
Bug#700568: marked as done (pu: package poppler/0.12.4-1.2+squeeze1)



Your message dated Sat, 23 Feb 2013 11:56:55 +0000
with message-id <1361620615.20752.10.camel@jacala.jungle.funky-badger.org>
and subject line Closing p-u bugs included in point release
has caused the Debian Bug report #700568,
regarding pu: package poppler/0.12.4-1.2+squeeze1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
700568: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700568
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to upload a squeeze update for poppler, fixing three CVEs
(which were deemed minor, hence with no dsa), and a crasher bug and a
memory handling issue recently fixed in unstable (and wheezy).

The changes are:
* fix CVE-2010-0206:
  - patch straight from upstream
* fix CVE-2010-0207:
  - patch from upstream adapted to be API-/ABI-compatible, even though
    the functions were private
* fix CVE-2010-4653:
  - patch from upstream adapted to include Object.h instead of
    goo/GooLikely.h (non-existent in poppler 0.12.x)
- fix GooString::insert (#693817)
  - backport the fix
- fix two uninitialized vars in PSOutputDev (#699421)
  - backport the fix

I also added myself as uploader, as I did many months ago.

Let me know whether the proposed change seems okay, and I can upload to
stable.

Thanks,
-- 
Pino
diff -u poppler-0.12.4/debian/changelog poppler-0.12.4/debian/changelog
--- poppler-0.12.4/debian/changelog
+++ poppler-0.12.4/debian/changelog
@@ -1,3 +1,19 @@
+poppler (0.12.4-1.2+squeeze1) stable; urgency=low
+
+  * Add myself as uploader.
+  * Fix CVE-2010-0206.
+  * Fix CVE-2010-0207; patch adapted to be API-/ABI-compatible.
+  * Fix CVE-2010-4653; patch adapted to include object.h instead
+    of goo/GooLikely.h (non-existent in poppler 0.12.x).
+  * Backport upstream commits 7ba15d11e56175601104d125d5e4a47619c224bf and
+    55940e989701eb9118015e30f4f48eb654fa34c4 to fix GooString::insert;
+    patch upstream_fix-GooString-insert.diff. (Closes: #693817)
+  * Correctly initialize PSOutputDev::fontFileNameLen and
+    PSOutputDev::psFileNames; patch psoutputdev-initialize-vars.diff.
+    (Closes: #699421)
+
+ -- Pino Toscano <pino@debian.org>  Thu, 14 Feb 2013 13:05:25 +0100
+
 poppler (0.12.4-1.2) unstable; urgency=medium
 
   * Non-maintainer upload by the Security Team
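Review bot: the CVE-2010-4653 entry says `object.h`, but the header the patch actually adds (and the description in the cover mail) is `Object.h`; fix the case so the changelog matches the patch. The three CVE entries also name no patch file, unlike the two bug-fix entries below them; listing `05_CVE-2010-0206.patch`, `06_CVE-2010-0207.patch` and `07_CVE-2010-4653.patch` would make the entries consistent.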
diff -u poppler-0.12.4/debian/control poppler-0.12.4/debian/control
--- poppler-0.12.4/debian/control
+++ poppler-0.12.4/debian/control
@@ -4,7 +4,8 @@
 Maintainer: Loic Minier <lool@dooz.org>
 Uploaders: Josselin Mouette <joss@debian.org>,
            Dave Beckett <dajobe@debian.org>,
-           Ross Burton <ross@debian.org>
+           Ross Burton <ross@debian.org>,
+           Pino Toscano <pino@debian.org>
 Build-Depends: cdbs (>= 0.4.52),
                debhelper (>= 5),
                quilt,
diff -u poppler-0.12.4/debian/patches/series poppler-0.12.4/debian/patches/series
--- poppler-0.12.4/debian/patches/series
+++ poppler-0.12.4/debian/patches/series
@@ -4 +4,6 @@
-04_security.patch
\ No newline at end of file
+04_security.patch
+05_CVE-2010-0206.patch
+06_CVE-2010-0207.patch
+07_CVE-2010-4653.patch
+upstream_fix-GooString-insert.diff
+psoutputdev-initialize-vars.diff
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/psoutputdev-initialize-vars.diff
+++ poppler-0.12.4/debian/patches/psoutputdev-initialize-vars.diff
@@ -0,0 +1,41 @@
+Author: Pino Toscano <pino@debian.org>
+Description: initialize PSOutputDev::fontFileNameLen and PSOutputDev::psFileNames
+ Avoid crashing in ~PSOutputDev when the PSOutputDev instance is not "ok".
+Applied-Upstream: not-needed
+Last-Update: 2013-01-31
+Bug-Debian: http://bugs.debian.org/699421
+
+--- a/poppler/PSOutputDev.cc
++++ b/poppler/PSOutputDev.cc
+@@ -1012,6 +1012,7 @@ PSOutputDev::PSOutputDev(const char *fil
+   fontIDs = NULL;
+   fontFileIDs = NULL;
+   fontFileNames = NULL;
++  fontFileNameLen = 0;
+   font8Info = NULL;
+   font16Enc = NULL;
+   imgIDs = NULL;
+@@ -1022,6 +1023,7 @@ PSOutputDev::PSOutputDev(const char *fil
+   haveTextClip = gFalse;
+   haveCSPattern = gFalse;
+   t3String = NULL;
++  psFileNames = NULL;
+ 
+   forceRasterize = forceRasterizeA;
+ 
+@@ -1077,6 +1079,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
+   fontIDs = NULL;
+   fontFileIDs = NULL;
+   fontFileNames = NULL;
++  fontFileNameLen = 0;
+   font8Info = NULL;
+   font16Enc = NULL;
+   imgIDs = NULL;
+@@ -1087,6 +1090,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
+   haveTextClip = gFalse;
+   haveCSPattern = gFalse;
+   t3String = NULL;
++  psFileNames = NULL;
+ 
+   forceRasterize = forceRasterizeA;
+ 
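Review bot: the change itself is sound (both constructors now zero `fontFileNameLen` and `psFileNames` before anything can bail out, which is what the Description says the destructor crash needs), but `Applied-Upstream: not-needed` gives no reason. A one-line justification in the DEP-3 header (for example, that the constructors were restructured after 0.12.x, if that is the case) would save the next maintainer re-deriving why this is squeeze-only.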
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/05_CVE-2010-0206.patch
+++ poppler-0.12.4/debian/patches/05_CVE-2010-0206.patch
@@ -0,0 +1,56 @@
+From 30ea3ab8a1eecafb3366aef193910098fdb7ccc8 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 25 May 2010 23:07:56 +0100
+Subject: [PATCH] Fix crash when parsing pdf in bug 28170
+
+This code is a can of crashing worms :-7
+---
+ poppler/JBIG2Stream.cc |   23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index 97994bd..f16ad58 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -742,13 +742,18 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
+   Guint xx, yy;
+ 
+   slice = new JBIG2Bitmap(0, wA, hA);
+-  slice->clearToZero();
+-  for (yy = 0; yy < hA; ++yy) {
+-    for (xx = 0; xx < wA; ++xx) {
+-      if (getPixel(x + xx, y + yy)) {
+-	slice->setPixel(xx, yy);
++  if (slice->isOk()) {
++    slice->clearToZero();
++    for (yy = 0; yy < hA; ++yy) {
++      for (xx = 0; xx < wA; ++xx) {
++        if (getPixel(x + xx, y + yy)) {
++	  slice->setPixel(xx, yy);
++        }
+       }
+     }
++  } else {
++    delete slice;
++    slice = NULL;
+   }
+   return slice;
+ }
+@@ -3224,8 +3229,12 @@ void JBIG2Stream::readGenericRefinementRegionSeg(Guint segNum, GBool imm,
+ 
+   // store the region bitmap
+   } else {
+-    bitmap->setSegNum(segNum);
+-    segments->append(bitmap);
++    if (bitmap) {
++      bitmap->setSegNum(segNum);
++      segments->append(bitmap);
++    } else {
++      error(curStr->getPos(), "readGenericRefinementRegionSeg with null bitmap");
++    }
+   }
+ 
+   // delete the referenced bitmap
+-- 
+1.7.10
+
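Review bot: `JBIG2Bitmap::getSlice` can now return NULL, but the only caller adjusted here is `readGenericRefinementRegionSeg`; please check that every other caller of `getSlice` in the 0.12.x tree handles a NULL return, otherwise the crash moves rather than disappears. Also, this file is a raw `git format-patch` with no DEP-3 `Origin:`/`Bug:`/`Description:` block, unlike `06_CVE-2010-0207.patch` and the two backport diffs; adding `Origin: upstream, commit:30ea3ab8a1eecafb3366aef193910098fdb7ccc8` and the CVE reference would bring it in line.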
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/06_CVE-2010-0207.patch
+++ poppler-0.12.4/debian/patches/06_CVE-2010-0207.patch
@@ -0,0 +1,113 @@
+Author: Albert Astals Cid <aacid@kde.org>
+Author: Pino Toscano <pino@debian.org>
+Description: Do not follow loops blindly
+ Fixes CVE-2010-0207.
+ .
+ Patch modified by keeping the readXRef and refXRefTable versions without the
+ additional GooVector parameter to avoid breaking API and ABI, and using
+ operator[int] instead of at(int) with GooVector, as the former does not exist
+ in 0.12.x.
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=28172
+Applied-Upstream: commit:9eda6e8aaae412a9882141d1b5b8c7bf0c823c68
+Last-Update: 2012-06-27
+
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -15,7 +15,7 @@
+ //
+ // Copyright (C) 2005 Dan Sheridan <dan.sheridan@postman.org.uk>
+ // Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
+-// Copyright (C) 2006, 2008 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
+ // Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
+ // Copyright (C) 2009 Ilya Gorenbein <igorenbein@finjan.com>
+@@ -267,7 +267,8 @@ XRef::XRef(BaseStream *strA) {
+ 
+   // read the xref table
+   } else {
+-    while (readXRef(&pos)) ;
++    GooVector<Guint> followedXRefStm;
++    while (readXRef(&pos, &followedXRefStm)) ;
+ 
+     // if there was a problem with the xref table,
+     // try to reconstruct it
+@@ -347,6 +348,11 @@ Guint XRef::getStartXref() {
+ // Read one xref table section.  Also reads the associated trailer
+ // dictionary, and returns the prev pointer (if any).
+ GBool XRef::readXRef(Guint *pos) {
++  GooVector<Guint> followedXRefStm;
++  return readXRef(pos, &followedXRefStm);
++}
++
++GBool XRef::readXRef(Guint *pos, GooVector<Guint> *followedXRefStm) {
+   Parser *parser;
+   Object obj;
+   GBool more;
+@@ -362,7 +368,7 @@ GBool XRef::readXRef(Guint *pos) {
+   // parse an old-style xref table
+   if (obj.isCmd("xref")) {
+     obj.free();
+-    more = readXRefTable(parser, pos);
++    more = readXRefTable(parser, pos, followedXRefStm);
+ 
+   // parse an xref stream
+   } else if (obj.isInt()) {
+@@ -396,6 +402,11 @@ GBool XRef::readXRef(Guint *pos) {
+ }
+ 
+ GBool XRef::readXRefTable(Parser *parser, Guint *pos) {
++  GooVector<Guint> followedXRefStm;
++  return readXRefTable(parser, pos, &followedXRefStm);
++}
++
++GBool XRef::readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm) {
+   XRefEntry entry;
+   GBool more;
+   Object obj, obj2;
+@@ -509,7 +520,15 @@ GBool XRef::readXRefTable(Parser *parser
+   // check for an 'XRefStm' key
+   if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
+     pos2 = (Guint)obj2.getInt();
+-    readXRef(&pos2);
++    for (uint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i) {
++      if ((*followedXRefStm)[i] == pos2) {
++        ok = gFalse;
++      }
++    }
++    if (ok) {
++      followedXRefStm->push_back(pos2);
++      readXRef(&pos2, followedXRefStm);
++    }
+     if (!ok) {
+       obj2.free();
+       goto err1;
+--- a/poppler/XRef.h
++++ b/poppler/XRef.h
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
+-// Copyright (C) 2006, 2008 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
+ // Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
+ //
+@@ -31,6 +31,7 @@
+ #endif
+ 
+ #include "goo/gtypes.h"
++#include "goo/GooVector.h"
+ #include "Object.h"
+ 
+ class Dict;
+@@ -157,7 +158,9 @@ private:
+ 
+   Guint getStartXref();
+   GBool readXRef(Guint *pos);
++  GBool readXRef(Guint *pos, GooVector<Guint> *followedXRefStm);
+   GBool readXRefTable(Parser *parser, Guint *pos);
++  GBool readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm);
+   GBool readXRefStreamSection(Stream *xrefStr, int *w, int first, int n);
+   GBool readXRefStream(Stream *xrefStr, Guint *pos);
+   GBool constructXRef();
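Review bot: `uint` in `for (uint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i)` is not a standard C++ type (it is a glibc typedef from `<sys/types.h>`), so this may not build everywhere; `size_t` or the `Guint` the file already uses would be safer. In the Description, "using operator[int] instead of at(int) with GooVector, as the former does not exist in 0.12.x" says the opposite of what was done: it is `at(int)`, the latter, that is missing. Finally, the loop guard is only consulted for the `XRefStm` key in classic tables, while the `// parse an xref stream` branch of `readXRef` is left untouched; worth confirming that this is the full extent of the upstream fix referenced in `Applied-Upstream:`.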
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/upstream_fix-GooString-insert.diff
+++ poppler-0.12.4/debian/patches/upstream_fix-GooString-insert.diff
@@ -0,0 +1,24 @@
+Author: Pino Toscano <pino@kde.org>
+Description: fix GooString::insert
+Applied-Upstream: 0.21.3, commit:7ba15d11e56175601104d125d5e4a47619c224bf, commit:55940e989701eb9118015e30f4f48eb654fa34c4
+Last-Update: 2012-11-27
+Bug-Debian: http://bugs.debian.org/693817
+
+--- a/goo/GooString.cc
++++ b/goo/GooString.cc
+@@ -640,14 +640,12 @@ GooString *GooString::insert(int i, GooS
+ }
+ 
+ GooString *GooString::insert(int i, const char *str, int lengthA) {
+-  int j;
+   int prevLen = length;
+   if (CALC_STRING_LEN == lengthA)
+     lengthA = strlen(str);
+ 
+   resize(length + lengthA);
+-  for (j = prevLen; j >= i; --j)
+-    s[j+lengthA] = s[j];
++  memmove(s+i+lengthA, s+i, prevLen-i);
+   memcpy(s+i, str, lengthA);
+   return this;
+ }
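Review bot: the removed loop ran from `j = prevLen` down to `i`, so it moved `prevLen - i + 1` bytes, including the terminating NUL at `s[prevLen]`; the new `memmove(s+i+lengthA, s+i, prevLen-i)` moves one byte fewer, so the terminator at `s[prevLen + lengthA]` is only guaranteed if `resize()` writes it. Please confirm that `resize()` in 0.12.x does, or move `prevLen - i + 1` bytes. Minor: the `Author:` line uses pino@kde.org while the rest of the upload uses pino@debian.org.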
only in patch2:
unchanged:
--- poppler-0.12.4.orig/debian/patches/07_CVE-2010-4653.patch
+++ poppler-0.12.4/debian/patches/07_CVE-2010-4653.patch
@@ -0,0 +1,55 @@
+From cad66a7d25abdb6aa15f3aa94a35737b119b2659 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 2 Nov 2010 19:14:34 +0000
+Subject: [PATCH] Fix crash in broken documents
+
+mapLen = (code + 256) & ~255; can wrap and you end up with mapLen < code
+that is not what you wanted
+---
+ poppler/CharCodeToUnicode.cc |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/poppler/CharCodeToUnicode.cc b/poppler/CharCodeToUnicode.cc
+index 1835ddd..3cfa402 100644
+--- a/poppler/CharCodeToUnicode.cc
++++ b/poppler/CharCodeToUnicode.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008, 2009 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2007 Julien Rebetez <julienr@svn.gnome.org>
+ // Copyright (C) 2007 Koji Otani <sho@bbr.jp>
+ // Copyright (C) 2008 Michael Vrable <mvrable@cs.ucsd.edu>
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include "goo/gmem.h"
+ #include "goo/gfile.h"
++#include "Object.h"
+ #include "goo/GooString.h"
+ #include "Error.h"
+ #include "GlobalParams.h"
+@@ -366,10 +367,15 @@ void CharCodeToUnicode::addMapping(CharCode code, char *uStr, int n,
+   if (code >= mapLen) {
+     oldLen = mapLen;
+     mapLen = (code + 256) & ~255;
+-    map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
+-    for (i = oldLen; i < mapLen; ++i) {
+-      map[i] = 0;
+-    }
++    if (unlikely(code >= mapLen)) {
++      error(-1, "Illegal code value in CharCodeToUnicode::addMapping");
++      return;
++    } else {
++      map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
++      for (i = oldLen; i < mapLen; ++i) {
++        map[i] = 0;
++      }
++	}
+   }
+   if (n <= 4) {
+     if (sscanf(uStr, "%x", &u) != 1) {
+-- 
+1.7.10
+
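Review bot: `mapLen` is overwritten before the wrap check, so on the new error path the object is left with the wrapped `mapLen` (0 for a 32-bit unsigned `CharCode`, since `(code + 256) & ~255` collapses once the addition wraps) while `map` still holds `oldLen` entries; restore `mapLen = oldLen;` before the `return`, or compute the new size into a temporary and assign it only on success, so the existing mappings stay reachable and later `code >= mapLen` checks stay meaningful. Two smaller points: the added closing brace of the `else` block is indented with a tab where the surrounding code uses two spaces, and `#include "Object.h"` lands between the two `goo/` includes; placing it after `goo/GooString.h` keeps the grouping.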

--- End Message ---
--- Begin Message ---
Version: 6.0.7

Hi,

The package discussed in each of these bugs was added to stable as part
of today's point release.

Regards,

Adam

--- End Message ---
