
Bug#946819: marked as done (buster-pu: package atril/1.20.3-1+deb10u1)



Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #946819,
regarding buster-pu: package atril/1.20.3-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
946819: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946819
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I have just uploaded atril 1.20.3-1+deb10u1 to Debian buster with the
following changes:

+  [ Martin Wimpress ]
+  * debian/patches:
+    + Add 0001_prevent_no_doc_segfault.patch. Prevent segfaults when no document
+      is loaded.

See upstream issue: https://github.com/mate-desktop/atril/issues/357

When one loaded atril with no document and started playing with the
application settings, atril would segfault.

+    + Add 0002_CVE-2019-1010006.patch. Fix buffer overflow. (CVE-2019-1010006)

This is a low security issue, but not tagged as no-dsa on the security
tracker. However, getting the other two patches into buster had prio and
thus I took the buster-pu upload path for this.

+  [ Mike Gabriel ]
+  * debian/patches:
+    + Add CVE-2019-11459.patch. tiff: Handle failure from
+      TIFFReadRGBAImageOriented. (Closes: #927821).
+    + Rebase 0001_prevent_no_doc_segfault.patch.

Security issue marked as unimportant, still something that deserves a fix via
buster-pu.

light+love,
Mike



-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru atril-1.20.3/debian/changelog atril-1.20.3/debian/changelog
--- atril-1.20.3/debian/changelog	2018-12-22 22:24:46.000000000 +0100
+++ atril-1.20.3/debian/changelog	2019-12-16 10:33:35.000000000 +0100
@@ -1,3 +1,19 @@
+atril (1.20.3-1+deb10u1) buster; urgency=medium
+
+  [ Martin Wimpress ]
+  * debian/patches:
+    + Add 0001_prevent_no_doc_segfault.patch. Prevent segfaults when no document
+      is loaded.
+    + Add 0002_CVE-2019-1010006.patch. Fix buffer overflow. (CVE-2019-1010006)
+
+  [ Mike Gabriel ]
+  * debian/patches:
+    + Add CVE-2019-11459.patch. tiff: Handle failure from
+      TIFFReadRGBAImageOriented. (Closes: #927821).
+    + Rebase 0001_prevent_no_doc_segfault.patch.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Mon, 16 Dec 2019 10:33:35 +0100
+
 atril (1.20.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch
--- atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch	1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/0001_prevent_no_doc_segfault.patch	2019-12-16 10:31:57.000000000 +0100
@@ -0,0 +1,286 @@
+From 807e54f51919de389c2824df6ccef41947c57911 Mon Sep 17 00:00:00 2001
+From: Reuben Green <reubengreen73@gmail.com>
+Date: Sat, 3 Aug 2019 22:54:44 +0100
+Subject: [PATCH] prevent segfaults when no document loaded
+
+See the issue report for a description of the bug. The root cause is
+dereferencing of NULL pointers, specifically the priv->document member of
+EvWindow structures when no document is loaded. This commit adds checks
+for a NULL value of priv->document at all the points in the file
+shell/ev-window.c where this pointer was previously dereferenced without
+being checked.
+
+Fixes 357 (https://github.com/mate-desktop/atril/issues/357)
+---
+ shell/ev-window.c | 63 ++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 31 deletions(-)
+
+--- a/shell/ev-window.c
++++ b/shell/ev-window.c
+@@ -1448,7 +1448,7 @@
+ 	/* Presentation */
+ 	if (ev_metadata_get_boolean (window->priv->metadata, "presentation", &presentation)) {
+ 		if (presentation) {
+-			if (window->priv->document->iswebdocument == TRUE ) {
++			if (window->priv->document && window->priv->document->iswebdocument == TRUE ) {
+ 				return;
+ 			}
+ 			else {
+@@ -1850,7 +1850,7 @@
+ ev_window_handle_link (EvWindow *ev_window,
+ 		       EvLinkDest *dest)
+ {
+-	if (ev_window->priv->document->iswebdocument == TRUE ) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ 		return;
+ 	}
+ 	if (dest) {
+@@ -4117,7 +4117,7 @@
+ 	 */
+ 	if (ev_window->priv->chrome & EV_CHROME_FINDBAR) {
+ 		egg_find_bar_grab_focus(ev_window->priv->find_bar);
+-	} else if (ev_window->priv->document->iswebdocument == FALSE ) {
++	} else if (ev_window->priv->document && ev_window->priv->document->iswebdocument == FALSE ) {
+ 		ev_view_select_all (EV_VIEW (ev_window->priv->view));
+ 	}
+ #if ENABLE_EPUB
+@@ -4152,7 +4152,7 @@
+ 	update_chrome_flag (ev_window, EV_CHROME_FINDBAR, TRUE);
+ 	update_chrome_visibility (ev_window);
+ 	gtk_widget_grab_focus (ev_window->priv->find_bar);
+-	if (ev_window->priv->document->iswebdocument == FALSE) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == FALSE) {
+ 		ev_view_find_next (EV_VIEW (ev_window->priv->view));
+ 	}
+ #if ENABLE_EPUB
+@@ -4171,7 +4171,7 @@
+ 	update_chrome_flag (ev_window, EV_CHROME_FINDBAR, TRUE);
+ 	update_chrome_visibility (ev_window);
+ 	gtk_widget_grab_focus (ev_window->priv->find_bar);
+-	if (ev_window->priv->document->iswebdocument == FALSE) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == FALSE) {
+ 		ev_view_find_previous (EV_VIEW (ev_window->priv->view));
+ 	} 
+ #if ENABLE_EPUB
+@@ -4186,7 +4186,7 @@
+ {
+         g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB	
+-	if (ev_window->priv->document->iswebdocument) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument) {
+ 		ev_web_view_copy(EV_WEB_VIEW(ev_window->priv->webview));
+ 	} else 
+ #endif
+@@ -4406,8 +4406,9 @@
+ 
+ 	if (EV_WINDOW_IS_PRESENTATION (window))
+ 		return;
++
+ 	
+-	if (window->priv->document->iswebdocument) {
++	if (window->priv->document && window->priv->document->iswebdocument) {
+ 		ev_window_warning_message(window,_("Presentation mode is not supported for ePub documents"));
+ 		return;
+ 	}
+@@ -4795,7 +4796,7 @@
+ 
+ 	ev_document_model_set_sizing_mode (ev_window->priv->model, EV_SIZING_FREE);
+ #if ENABLE_EPUB
+-	if (ev_window->priv->document->iswebdocument) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument) {
+ 		ev_web_view_zoom_in(EV_WEB_VIEW(ev_window->priv->webview));
+ 	}
+ 	else
+@@ -4812,7 +4813,7 @@
+ 
+ 	ev_document_model_set_sizing_mode (ev_window->priv->model, EV_SIZING_FREE);
+ #if ENABLE_EPUB
+-	if ( ev_window->priv->document->iswebdocument)  {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument)  {
+ 		ev_web_view_zoom_out(EV_WEB_VIEW(ev_window->priv->webview));
+ 	}
+ 	else
+@@ -4829,7 +4830,7 @@
+ 
+ 	ev_document_model_set_sizing_mode (ev_window->priv->model, EV_SIZING_FREE);
+ #if ENABLE_EPUB
+-	if ( ev_window->priv->document->iswebdocument)  {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument)  {
+ 	        ev_web_view_zoom_reset(EV_WEB_VIEW(ev_window->priv->webview));
+ 	}
+ 	else
+@@ -4844,7 +4845,7 @@
+ {
+         g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB
+-	if ( ev_window->priv->document->iswebdocument == TRUE ) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ 		ev_web_view_previous_page(EV_WEB_VIEW(ev_window->priv->webview));
+ 	}
+ 	else
+@@ -4859,7 +4860,7 @@
+ {
+         g_return_if_fail (EV_IS_WINDOW (ev_window));
+ #if ENABLE_EPUB
+-	if ( ev_window->priv->document->iswebdocument == TRUE ) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ 		ev_web_view_next_page(EV_WEB_VIEW(ev_window->priv->webview));
+ 	} else 
+ #endif
+@@ -5440,8 +5441,8 @@
+ 	gboolean   show_internal = FALSE;
+ 	GtkAction *action;
+ 
+-	if ( ev_window->priv->document->iswebdocument == TRUE ) return ;
+-	
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) return ;
++
+ 	if (ev_window->priv->link)
+ 		g_object_unref (ev_window->priv->link);
+ 	
+@@ -5494,7 +5495,7 @@
+ 	GtkAction *action;
+ 	gboolean   show_image = FALSE;
+ 
+-	if (ev_window->priv->document->iswebdocument == TRUE ) return ;
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) return ;
+ 	if (ev_window->priv->image)
+ 		g_object_unref (ev_window->priv->image);
+ 	
+@@ -5522,7 +5523,7 @@
+ 	gboolean   show_annot = FALSE;
+ 	gboolean can_remove_annots = FALSE;
+ 
+-	if (ev_window->priv->document->iswebdocument == TRUE ) return ;
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) return ;
+ 	if (ev_window->priv->annot)
+ 		g_object_unref (ev_window->priv->annot);
+ 	ev_window->priv->annot = (annot) ? g_object_ref (annot) : NULL;
+@@ -5679,7 +5680,7 @@
+ {
+ 	ev_window_update_actions (ev_window);
+ #if ENABLE_EPUB
+-	if (ev_window->priv->document->iswebdocument == TRUE ) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ 		ev_web_view_find_changed(EV_WEB_VIEW(ev_window->priv->webview),
+ 								 job->results,job->text, job->case_sensitive);
+ 	}
+@@ -5716,7 +5717,7 @@
+ 		      EvWindow   *ev_window)
+ {
+ #if ENABLE_EPUB
+-	if (ev_window->priv->document->iswebdocument == TRUE ) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ 		ev_web_view_find_previous(EV_WEB_VIEW(ev_window->priv->webview));
+ 	}else 
+ #endif
+@@ -5730,7 +5731,7 @@
+ 		  EvWindow   *ev_window)
+ {
+ #if ENABLE_EPUB
+-	if (ev_window->priv->document->iswebdocument == TRUE ) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ 		ev_web_view_find_next(EV_WEB_VIEW(ev_window->priv->webview));
+ 	} else 
+ #endif
+@@ -5744,7 +5745,7 @@
+ 		   EvWindow   *ev_window)
+ {
+ #if ENABLE_EPUB
+-	if (ev_window->priv->document->iswebdocument == TRUE ) {		
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument == TRUE ) {
+ 		ev_web_view_find_cancel(EV_WEB_VIEW(ev_window->priv->webview));
+ 	}
+ 	else 
+@@ -5800,7 +5801,7 @@
+ {
+ 	/* Either the string or case sensitivity could have changed. */
+ #if ENABLE_EPUB
+-	if (ev_window->priv->document->iswebdocument) {
++	if (ev_window->priv->document && ev_window->priv->document->iswebdocument) {
+ 		ev_web_view_find_search_changed(EV_WEB_VIEW (ev_window->priv->webview));
+ 	} else
+ #endif
+@@ -6570,7 +6571,7 @@
+ static void
+ sidebar_links_link_activated_cb (EvSidebarLinks *sidebar_links, EvLink *link, EvWindow *window)
+ {
+-	if (window->priv->document->iswebdocument == FALSE ) {
++	if (window->priv->document && window->priv->document->iswebdocument == FALSE ) {
+ 		ev_view_handle_link (EV_VIEW (window->priv->view), link);
+ 	}
+ #if ENABLE_EPUB
+@@ -6599,7 +6600,7 @@
+ navigation_action_activate_link_cb (EvNavigationAction *action, EvLink *link, EvWindow *window)
+ {
+ #if ENABLE_EPUB
+-	if (window->priv->document->iswebdocument == TRUE )  {
++	if (window->priv->document && window->priv->document->iswebdocument == TRUE )  {
+ 		ev_web_view_handle_link(EV_WEB_VIEW(window->priv->webview),link);
+ 		gtk_widget_grab_focus (window->priv->webview);
+ 		return;
+@@ -6613,7 +6614,7 @@
+ sidebar_layers_visibility_changed (EvSidebarLayers *layers,
+ 				   EvWindow        *window)
+ {
+-	if (window->priv->document->iswebdocument == FALSE ) {
++	if (window->priv->document && window->priv->document->iswebdocument == FALSE ) {
+ 		ev_view_reload (EV_VIEW (window->priv->view));
+ 	}
+ #if ENABLE_EPUB
+@@ -6629,7 +6630,7 @@
+ 				   EvMapping            *annot_mapping,
+ 				   EvWindow             *window)
+ {
+-	if (window->priv->document->iswebdocument == TRUE ) return;
++	if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ 	ev_view_focus_annotation (EV_VIEW (window->priv->view), annot_mapping);
+ }
+ 
+@@ -6638,7 +6639,7 @@
+ 				EvAnnotationType      annot_type,
+ 				EvWindow             *window)
+ {
+-	if (window->priv->document->iswebdocument == TRUE ) return;
++	if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ 	ev_view_begin_add_annotation (EV_VIEW (window->priv->view), annot_type);
+ }
+ 
+@@ -6663,7 +6664,7 @@
+ sidebar_annots_annot_add_cancelled (EvSidebarAnnotations *sidebar_annots,
+ 				    EvWindow             *window)
+ {
+-	if (window->priv->document->iswebdocument == TRUE ) return;
++	if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ 	ev_view_cancel_add_annotation (EV_VIEW (window->priv->view));
+ }
+ 
+@@ -7070,7 +7071,7 @@
+ static void
+ ev_view_popup_cmd_open_link (GtkAction *action, EvWindow *window)
+ {
+-	if (window->priv->document->iswebdocument == TRUE ) return;
++	if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ 	ev_view_handle_link (EV_VIEW (window->priv->view), window->priv->link);
+ }
+ 
+@@ -7095,7 +7096,7 @@
+ ev_view_popup_cmd_copy_link_address (GtkAction *action, EvWindow *window)
+ {
+ 	EvLinkAction *ev_action;
+-	if (window->priv->document->iswebdocument == TRUE ) return;
++	if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
+ 	ev_action = ev_link_get_action (window->priv->link);
+ 	if (!ev_action)
+ 		return;
+@@ -7285,8 +7286,8 @@
+ ev_view_popup_cmd_annot_properties (GtkAction *action,
+ 				    EvWindow  *window)
+ {
+-	if (window->priv->document->iswebdocument == TRUE ) return;
+-	
++	if (window->priv->document && window->priv->document->iswebdocument == TRUE ) return;
++
+ 	const gchar                  *author;
+ 	GdkRGBA                       rgba;
+ 	gdouble                       opacity;
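Review bot: every new guard in this patch has the shape `document && document->iswebdocument == TRUE`, which makes a missing document behave like a non-web document, so the callbacks no longer dereference NULL but now fall through to the non-EPUB branch (the `} else` / `#endif` arms of the copy, next/previous-page, zoom and find handlers) and call the ev_view_* counterpart on a window with nothing loaded. That is only a complete fix if those view calls tolerate the unloaded state, which the hunk does not show; for handlers that exist purely to act on a document (zoom in/out/reset, page navigation, find), an explicit `if (!ev_window->priv->document) return;` ahead of the `#if ENABLE_EPUB` block would be both safer and easier to read than repeating the compound condition in every hunk. Minor: the hunks at `@@ -4406,8 +4406,9 @@` and `@@ -5440,8 +5441,8 @@` carry whitespace-only changes (a new blank line above a tab-only line, a tab-only line replaced by an empty one) that widen the rebase surface for no functional gain.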
diff -Nru atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch
--- atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch	1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/0002_CVE-2019-1010006.patch	2019-12-16 10:29:52.000000000 +0100
@@ -0,0 +1,44 @@
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 0aa31cb6..94adc400 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -268,13 +268,14 @@ tiff_document_render (EvDocument      *document,
+ 		return NULL;                
+ 	}
+ 	
+-	bytes = height * rowstride;
+-	if (bytes / rowstride != height) {
++	if (height >= INT_MAX / rowstride) {
+ 		g_warning("Overflow while rendering document.");
+ 		/* overflow */
+ 		return NULL;
+ 	}
+ 	
++	bytes = height * rowstride;
++
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels) {
+ 		g_warning("Failed to allocate memory for rendering.");
+@@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument      *document,
+ 	if (width <= 0 || height <= 0)
+ 		return NULL;                
+ 
+-	rowstride = width * 4;
+-	if (rowstride / 4 != width)
++	if (width >= INT_MAX / 4)
+ 		/* overflow */
+ 		return NULL;                
+         
+-	bytes = height * rowstride;
+-	if (bytes / rowstride != height)
++	rowstride = width * 4;
++
++	if (height >= INT_MAX / rowstride)
+ 		/* overflow */
+-		return NULL;                
++		return NULL; 
++
++	bytes = height * rowstride;               
+ 	
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels)
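Review bot: the rewritten pre-checks divide by `rowstride`, so they are only safe where `rowstride` is known to be positive; in tiff_document_render_pixbuf that follows from the `width <= 0 || height <= 0` test and `rowstride = width * 4` just above, but in the first hunk (tiff_document_render) `rowstride` is computed outside the visible context and should be confirmed non-zero before `INT_MAX / rowstride` is evaluated. The change itself is the right one: the removed `bytes = height * rowstride; if (bytes / rowstride != height)` form multiplies first and only then looks for wrap-around, which is undefined behaviour for signed int and a check the optimiser may legitimately delete. That reasoning, together with the upstream origin, belongs in a DEP-3 header; unlike the other two patches this file starts straight at `diff --git` with no Description, Origin or Bug lines.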
diff -Nru atril-1.20.3/debian/patches/CVE-2019-11459.patch atril-1.20.3/debian/patches/CVE-2019-11459.patch
--- atril-1.20.3/debian/patches/CVE-2019-11459.patch	1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/CVE-2019-11459.patch	2019-12-16 10:30:41.000000000 +0100
@@ -0,0 +1,70 @@
+From 5ecffe6a75542fc4d82264c9b263fee5d25a84b1 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <vkareh@redhat.com>
+Date: Sun, 11 Aug 2019 05:20:09 +0300
+Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+This addresses CVE-2019-11459
+
+upstream commit:
+https://gitlab.gnome.org/GNOME/evince/commit/234f034a4
+---
+ backend/tiff/tiff-document.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -281,6 +281,15 @@
+ 		g_warning("Failed to allocate memory for rendering.");
+ 		return NULL;
+ 	}
++
++	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++	                               width, height,
++	                               (uint32 *)pixels,
++	                                orientation, 0)) {
++		g_warning ("Failed to read TIFF image.");
++		g_free (pixels);
++		return NULL;
++	}
+ 	
+ 	surface = cairo_image_surface_create_for_data (pixels,
+ 						       CAIRO_FORMAT_RGB24,
+@@ -288,11 +297,6 @@
+ 						       rowstride);
+ 	cairo_surface_set_user_data (surface, &key,
+ 				     pixels, (cairo_destroy_func_t)g_free);
+-
+-	TIFFReadRGBAImageOriented (tiff_document->tiff,
+-				   width, height,
+-				   (uint32 *)pixels,
+-				   orientation, 0);
+ 	pop_handlers ();
+ 
+ 	/* Convert the format returned by libtiff to
+@@ -372,14 +376,18 @@
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels)
+ 		return NULL;
++
++	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++					width, height,
++					(uint32 *)pixels,
++					ORIENTATION_TOPLEFT, 0)) {
++		g_free (pixels);
++		return NULL;
++	}
+ 	
+ 	pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, 
+ 					   width, height, rowstride,
+ 					   (GdkPixbufDestroyNotify) g_free, NULL);
+-	TIFFReadRGBAImageOriented (tiff_document->tiff,
+-				   width, height,
+-				   (uint32 *)pixels,
+-				   ORIENTATION_TOPLEFT, 0);
+ 	pop_handlers ();
+ 
+ 	scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
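Review bot: both new early returns (`g_free (pixels); return NULL;`) leave before the `pop_handlers ();` that the success path reaches after the read, so if a matching push_handlers() precedes these regions (not visible in the hunk) the overridden libtiff handlers stay installed on the failure path; the pre-existing allocation-failure `return NULL` has the same shape, so either confirm that is intended or add `pop_handlers ();` to all three exits. Also, the first hunk logs `g_warning ("Failed to read TIFF image.")` on failure while the second (tiff_document_render_pixbuf) returns silently; emitting the same warning in both keeps a rejected file diagnosable. Moving the read ahead of cairo_image_surface_create_for_data and gdk_pixbuf_new_from_data is the correct ordering, since no surface or pixbuf is then ever created over a buffer whose contents were never written.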
diff -Nru atril-1.20.3/debian/patches/series atril-1.20.3/debian/patches/series
--- atril-1.20.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ atril-1.20.3/debian/patches/series	2019-12-16 10:31:03.000000000 +0100
@@ -0,0 +1,3 @@
+0001_prevent_no_doc_segfault.patch
+0002_CVE-2019-1010006.patch
+CVE-2019-11459.patch
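Review bot: the series mixes two naming schemes, the numbered `0001_`/`0002_` patches and an unnumbered `CVE-2019-11459.patch`; naming the third `0003_CVE-2019-11459.patch` (with the changelog entry updated to match) keeps the application order visible in the file names and makes a later rebase, like the one recorded for 0001, easier to track.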

--- End Message ---
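The overflow-safe size computation that 0002_CVE-2019-1010006.patch introduces, written out as a stand-alone C function with the rejected pre-fix form explained in the comments. This is an added example, not code from atril or from the Debian upload; the function names are assumptions for the demo.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not atril code: the check order from the patched
 * tiff_document_render_pixbuf(). For an RGBA image of width x height
 * pixels with four bytes per pixel it fills *rowstride and *bytes and
 * returns 1; it returns 0 when the dimensions are not positive or when
 * either product would reach INT_MAX. Each bound is tested *before* the
 * multiplication: computing height * rowstride in a signed int and then
 * dividing back to look for wrap-around (the pre-fix form) is undefined
 * behaviour that the compiler may optimise away. */
int image_buffer_size(int width, int height, int *rowstride, int *bytes)
{
    if (width <= 0 || height <= 0)
        return 0;
    if (width >= INT_MAX / 4)             /* width * 4 would overflow */
        return 0;
    *rowstride = width * 4;               /* > 0 here, so the division below is safe */
    if (height >= INT_MAX / *rowstride)   /* height * rowstride would overflow */
        return 0;
    *bytes = height * *rowstride;
    return 1;
}

/* Allocate the pixel buffer only after the size has been validated; returns
 * NULL (with *bytes set to 0) on rejected dimensions or allocation failure,
 * mirroring the g_try_malloc() path in the patched renderer. */
unsigned char *alloc_rgba_buffer(int width, int height, int *bytes)
{
    int rowstride;
    *bytes = 0;
    if (!image_buffer_size(width, height, &rowstride, bytes))
        return NULL;
    return calloc((size_t)*bytes, 1);
}

int main(void)
{
    /* constructed sample dimensions */
    const struct { int w, h; } cases[] = {
        { 640, 480 },          /* ordinary image, accepted */
        { 1, INT_MAX },        /* height alone too large */
        { 65536, 65536 },      /* each fits in an int, the product does not */
        { INT_MAX / 4, 1 },    /* rowstride would reach INT_MAX */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int bytes;
        unsigned char *p = alloc_rgba_buffer(cases[i].w, cases[i].h, &bytes);
        printf("%dx%d -> %s (%d bytes)\n", cases[i].w, cases[i].h,
               p ? "accepted" : "rejected", bytes);
        free(p);
    }
    return 0;
}
```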
--- Begin Message ---
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
