Bug#933636: stretch-pu: package pdfresurrect/0.12-6



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to fix a buffer overflow in the pdfresurrect version that's in
stretch.

See https://security-tracker.debian.org/tracker/CVE-2019-14267.

Attached is the debdiff.

Francois
diff -Nru pdfresurrect-0.12/debian/changelog pdfresurrect-0.12/debian/changelog
--- pdfresurrect-0.12/debian/changelog	2015-09-13 18:30:02.000000000 -0700
+++ pdfresurrect-0.12/debian/changelog	2019-07-30 08:54:01.000000000 -0700
@@ -1,3 +1,9 @@
+pdfresurrect (0.12-6+deb9u1) stretch; urgency=high
+
+  * Fix buffer overflow (CVE-2019-14267).
+
+ -- Francois Marier <francois@debian.org>  Tue, 30 Jul 2019 08:54:01 -0700
+
 pdfresurrect (0.12-6) unstable; urgency=medium
 
   * Run wrap-and-sort
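Review bot: the new changelog entry, `* Fix buffer overflow (CVE-2019-14267).`, does not say where the fix comes from or which code it touches. Consider naming the patch file, the upstream commit and the affected function, for example `* Add CVE-2019-14267.patch (upstream commit 4ea7a6f4) to fix a buffer overflow in pdf_load_xrefs (CVE-2019-14267).`, so the upload can be matched to the upstream change without opening the patch.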
diff -Nru pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch
--- pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch	1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch	2019-07-30 08:54:01.000000000 -0700
@@ -0,0 +1,47 @@
+commit 4ea7a6f4f51d0440da651d099247e2273f811dbc
+Author: Matt Davis <mattdavis9@gmail.com>
+Date:   Thu Jul 25 20:30:04 2019 -0700
+Last-Update: 2019-07-30
+
+    Prevent a buffer overflow in possibly corrupt PDFs.
+    
+    The startxref identification logic assumed a worse case of having to
+    inspect 256 bytes.  However, that is not always the case (e.g.,
+    corrupted PDFs).  This patch prevents that situation.
+    
+    This bug was identified by j0lamma.  Thanks!
+
+    CVE-2019-14267
+
+diff --git a/main.c b/main.c
+index d274acc..18ba696 100644
+--- a/main.c
++++ b/main.c
+@@ -230,7 +230,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name)
+ 
+     pdf = pdf_new(name);
+     pdf_get_version(fp, pdf);
+-    pdf_load_xrefs(fp, pdf);
++    if (pdf_load_xrefs(fp, pdf) == -1) {
++      pdf_delete(pdf);
++      return NULL;
++    }
+     pdf_load_pages_kids(fp, pdf);
+ 
+     return pdf;
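Review bot: the new `return NULL;` path in init_pdf() introduces a failure return, but no call site is touched in this patch, so please confirm that every caller of init_pdf() checks the result before dereferencing it. The error path frees `pdf` with pdf_delete() and leaves `fp` alone; a short comment saying that the caller keeps ownership of the file handle when init_pdf() fails would make that explicit.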
+diff --git a/pdf.c b/pdf.c
+index 27b09a1..b671537 100644
+--- a/pdf.c
++++ b/pdf.c
+@@ -210,6 +210,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf)
+           fseek(fp, pos - (++pos_count), SEEK_SET);
+         
+         /* Suck in end of "startxref" to start of %%EOF */
++        if (pos_count >= sizeof(buf)) {
++          ERR("Failed to locate the startxref token. "
++              "This might be a corrupt PDF.\n");
++          return -1;
++        }
+         memset(buf, 0, sizeof(buf));
+         fread(buf, 1, pos_count, fp);
+         c = buf;
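Review bot: the new `if (pos_count >= sizeof(buf))` check in pdf_load_xrefs() lands between the "Suck in end of startxref" comment and the memset/fread that the comment documents, so the comment now appears to describe the error path; move the check above the comment. It would also help to say in a comment of its own that `>=` is deliberate: it keeps `pos_count` strictly below `sizeof(buf)`, so after the memset at least one zero byte remains behind the data that fread() writes and the scan starting at `c = buf` stays terminated. The return value of `fread(buf, 1, pos_count, fp)` is still ignored; checking it against `pos_count` would let a short read on a truncated file take the same `return -1` path.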
diff -Nru pdfresurrect-0.12/debian/patches/series pdfresurrect-0.12/debian/patches/series
--- pdfresurrect-0.12/debian/patches/series	2015-09-13 18:30:02.000000000 -0700
+++ pdfresurrect-0.12/debian/patches/series	2019-07-30 08:54:01.000000000 -0700
@@ -1 +1,2 @@
 fix_manpage_path.patch
+CVE-2019-14267.patch