ PSOutputDev::PSOutputDev(const char *fil
+ fontIDs = NULL;
+ fontFileIDs = NULL;
+ fontFileNames = NULL;
++ fontFileNameLen = 0;
+ font8Info = NULL;
+ font16Enc = NULL;
+ imgIDs = NULL;
+@@ -1022,6 +1023,7 @@ PSOutputDev::PSOutputDev(const char *fil
+ haveTextClip = gFalse;
+ haveCSPattern = gFalse;
+ t3String = NULL;
++ psFileNames = NULL;
+
+ forceRasterize = forceRasterizeA;
+
+@@ -1077,6 +1079,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
+ fontIDs = NULL;
+ fontFileIDs = NULL;
+ fontFileNames = NULL;
++ fontFileNameLen = 0;
+ font8Info = NULL;
+ font16Enc = NULL;
+ imgIDs = NULL;
+@@ -1087,6 +1090,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
+ haveTextClip = gFalse;
+ haveCSPattern = gFalse;
+ t3String = NULL;
++ psFileNames = NULL;
+
+ forceRasterize = forceRasterizeA;
+
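Review bot: this fix only works if ~PSOutputDev bounds its walk over psFileNames by fontFileNameLen and treats a NULL psFileNames as empty; the destructor is not in the diff, so please confirm that nothing in 0.12.4's ~PSOutputDev dereferences psFileNames unconditionally (gfree(NULL) is fine, psFileNames[0] is not). Two smaller points: `Applied-Upstream: not-needed` should say why it is not needed (how current upstream initialises these members), otherwise a later updater cannot tell whether a real upstream commit should be cherry-picked instead; and since the same two assignments are duplicated across both constructors, a one-line remark in the Description that both constructors need it would save the next reader from wondering whether one copy is accidental.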
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/05_CVE-2010-0206.patch
+++ poppler-0.12.4/debian/patches/05_CVE-2010-0206.patch
@@ -0,0 +1,56 @@
+From 30ea3ab8a1eecafb3366aef193910098fdb7ccc8 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 25 May 2010 23:07:56 +0100
+Subject: [PATCH] Fix crash when parsing pdf in bug 28170
+
+This code is a can of crashing worms :-7
+---
+ poppler/JBIG2Stream.cc | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index 97994bd..f16ad58 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -742,13 +742,18 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
+ Guint xx, yy;
+
+ slice = new JBIG2Bitmap(0, wA, hA);
+- slice->clearToZero();
+- for (yy = 0; yy < hA; ++yy) {
+- for (xx = 0; xx < wA; ++xx) {
+- if (getPixel(x + xx, y + yy)) {
+- slice->setPixel(xx, yy);
++ if (slice->isOk()) {
++ slice->clearToZero();
++ for (yy = 0; yy < hA; ++yy) {
++ for (xx = 0; xx < wA; ++xx) {
++ if (getPixel(x + xx, y + yy)) {
++ slice->setPixel(xx, yy);
++ }
+ }
+ }
++ } else {
++ delete slice;
++ slice = NULL;
+ }
+ return slice;
+ }
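Review bot: getSlice() now returns NULL instead of a bitmap when the allocation is not ok, so every caller must handle NULL, and the only caller touched in this patch is readGenericRefinementRegionSeg in the next hunk. Check that the other getSlice() callers in 0.12.4's JBIG2Stream.cc (not shown here) already test for NULL, for example via 04_security.patch, or give them the same guard; otherwise the crash just moves from the allocation to the first use of the NULL slice. Also confirm JBIG2Bitmap::isOk() exists in 0.12.4, since the upstream commit was made against a newer tree; a missing method fails the build, which is the easy case, but worth a build test before upload.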
+@@ -3224,8 +3229,12 @@ void JBIG2Stream::readGenericRefinementRegionSeg(Guint segNum, GBool imm,
+
+ // store the region bitmap
+ } else {
+- bitmap->setSegNum(segNum);
+- segments->append(bitmap);
++ if (bitmap) {
++ bitmap->setSegNum(segNum);
++ segments->append(bitmap);
++ } else {
++ error(curStr->getPos(), "readGenericRefinementRegionSeg with null bitmap");
++ }
+ }
+
+ // delete the referenced bitmap
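Review bot: the NULL check covers only the "store the region bitmap" branch; if the immediate-region branch above it (outside the diff) also uses `bitmap`, it needs the same guard, so please check that branch in 0.12.4 as well. The error() call uses the error(int, const char *) form, which is the same 0.12.x signature 07_CVE-2010-4653.patch uses, so no adaptation is needed there.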
+--
+1.7.10
+
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/06_CVE-2010-0207.patch
+++ poppler-0.12.4/debian/patches/06_CVE-2010-0207.patch
@@ -0,0 +1,113 @@
+Author: Albert Astals Cid <aacid@kde.org>
+Author: Pino Toscano <pino@debian.org>
+Description: Do not follow loops blindly
+ Fixes CVE-2010-0207.
+ .
+ Patch modified by keeping the readXRef and refXRefTable versions without the
+ additional GooVector parameter to avoid breaking API and ABI, and using
+ operator[int] instead of at(int) with GooVector, as the former does not exist
+ in 0.12.x.
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=28172
+Applied-Upstream: commit:9eda6e8aaae412a9882141d1b5b8c7bf0c823c68
+Last-Update: 2012-06-27
+
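Review bot: the Description has it backwards: the patch uses operator[] because at() does not exist in 0.12.x's GooVector, so "as the former does not exist in 0.12.x" should read "as the latter does not exist in 0.12.x". Please fix the wording before upload, since this header is what the next person updating the package will read.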
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -15,7 +15,7 @@
+ //
+ // Copyright (C) 2005 Dan Sheridan <dan.sheridan@postman.org.uk>
+ // Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
+-// Copyright (C) 2006, 2008 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
+ // Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
+ // Copyright (C) 2009 Ilya Gorenbein <igorenbein@finjan.com>
+@@ -267,7 +267,8 @@ XRef::XRef(BaseStream *strA) {
+
+ // read the xref table
+ } else {
+- while (readXRef(&pos)) ;
++ GooVector<Guint> followedXRefStm;
++ while (readXRef(&pos, &followedXRefStm)) ;
+
+ // if there was a problem with the xref table,
+ // try to reconstruct it
+@@ -347,6 +348,11 @@ Guint XRef::getStartXref() {
+ // Read one xref table section. Also reads the associated trailer
+ // dictionary, and returns the prev pointer (if any).
+ GBool XRef::readXRef(Guint *pos) {
++ GooVector<Guint> followedXRefStm;
++ return readXRef(pos, &followedXRefStm);
++}
++
++GBool XRef::readXRef(Guint *pos, GooVector<Guint> *followedXRefStm) {
+ Parser *parser;
+ Object obj;
+ GBool more;
+@@ -362,7 +368,7 @@ GBool XRef::readXRef(Guint *pos) {
+ // parse an old-style xref table
+ if (obj.isCmd("xref")) {
+ obj.free();
+- more = readXRefTable(parser, pos);
++ more = readXRefTable(parser, pos, followedXRefStm);
+
+ // parse an xref stream
+ } else if (obj.isInt()) {
+@@ -396,6 +402,11 @@ GBool XRef::readXRef(Guint *pos) {
+ }
+
+ GBool XRef::readXRefTable(Parser *parser, Guint *pos) {
++ GooVector<Guint> followedXRefStm;
++ return readXRefTable(parser, pos, &followedXRefStm);
++}
++
++GBool XRef::readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm) {
+ XRefEntry entry;
+ GBool more;
+ Object obj, obj2;
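Review bot: the single-argument readXRef()/readXRefTable() wrappers are kept for ABI, but both are private non-virtual members, so adding overloads does not change the class layout or vtable; what removing the old ones would change is the set of exported symbols, which the symbols file would flag. Keeping them is therefore a reasonable precaution, but with the constructor now calling the two-argument version they are dead code inside libpoppler, so a sentence in the Description saying they are kept purely for symbol compatibility would stop a later updater from looking for their callers.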
+@@ -509,7 +520,15 @@ GBool XRef::readXRefTable(Parser *parser
+ // check for an 'XRefStm' key
+ if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
+ pos2 = (Guint)obj2.getInt();
+- readXRef(&pos2);
++ for (uint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i) {
++ if ((*followedXRefStm)[i] == pos2) {
++ ok = gFalse;
++ }
++ }
++ if (ok) {
++ followedXRefStm->push_back(pos2);
++ readXRef(&pos2, followedXRefStm);
++ }
+ if (!ok) {
+ obj2.free();
+ goto err1;
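Review bot: `uint` in the for loop is not a standard C++ type (it comes from <sys/types.h> on glibc and the BSDs); the rest of this file uses Guint, so `for (Guint i = 0; ...` keeps the build portable without changing behaviour. Two things to be aware of rather than to change: the guard only records XRefStm offsets, so a cycle through /Prev pointers is not detected by this vector and relies on whatever 0.12.4 already does for /Prev, which is not visible in this diff; and the linear scan makes the check quadratic in the number of XRefStm entries followed, fine for real files but worth knowing when reasoning about crafted input.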
+--- a/poppler/XRef.h
++++ b/poppler/XRef.h
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
+-// Copyright (C) 2006, 2008 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
+ // Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
+ //
+@@ -31,6 +31,7 @@
+ #endif
+
+ #include "goo/gtypes.h"
++#include "goo/GooVector.h"
+ #include "Object.h"
+
+ class Dict;
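Review bot: if XRef.h is among the headers the -dev package installs, adding `#include "goo/GooVector.h"` here makes every consumer of XRef.h need goo/GooVector.h too; either check that the -dev package ships that header, or sidestep the question with a forward declaration `template<typename T> class GooVector;` in XRef.h and the include moved to XRef.cc, since the new declarations only take a GooVector<Guint> pointer.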
+@@ -157,7 +158,9 @@ private:
+
+ Guint getStartXref();
+ GBool readXRef(Guint *pos);
++ GBool readXRef(Guint *pos, GooVector<Guint> *followedXRefStm);
+ GBool readXRefTable(Parser *parser, Guint *pos);
++ GBool readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm);
+ GBool readXRefStreamSection(Stream *xrefStr, int *w, int first, int n);
+ GBool readXRefStream(Stream *xrefStr, Guint *pos);
+ GBool constructXRef();
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/upstream_fix-GooString-insert.diff
+++ poppler-0.12.4/debian/patches/upstream_fix-GooString-insert.diff
@@ -0,0 +1,24 @@
+Author: Pino Toscano <pino@kde.org>
+Description: fix GooString::insert
+Applied-Upstream: 0.21.3, commit:7ba15d11e56175601104d125d5e4a47619c224bf, commit:55940e989701eb9118015e30f4f48eb654fa34c4
+Last-Update: 2012-11-27
+Bug-Debian: http://bugs.debian.org/693817
+
+--- a/goo/GooString.cc
++++ b/goo/GooString.cc
+@@ -640,14 +640,12 @@ GooString *GooString::insert(int i, GooS
+ }
+
+ GooString *GooString::insert(int i, const char *str, int lengthA) {
+- int j;
+ int prevLen = length;
+ if (CALC_STRING_LEN == lengthA)
+ lengthA = strlen(str);
+
+ resize(length + lengthA);
+- for (j = prevLen; j >= i; --j)
+- s[j+lengthA] = s[j];
++ memmove(s+i+lengthA, s+i, prevLen-i);
+ memcpy(s+i, str, lengthA);
+ return this;
+ }
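Review bot: `memmove(s+i+lengthA, s+i, prevLen-i)` assumes 0 <= i <= prevLen; for i > prevLen the length argument wraps to a huge size_t and memmove runs off the buffer, whereas the old loop did nothing in that case (its condition j >= i is false from the start). For a stable backport an early return or clamp for i < 0 || i > prevLen before the resize() is cheap insurance unless all callers in 0.12.4 are known to pass valid positions. Also note that the old loop moved the terminating NUL at s[prevLen] along with the data, while memmove copies only prevLen-i bytes, so the result relies on resize() writing the terminator at the new length; the header lists two upstream commits but does not say what the second one changes, so please confirm the terminator is handled in 0.12.4's GooString::resize or by the second commit.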
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/07_CVE-2010-4653.patch
+++ poppler-0.12.4/debian/patches/07_CVE-2010-4653.patch
@@ -0,0 +1,55 @@
+From cad66a7d25abdb6aa15f3aa94a35737b119b2659 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 2 Nov 2010 19:14:34 +0000
+Subject: [PATCH] Fix crash in broken documents
+
+mapLen = (code + 256) & ~255; can wrap and you end up with mapLen < code
+that is not what you wanted
+---
+ poppler/CharCodeToUnicode.cc | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/poppler/CharCodeToUnicode.cc b/poppler/CharCodeToUnicode.cc
+index 1835ddd..3cfa402 100644
+--- a/poppler/CharCodeToUnicode.cc
++++ b/poppler/CharCodeToUnicode.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008, 2009 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2007 Julien Rebetez <julienr@svn.gnome.org>
+ // Copyright (C) 2007 Koji Otani <sho@bbr.jp>
+ // Copyright (C) 2008 Michael Vrable <mvrable@cs.ucsd.edu>
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include "goo/gmem.h"
+ #include "goo/gfile.h"
++#include "Object.h"
+ #include "goo/GooString.h"
+ #include "Error.h"
+ #include "GlobalParams.h"
+@@ -366,10 +367,15 @@ void CharCodeToUnicode::addMapping(CharCode code, char *uStr, int n,
+ if (code >= mapLen) {
+ oldLen = mapLen;
+ mapLen = (code + 256) & ~255;
+- map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
+- for (i = oldLen; i < mapLen; ++i) {
+- map[i] = 0;
+- }
++ if (unlikely(code >= mapLen)) {
++ error(-1, "Illegal code value in CharCodeToUnicode::addMapping");
++ return;
++ } else {
++ map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
++ for (i = oldLen; i < mapLen; ++i) {
++ map[i] = 0;
++ }
++ }
+ }
+ if (n <= 4) {
+ if (sscanf(uStr, "%x", &u) != 1) {
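Review bot: on the error path mapLen has already been overwritten with the wrapped value while `map` still holds oldLen entries, so after the return mapLen no longer describes the buffer: lookups bounded by mapLen lose the mappings between the wrapped value and oldLen, and the next addMapping() with a small code takes oldLen from the wrong base and zeroes entries that were already filled. Restore it before returning (`mapLen = oldLen;`) or compute the new size into a temporary and assign mapLen only once the check passes. The check itself is right: with CharCode a 32-bit unsigned type, (code + 256) & ~255 wraps for code >= 0xFFFFFF00, and `code >= mapLen` after the wrap is exactly the condition the commit message describes.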
+--
+1.7.10
+