Bug#703930: marked as done (unblock: poppler/0.18.4-6)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 25 Mar 2013 22:16:54 +0000
with message-id <1364249814.3284.3.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#703930: unblock: poppler/0.18.4-6
has caused the Debian Bug report #703930,
regarding unblock: poppler/0.18.4-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
703930: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703930
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: poppler/0.18.4-6
• From: Pino Toscano <pino@debian.org>
• Date: Mon, 25 Mar 2013 22:26:41 +0100
• Message-id: <[🔎] 20130325212641.28265.28688.reportbug@drak>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I just uploaded poppler/0.18.4-6 fixing CVE-2013-1788 and CVE-2013-1790
(#702071). Could you please unblock it?
(Also, I noticed during the upload to have left urgency=low, maybe
is it worth urgency=medium.)

unblock poppler/0.18.4-6

Thanks,
-- 
Pino

diff -Nru poppler-0.18.4/debian/changelog poppler-0.18.4/debian/changelog
--- poppler-0.18.4/debian/changelog	2013-01-31 15:20:54.000000000 +0100
+++ poppler-0.18.4/debian/changelog	2013-03-25 21:43:14.000000000 +0100
@@ -1,3 +1,18 @@
+poppler (0.18.4-6) unstable; urgency=low
+
+  * Backport upstream commits 0388837f01bc467045164f9ddaff787000a8caaa (patch
+    upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch),
+    8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 (adapted patch
+    upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch), and
+    e14b6e9c13d35c9bd1e0c50906ace8e707816888 (adapted patch
+    upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch) to fix
+    CVE-2013-1788.
+  * Backport upstream commit b1026b5978c385328f2a15a2185c599a563edf91 to fix
+    CVE-2013-1790 (patch upstream_Initialize-refLine-totally.patch).
+  * With the changes above, this upload closes: #702071.
+
+ -- Pino Toscano <pino@debian.org>  Mon, 25 Mar 2013 21:43:07 +0100
+
 poppler (0.18.4-5) unstable; urgency=low
 
