Control: tags -1 moreinfo confirmed On 2021-07-23 17:52:44 +0900, Kan-Ru Chen wrote: > Package: release.debian.org > Severity: normal > User: release.debian.org@packages.debian.org > Usertags: unblock > > Please unblock package mupdf > > [ Reason ] > To fix two CVEs > - https://security-tracker.debian.org/tracker/CVE-2021-37220 > - https://security-tracker.debian.org/tracker/CVE-2020-19609 > > [ Impact ] > Potential denial of service caused by crashes or arbitrary code > execution caused by buffer overflow > > [ Tests ] > I tested manually with reproducer files from upstream bug reports. > I also did some regression test with some PDF files. > > [ Risks ] > Risks should be low. The changes are cherry-picked from > upstream and there weren't any other changes applied by upstream > between the two versions. The risk of faulty backport is low. > > [ Checklist ] > [x] all changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in testing > > [ Other info ] > The source package src:mupdf produces the following binary packages: > - mupdf > - mupdf-dbgsym > - mupdf-tools > - mupdf-tools-dbgsym > - libmupdf-dev > > unblock mupdf/1.17.0+ds1-2 Assuming the upload happens soon, please go ahead and remove the moreinfo tag once the new version is available in unstable. Cheers > diff -Nru mupdf-1.17.0+ds1/debian/changelog mupdf-1.17.0+ds1/debian/changelog > --- mupdf-1.17.0+ds1/debian/changelog 2021-02-28 21:40:40.000000000 +0900 > +++ mupdf-1.17.0+ds1/debian/changelog 2021-07-23 17:09:37.000000000 +0900 > @@ -1,3 +1,11 @@ > +mupdf (1.17.0+ds1-2) unstable; urgency=medium > + > + * Fix buffer overrun in tiff decoder (CVE-2020-19609) (Closes: #991401) > + * Stay within hash table max key size in cached color converter > + (CVE-2021-37220) (Closes: #991402) > + > + -- Kan-Ru Chen (陳侃如) <koster@debian.org> Fri, 23 Jul 2021 17:09:37 +0900 > + > mupdf (1.17.0+ds1-1.3) unstable; urgency=medium > > * Non-maintainer upload. > diff -Nru mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch > --- mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch 1970-01-01 09:00:00.000000000 +0900 > +++ mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch 2021-07-23 16:54:49.000000000 +0900 > @@ -0,0 +1,65 @@ > +From: Sebastian Rasmussen <sebras@gmail.com> > +Date: Fri, 23 Jul 2021 16:32:29 +0900 > +Subject: tiff: Avoid limiting palette colors to 8 bits. > + > +Previously fz_unpack_tile() could not handle >8 bit images, > +so palettized tiff colors had to be limited to 8 bits. > +Now when fz_unpack_tile() does handles >8 bit images do not > +limit the samples in the colormap to 8 bits. > + > +This fixes Coverity CID 150612. > + > +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=666c62d491ca76ade9a281dfe4c4e945cc71f8e8 > +--- > + source/fitz/load-tiff.c | 16 +++++++++++----- > + 1 file changed, 11 insertions(+), 5 deletions(-) > + > +diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c > +index c7c0bcf..bb69e2f 100644 > +--- a/source/fitz/load-tiff.c > ++++ b/source/fitz/load-tiff.c > +@@ -253,7 +253,7 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff) > + if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2)) > + fz_throw(ctx, FZ_ERROR_GENERIC, "image too large"); > + > +- stride = tiff->imagewidth * (tiff->samplesperpixel + 2); > ++ stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2; > + > + samples = Memento_label(fz_malloc(ctx, stride * tiff->imagelength), "tiff_samples"); > + > +@@ -269,25 +269,31 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff) > + int c = tiff_getcomp(src, x * 2, tiff->bitspersample); > + int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample); > + *dst++ = tiff->colormap[c + 0] >> 8; > ++ *dst++ = tiff->colormap[c + 0]; > + *dst++ = tiff->colormap[c + maxval] >> 8; > ++ *dst++ = tiff->colormap[c + maxval]; > + *dst++ = tiff->colormap[c + maxval * 2] >> 8; > +- if (tiff->bitspersample <= 8) > +- *dst++ = a << (8 - tiff->bitspersample); > ++ *dst++ = tiff->colormap[c + maxval * 2]; > ++ if (tiff->bitspersample <= 16) > ++ *dst++ = a << (16 - tiff->bitspersample); > + else > +- *dst++ = a >> (tiff->bitspersample - 8); > ++ *dst++ = a >> (tiff->bitspersample - 16); > + } > + else > + { > + int c = tiff_getcomp(src, x, tiff->bitspersample); > + *dst++ = tiff->colormap[c + 0] >> 8; > ++ *dst++ = tiff->colormap[c + 0]; > + *dst++ = tiff->colormap[c + maxval] >> 8; > ++ *dst++ = tiff->colormap[c + maxval]; > + *dst++ = tiff->colormap[c + maxval * 2] >> 8; > ++ *dst++ = tiff->colormap[c + maxval * 2]; > + } > + } > + } > + > + tiff->samplesperpixel += 2; > +- tiff->bitspersample = 8; > ++ tiff->bitspersample = 16; > + tiff->stride = stride; > + fz_free(ctx, tiff->samples); > + tiff->samples = samples; > diff -Nru mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch > --- mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch 1970-01-01 09:00:00.000000000 +0900 > +++ mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch 2021-07-23 16:54:49.000000000 +0900 > @@ -0,0 +1,87 @@ > +From: Robin Watts <Robin.Watts@artifex.com> > +Date: Fri, 23 Jul 2021 16:35:21 +0900 > +Subject: Bug 703076: Fix buffer overrun in tiff decoder. > + > +Harden tiff_expand_colormap against badly formed TIFFs. > +Correctly allocate space, and avoid overreading. Skip any excess > +input data. > + > +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=2c4f11f8dcdbd18c35a65e58cc789be0e46012a8 > +--- > + source/fitz/load-tiff.c | 42 +++++++++++++++++++++--------------------- > + 1 file changed, 21 insertions(+), 21 deletions(-) > + > +diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c > +index bb69e2f..40db0fe 100644 > +--- a/source/fitz/load-tiff.c > ++++ b/source/fitz/load-tiff.c > +@@ -236,6 +236,7 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff) > + unsigned char *src, *dst; > + unsigned int x, y; > + unsigned int stride; > ++ unsigned int srcstride; > + > + /* colormap has first all red, then all green, then all blue values */ > + /* colormap values are 0..65535, bits is 4 or 8 */ > +@@ -253,41 +254,40 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff) > + if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2)) > + fz_throw(ctx, FZ_ERROR_GENERIC, "image too large"); > + > +- stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2; > ++ srcstride = ((1 + tiff->extrasamples) * tiff->bitspersample + 7) & ~7; > ++ if (tiff->stride < 0 || srcstride > (unsigned int)tiff->stride) > ++ fz_throw(ctx, FZ_ERROR_GENERIC, "insufficient data for format"); > ++ > ++ stride = tiff->imagewidth * (3 + !!tiff->extrasamples) * 