--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package pdfresurrect/0.12-6
- From: Francois Marier <francois@debian.org>
- Date: Thu, 1 Aug 2019 01:54:01 -0700
- Message-id: <20190801085401.GA23159@akranes.dyn.fmarier.org>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
I'd like to fix a buffer overflow in the pdfresurrect version that's in
stretch.
See https://security-tracker.debian.org/tracker/CVE-2019-14267.
Attached is the debdiff.
Francois
diff -Nru pdfresurrect-0.12/debian/changelog pdfresurrect-0.12/debian/changelog
--- pdfresurrect-0.12/debian/changelog 2015-09-13 18:30:02.000000000 -0700
+++ pdfresurrect-0.12/debian/changelog 2019-07-30 08:54:01.000000000 -0700
@@ -1,3 +1,9 @@
+pdfresurrect (0.12-6+deb9u1) stretch; urgency=high
+
+ * Fix buffer overflow (CVE-2019-14267).
+
+ -- Francois Marier <francois@debian.org> Tue, 30 Jul 2019 08:54:01 -0700
+
pdfresurrect (0.12-6) unstable; urgency=medium
* Run wrap-and-sort
diff -Nru pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch
--- pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch 1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch 2019-07-30 08:54:01.000000000 -0700
@@ -0,0 +1,47 @@
+commit 4ea7a6f4f51d0440da651d099247e2273f811dbc
+Author: Matt Davis <mattdavis9@gmail.com>
+Date: Thu Jul 25 20:30:04 2019 -0700
+Last-Update: 2019-07-30
+
+ Prevent a buffer overflow in possibly corrupt PDFs.
+
+ The startxref identification logic assumed a worse case of having to
+ inspect 256 bytes. However, that is not always the case (e.g.,
+ corrupted PDFs). This patch prevents that situation.
+
+ This bug was identified by j0lamma. Thanks!
+
+ CVE-2019-14267
+
+diff --git a/main.c b/main.c
+index d274acc..18ba696 100644
+--- a/main.c
++++ b/main.c
+@@ -230,7 +230,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name)
+
+ pdf = pdf_new(name);
+ pdf_get_version(fp, pdf);
+- pdf_load_xrefs(fp, pdf);
++ if (pdf_load_xrefs(fp, pdf) == -1) {
++ pdf_delete(pdf);
++ return NULL;
++ }
+ pdf_load_pages_kids(fp, pdf);
+
+ return pdf;
+diff --git a/pdf.c b/pdf.c
+index 27b09a1..b671537 100644
+--- a/pdf.c
++++ b/pdf.c
+@@ -210,6 +210,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf)
+ fseek(fp, pos - (++pos_count), SEEK_SET);
+
+ /* Suck in end of "startxref" to start of %%EOF */
++ if (pos_count >= sizeof(buf)) {
++ ERR("Failed to locate the startxref token. "
++ "This might be a corrupt PDF.\n");
++ return -1;
++ }
+ memset(buf, 0, sizeof(buf));
+ fread(buf, 1, pos_count, fp);
+ c = buf;
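Review bot: the new `pos_count >= sizeof(buf)` guard in the pdf.c hunk is placed correctly, after the `fseek(fp, pos - (++pos_count), SEEK_SET);` that finalises `pos_count` and before `fread(buf, 1, pos_count, fp);`, so with the preceding `memset` the read can write at most `sizeof(buf) - 1` bytes and the final zero byte survives; two things still need confirming outside the visible lines, namely that every caller of `init_pdf` handles the new NULL return and that `pdf_load_xrefs` has no other callers that ignore its `-1`. The `fread` return value is still not checked; a short read only leaves zeroed bytes in `buf`, so it is harmless here, but a check would make the error path explicit. On the patch metadata, the DEP-3 header carries the upstream commit id, Author and Last-Update but no `Origin:` line with the upstream commit URL and no `Bug:`/`Bug-Debian:` reference; adding those would make the patch's provenance traceable without reading the changelog.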
diff -Nru pdfresurrect-0.12/debian/patches/series pdfresurrect-0.12/debian/patches/series
--- pdfresurrect-0.12/debian/patches/series 2015-09-13 18:30:02.000000000 -0700
+++ pdfresurrect-0.12/debian/patches/series 2019-07-30 08:54:01.000000000 -0700
@@ -1 +1,2 @@
fix_manpage_path.patch
+CVE-2019-14267.patch
--- End Message ---
--- Begin Message ---
- To: 933636-done@bugs.debian.org, Francois Marier <francois@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
- Subject: Re: Bug#933636: CVE-2019-14934
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sun, 12 Jul 2020 20:59:50 +0100
- Message-id: <7dd799d2831ac70f90a3dd670616c7f9f12ef09b.camel@adam-barratt.org.uk>
- In-reply-to: <c2329b265b1ce218dde757f2462748d67b0899fd.camel@adam-barratt.org.uk>
- References: <20190801085401.GA23159@akranes.dyn.fmarier.org> <20190814062955.GD29207@akranes.dyn.fmarier.org> <20190801085401.GA23159@akranes.dyn.fmarier.org> <d8b96b85c7c39f7db5a8bcd91e3660b1b3eae46d.camel@adam-barratt.org.uk> <20200207091424.GA1690332@eldamar.local> <20190801085401.GA23159@akranes.dyn.fmarier.org> <20200210235922.GA1979781@akranes.dyn.fmarier.org> <20190801085401.GA23159@akranes.dyn.fmarier.org> <c2329b265b1ce218dde757f2462748d67b0899fd.camel@adam-barratt.org.uk>
On Mon, 2020-06-15 at 20:30 +0100, Adam D. Barratt wrote:
> On Mon, 2020-02-10 at 15:59 -0800, Francois Marier wrote:
> > On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > > It looks OK to me. Tagging moreinfo until there's a final diff.
> > >
> > > Friendly ping, any news? (It's too late now for the upcoming point
> > > release though).
> >
> > It's still on my list, but not a very high priority. Definitely won't
> > happen until at least after the Ubuntu 20.04 Debian merge deadline.
> >
>
> For the record, we're now planning for the final stretch point release
> before it moves to LTS.
The window for getting fixes into that point release just closed, so
I'm afraid that I'm going to close this request now.
Regards,
Adam
--- End Message ---