
Bug#964777: stretch-pu: package atril/1.16.1-2+deb9u2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

This fixes three CVEs in atril; two of them were fixed in buster via spu (#946819),
and the third does not affect the version in buster.

Tested on a stretch VM. debdiff attached and package uploaded.

Thanks,
Emilio
diff -Nru atril-1.16.1/debian/changelog atril-1.16.1/debian/changelog
--- atril-1.16.1/debian/changelog	2017-07-21 06:59:09.000000000 +0200
+++ atril-1.16.1/debian/changelog	2020-07-10 12:35:24.000000000 +0200
@@ -1,3 +1,13 @@
+atril (1.16.1-2+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * dvi: Mitigate command injection attacks by quoting filename
+    (CVE-2017-1000159)
+  * Fix overflow checks in tiff backend (CVE-2019-1010006)
+  * tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459)
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Fri, 10 Jul 2020 12:35:24 +0200
+
 atril (1.16.1-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload
diff -Nru atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
--- atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch	1970-01-01 01:00:00.000000000 +0100
+++ atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch	2020-07-10 12:18:10.000000000 +0200
@@ -0,0 +1,43 @@
+From: Tobias Mueller <muelli@cryptobitch.de>
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: dvi: Mitigate command injection attacks by quoting filename
+Origin: https://gitlab.gnome.org/GNOME/evince/commit/350404c76dc8601e2cdd2636490e2afc83d3090e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000159
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename.  Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e215273..28877700880f 100644
+--- a/backend/dvi/dvi-document.c
++++ b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+ 	gboolean success;
+ 	
+ 	DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++	gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
+ 	
+-	command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
++	command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ 					dvi_document->exporter_opts->str,
+ 					dvi_document->exporter_filename,
+-					dvi_document->context->filename);
+-	
++					quoted_filename);
++	g_free (quoted_filename);
++
+ 	success = g_spawn_command_line_sync (command_line,
+ 					     NULL,
+ 					     NULL,
+-- 
+2.25.0
+
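Review bot: The rewritten g_strdup_printf call quotes only the loaded document's filename; `dvi_document->exporter_filename` is still interpolated bare into a command line that g_spawn_command_line_sync() splits with shell quoting rules, so an output path containing spaces or quote characters is split or mis-parsed. That path is the user-chosen export target rather than document content, so the exposure is lower than the one this patch closes, but the same treatment is cheap: `gchar *quoted_out = g_shell_quote (dvi_document->exporter_filename);`, pass `quoted_out` in place of `dvi_document->exporter_filename`, and add `g_free (quoted_out);` beside the existing g_free. Whether `exporter_opts->str` can ever carry shell metacharacters is not visible here. The enclosing dvi_document_file_exporter_end() starts and ends outside the hunk.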
diff -Nru atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
--- atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch	1970-01-01 01:00:00.000000000 +0100
+++ atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch	2020-07-10 12:18:10.000000000 +0200
@@ -0,0 +1,57 @@
+From: Jason Crain <jcrain@src.gnome.org>
+Date: Sat, 2 Dec 2017 20:24:33 -0600
+Subject: [1/2] Fix overflow checks in tiff backend
+Origin: https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-1010006
+
+The overflow checks in tiff_document_render and
+tiff_document_get_thumbnail don't work when optimizations are enabled.
+Change the checks so they don't rely on undefined behavior.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=788980
+---
+ backend/tiff/tiff-document.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 8f40934ee766..7bf95c2bbd7b 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -284,12 +284,12 @@ tiff_document_render (EvDocument      *document,
+ 		return NULL;                
+ 	}
+ 	
+-	bytes = height * rowstride;
+-	if (bytes / rowstride != height) {
++	if (height >= INT_MAX / rowstride) {
+ 		g_warning("Overflow while rendering document.");
+ 		/* overflow */
+ 		return NULL;
+ 	}
++	bytes = height * rowstride;
+ 	
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels) {
+@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument      *document,
+ 	if (width <= 0 || height <= 0)
+ 		return NULL;                
+ 
+-	rowstride = width * 4;
+-	if (rowstride / 4 != width)
++	if (width >= INT_MAX / 4)
+ 		/* overflow */
+ 		return NULL;                
++	rowstride = width * 4;
+         
+-	bytes = height * rowstride;
+-	if (bytes / rowstride != height)
++	if (height >= INT_MAX / rowstride)
+ 		/* overflow */
+ 		return NULL;                
++	bytes = height * rowstride;
+ 	
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels)
+-- 
+2.25.0
+
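Review bot: In the first nested hunk (tiff_document_render) the new guard `height >= INT_MAX / rowstride` divides by a rowstride computed above the hunk, and it is only sound if rowstride is known to be positive there; a zero or negative stride (for example if it comes from cairo_format_stride_for_width(), which returns -1 on failure) makes the division undefined or lets the check pass wrongly. If no positivity check exists above, the line should read `if (rowstride <= 0 || height >= INT_MAX / rowstride) {`. The second nested hunk (tiff_document_get_thumbnail) is safe in that respect because `width <= 0 || height <= 0` is rejected first and rowstride is width * 4. Both guards also assume `INT_MAX` is in scope via `<limits.h>` and that height, rowstride and bytes are int-typed so INT_MAX is the right ceiling; neither the include list nor the declarations are visible here, so confirm both. Both enclosing functions start and end outside the hunk.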
diff -Nru atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
--- atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch	1970-01-01 01:00:00.000000000 +0100
+++ atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch	2020-07-10 12:32:25.000000000 +0200
@@ -0,0 +1,70 @@
+From: Jason Crain <jcrain@src.gnome.org>
+Date: Mon, 15 Apr 2019 23:06:36 -0600
+Subject: tiff: Handle failure from TIFFReadRGBAImageOriented
+Origin: https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11459
+Bug-Debian: https://bugs.debian.org/927820
+Bug: https://gitlab.gnome.org/GNOME/evince/issues/1129
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+Fixes #1129
+---
+ backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -280,18 +280,22 @@ tiff_document_render (EvDocument      *d
+ 		g_warning("Failed to allocate memory for rendering.");
+ 		return NULL;
+ 	}
+-	
++
++	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++					width, height,
++					(uint32 *)pixels,
++					orientation, 0)) {
++		g_warning ("Failed to read TIFF image.");
++		g_free (pixels);
++		return NULL;
++	}
++
+ 	surface = cairo_image_surface_create_for_data (pixels,
+ 						       CAIRO_FORMAT_RGB24,
+ 						       width, height,
+ 						       rowstride);
+ 	cairo_surface_set_user_data (surface, &key,
+ 				     pixels, (cairo_destroy_func_t)g_free);
+-
+-	TIFFReadRGBAImageOriented (tiff_document->tiff,
+-				   width, height,
+-				   (uint32 *)pixels,
+-				   orientation, 0);
+ 	pop_handlers ();
+ 
+ 	/* Convert the format returned by libtiff to
+@@ -370,13 +374,17 @@ tiff_document_render_pixbuf (EvDocument
+ 	if (!pixels)
+ 		return NULL;
+ 	
++	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++					width, height,
++					(uint32 *)pixels,
++					ORIENTATION_TOPLEFT, 0)) {
++		g_free (pixels);
++		return NULL;
++	}
++
+ 	pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, 
+ 					   width, height, rowstride,
+ 					   (GdkPixbufDestroyNotify) g_free, NULL);
+-	TIFFReadRGBAImageOriented (tiff_document->tiff,
+-				   width, height,
+-				   (uint32 *)pixels,
+-				   ORIENTATION_TOPLEFT, 0);
+ 	pop_handlers ();
+ 
+ 	scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
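Review bot: The new early returns in both tiff_document_render and tiff_document_render_pixbuf free pixels but skip the `pop_handlers ();` that the surviving code runs right after the read; if a matching push_handlers() precedes these points (it is outside the hunk, so inferred), the libtiff handlers installed for this call stay in place after a failed read. Add `pop_handlers ();` before each `g_free (pixels);` in the two new failure blocks. The pre-existing allocation-failure returns above show the same omission, so this may be an established pattern in the file rather than something the patch introduces, but the new blocks are the natural place to get it right. The render_pixbuf failure is also silent, unlike the render path's `g_warning ("Failed to read TIFF image.");`; a matching warning would help diagnose rejected files. Both enclosing functions begin and end outside the hunk.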
diff -Nru atril-1.16.1/debian/patches/series atril-1.16.1/debian/patches/series
--- atril-1.16.1/debian/patches/series	2017-07-19 13:58:54.000000000 +0200
+++ atril-1.16.1/debian/patches/series	2020-07-10 12:32:17.000000000 +0200
@@ -1 +1,4 @@
 0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
+03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
+04_Fix-overflow-checks-in-tiff-backend.patch
+06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
