Bug#933637: buster-pu: package pdfresurrect/0.15-2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
I'd like to fix a buffer overflow in the pdfresurrect version that's in
buster.
See https://security-tracker.debian.org/tracker/CVE-2019-14267.
Attached is the debdiff.
Francois
diff -Nru pdfresurrect-0.15/debian/changelog pdfresurrect-0.15/debian/changelog
--- pdfresurrect-0.15/debian/changelog 2019-03-01 23:12:55.000000000 -0800
+++ pdfresurrect-0.15/debian/changelog 2019-07-30 08:41:35.000000000 -0700
@@ -1,3 +1,9 @@
+pdfresurrect (0.15-2+deb10u1) buster; urgency=high
+
+ * Fix buffer overflow (CVE-2019-14267).
+
+ -- Francois Marier <francois@debian.org> Tue, 30 Jul 2019 08:41:35 -0700
+
pdfresurrect (0.15-2) unstable; urgency=medium
* Bump Standars-Version up to 4.3.0
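Review bot: The new changelog entry for 0.15-2+deb10u1 names only the CVE. Say where the fix comes from as well, for example by naming debian/patches/CVE-2019-14267.patch or the upstream commit it carries, so the stable-update record can be read without opening the patch.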
diff -Nru pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch
--- pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch 1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch 2019-07-30 08:41:35.000000000 -0700
@@ -0,0 +1,46 @@
+commit 4ea7a6f4f51d0440da651d099247e2273f811dbc
+Author: Matt Davis <mattdavis9@gmail.com>
+Date: Thu Jul 25 20:30:04 2019 -0700
+
+ Prevent a buffer overflow in possibly corrupt PDFs.
+
+ The startxref identification logic assumed a worse case of having to
+ inspect 256 bytes. However, that is not always the case (e.g.,
+ corrupted PDFs). This patch prevents that situation.
+
+ This bug was identified by j0lamma. Thanks!
+
+ CVE-2019-14267
+
+diff --git a/main.c b/main.c
+index d604613..de2f8e9 100644
+--- a/main.c
++++ b/main.c
+@@ -203,7 +203,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name)
+
+ pdf = pdf_new(name);
+ pdf_get_version(fp, pdf);
+- pdf_load_xrefs(fp, pdf);
++ if (pdf_load_xrefs(fp, pdf) == -1) {
++ pdf_delete(pdf);
++ return NULL;
++ }
+ pdf_load_pages_kids(fp, pdf);
+
+ return pdf;
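Review bot: init_pdf() in main.c can now return NULL when pdf_load_xrefs() fails, and no caller of init_pdf() is touched in this diff, so confirm that every call site checks for NULL before dereferencing the result. The test `pdf_load_xrefs(fp, pdf) == -1` also only catches that exact value; if the function can return any other failure code, `!= 0` or `< 0` would be the safer comparison. The neighbouring pdf_get_version() and pdf_load_pages_kids() calls remain unchecked.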
+diff --git a/pdf.c b/pdf.c
+index 4cd7f12..b23b50a 100644
+--- a/pdf.c
++++ b/pdf.c
+@@ -233,6 +233,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf)
+ fseek(fp, pos - (++pos_count), SEEK_SET);
+
+ /* Suck in end of "startxref" to start of %%EOF */
++ if (pos_count >= sizeof(buf)) {
++ ERR("Failed to locate the startxref token. "
++ "This might be a corrupt PDF.\n");
++ return -1;
++ }
+ memset(buf, 0, sizeof(buf));
+ SAFE_E(fread(buf, 1, pos_count, fp), pos_count,
+ "Failed to read startxref.\n");
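Review bot: The new bounds check in pdf_load_xrefs() sits between the comment "Suck in end of "startxref" to start of %%EOF" and the memset/fread that the comment describes. Move the check above the comment so the comment stays attached to the read. The `>=` comparison is the right one: it keeps pos_count strictly below sizeof(buf), so the fread leaves at least one zeroed byte in buf after the memset. The fseek on the context line above still runs with the unbounded `++pos_count` before the check and its result is not tested, so bounding pos_count where it is incremented would stop the backward scan earlier.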
diff -Nru pdfresurrect-0.15/debian/patches/series pdfresurrect-0.15/debian/patches/series
--- pdfresurrect-0.15/debian/patches/series 1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.15/debian/patches/series 2019-07-30 08:41:35.000000000 -0700
@@ -0,0 +1 @@
+CVE-2019-14267.patch