summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMax Rees <maxcrees@me.com>2019-09-24 17:04:51 -0500
committerMax Rees <maxcrees@me.com>2019-09-24 17:04:51 -0500
commit9d975a16f6054ccfa09bcd932da9f18eff7d37d1 (patch)
treeee2fd7595644bdc4a06c52c2ded6b3055a5249c6
parentb0e0d5808b32e66e12d096a66854b7bc65d418f9 (diff)
downloadpackages-9d975a16f6054ccfa09bcd932da9f18eff7d37d1.tar.gz
packages-9d975a16f6054ccfa09bcd932da9f18eff7d37d1.tar.bz2
packages-9d975a16f6054ccfa09bcd932da9f18eff7d37d1.tar.xz
packages-9d975a16f6054ccfa09bcd932da9f18eff7d37d1.zip
user/djvulibre: patch multiple CVEs (#185)
-rw-r--r--user/djvulibre/APKBUILD25
-rw-r--r--user/djvulibre/CVE-2019-15142.patch94
-rw-r--r--user/djvulibre/CVE-2019-15143.patch46
-rw-r--r--user/djvulibre/CVE-2019-15144.patch117
-rw-r--r--user/djvulibre/CVE-2019-15145.patch34
5 files changed, 310 insertions, 6 deletions
diff --git a/user/djvulibre/APKBUILD b/user/djvulibre/APKBUILD
index a90485e6a..2b4a3ed0e 100644
--- a/user/djvulibre/APKBUILD
+++ b/user/djvulibre/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=djvulibre
pkgver=3.5.27
-pkgrel=0
+pkgrel=1
pkgdesc="Format for distributing documents and images"
url="http://djvu.sourceforge.net/"
arch="all"
@@ -11,10 +11,20 @@ depends=""
depends_dev=""
makedepends="$depends_dev imagemagick libjpeg-turbo-dev tiff-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz"
+source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz
+ CVE-2019-15142.patch
+ CVE-2019-15143.patch
+ CVE-2019-15144.patch
+ CVE-2019-15145.patch"
+
+# secfixes:
+# 3.5.27-r1:
+# - CVE-2019-15142
+# - CVE-2019-15143
+# - CVE-2019-15144
+# - CVE-2019-15145
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -26,13 +36,16 @@ build() {
}
check() {
- cd "$builddir"
+ # This doesn't actually do anything yet
make check
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
-sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252e4769e6534582b826e49bcfb490513179580fab9c3afa84aa92053ccebee djvulibre-3.5.27.tar.gz"
+sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252e4769e6534582b826e49bcfb490513179580fab9c3afa84aa92053ccebee djvulibre-3.5.27.tar.gz
+d9e4301fb98a35b8c2f1854eb4be53611f98b3fc9fdd357dd5502b5b189bdf61957a48b220f3ab7465bbf1df8606ce04513e10df74643a9e289c349f94721561 CVE-2019-15142.patch
+3527e1c84f7c7d36f902cb3d7e9ddb6866acbdd4b47675ce3ffd164accf2e2931a4c6bbaae2ea775b4710d88ae34dd4dcd39a5846fce13bef2c82a99d608b8c1 CVE-2019-15143.patch
+f8f1abf328a97d69514b2626e4c6449c0c7b7e2b5518d56bba6a61a944aaf4b7fffd1371c26396353728f6a1399c6d87492af5c17e6b623dae7751b81eac11f9 CVE-2019-15144.patch
+790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068 CVE-2019-15145.patch"
diff --git a/user/djvulibre/CVE-2019-15142.patch b/user/djvulibre/CVE-2019-15142.patch
new file mode 100644
index 000000000..84ed64e24
--- /dev/null
+++ b/user/djvulibre/CVE-2019-15142.patch
@@ -0,0 +1,94 @@
+Lifted from SUSE: backport of two upstream commits
+
+https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e
+https://sourceforge.net/p/djvu/djvulibre-git/ci/89d71b01d606e57ecec2c2930c145bb20ba5bbe3
+https://bugzilla.suse.com/show_bug.cgi?id=1146702#c3
+https://build.opensuse.org/package/view_file/graphics/djvulibre/djvulibre-CVE-2019-15142.patch
+
+Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp
+===================================================================
+--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200
++++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200
+@@ -300,36 +300,44 @@ DjVmDir::decode(const GP<ByteStream> &gs
+ memcpy((char*) strings+strings_size, buffer, length);
+ }
+ DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+-
+- // Copy names into the files
++ int strings_size=strings.size();
++ strings.resize(strings_size+3);
++ memset((char*) strings+strings_size, 0, 4);
++
++ // Copy names into the files
+ const char * ptr=strings;
+ for(pos=files_list;pos;++pos)
+ {
+ GP<File> file=files_list[pos];
+-
++ if (ptr >= (const char*)strings + strings_size)
++ G_THROW( "DjVu document is corrupted (DjVmDir)" );
+ file->id=ptr;
+ ptr+=file->id.length()+1;
+ if (file->flags & File::HAS_NAME)
+ {
+- file->name=ptr;
+- ptr+=file->name.length()+1;
+- } else
++ file->name=ptr;
++ ptr+=file->name.length()+1;
++ }
++ else
+ {
+ file->name=file->id;
+ }
+ if (file->flags & File::HAS_TITLE)
+ {
+- file->title=ptr;
+- ptr+=file->title.length()+1;
+- } else
+- file->title=file->id;
+- /* msr debug: multipage file, file->title is null.
