
Bug#855356: marked as done (unblock: mupdf/1.9a+ds1-3)



Your message dated Fri, 17 Feb 2017 06:45:00 +0000
with message-id <e8fd16f7-b12d-98c7-624a-987dbf943ece@thykier.net>
and subject line Re: Bug#855356: unblock: mupdf/1.9a+ds1-3
has caused the Debian Bug report #855356,
regarding unblock: mupdf/1.9a+ds1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
855356: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855356
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mupdf

Security fixes

   * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
   * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()

unblock mupdf/1.9a+ds1-3

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mupdf-1.9a+ds1/debian/changelog mupdf-1.9a+ds1/debian/changelog
--- mupdf-1.9a+ds1/debian/changelog	2016-11-15 00:07:55.000000000 +0800
+++ mupdf-1.9a+ds1/debian/changelog	2017-02-16 23:43:55.000000000 +0800
@@ -1,3 +1,10 @@
+mupdf (1.9a+ds1-3) unstable; urgency=high
+
+  * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
+  * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()
+
+ -- Kan-Ru Chen (陳侃如) <koster@debian.org>  Thu, 16 Feb 2017 23:43:55 +0800
+
 mupdf (1.9a+ds1-2) unstable; urgency=medium
 
   * Acknowledge NMU.
diff -Nru mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch
--- mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch	2016-11-14 23:56:43.000000000 +0800
+++ mupdf-1.9a+ds1/debian/patches/0008-CVE-2016-8674.patch	2017-02-16 23:43:55.000000000 +0800
@@ -1,10 +1,6 @@
-From: Kan-Ru Chen <koster@debian.org>
-Date: Mon, 14 Nov 2016 23:55:28 +0800
-Subject: CVE-2016-8674
-
 From: Robin Watts <robin.watts@artifex.com>
 Date: Thu, 22 Sep 2016 13:44:45 +0100
-Subject: [PATCH] Bug 697015: Avoid object references vanishing during repair.
+Subject: Bug 697015: Avoid object references vanishing during repair.
 
 A PDF repair can be triggered 'just in time', when we encounter
 a problem in the file. The idea is that this can happen without
diff -Nru mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch
--- mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch	1970-01-01 08:00:00.000000000 +0800
+++ mupdf-1.9a+ds1/debian/patches/0009-CVE-2017-5896.patch	2017-02-16 23:43:55.000000000 +0800
@@ -0,0 +1,47 @@
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 9 Feb 2017 07:12:16 -0800
+Subject: bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+---
+ source/fitz/pixmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
+index 6897fe3..66eb2b2 100644
+--- a/source/fitz/pixmap.c
++++ b/source/fitz/pixmap.c
+@@ -1420,6 +1420,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ 	"ldr	r4, [r13,#4*22]		@ r4 = divXY			\n"
+ 	"ldr	r5, [r13,#4*11]		@ for (nn = n; nn > 0; n--) {	\n"
++	"ldr	r8, [r13,#4*17]		@ r8 = back4			\n"
+ 	"18:				@				\n"
+ 	"mov	r14,#0			@ r14= v = 0			\n"
+ 	"sub	r5, r5, r1, LSL #8	@ for (xx = x; xx > 0; x--) {	\n"
+@@ -1436,7 +1437,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ 	"mul	r14,r4, r14		@ r14= v *= divX		\n"
+ 	"mov	r14,r14,LSR #16		@ r14= v >>= 16			\n"
+ 	"strb	r14,[r9], #1		@ *d++ = r14			\n"
+-	"sub	r0, r0, r8		@ s -= back2			\n"
++	"sub	r0, r0, r8		@ s -= back4			\n"
+ 	"subs	r5, r5, #1		@ n--				\n"
+ 	"bgt	18b			@ }				\n"
+ 	"21:				@				\n"
+@@ -1562,6 +1563,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 		x += f;
+ 		if (x > 0)
+ 		{
++			int back4 = x * n - 1;
+ 			div = x * y;
+ 			for (nn = n; nn > 0; nn--)
+ 			{
+@@ -1576,7 +1578,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ 					s -= back5;
+ 				}
+ 				*d++ = v / div;
+-				s -= back2;
++				s -= back4;
+ 			}
+ 		}
+ 	}
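Review bot: The ARM inline-assembly half of this fix (the new `ldr r8, [r13,#4*17]` before label 18 and the relabelled `s -= back4`) only compiles on ARM, and the reporter's system information on this page shows an amd64 build, so nothing here shows that path was exercised; since the new load overwrites r8 before the loop starts, a build on armhf/armel against the #854734 reproducer is the check worth asking for before the unblock. The C fallback change is self-contained: `int back4 = x * n - 1;` steps back by the partial block's real width x instead of reusing `back2` (computed outside the hunk), which is what the commit message's "pointer arithmetic" remark refers to. Separately, the changelog entry on this page calls CVE-2017-5896 a use-after-free while the embedded upstream commit says "Fix out of bounds read" and the change is a pointer-arithmetic correction, so the upstream wording is the accurate one for advisory text. `fz_subsample_pixmap` and its ARM helper both start and end outside the hunk.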
diff -Nru mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch
--- mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch	1970-01-01 08:00:00.000000000 +0800
+++ mupdf-1.9a+ds1/debian/patches/0010-CVE-2017-5991.patch	2017-02-16 23:43:55.000000000 +0800
@@ -0,0 +1,84 @@
+From: Robin Watts <robin.watts@artifex.com>
+Date: Thu, 16 Feb 2017 23:28:37 +0800
+Subject: Bug 697500: Fix NULL ptr access.
+
+Cope better with errors during rendering - avoid letting the
+gstate stack get out of sync.
+
+This avoids us ever getting into the situation of popping
+a clip when we should be popping a mask or a group. This was
+causing an unexpected case in the painting.
+---
+ source/pdf/pdf-op-run.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
+index 593afe2..9c0d0c8 100644
+--- a/source/pdf/pdf-op-run.c
++++ b/source/pdf/pdf-op-run.c
+@@ -1201,6 +1201,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 	pdf_run_processor *pr = (pdf_run_processor *)proc;
+ 	pdf_gstate *gstate = NULL;
+ 	int oldtop = 0;
++	int oldbot = -1;
+ 	fz_matrix local_transform = *transform;
+ 	softmask_save softmask = { NULL };
+ 	int gparent_save;
+@@ -1216,6 +1217,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 	fz_var(cleanup_state);
+ 	fz_var(gstate);
+ 	fz_var(oldtop);
++	fz_var(oldbot);
+ 
+ 	gparent_save = pr->gparent;
+ 	pr->gparent = pr->gtop;
+@@ -1225,7 +1227,6 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 		pdf_gsave(ctx, pr);
+ 
+ 		gstate = pr->gstate + pr->gtop;
+-		oldtop = pr->gtop;
+ 
+ 		/* apply xobject's transform matrix */
+ 		fz_concat(&local_transform, &xobj->matrix, &local_transform);
+@@ -1276,12 +1277,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 		if (!resources)
+ 			resources = page_resources;
+ 
++		oldbot = pr->gbot;
++		pr->gbot = pr->gtop;
++
+ 		pdf_process_contents(ctx, (pdf_processor*)pr, xobj->document, resources, xobj->contents, NULL);
+ 	}
+ 	fz_always(ctx)
+ 	{
++		/* Undo any gstate mismatches due to the pdf_process_contents call */
++		if (oldbot != -1)
++		{
++			while (pr->gtop > pr->gbot)
++			{
++				pdf_grestore(ctx, pr);
++			}
++			pr->gbot = oldbot;
++		}
++
+ 		if (cleanup_state >= 3)
+-			pdf_grestore(ctx, pr); /* Remove the clippath */
++			pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
+ 
+ 		/* wrap up transparency stacks */
+ 		if (xobj->transparency)
+@@ -1315,13 +1329,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
+ 		pr->gstate[pr->gparent].ctm = gparent_save_ctm;
+ 		pr->gparent = gparent_save;
+ 
+-		if (gstate)
+-		{
+-			while (oldtop < pr->gtop)
+-				pdf_grestore(ctx, pr);
+-
++		while (oldtop < pr->gtop)
+ 			pdf_grestore(ctx, pr);
+-		}
+ 
+ 		pdf_unmark_obj(ctx, xobj->me);
+ 	}
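Review bot: This hunk deletes the only assignment to `oldtop` visible on the page (`oldtop = pr->gtop;` after `pdf_gsave`), and the three lines between the second and third hunks (old 1222-1224) are not shown; if 1.9a does not already set `oldtop = pr->gtop;` before `fz_try`, `oldtop` keeps its initializer 0 and the final `while (oldtop < pr->gtop) pdf_grestore(ctx, pr);` would keep popping below the xobject's own level into states the calling content stream pushed (bounded only by whatever underflow guard `pdf_grestore` has), so please confirm that line exists in the 1.9a source or add it right after `pr->gparent = pr->gtop;`. The new `oldbot`/`pr->gbot = pr->gtop;` bookkeeping is otherwise consistent: the always-block restores down to `gbot` and resets it before the clip-path and transparency teardown run. Provenance: the patch's `From:` names Robin Watts but its `Date:` carries +0800, matching the changelog signature rather than the -0800 on the 0009 patch from the same author, which suggests it was re-created rather than exported from the upstream commit; a DEP-3 `Origin: upstream, <commit URL>` line would let the release team diff it against upstream. `pdf_run_xobject` starts and ends outside the hunk.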
diff -Nru mupdf-1.9a+ds1/debian/patches/series mupdf-1.9a+ds1/debian/patches/series
--- mupdf-1.9a+ds1/debian/patches/series	2016-11-14 23:56:43.000000000 +0800
+++ mupdf-1.9a+ds1/debian/patches/series	2017-02-16 23:43:55.000000000 +0800
@@ -6,3 +6,5 @@
 0006-CVE-2016-6265.patch
 0007-CVE-2016-6525.patch
 0008-CVE-2016-8674.patch
+0009-CVE-2017-5896.patch
+0010-CVE-2017-5991.patch

Attachment: mupdf_1.9a+ds1-3.debdiff.sig
Description: Binary data


--- End Message ---
--- Begin Message ---
Kan-Ru Chen (陳侃如):
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package mupdf
> 
> Security fixes
> 
>    * CVE-2017-5896: use-after-free in fz_subsample_pixmap()  (Closes: #854734)
>    * CVE-2017-5991: NULL pointer dereference in pdf_run_xobject()
> 
> unblock mupdf/1.9a+ds1-3
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