2; > + > + samples = Memento_label(fz_malloc(ctx, stride * tiff->imagelength), "tiff_samples"); > + > + for (y = 0; y < tiff->imagelength; y++) > + { > ++ int s = 0; > + src = tiff->samples + (unsigned int)(tiff->stride * y); > + dst = samples + (unsigned int)(stride * y); > + > + for (x = 0; x < tiff->imagewidth; x++) > + { > ++ int c = tiff_getcomp(src, s++, tiff->bitspersample); > ++ *dst++ = tiff->colormap[c + 0] >> 8; > ++ *dst++ = tiff->colormap[c + 0]; > ++ *dst++ = tiff->colormap[c + maxval] >> 8; > ++ *dst++ = tiff->colormap[c + maxval]; > ++ *dst++ = tiff->colormap[c + maxval * 2] >> 8; > ++ *dst++ = tiff->colormap[c + maxval * 2]; > + if (tiff->extrasamples) > + { > +- int c = tiff_getcomp(src, x * 2, tiff->bitspersample); > +- int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample); > +- *dst++ = tiff->colormap[c + 0] >> 8; > +- *dst++ = tiff->colormap[c + 0]; > +- *dst++ = tiff->colormap[c + maxval] >> 8; > +- *dst++ = tiff->colormap[c + maxval]; > +- *dst++ = tiff->colormap[c + maxval * 2] >> 8; > +- *dst++ = tiff->colormap[c + maxval * 2]; > ++ /* Assume the first is alpha, and skip the rest. */ > ++ int a = tiff_getcomp(src, s++, tiff->bitspersample); > + if (tiff->bitspersample <= 16) > +- *dst++ = a << (16 - tiff->bitspersample); > ++ a = a << (16 - tiff->bitspersample); > + else > +- *dst++ = a >> (tiff->bitspersample - 16); > +- } > +- else > +- { > +- int c = tiff_getcomp(src, x, tiff->bitspersample); > +- *dst++ = tiff->colormap[c + 0] >> 8; > +- *dst++ = tiff->colormap[c + 0]; > +- *dst++ = tiff->colormap[c + maxval] >> 8; > +- *dst++ = tiff->colormap[c + maxval]; > +- *dst++ = tiff->colormap[c + maxval * 2] >> 8; > +- *dst++ = tiff->colormap[c + maxval * 2]; > ++ a = a >> (tiff->bitspersample - 16); > ++ *dst++ = a >> 8; > ++ *dst++ = a; > ++ s += tiff->extrasamples-1; > + } > + } > + } > diff -Nru mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch > --- mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch 1970-01-01 09:00:00.000000000 +0900 > +++ mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch 2021-07-23 16:54:49.000000000 +0900 > @@ -0,0 +1,113 @@ > +From: Tor Andersson <tor.andersson@artifex.com> > +Date: Fri, 23 Jul 2021 16:54:00 +0900 > +Subject: Bug 703791: Stay within hash table max key size in cached color > + converter. > + > +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;h=f5712c9949d026e4b891b25837edd2edc166151f > +--- > + include/mupdf/fitz/hash.h | 2 ++ > + source/fitz/colorspace.c | 40 +++++++++++++++++++++++++--------------- > + source/fitz/hash.c | 7 +++---- > + 3 files changed, 30 insertions(+), 19 deletions(-) > + > +diff --git a/include/mupdf/fitz/hash.h b/include/mupdf/fitz/hash.h > +index ab6159e..6a1b87f 100644 > +--- a/include/mupdf/fitz/hash.h > ++++ b/include/mupdf/fitz/hash.h > +@@ -5,6 +5,8 @@ > + #include "mupdf/fitz/context.h" > + #include "mupdf/fitz/output.h" > + > ++#define FZ_HASH_TABLE_KEY_LENGTH 48 > ++ > + /** > + Generic hash-table with fixed-length keys. > + > +diff --git a/source/fitz/colorspace.c b/source/fitz/colorspace.c > +index b095a7c..200f264 100644 > +--- a/source/fitz/colorspace.c > ++++ b/source/fitz/colorspace.c > +@@ -990,23 +990,30 @@ typedef struct fz_cached_color_converter > + static void