   * Correctly initialize PSOutputDev::fontFileNameLen and
diff -Nru poppler-0.18.4/debian/patches/series poppler-0.18.4/debian/patches/series
--- poppler-0.18.4/debian/patches/series	2013-01-31 13:58:17.000000000 +0100
+++ poppler-0.18.4/debian/patches/series	2013-03-23 07:48:04.000000000 +0100
@@ -4,3 +4,7 @@
 upstream_Change-nnnnnn-to-number.patch
 upstream_fix-GooString-insert.diff
 psoutputdev-initialize-vars.diff
+upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch
+upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch
+upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch
+upstream_Initialize-refLine-totally.patch
diff -Nru poppler-0.18.4/debian/patches/upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch poppler-0.18.4/debian/patches/upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch
--- poppler-0.18.4/debian/patches/upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch	1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.18.4/debian/patches/upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch	2013-03-23 07:48:04.000000000 +0100
@@ -0,0 +1,40 @@
+From 0388837f01bc467045164f9ddaff787000a8caaa Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 10 Jan 2013 20:29:06 +0100
+Subject: [PATCH] Fix another invalid memory access in 1091.pdf.asan.72.42
+
+---
+ poppler/Stream.cc |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/poppler/Stream.cc b/poppler/Stream.cc
+index d118ddd..4cb3326 100644
+--- a/poppler/Stream.cc
++++ b/poppler/Stream.cc
+@@ -2132,7 +2132,8 @@ GBool CCITTFaxStream::isBinary(GBool last) {
+ 
+ // clip [-256,511] --> [0,255]
+ #define dctClipOffset 256
+-static Guchar dctClip[768];
++#define dctClipLength 768
++static Guchar dctClip[dctClipLength];
+ static int dctClipInit = 0;
+ 
+ // zig zag decode map
+@@ -3078,7 +3079,12 @@ void DCTStream::transformDataUnit(Gushort *quantTable,
+ 
+   // convert to 8-bit integers
+   for (i = 0; i < 64; ++i) {
+-    dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
++    const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
++    if (unlikely(ix < 0 || ix >= dctClipLength)) {
++      dataOut[i] = 0;
++    } else {
++      dataOut[i] = dctClip[ix];
++    }
+   }
+ }
+ 
+-- 
+1.7.10.4
+
diff -Nru poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch
--- poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch	1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch	2013-03-23 07:48:04.000000000 +0100
@@ -0,0 +1,27 @@
+From 8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 10 Jan 2013 22:31:52 +0100
+Subject: [PATCH] Fix invalid memory access in 1150.pdf.asan.8.69
+
+---
+ splash/Splash.cc |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/splash/Splash.cc
++++ b/splash/Splash.cc
+@@ -1521,11 +1521,14 @@ SplashPath *Splash::makeDashedPath(Splas
+   lineDashStartPhase -= (SplashCoord)i * lineDashTotal;
+   lineDashStartOn = gTrue;
+   lineDashStartIdx = 0;
+-  while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
++  while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+     lineDashStartOn = !lineDashStartOn;
+     lineDashStartPhase -= state->lineDash[lineDashStartIdx];
+     ++lineDashStartIdx;
+   }
++  if (unlikely(lineDashStartIdx == state->lineDashLength)) {
++    return new SplashPath();
++  }
+ 
+   dPath = new SplashPath();
+ 
diff -Nru poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch
--- poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch	1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch	2013-03-23 07:48:04.000000000 +0100
@@ -0,0 +1,31 @@
+From e14b6e9c13d35c9bd1e0c50906ace8e707816888 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 10 Jan 2013 20:52:02 +0100
+Subject: [PATCH] Fix invalid memory access in 2030.pdf.asan.69.463
+
+---
+ poppler/Function.cc |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/poppler/Function.cc
++++ b/poppler/Function.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2006 Jeff Muizelaar <jeff@infidigm.net>
+ // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
+ // Copyright (C) 2011 Andrea Canciani <ranma42@gmail.com>
+@@ -1002,6 +1002,10 @@ void PSStack::copy(int n) {
+     error(-1, "Stack underflow in PostScript function");
+     return;
+   }
++  if (unlikely(sp - n > psStackSize)) {
++    error(-1, "Stack underflow in PostScript function");
++    return;
++  }
+   if (!checkOverflow(n)) {
+     return;
+   }
diff -Nru poppler-0.18.4/debian/patches/upstream_Initialize-refLine-totally.patch poppler-0.18.4/debian/patches/upstream_Initialize-refLine-totally.patch
--- poppler-0.18.4/debian/patches/upstream_Initialize-refLine-totally.patch	1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.18.4/debian/patches/upstream_Initialize-refLine-totally.patch	2013-03-23 07:48:04.000000000 +0100
@@ -0,0 +1,24 @@
+From b1026b5978c385328f2a15a2185c599a563edf91 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 9 Jan 2013 22:17:09 +0100
+Subject: [PATCH] Initialize refLine totally
+
+Fixes uninitialized memory read in 1004.pdf.asan.7.3
+---
+ poppler/Stream.cc |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/poppler/Stream.cc
++++ b/poppler/Stream.cc
+@@ -1595,8 +1595,9 @@ int CCITTFaxStream::lookChar() {
+       for (i = 0; codingLine[i] < columns; ++i) {
+ 	refLine[i] = codingLine[i];
+       }
+-      refLine[i++] = columns;
+-      refLine[i] = columns;
++      for (; i < columns + 2; ++i) {
++	refLine[i] = columns;
++      }
+       codingLine[0] = 0;
+       a0i = 0;
+       b1i = 0;

--- End Message ---

--- Begin Message ---

• To: Pino Toscano <pino@debian.org>, 703930-done@bugs.debian.org
• Subject: Re: Bug#703930: unblock: poppler/0.18.4-6
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Mon, 25 Mar 2013 22:16:54 +0000
• Message-id: <1364249814.3284.3.camel@jacala.jungle.funky-badger.org>
• In-reply-to: <[🔎] 20130325212641.28265.28688.reportbug@drak>
• References: <[🔎] 20130325212641.28265.28688.reportbug@drak>

On Mon, 2013-03-25 at 22:26 +0100, Pino Toscano wrote:
> I just uploaded poppler/0.18.4-6 fixing CVE-2013-1788 and CVE-2013-1790
> (#702071). Could you please unblock it?
> (Also, I noticed during the upload to have left urgency=low, maybe
> is it worth urgency=medium.)

Yep, and yep. :)

Regards,

Adam

--- End Message ---