
Bug#991425: unblock: mupdf/1.17.0+ds1-2 [pre-approval]



Control: tags -1 moreinfo confirmed

On 2021-07-23 17:52:44 +0900, Kan-Ru Chen wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package mupdf
> 
> [ Reason ]
> To fix two CVEs
> - https://security-tracker.debian.org/tracker/CVE-2021-37220
> - https://security-tracker.debian.org/tracker/CVE-2020-19609
> 
> [ Impact ]
> Potential denial of service caused by crashes or arbitrary code
> execution caused by buffer overflow
> 
> [ Tests ]
> I tested manually with reproducer files from upstream bug reports.
> I also did some regression tests with some PDF files.
> 
> [ Risks ]
> Risks should be low. The changes are cherry-picked from
> upstream and there weren't any other changes applied by upstream
> between the two versions. The risk of faulty backport is low.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> The source package src:mupdf produces the following binary packages:
> - mupdf
> - mupdf-dbgsym
> - mupdf-tools
> - mupdf-tools-dbgsym
> - libmupdf-dev
> 
> unblock mupdf/1.17.0+ds1-2

Assuming the upload happens soon, please go ahead and remove the
moreinfo tag once the new version is available in unstable.

Cheers

> diff -Nru mupdf-1.17.0+ds1/debian/changelog mupdf-1.17.0+ds1/debian/changelog
> --- mupdf-1.17.0+ds1/debian/changelog	2021-02-28 21:40:40.000000000 +0900
> +++ mupdf-1.17.0+ds1/debian/changelog	2021-07-23 17:09:37.000000000 +0900
> @@ -1,3 +1,11 @@
> +mupdf (1.17.0+ds1-2) unstable; urgency=medium
> +
> +  * Fix buffer overrun in tiff decoder (CVE-2020-19609) (Closes: #991401)
> +  * Stay within hash table max key size in cached color converter
> +    (CVE-2021-37220) (Closes: #991402)
> +
> + -- Kan-Ru Chen (陳侃如) <koster@debian.org>  Fri, 23 Jul 2021 17:09:37 +0900
> +
>  mupdf (1.17.0+ds1-1.3) unstable; urgency=medium
>  
>    * Non-maintainer upload.
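
Review bot: the changelog entry for CVE-2020-19609 only mentions the buffer-overrun fix, but the debdiff also carries 0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch, a prerequisite that changes palettized TIFF output from 8 to 16 bits per sample (see the `tiff->bitspersample = 16;` line it adds). That is a user-visible behaviour change rather than a pure security fix, so it deserves its own line, e.g. "  * Decode palettized TIFF colormaps at 16 bits (prerequisite for the CVE-2020-19609 fix)".
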
> diff -Nru mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch
> --- mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch	1970-01-01 09:00:00.000000000 +0900
> +++ mupdf-1.17.0+ds1/debian/patches/0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch	2021-07-23 16:54:49.000000000 +0900
> @@ -0,0 +1,65 @@
> +From: Sebastian Rasmussen <sebras@gmail.com>
> +Date: Fri, 23 Jul 2021 16:32:29 +0900
> +Subject: tiff: Avoid limiting palette colors to 8 bits.
> +
> +Previously fz_unpack_tile() could not handle >8 bit images,
> +so palettized tiff colors had to be limited to 8 bits.
> +Now when fz_unpack_tile() does handles >8 bit images do not
> +limit the samples in the colormap to 8 bits.
> +
> +This fixes Coverity CID 150612.
> +
> +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=666c62d491ca76ade9a281dfe4c4e945cc71f8e8
> +---
> + source/fitz/load-tiff.c | 16 +++++++++++-----
> + 1 file changed, 11 insertions(+), 5 deletions(-)
> +
> +diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
> +index c7c0bcf..bb69e2f 100644
> +--- a/source/fitz/load-tiff.c
> ++++ b/source/fitz/load-tiff.c
> +@@ -253,7 +253,7 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff)
> + 	if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2))
> + 		fz_throw(ctx, FZ_ERROR_GENERIC, "image too large");
> + 
> +-	stride = tiff->imagewidth * (tiff->samplesperpixel + 2);
> ++	stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2;
> + 
> + 	samples = Memento_label(fz_malloc(ctx, stride * tiff->imagelength), "tiff_samples");
> + 
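
Review bot: the stride is doubled here, but the "image too large" guard two lines above still divides UINT_MAX by (samplesperpixel + 2) without the extra factor of 2, so the unsigned product `stride * tiff->imagelength` handed to fz_malloc can still wrap for an image that passes the guard. The guard should mirror the new stride formula, e.g. `if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2) / 2)`. Patch 0013 below rewrites the stride expression again but keeps this same guard, so the fix belongs there as well.
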
> +@@ -269,25 +269,31 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff)
> + 				int c = tiff_getcomp(src, x * 2, tiff->bitspersample);
> + 				int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample);
> + 				*dst++ = tiff->colormap[c + 0] >> 8;
> ++				*dst++ = tiff->colormap[c + 0];
> + 				*dst++ = tiff->colormap[c + maxval] >> 8;
> ++				*dst++ = tiff->colormap[c + maxval];
> + 				*dst++ = tiff->colormap[c + maxval * 2] >> 8;
> +-				if (tiff->bitspersample <= 8)
> +-					*dst++ = a << (8 - tiff->bitspersample);
> ++				*dst++ = tiff->colormap[c + maxval * 2];
> ++				if (tiff->bitspersample <= 16)
> ++					*dst++ = a << (16 - tiff->bitspersample);
> + 				else
> +-					*dst++ = a >> (tiff->bitspersample - 8);
> ++					*dst++ = a >> (tiff->bitspersample - 16);
> + 			}
> + 			else
> + 			{
> + 				int c = tiff_getcomp(src, x, tiff->bitspersample);
> + 				*dst++ = tiff->colormap[c + 0] >> 8;
> ++				*dst++ = tiff->colormap[c + 0];
> + 				*dst++ = tiff->colormap[c + maxval] >> 8;
> ++				*dst++ = tiff->colormap[c + maxval];
> + 				*dst++ = tiff->colormap[c + maxval * 2] >> 8;
> ++				*dst++ = tiff->colormap[c + maxval * 2];
> + 			}
> + 		}
> + 	}
> + 
> + 	tiff->samplesperpixel += 2;
> +-	tiff->bitspersample = 8;
> ++	tiff->bitspersample = 16;
> + 	tiff->stride = stride;
> + 	fz_free(ctx, tiff->samples);
> + 	tiff->samples = samples;
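
Review bot: the alpha sample is still written as a single byte while each colour channel now gets two (high byte, then low byte), and `a << (16 - tiff->bitspersample)` is a 16-bit value that is truncated to its low byte when stored through `*dst++`. With bitspersample set to 16 at the end of the function, a pixel with extrasamples is one byte short of what the doubled stride allots and the alpha precision is lost. This is only an intermediate state, since 0013 below replaces it with `*dst++ = a >> 8;` / `*dst++ = a;`, so it is acceptable in a cherry-pick series as long as the two patches are never separated.
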
> diff -Nru mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch
> --- mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch	1970-01-01 09:00:00.000000000 +0900
> +++ mupdf-1.17.0+ds1/debian/patches/0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch	2021-07-23 16:54:49.000000000 +0900
> @@ -0,0 +1,87 @@
> +From: Robin Watts <Robin.Watts@artifex.com>
> +Date: Fri, 23 Jul 2021 16:35:21 +0900
> +Subject: Bug 703076: Fix buffer overrun in tiff decoder.
> +
> +Harden tiff_expand_colormap against badly formed TIFFs.
> +Correctly allocate space, and avoid overreading. Skip any excess
> +input data.
> +
> +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=2c4f11f8dcdbd18c35a65e58cc789be0e46012a8
> +---
> + source/fitz/load-tiff.c | 42 +++++++++++++++++++++---------------------
> + 1 file changed, 21 insertions(+), 21 deletions(-)
> +
> +diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
> +index bb69e2f..40db0fe 100644
> +--- a/source/fitz/load-tiff.c
> ++++ b/source/fitz/load-tiff.c
> +@@ -236,6 +236,7 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff)
> + 	unsigned char *src, *dst;
> + 	unsigned int x, y;
> + 	unsigned int stride;
> ++	unsigned int srcstride;
> + 
> + 	/* colormap has first all red, then all green, then all blue values */
> + 	/* colormap values are 0..65535, bits is 4 or 8 */
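
Review bot: the comment "colormap values are 0..65535, bits is 4 or 8" directly below the new declaration is stale now that the loop in the next hunk handles bitspersample up to 16 (with an else branch for larger values). Suggest updating it while this function is being touched, e.g. "bits is 1..16".
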
> +@@ -253,41 +254,40 @@ tiff_expand_colormap(fz_context *ctx, struct tiff *tiff)
> + 	if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2))
> + 		fz_throw(ctx, FZ_ERROR_GENERIC, "image too large");
> + 
> +-	stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2;
> ++	srcstride = ((1 + tiff->extrasamples) * tiff->bitspersample + 7) & ~7;
> ++	if (tiff->stride < 0 || srcstride > (unsigned int)tiff->stride)
> ++		fz_throw(ctx, FZ_ERROR_GENERIC, "insufficient data for format");
> ++
> ++	stride = tiff->imagewidth * (3 + !!tiff->extrasamples) * 2;
> + 
> + 	samples = Memento_label(fz_malloc(ctx, stride * tiff->imagelength), "tiff_samples");
> + 
> + 	for (y = 0; y < tiff->imagelength; y++)
> + 	{
> ++		int s = 0;
> + 		src = tiff->samples + (unsigned int)(tiff->stride * y);
> + 		dst = samples + (unsigned int)(stride * y);
> + 
> + 		for (x = 0; x < tiff->imagewidth; x++)
> + 		{
> ++			int c = tiff_getcomp(src, s++, tiff->bitspersample);
> ++			*dst++ = tiff->colormap[c + 0] >> 8;
> ++			*dst++ = tiff->colormap[c + 0];
> ++			*dst++ = tiff->colormap[c + maxval] >> 8;
> ++			*dst++ = tiff->colormap[c + maxval];
> ++			*dst++ = tiff->colormap[c + maxval * 2] >> 8;
> ++			*dst++ = tiff->colormap[c + maxval * 2];
> + 			if (tiff->extrasamples)
> + 			{
> +-				int c = tiff_getcomp(src, x * 2, tiff->bitspersample);
> +-				int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample);
> +-				*dst++ = tiff->colormap[c + 0] >> 8;
> +-				*dst++ = tiff->colormap[c + 0];
> +-				*dst++ = tiff->colormap[c + maxval] >> 8;
> +-				*dst++ = tiff->colormap[c + maxval];
> +-				*dst++ = tiff->colormap[c + maxval * 2] >> 8;
> +-				*dst++ = tiff->colormap[c + maxval * 2];
> ++				/* Assume the first is alpha, and skip the rest. */
> ++				int a = tiff_getcomp(src, s++, tiff->bitspersample);
> + 				if (tiff->bitspersample <= 16)
> +-					*dst++ = a << (16 - tiff->bitspersample);
> ++					a = a << (16 - tiff->bitspersample);
> + 				else
> +-					*dst++ = a >> (tiff->bitspersample - 16);
> +-			}
> +-			else
> +-			{
> +-				int c = tiff_getcomp(src, x, tiff->bitspersample);
> +-				*dst++ = tiff->colormap[c + 0] >> 8;
> +-				*dst++ = tiff->colormap[c + 0];
> +-				*dst++ = tiff->colormap[c + maxval] >> 8;
> +-				*dst++ = tiff->colormap[c + maxval];
> +-				*dst++ = tiff->colormap[c + maxval * 2] >> 8;
> +-				*dst++ = tiff->colormap[c + maxval * 2];
> ++					a = a >> (tiff->bitspersample - 16);
> ++				*dst++ = a >> 8;
> ++				*dst++ = a;
> ++				s += tiff->extrasamples-1;
> + 			}
> + 		}
> + 	}
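
Review bot: the units in the new srcstride check look inconsistent and should be confirmed against upstream before this is relied on as the overread guard. `((1 + tiff->extrasamples) * tiff->bitspersample + 7) & ~7` is the bit count of a single source pixel rounded up to a byte boundary (still in bits, and not multiplied by imagewidth), whereas `tiff->stride` is used as a per-row byte offset in `src = tiff->samples + (unsigned int)(tiff->stride * y)`, so the comparison only guarantees a few bytes per row rather than a full row of `imagewidth * (1 + extrasamples)` components. If the intent is a per-row check, something like `srcstride = (tiff->imagewidth * (1 + tiff->extrasamples) * tiff->bitspersample + 7) / 8;` would express it. Separately, the "image too large" guard at the top of the hunk still uses `(tiff->samplesperpixel + 2)` while the allocation is now `imagewidth * (3 + !!extrasamples) * 2 * imagelength`. Style nit: `s += tiff->extrasamples-1;` is missing spaces around the minus.
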
> diff -Nru mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch
> --- mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch	1970-01-01 09:00:00.000000000 +0900
> +++ mupdf-1.17.0+ds1/debian/patches/0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch	2021-07-23 16:54:49.000000000 +0900
> @@ -0,0 +1,113 @@
> +From: Tor Andersson <tor.andersson@artifex.com>
> +Date: Fri, 23 Jul 2021 16:54:00 +0900
> +Subject: Bug 703791: Stay within hash table max key size in cached color
> + converter.
> +
> +Cherry-picked-from: http://git.ghostscript.com/?p=mupdf.git;h=f5712c9949d026e4b891b25837edd2edc166151f
> +---
> + include/mupdf/fitz/hash.h |  2 ++
> + source/fitz/colorspace.c  | 40 +++++++++++++++++++++++++---------------
> + source/fitz/hash.c        |  7 +++----
> + 3 files changed, 30 insertions(+), 19 deletions(-)
> +
> +diff --git a/include/mupdf/fitz/hash.h b/include/mupdf/fitz/hash.h
> +index ab6159e..6a1b87f 100644
> +--- a/include/mupdf/fitz/hash.h
> ++++ b/include/mupdf/fitz/hash.h
> +@@ -5,6 +5,8 @@
> + #include "mupdf/fitz/context.h"
> + #include "mupdf/fitz/output.h"
> + 
> ++#define FZ_HASH_TABLE_KEY_LENGTH 48
> ++
> + /**
> + 	Generic hash-table with fixed-length keys.
> + 
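
Review bot: the new FZ_HASH_TABLE_KEY_LENGTH macro lands in a public header without a comment, immediately above the doc block for the hash table. Since callers of fz_new_hash_table are now expected to compare their keylen against it (as colorspace.c does further down), a one-line comment such as `/* Maximum key length, in bytes, accepted by fz_new_hash_table(). */` would help API users.
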
> +diff --git a/source/fitz/colorspace.c b/source/fitz/colorspace.c
> +index b095a7c..200f264 100644
> +--- a/source/fitz/colorspace.c
> ++++ b/source/fitz/colorspace.c
> +@@ -990,23 +990,30 @@ typedef struct fz_cached_color_converter
> + static void fz_cached_color_convert(fz_context *ctx, fz_color_converter *cc_, const float *ss, float *ds)
> + {
> + 	fz_cached_color_converter *cc = cc_->opaque;
> +-	float *val = fz_hash_find(ctx, cc->hash, ss);
> +-	int n = cc->base.ds->n * sizeof(float);
> +-
> +-	if (val)
> ++	if (cc->hash)
> + 	{
> +-		memcpy(ds, val, n);
> +-		return;
> +-	}
> ++		float *val = fz_hash_find(ctx, cc->hash, ss);
> ++		int n = cc->base.ds->n * sizeof(float);
> + 
> +-	cc->base.convert(ctx, &cc->base, ss, ds);
> ++		if (val)
> ++		{
> ++			memcpy(ds, val, n);
> ++			return;
> ++		}
> + 
> +-	val = Memento_label(fz_malloc_array(ctx, cc->base.ds->n, float), "cached_color_convert");
> +-	memcpy(val, ds, n);
> +-	fz_try(ctx)
> +-		fz_hash_insert(ctx, cc->hash, ss, val);
> +-	fz_catch(ctx)
> +-		fz_free(ctx, val);
> ++		cc->base.convert(ctx, &cc->base, ss, ds);
> ++
> ++		val = Memento_label(fz_malloc_array(ctx, cc->base.ds->n, float), "cached_color_convert");
> ++		memcpy(val, ds, n);
> ++		fz_try(ctx)
> ++			fz_hash_insert(ctx, cc->hash, ss, val);
> ++		fz_catch(ctx)
> ++			fz_free(ctx, val);
> ++	}
> ++	else
> ++	{
> ++		cc->base.convert(ctx, &cc->base, ss, ds);
> ++	}
> + }
> + 
> + void fz_init_cached_color_converter(fz_context *ctx, fz_color_converter *cc, fz_colorspace *ss, fz_colorspace *ds, fz_colorspace *is, fz_color_params params)
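
Review bot: both branches of the new if/else call `cc->base.convert(ctx, &cc->base, ss, ds)`, and the cached path is now nested two levels deep. An early return at the top of the function keeps the diff minimal and avoids the duplicated call: `if (!cc->hash) { cc->base.convert(ctx, &cc->base, ss, ds); return; }`, leaving the original cached body unchanged.
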
> +@@ -1025,7 +1032,10 @@ void fz_init_cached_color_converter(fz_context *ctx, fz_color_converter *cc, fz_
> + 	fz_try(ctx)
> + 	{
> + 		fz_find_color_converter(ctx, &cached->base, ss, ds, is, params);
> +-		cached->hash = fz_new_hash_table(ctx, 256, n * sizeof(float), -1, fz_free);
> ++		if (n * sizeof(float) <= FZ_HASH_TABLE_KEY_LENGTH)
> ++			cached->hash = fz_new_hash_table(ctx, 256, n * sizeof(float), -1, fz_free);
> ++		else
> ++			fz_warn(ctx, "colorspace has too many components to be cached");
> + 	}
> + 	fz_catch(ctx)
> + 	{
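
Review bot: the new else branch leaves cached->hash unset, and fz_cached_color_convert above relies on it being NULL to take the uncached path. The allocation of `cached` is outside this hunk, so please confirm it is zero-initialised (or set `cached->hash = NULL;` explicitly before the fz_try) and that the drop path for the converter tolerates a NULL hash table. The warning text could also name the limit, e.g. "colorspace has too many components (%d) to be cached", to make the condition easier to diagnose from logs.
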
> +diff --git a/source/fitz/hash.c b/source/fitz/hash.c
> +index c787f9e..0ff320e 100644
> +--- a/source/fitz/hash.c
> ++++ b/source/fitz/hash.c
> +@@ -11,11 +11,9 @@
> + 	and removed frequently.
> + */
> + 
> +-enum { MAX_KEY_LEN = 48 };
> +-
> + typedef struct
> + {
> +-	unsigned char key[MAX_KEY_LEN];
> ++	unsigned char key[FZ_HASH_TABLE_KEY_LENGTH];
> + 	void *val;
> + } fz_hash_entry;
> + 
> +@@ -50,7 +48,8 @@ fz_new_hash_table(fz_context *ctx, int initialsize, int keylen, int lock, fz_has
> + {
> + 	fz_hash_table *table;
> + 
> +-	assert(keylen <= MAX_KEY_LEN);
> ++	if (keylen > FZ_HASH_TABLE_KEY_LENGTH)
> ++		fz_throw(ctx, FZ_ERROR_GENERIC, "hash table key length too large");
> + 
> + 	table = fz_malloc_struct(ctx, fz_hash_table);
> + 	table->keylen = keylen;
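
Review bot: replacing the assert with fz_throw is the right call for a limit that attacker-controlled input can reach, since assert compiles out in release builds. Two small suggestions: include the offending value in the message, e.g. `fz_throw(ctx, FZ_ERROR_GENERIC, "hash table key length too large: %d", keylen);`, and also reject `keylen <= 0`, which is equally invalid for a fixed-length-key table and is not covered by the new check.
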
> diff -Nru mupdf-1.17.0+ds1/debian/patches/series mupdf-1.17.0+ds1/debian/patches/series
> --- mupdf-1.17.0+ds1/debian/patches/series	2021-02-28 21:40:40.000000000 +0900
> +++ mupdf-1.17.0+ds1/debian/patches/series	2021-07-23 16:54:49.000000000 +0900
> @@ -9,3 +9,6 @@
>  0010-Prevent-thirdparty-archive-build.patch
>  0011-Bug-702857-Detect-avoid-overflow-when-calculating-si.patch
>  0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch
> +0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch
> +0013-Bug-703076-Fix-buffer-overrun-in-tiff-decoder.patch
> +0014-Bug-703791-Stay-within-hash-table-max-key-size-in-ca.patch
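
Review bot: the series now has two patches with the 0012 prefix (0012-Bug-703366-Fix-double-free-of-object-during-lineariz.patch and 0012-tiff-Avoid-limiting-palette-colors-to-8-bits.patch). Quilt applies them in listed order, so it works, but the duplicate number is confusing; consider renumbering the three new patches 0013, 0014 and 0015 before upload. Keep the order as it is: 0013-Bug-703076 is based on the tree produced by 0012-tiff (its `index bb69e2f..40db0fe` line matches the `c7c0bcf..bb69e2f` output of the previous patch), so it must stay behind it.
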


-- 
Sebastian Ramacher
