
Bug#933636: marked as done (stretch-pu: package pdfresurrect/0.12-6)



Your message dated Sun, 12 Jul 2020 20:59:50 +0100
with message-id <7dd799d2831ac70f90a3dd670616c7f9f12ef09b.camel@adam-barratt.org.uk>
and subject line Re: Bug#933636: CVE-2019-14934
has caused the Debian Bug report #933636,
regarding stretch-pu: package pdfresurrect/0.12-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
933636: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933636
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to fix a buffer overflow in the pdfresurrect version that's in
stretch.

See https://security-tracker.debian.org/tracker/CVE-2019-14267.

Attached is the debdiff.

Francois
diff -Nru pdfresurrect-0.12/debian/changelog pdfresurrect-0.12/debian/changelog
--- pdfresurrect-0.12/debian/changelog	2015-09-13 18:30:02.000000000 -0700
+++ pdfresurrect-0.12/debian/changelog	2019-07-30 08:54:01.000000000 -0700
@@ -1,3 +1,9 @@
+pdfresurrect (0.12-6+deb9u1) stretch; urgency=high
+
+  * Fix buffer overflow (CVE-2019-14267).
+
+ -- Francois Marier <francois@debian.org>  Tue, 30 Jul 2019 08:54:01 -0700
+
 pdfresurrect (0.12-6) unstable; urgency=medium
 
   * Run wrap-and-sort
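Review bot: The new 0.12-6+deb9u1 entry says only "Fix buffer overflow (CVE-2019-14267)" and does not name the patch file being added or where the overflow is. Suggest naming debian/patches/CVE-2019-14267.patch and the startxref handling in pdf_load_xrefs() in the entry, so the point-release changelog can be traced to the change without opening the debdiff.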
diff -Nru pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch
--- pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch	1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch	2019-07-30 08:54:01.000000000 -0700
@@ -0,0 +1,47 @@
+commit 4ea7a6f4f51d0440da651d099247e2273f811dbc
+Author: Matt Davis <mattdavis9@gmail.com>
+Date:   Thu Jul 25 20:30:04 2019 -0700
+Last-Update: 2019-07-30
+
+    Prevent a buffer overflow in possibly corrupt PDFs.
+    
+    The startxref identification logic assumed a worse case of having to
+    inspect 256 bytes.  However, that is not always the case (e.g.,
+    corrupted PDFs).  This patch prevents that situation.
+    
+    This bug was identified by j0lamma.  Thanks!
+
+    CVE-2019-14267
+
+diff --git a/main.c b/main.c
+index d274acc..18ba696 100644
+--- a/main.c
++++ b/main.c
+@@ -230,7 +230,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name)
+ 
+     pdf = pdf_new(name);
+     pdf_get_version(fp, pdf);
+-    pdf_load_xrefs(fp, pdf);
++    if (pdf_load_xrefs(fp, pdf) == -1) {
++      pdf_delete(pdf);
++      return NULL;
++    }
+     pdf_load_pages_kids(fp, pdf);
+ 
+     return pdf;
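Review bot: init_pdf() gains a `return NULL` failure path in this hunk, and its call site is not part of the patch, so whether the caller checks for NULL before using the result cannot be confirmed from these lines; worth verifying before upload, since an unchecked NULL would turn the fixed overflow into a NULL dereference on the same corrupt input. Two smaller points: only `== -1` is treated as failure, so if pdf_load_xrefs() has any other error return it still continues into pdf_load_pages_kids(), and the added lines inside the `if` are indented two spaces where the surrounding code uses four.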
+diff --git a/pdf.c b/pdf.c
+index 27b09a1..b671537 100644
+--- a/pdf.c
++++ b/pdf.c
+@@ -210,6 +210,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf)
+           fseek(fp, pos - (++pos_count), SEEK_SET);
+         
+         /* Suck in end of "startxref" to start of %%EOF */
++        if (pos_count >= sizeof(buf)) {
++          ERR("Failed to locate the startxref token. "
++              "This might be a corrupt PDF.\n");
++          return -1;
++        }
+         memset(buf, 0, sizeof(buf));
+         fread(buf, 1, pos_count, fp);
+         c = buf;
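Review bot: The `pos_count >= sizeof(buf)` check runs only after the backward seek, so `fseek(fp, pos - (++pos_count), SEEK_SET)` in the context line above can still increment pos_count with no bound visible in this hunk. Consider applying the same limit inside that loop, so a corrupt file stops the scan as soon as the limit is reached and the seek offset cannot go below the start of the file. The return value of `fread(buf, 1, pos_count, fp)` is also still ignored, and the "Suck in end of ..." comment now sits above the new check rather than above the memset/fread it describes.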
diff -Nru pdfresurrect-0.12/debian/patches/series pdfresurrect-0.12/debian/patches/series
--- pdfresurrect-0.12/debian/patches/series	2015-09-13 18:30:02.000000000 -0700
+++ pdfresurrect-0.12/debian/patches/series	2019-07-30 08:54:01.000000000 -0700
@@ -1 +1,2 @@
 fix_manpage_path.patch
+CVE-2019-14267.patch

--- End Message ---
--- Begin Message ---
On Mon, 2020-06-15 at 20:30 +0100, Adam D. Barratt wrote:
> On Mon, 2020-02-10 at 15:59 -0800, Francois Marier wrote:
> > On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote:
> > > > It looks OK to me. Tagging moreinfo until there's a final diff.
> > > 
> > > Friendly ping, any news? (It's too late now for the upcoming point
> > > release though).
> > 
> > It's still on my list, but not a very high priority. Definitely won't
> > happen until at least after the Ubuntu 20.04 Debian merge deadline.
> > 
> 
> For the record, we're now planning for the final stretch point release
> before it moves to LTS.

The window for getting fixes into that point release just closed, so
I'm afraid that I'm going to close this request now.

Regards,

Adam

--- End Message ---
