--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package pdfresurrect/0.15-2
- From: Francois Marier <francois@debian.org>
- Date: Thu, 1 Aug 2019 01:55:07 -0700
- Message-id: <20190801085507.GA23386@akranes.dyn.fmarier.org>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
I'd like to fix a buffer overflow in the pdfresurrect version that's in
buster.
See https://security-tracker.debian.org/tracker/CVE-2019-14267.
Attached is the debdiff.
Francois
diff -Nru pdfresurrect-0.15/debian/changelog pdfresurrect-0.15/debian/changelog
--- pdfresurrect-0.15/debian/changelog 2019-03-01 23:12:55.000000000 -0800
+++ pdfresurrect-0.15/debian/changelog 2019-07-30 08:41:35.000000000 -0700
@@ -1,3 +1,9 @@
+pdfresurrect (0.15-2+deb10u1) buster; urgency=high
+
+ * Fix buffer overflow (CVE-2019-14267).
+
+ -- Francois Marier <francois@debian.org> Tue, 30 Jul 2019 08:41:35 -0700
+
pdfresurrect (0.15-2) unstable; urgency=medium
* Bump Standars-Version up to 4.3.0
diff -Nru pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch
--- pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch 1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch 2019-07-30 08:41:35.000000000 -0700
@@ -0,0 +1,46 @@
+commit 4ea7a6f4f51d0440da651d099247e2273f811dbc
+Author: Matt Davis <mattdavis9@gmail.com>
+Date: Thu Jul 25 20:30:04 2019 -0700
+
+ Prevent a buffer overflow in possibly corrupt PDFs.
+
+ The startxref identification logic assumed a worse case of having to
+ inspect 256 bytes. However, that is not always the case (e.g.,
+ corrupted PDFs). This patch prevents that situation.
+
+ This bug was identified by j0lamma. Thanks!
+
+ CVE-2019-14267
+
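Review bot: the patch file carries only the raw git commit header (commit/Author/Date and the message) and no DEP-3 fields, so the package metadata does not say where the fix came from or which bug it addresses. Add a DEP-3 header block above the commit lines, for example `Origin: upstream, <URL of commit 4ea7a6f4f51d0440da651d099247e2273f811dbc>` and `Bug: https://security-tracker.debian.org/tracker/CVE-2019-14267`, so tooling and future maintainers can trace the backport to the upstream commit and the CVE.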
+diff --git a/main.c b/main.c
+index d604613..de2f8e9 100644
+--- a/main.c
++++ b/main.c
+@@ -203,7 +203,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name)
+
+ pdf = pdf_new(name);
+ pdf_get_version(fp, pdf);
+- pdf_load_xrefs(fp, pdf);
++ if (pdf_load_xrefs(fp, pdf) == -1) {
++ pdf_delete(pdf);
++ return NULL;
++ }
+ pdf_load_pages_kids(fp, pdf);
+
+ return pdf;
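Review bot: init_pdf can now return NULL, but this hunk shows no caller handling that; if the call site dereferences the result unchecked, the same corrupt input that used to overflow the buffer now crashes on a NULL dereference, which is safer but still a denial of service. Confirm every caller of init_pdf checks for NULL, and confirm no other caller of pdf_load_xrefs ignores the new -1 the way the removed line `- pdf_load_xrefs(fp, pdf);` did. Also consider testing `< 0` rather than `== -1` so any other negative error return from pdf_load_xrefs is not silently treated as success.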
+diff --git a/pdf.c b/pdf.c
+index 4cd7f12..b23b50a 100644
+--- a/pdf.c
++++ b/pdf.c
+@@ -233,6 +233,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf)
+ fseek(fp, pos - (++pos_count), SEEK_SET);
+
+ /* Suck in end of "startxref" to start of %%EOF */
++ if (pos_count >= sizeof(buf)) {
++ ERR("Failed to locate the startxref token. "
++ "This might be a corrupt PDF.\n");
++ return -1;
++ }
+ memset(buf, 0, sizeof(buf));
+ SAFE_E(fread(buf, 1, pos_count, fp), pos_count,
+ "Failed to read startxref.\n");
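Review bot: the bound is enforced only at the read, after the scan that grows pos_count has already finished, so a malformed file is still walked back as far as that loop allows before the error fires; applying the same limit inside the loop would stop it as soon as the 256-byte window the commit message describes is exhausted. The check itself is correct, and `>=` rather than `>` is the right comparison because memset(buf, 0, sizeof(buf)) followed by a read of exactly sizeof(buf) bytes would leave no NUL terminator for any later string handling of buf. It does depend on buf being a fixed-size array in this scope rather than a pointer (otherwise sizeof(buf) is the pointer size); a short comment or a named constant shared between the scan loop and this check would keep the two bounds from drifting apart.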
diff -Nru pdfresurrect-0.15/debian/patches/series pdfresurrect-0.15/debian/patches/series
--- pdfresurrect-0.15/debian/patches/series 1969-12-31 16:00:00.000000000 -0800
+++ pdfresurrect-0.15/debian/patches/series 2019-07-30 08:41:35.000000000 -0700
@@ -0,0 +1 @@
+CVE-2019-14267.patch
--- End Message ---
--- Begin Message ---
- To: Salvatore Bonaccorso <carnil@debian.org>
- Cc: 933637-done@bugs.debian.org
- Subject: Re: Bug#933637: Bug#933636: CVE-2019-14934
- From: Francois Marier <francois@debian.org>
- Date: Sun, 28 Mar 2021 21:35:00 -0700
- Message-id: <YGFY9FAFekSJWbBb@akranes.dyn.fmarier.org>
- In-reply-to: <YF1+z0kaTa/ZB9xC@eldamar.lan>
- References: <20190801085401.GA23159@akranes.dyn.fmarier.org> <20190814062955.GD29207@akranes.dyn.fmarier.org> <20190801085401.GA23159@akranes.dyn.fmarier.org> <d8b96b85c7c39f7db5a8bcd91e3660b1b3eae46d.camel@adam-barratt.org.uk> <20200207091424.GA1690332@eldamar.local> <20190801085507.GA23386@akranes.dyn.fmarier.org> <20200210235922.GA1979781@akranes.dyn.fmarier.org> <20190801085507.GA23386@akranes.dyn.fmarier.org> <20200731081823.GA574119@eldamar.local> <YF1+z0kaTa/ZB9xC@eldamar.lan>
On 2021-03-25 at 23:27:27, Salvatore Bonaccorso (carnil@debian.org) wrote:
> There is in the meantime one more CVE which might be included. They are
> at this time CVE-2019-14267, CVE-2020-9549, CVE-2019-14934 and
> CVE-2020-20740 which are all marked no-dsa or unimportant (with
> negligible security impact), but maybe if you still would like to fix
> those for buster, we can close this report and then open a new one
> with a revisited debdiff?
>
> What do you think?
You're right. There's not much point in keeping this bug open since it's not
just the one CVE anymore. If we're going to prepare an update for buster, we
should tackle all four.
I can't promise I'll get to it anytime soon since I've been pretty busy with
non-Debian things lately, but it's still on my TODO list.
Francois
--
https://fmarier.org/
--- End Message ---