
Bug#933637: marked as done (buster-pu: package pdfresurrect/0.15-2)



Your message dated Sun, 28 Mar 2021 21:35:00 -0700
with message-id <YGFY9FAFekSJWbBb@akranes.dyn.fmarier.org>
and subject line Re: Bug#933637: Bug#933636: CVE-2019-14934
has caused the Debian Bug report #933637,
regarding buster-pu: package pdfresurrect/0.15-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
933637: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933637
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to fix a buffer overflow in the pdfresurrect version that's in
buster.

See https://security-tracker.debian.org/tracker/CVE-2019-14267.

Attached is the debdiff.

Francois
diff -Nru pdfresurrect-0.15/debian/changelog pdfresurrect-0.15/debian/changelog
--- pdfresurrect-0.15/debian/changelog	2019-03-01 23:12:55.000000000 -0800
+++ pdfresurrect-0.15/debian/changelog	2019-07-30 08:41:35.000000000 -0700
@@ -1,3 +1,9 @@
+pdfresurrect (0.15-2+deb10u1) buster; urgency=high
+
+  * Fix buffer overflow (CVE-2019-14267).
+
+ -- Francois Marier <francois@debian.org>  Tue, 30 Jul 2019 08:41:35 -0700
+
 pdfresurrect (0.15-2) unstable; urgency=medium
 
   * Bump Standars-Version up to 4.3.0
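Review bot: The new 0.15-2+deb10u1 entry says only "Fix buffer overflow (CVE-2019-14267)" and names neither the patch file nor its upstream origin. Consider mentioning debian/patches/CVE-2019-14267.patch and upstream commit 4ea7a6f4f51d0440da651d099247e2273f811dbc in the entry, so that the stable update can be traced from the changelog alone.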
diff -Nru pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch
--- pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch	1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch	2019-07-30 08:41:35.000000000 -0700
@@ -0,0 +1,46 @@
+commit 4ea7a6f4f51d0440da651d099247e2273f811dbc
+Author: Matt Davis <mattdavis9@gmail.com>
+Date:   Thu Jul 25 20:30:04 2019 -0700
+
+    Prevent a buffer overflow in possibly corrupt PDFs.
+    
+    The startxref identification logic assumed a worse case of having to
+    inspect 256 bytes.  However, that is not always the case (e.g.,
+    corrupted PDFs).  This patch prevents that situation.
+    
+    This bug was identified by j0lamma.  Thanks!
+
+    CVE-2019-14267
+
+diff --git a/main.c b/main.c
+index d604613..de2f8e9 100644
+--- a/main.c
++++ b/main.c
+@@ -203,7 +203,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name)
+ 
+     pdf = pdf_new(name);
+     pdf_get_version(fp, pdf);
+-    pdf_load_xrefs(fp, pdf);
++    if (pdf_load_xrefs(fp, pdf) == -1) {
++      pdf_delete(pdf);
++      return NULL;
++    }
+     pdf_load_pages_kids(fp, pdf);
+ 
+     return pdf;
+diff --git a/pdf.c b/pdf.c
+index 4cd7f12..b23b50a 100644
+--- a/pdf.c
++++ b/pdf.c
+@@ -233,6 +233,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf)
+           fseek(fp, pos - (++pos_count), SEEK_SET);
+         
+         /* Suck in end of "startxref" to start of %%EOF */
++        if (pos_count >= sizeof(buf)) {
++          ERR("Failed to locate the startxref token. "
++              "This might be a corrupt PDF.\n");
++          return -1;
++        }
+         memset(buf, 0, sizeof(buf));
+         SAFE_E(fread(buf, 1, pos_count, fp), pos_count,
+                "Failed to read startxref.\n");
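Review bot: In the main.c part, init_pdf() gains a NULL return when pdf_load_xrefs() reports -1, but the patch touches no caller of init_pdf(), so each call site should be checked to confirm it tests for NULL before using the result. The return values of pdf_get_version() and pdf_load_pages_kids() in the same function are still ignored. In the pdf.c part, the `pos_count >= sizeof(buf)` guard sits after the fseek() that uses `pos - (++pos_count)`, so it bounds the fread() into buf but not the backward seek itself. It is worth confirming that the seek cannot step before the start of a very short or truncated file.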
diff -Nru pdfresurrect-0.15/debian/patches/series pdfresurrect-0.15/debian/patches/series
--- pdfresurrect-0.15/debian/patches/series	1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.15/debian/patches/series	2019-07-30 08:41:35.000000000 -0700
@@ -0,0 +1 @@
+CVE-2019-14267.patch

--- End Message ---
--- Begin Message ---
On 2021-03-25 at 23:27:27, Salvatore Bonaccorso (carnil@debian.org) wrote:
> There is in the meantime one more CVE which might be included. They are
> at this time CVE-2019-14267, CVE-2020-9549, CVE-2019-14934 and
> CVE-2020-20740 which are all marked no-dsa or unimportant (with
> negligible security impact), but maybe if you still would like to fix
> those for buster, we can close this report and then open a new one
> with a revisited debdiff?
> 
> What do you think?

You're right. There's not much point in keeping this bug open since it's not
just the one CVE anymore. If we're going to prepare an update for buster, we
should tackle all four.

I can't promise I'll get to it anytime soon since I've been pretty busy with
non-Debian things lately, but it's still on my TODO list.

Francois

-- 
https://fmarier.org/

--- End Message ---
