
Bug#988339: unblock: djvulibre/3.5.28-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package djvulibre

[ Reason ]

Address CVE-2021-3500 and some other potential security issues by
importing Fedora patches.

[ Impact ]

Programs using libdjvulibre to handle .djvu files will remain
vulnerable to crafted input.

[ Tests ]

n/a

[ Risks ]

All but one of these patches have been in Fedora for quite some time.
The last one is also in Fedora, but only recently. All the patches are
very simple: testing and bailing when various error conditions pop up,
like a memory allocation failure or page sizes that cause overflow.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock djvulibre/3.5.28-2

----------------------------------------------------------------

diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog
--- djvulibre-3.5.28/debian/changelog	2020-11-23 13:10:15.000000000 +0000
+++ djvulibre-3.5.28/debian/changelog	2021-05-10 18:56:59.000000000 +0100
@@ -1,3 +1,26 @@
+djvulibre (3.5.28-2) unstable; urgency=high
+
+  * bump policy version
+  * Include Fedora 3.5.27 patches, foward ported, taken from djvulibre.spec in
+    https://src.fedoraproject.org/rpms/djvulibre.git
+    - Patch0: djvulibre-3.5.22-cdefs.patch                    (forward ported)
+    - #Patch1: djvulibre-3.5.25.3-cflags.patch              (disabled in Fedora)
+    - Patch2: djvulibre-3.5.27-buffer-overflow.patch        (UPSTREAMED)
+    - Patch3: djvulibre-3.5.27-infinite-loop.patch          (UPSTREAMED)
+    - Patch4: djvulibre-3.5.27-stack-overflow.patch         (UPSTREAMED)
+    - Patch5: djvulibre-3.5.27-zero-bytes-check.patch       (UPSTREAMED)
+    - Patch6: djvulibre-3.5.27-export-file.patch              (forward ported)
+    - Patch7: djvulibre-3.5.27-null-dereference.patch       (UPSTREAMED)
+    - Patch8: djvulibre-3.5.27-check-image-size.patch         (forward ported)
+    - Patch9: djvulibre-3.5.27-integer-overflow.patch         (forward ported)
+    - Patch10: djvulibre-3.5.27-check-input-pool.patch        (forward ported)
+    - Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported)
+    - Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported)
+    These address a number of crashes and security issues, including
+    CVE-2021-3500 (closes: #988215)
+
+ -- Barak A. Pearlmutter <bap@debian.org>  Mon, 10 May 2021 18:56:59 +0100
+
 djvulibre (3.5.28-1) unstable; urgency=medium
 
   [ Leon Bottou ]
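Review bot: the changelog entry lists the imported Fedora patches but does not say which of them is the fix for CVE-2021-3500 (closes: #988215); naming that patch beside the CVE lets the release team and the security tracker match the fix without reading all seven files. Also, "foward ported" should read "forward ported" (it appears on the first bullet and in the per-patch annotations).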
diff -Nru djvulibre-3.5.28/debian/control djvulibre-3.5.28/debian/control
--- djvulibre-3.5.28/debian/control	2020-11-23 13:10:15.000000000 +0000
+++ djvulibre-3.5.28/debian/control	2021-05-10 18:44:15.000000000 +0100
@@ -11,7 +11,7 @@
 Vcs-Git: https://salsa.debian.org/debian/djvulibre.git
 Vcs-Browser: https://salsa.debian.org/debian/djvulibre
 Homepage: http://djvu.sourceforge.net/
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
 Rules-Requires-Root: no
 
 Package: libdjvulibre-dev
diff -Nru djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch
--- djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch	2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,21 @@
+From: "Barak A. Pearlmutter" <barak+git@pearlmutter.net>
+Date: Mon, 10 May 2021 15:43:26 +0100
+Subject: djvulibre-fedora Patch0 djvulibre-3.5.22-cdefs.patch
+
+---
+ libdjvu/GSmartPointer.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libdjvu/GSmartPointer.h b/libdjvu/GSmartPointer.h
+index 8a8bb8a..08540f7 100644
+--- a/libdjvu/GSmartPointer.h
++++ b/libdjvu/GSmartPointer.h
+@@ -62,6 +62,8 @@
+ # pragma interface
+ #endif
+ 
++#include <cstddef>
++
+ /** @name GSmartPointer.h
+ 
+     Files #"GSmartPointer.h"# and #"GSmartPointer.cpp"# define a smart-pointer
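Review bot: the patch header carries only a Subject line, with no description and no Origin: field, so a reader of the debdiff cannot tell from the file itself that this is Fedora's djvulibre-3.5.22-cdefs.patch or why a bare `#include <cstddef>` is needed in GSmartPointer.h (presumably for size_t/NULL with newer toolchains). Adding DEP-3 `Origin:` and a one-line `Description:` to each of the seven patches, pointing at https://src.fedoraproject.org/rpms/djvulibre.git, keeps the provenance the changelog claims traceable from the patch.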
diff -Nru djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch
--- djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch	2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,24 @@
+From: "Barak A. Pearlmutter" <barak+git@pearlmutter.net>
+Date: Mon, 10 May 2021 15:47:32 +0100
+Subject: djvulibre-fedora Patch6 djvulibre-3.5.27-export-file.patch
+
+---
+ desktopfiles/Makefile.am | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/desktopfiles/Makefile.am b/desktopfiles/Makefile.am
+index 9e952e1..5b8cae3 100644
+--- a/desktopfiles/Makefile.am
++++ b/desktopfiles/Makefile.am
+@@ -32,10 +32,9 @@ if HAVE_CONVERSION_INKSCAPE
+ convert_icons_process = \
+ s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \
+ ${INKSCAPE} \
+---without-gui \
+ --export-width=$${s} \
+ --export-height=$${s} \
+---export-png=$@ $<
++--export-filename=$@ $<
+ endif
+ 
+ if HAVE_CONVERSION_CONVERT
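Review bot: this is a build fix for the Inkscape 1.x command line (`--without-gui` dropped, `--export-png=$@` replaced by `--export-filename=$@`), not a security change, so the changelog's "These address a number of crashes and security issues" should not be read as covering it. If the package build-depends on inkscape for icon conversion, that dependency needs a versioned constraint, since `--export-filename` is not accepted by the 0.9x series; if the icons are prebuilt or HAVE_CONVERSION_INKSCAPE is false on the buildds, say so in the patch description so the change is understood as inert for Debian builds.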
diff -Nru djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch
--- djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch	2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,24 @@
+From: "Barak A. Pearlmutter" <barak+git@pearlmutter.net>
+Date: Mon, 10 May 2021 15:48:24 +0100
+Subject: djvulibre-fedora Patch8 djvulibre-3.5.27-check-image-size.patch
+
+---
+ libdjvu/IW44Image.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
+index e8d4b44..aa3d554 100644
+--- a/libdjvu/IW44Image.cpp
++++ b/libdjvu/IW44Image.cpp
+@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
+   size_t sz = bw * bh;
+   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
++  if (sz == 0)
++    G_THROW("IW44Image: zero size image (corrupted file?)");
+   GPBuffer<short> gdata16(data16,sz);
++  if (data16 == NULL)
++    G_THROW("IW44Image: unable to allocate image data");
+   // Copy coefficients
+   int i;
+   short *p = data16;
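Review bot: the new `sz == 0` check sits after `if (sz / (size_t)bw != (size_t)bh)`, so a file with bw == 0 still divides by zero before reaching it; test `bw <= 0 || bh <= 0` before `size_t sz = bw * bh;` and drop the sz == 0 test, which is then implied. The `data16 == NULL` test after `GPBuffer<short> gdata16(data16,sz);` is only reached if GPBuffer returns rather than throws on allocation failure; if it throws, the branch is dead, which is harmless but deserves a comment so nobody removes the GPBuffer exception path thinking this check covers it.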
diff -Nru djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch
--- djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch	2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,31 @@
+From: "Barak A. Pearlmutter" <barak+git@pearlmutter.net>
+Date: Mon, 10 May 2021 15:48:53 +0100
+Subject: djvulibre-fedora Patch9 djvulibre-3.5.27-interger-overflow.patch
+
+---
+ tools/ddjvu.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 7109952..2f3e0f9 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -70,6 +70,7 @@
+ #include <locale.h>
+ #include <fcntl.h>
+ #include <errno.h>
++#include <stdint.h>
+ 
+ #ifdef UNIX
+ # include <sys/time.h>
+@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
+     rowsize = rrect.w;
+   else
+     rowsize = rrect.w * 3; 
+-  if (! (image = (char*)malloc(rowsize * rrect.h)))
++  if ((size_t)rowsize > SIZE_MAX / rrect.h)
++    die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
++  if (! (image = (char*)malloc((size_t)rowsize * rrect.h)))
+     die(i18n("Cannot allocate image buffer for page %d"), pageno);
+ 
+   /* Render */
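Review bot: `SIZE_MAX / rrect.h` divides by zero when rrect.h is 0, and nothing in the hunk excludes that; guard `rrect.w == 0 || rrect.h == 0` (via the existing `die(...)` path) before the division. The other product, `rowsize = rrect.w * 3` in the unchanged lines just above, is computed before the overflow check and is not itself checked; computing rowsize as size_t and testing `rrect.w > SIZE_MAX / 3` first would close that. The file name 0004-...-interger-ov.patch also has a typo ("interger") that the series file inherits; renaming it now avoids carrying it through later uploads.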
diff -Nru djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch
--- djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch	2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,21 @@
+From: "Barak A. Pearlmutter" <barak+git@pearlmutter.net>
+Date: Mon, 10 May 2021 15:49:14 +0100
+Subject: djvulibre-fedora Patch10 djvulibre-3.5.27-check-input-pool.patch
+
+---
+ libdjvu/DataPool.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
+index 5fcbedf..4c2eaf0 100644
+--- a/libdjvu/DataPool.cpp
++++ b/libdjvu/DataPool.cpp
+@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
+   DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
+   DEBUG_MAKE_INDENT(3);
+ 
++  if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
++
+   DataPool *xpool=new DataPool();
+   GP<DataPool> retval=xpool;
+   xpool->init();
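Review bot: `ERR_MSG("DataPool.zero_DataPool")` introduces a new message id, while the other imported patches throw plain literals such as "IW44Image: zero size image (corrupted file?)"; if DataPool.zero_DataPool has no entry in the message catalog, users see the bare key. Either reuse an existing DataPool.* id or throw a literal, consistently with the sibling patches. Placement after the DEBUG_MSG line is fine, since that line only casts `pool` to void* for printing and does not dereference it.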
diff -Nru djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
--- djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch	2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,46 @@
+From: "Barak A. Pearlmutter" <barak+git@pearlmutter.net>
+Date: Mon, 10 May 2021 15:49:55 +0100
+Subject: djvulibre-fedora Patch11
+ djvulibre-3.5.27-djvuport-stack-overflow.patch
+
+---
+ libdjvu/DjVuPort.cpp | 9 +++++++++
+ libdjvu/DjVuPort.h   | 1 +
+ 2 files changed, 10 insertions(+)
+
+diff --git a/libdjvu/DjVuPort.cpp b/libdjvu/DjVuPort.cpp
+index 2b3e0d2..a377920 100644
+--- a/libdjvu/DjVuPort.cpp
++++ b/libdjvu/DjVuPort.cpp
+@@ -507,10 +507,19 @@ GP<DjVuFile>
+ DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
+ {
+    GPList<DjVuPort> list;
++
++   if (!!opening_id && opening_id == id)
++      G_THROW("DjVuPortcaster: recursive opening of the same file (corrupted file?)");
++   else
++      opening_id = id;
++
+    compute_closure(source, list, true);
+    GP<DjVuFile> file;
+    for(GPosition pos=list;pos;++pos)
+       if ((file=list[pos]->id_to_file(source, id))) break;
++
++   opening_id = GUTF8String();
++
+    return file;
+ }
+ 
+diff --git a/libdjvu/DjVuPort.h b/libdjvu/DjVuPort.h
+index e2b3125..313dc2b 100644
+--- a/libdjvu/DjVuPort.h
++++ b/libdjvu/DjVuPort.h
+@@ -484,6 +484,7 @@ private:
+                        const DjVuPort *dst, int distance);
+    void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
+                         bool sorted=false);
++   GUTF8String opening_id;
+ };
+ 
+ 
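Review bot: `opening_id` is cleared only on the normal return path; if `compute_closure` or a port's `id_to_file` throws (G_THROW is the library's error path), `opening_id` stays set to the failed id and the next lookup of that id on this portcaster throws "recursive opening" spuriously. Clear it from an RAII guard, or a try/catch that resets and rethrows. The check also only catches immediate self-recursion on a single id: a nested call with a different id overwrites `opening_id`, so a chain where file A opens B which opens A is not detected; a set of ids currently being opened, or a depth limit, would cover the mutual case. If the portcaster is a shared singleton used from several threads, one member string is also racy.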
diff -Nru djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
--- djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch	2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,30 @@
+From: "Barak A. Pearlmutter" <barak+git@pearlmutter.net>
+Date: Mon, 10 May 2021 15:50:19 +0100
+Subject: djvulibre-fedora Patch12
+ djvulibre-3.5.27-unsigned-short-overflow.patch
+
+---
+ libdjvu/GBitmap.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..3d552a6 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -69,6 +69,7 @@
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ // - Author: Leon Bottou, 05/1997
+ 
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+   // initialize pixel array
+   if (nrows==0 || ncolumns==0)
+     G_THROW( ERR_MSG("GBitmap.not_init") );
++  if (ncolumns > USHRT_MAX - border)
++    G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+   bytes_per_row = ncolumns + border;
+   if (runs==0)
+     G_THROW( ERR_MSG("GBitmap.null_arg") );
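Review bot: `ncolumns > USHRT_MAX - border` hard-codes the assumption that `bytes_per_row` is an unsigned short, and nothing in the hunk shows the field's type; tie the bound to the field (std::numeric_limits<decltype(bytes_per_row)>::max()) so a later widening of the field does not leave a stale check, which would also make the added `#include <limits.h>` unnecessary in this C++ file. Ordering is right: the check sits next to the existing `nrows==0 || ncolumns==0` test and before `bytes_per_row = ncolumns + border;`.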
diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series
--- djvulibre-3.5.28/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/series	2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,7 @@
+0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch
+0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch
+0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch
+0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch
+0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch
+0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
+0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
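The [ Risks ] paragraph describes the imported patches as "testing and bailing" on allocation failure or page sizes that overflow. The following is an added example, not code from this unblock request or from djvulibre, showing that guard pattern in one place: dimensions are checked for zero before any division, then each multiplication is bounds-checked against size_t before it is performed, and only then is memory requested. Function and variable names are hypothetical.

```cpp
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <string>

// Hypothetical helper (not part of djvulibre): compute the byte size of a
// w x h image with bytes_per_pixel bytes per sample, refusing any
// combination that would wrap size_t or produce an empty buffer.
// The checks are ordered so that no division by zero can occur.
static bool checked_image_bytes(std::size_t w, std::size_t h,
                                std::size_t bytes_per_pixel, std::size_t &out)
{
    // Reject empty dimensions first: the divisions below depend on them.
    if (w == 0 || h == 0 || bytes_per_pixel == 0)
        return false;
    const std::size_t max = std::numeric_limits<std::size_t>::max();
    // w * h would wrap if w exceeds max / h.
    if (w > max / h)
        return false;
    const std::size_t pixels = w * h;
    // pixels * bytes_per_pixel would wrap if pixels exceeds max / bpp.
    if (pixels > max / bytes_per_pixel)
        return false;
    out = pixels * bytes_per_pixel;
    return true;
}

// Mirrors a decoder entry point: validate, then allocate, throwing (as the
// G_THROW paths in the patches do) instead of handing a wrapped size to the
// allocator. Returns the number of bytes actually reserved.
static std::size_t allocate_image(std::size_t w, std::size_t h,
                                  std::size_t bytes_per_pixel)
{
    std::size_t n = 0;
    if (!checked_image_bytes(w, h, bytes_per_pixel, n))
        throw std::runtime_error(
            "image size is zero or exceeds maximum (corrupted file?)");
    std::string buf(n, '\0');   // stands in for GPBuffer / malloc
    return buf.size();
}
```

The point of the ordering is that a corrupted header with a zero width or height must be rejected before the size is divided by it, and that the overflow test has to run on the same operand types as the multiplication it protects.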