fz_cached_color_convert(fz_context *ctx, fz_color_converter *cc_, const float *ss, float *ds) > + { > + fz_cached_color_converter *cc = cc_->opaque; > +- float *val = fz_hash_find(ctx, cc->hash, ss); > +- int n = cc->base.ds->n * sizeof(float); > +- > +- if (val) > ++ if (cc->hash) > + { > +- memcpy(ds, val, n); > +- return; > +- } > ++ float *val = fz_hash_find(ctx, cc->hash, ss); > ++ int n = cc->base.ds->n * sizeof(float); > + > +- cc->base.convert(ctx, &cc->base, ss, ds); > ++ if (val) > ++ { > ++ memcpy(ds, val, n); > ++ return; > ++ } > + > +- val = Memento_label(fz_malloc_array(ctx, cc->base.ds->n, float), "cached_color_convert"); > +- memcpy(val, ds, n); > +- fz_try(ctx) > +- fz_hash_insert(ctx, cc->hash, ss, val); > +- fz_catch(ctx) > +- fz_free(ctx, val); > ++ cc->base.convert(ctx, &cc->base, ss, ds); > ++ > ++ val = Memento_label(fz_malloc_array(ctx, cc->base.ds->n, float), "cached_color_convert"); > ++ memcpy(val, ds, n); > ++ fz_try(ctx) > ++ fz_hash_insert(ctx, cc->hash, ss, val); > ++ fz_catch(ctx) > ++ fz_free(ctx, val); > ++ } > ++ else > ++ { > ++ cc->base.convert(ctx, &cc->base, ss, ds); > ++ } > + } > + > + void fz_init_cached_color_converter(fz_context *ctx, fz_color_converter *cc, fz_colorspace *ss, fz_colorspace *ds, fz_colorspace *is, fz_color_params params) > +@@ -1025,7 +1032,10 @@ void fz_init_cached_color_converter(fz_context *ctx, fz_color_converter *cc, fz_ > + fz_try(ctx) > + { > + fz_find_color_converter(ctx, &cached->base, ss, ds, is, params); > +- cached->hash = fz_new_hash_table(ctx, 256, n * sizeof(float), -1, fz_free); > ++ if (n * sizeof(float) <= FZ_HASH_TABLE_KEY_LENGTH) > ++ cached->hash = fz_new_hash_table(ctx, 256, n * sizeof(float), -1, fz_free); > ++ else > ++ fz_warn(ctx, "colorspace has too many components to be cached"); > + } > + fz_catch(ctx) > + { > +diff --git a/source/fitz/hash.c b/source/fitz/hash.c > +index c787f9e..0ff320e 100644 > +--- a/source/fitz/hash.c > ++++ b/source/fitz/hash.c > +@@ -11,11 +11,9 @@ > + and removed frequently. > + */ > + > +-enum { MAX_KEY_LEN = 48 }; > +- > + typedef struct > + { > +- unsigned char key[MAX_KEY_LEN]; > ++ unsigned char key[FZ_HASH_TABLE_KEY_LENGTH]; > + void *val; > + } fz_hash_entry; > + > +@@ -50,7 +48,8 @@ fz_new_hash_table(fz_context *ctx, int initialsize, int keylen, int lock, fz_has > + { > + fz_hash_table *table; > + > +- assert(keylen <= MAX_KEY_LEN); > ++ if (keylen > FZ_HASH_TABLE_KEY_LENGTH) > ++ fz_throw(ctx, FZ_ERROR_GENERIC, "hash table key length too large"); > + > + table = fz_malloc_struct(ctx, fz_hash_table); > + table->keylen = keylen; > diff -Nru mupdf-1.17.0+ds1/debian/patches/series mupdf-1.17.0+ds1/debian/patches/series > --- mupdf-1.17.0+ds1/debian/patches/series 2021-02-28 21:40:40.000000000 +0900 > +++ mupdf-1.17.0+ds1/debian/patches/series 2021-07-23 16:54:49.000000000 +0900 > @@ -9,3 +9,6 @@ > 0010-Prevent-thirdparty-archive-build.patch > 0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch > 0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch > +0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch > +0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch > +0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch -- Sebastian Ramacher
Attachment:
signature.asc
Description: PGP signature