++ file->title=ptr;
++ ptr+=file->title.length()+1;
++ }
++ else
++ {
++ file->title=file->id;
++ }
++ /* msr debug: multipage file, file->title is null.
+ DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
+ file->offset << ", " << file->size << ", " <<
+ file->is_page() << "\n"); */
+ }
+
+- // Check that there is only one file with SHARED_ANNO flag on
++ // Check that there is only one file with SHARED_ANNO flag on
+ int shared_anno_cnt=0;
+ for(pos=files_list;pos;++pos)
+ {
+Index: djvulibre-3.5.27/libdjvu/miniexp.cpp
+===================================================================
+--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100
++++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200
+@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i
+ {
+ if (char_quoted(c, flags))
+ {
+- char buffer[10];
++ char buffer[16]; /* 10+1 */
+ static const char *tr1 = "\"\\tnrbf";
+ static const char *tr2 = "\"\\\t\n\r\b\f";
+ buffer[0] = buffer[1] = 0;
+Index: djvulibre-3.5.27/tools/csepdjvu.cpp
+===================================================================
+--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200
++++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200
+@@ -1814,7 +1814,7 @@ main(int argc, const char **argv)
+ ByteStream::create(GURL::Filename::UTF8(arg),"rb");
+ BufferByteStream ibs(*fbs);
+ do {
+- char pagename[16];
++ char pagename[20];
+ sprintf(pagename, "p%04d.djvu", ++pageno);
+ if (opts.verbose > 1)
+ DjVuPrintErrorUTF8("%s","--------------------\n");
diff --git a/user/djvulibre/CVE-2019-15143.patch b/user/djvulibre/CVE-2019-15143.patch
new file mode 100644
index 000000000..db04087e1
--- /dev/null
+++ b/user/djvulibre/CVE-2019-15143.patch
@@ -0,0 +1,46 @@
+From b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Tue, 26 Mar 2019 20:45:46 -0400
+Subject: [PATCH] fix for bug #297
+
+---
+ libdjvu/DjVmDir.cpp | 2 +-
+ libdjvu/GBitmap.cpp | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index 0a0fac6..5a49015 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -309,7 +309,7 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+ {
+ GP<File> file=files_list[pos];
+ if (ptr >= (const char*)strings + strings_size)
+- G_THROW( "DjVu document is corrupted (DjVmDir)" );
++ G_THROW( ByteStream::EndOfFile );
+ file->id=ptr;
+ ptr+=file->id.length()+1;
+ if (file->flags & File::HAS_NAME)
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index 0e487f0..c2fdbe4 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
+ int c = 0;
+ while (n >= 0)
+ {
+- bs.read(&h, 1);
++ if (bs.read(&h, 1) <= 0)
++ G_THROW( ByteStream::EndOfFile );
+ int x = h;
+ if (x >= (int)RUNOVERFLOWVALUE)
+ {
+- bs.read(&h, 1);
++ if (bs.read(&h, 1) <= 0)
++ G_THROW( ByteStream::EndOfFile );
+ x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
+ }
+ if (c+x > ncolumns)
+--
+2.22.1
+
diff --git a/user/djvulibre/CVE-2019-15144.patch b/user/djvulibre/CVE-2019-15144.patch
new file mode 100644
index 000000000..1b0c71c5f
--- /dev/null
+++ b/user/djvulibre/CVE-2019-15144.patch
@@ -0,0 +1,117 @@
+From e15d51510048927f172f1bf1f27ede65907d940d Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Mon, 8 Apr 2019 22:25:55 -0400
+Subject: [PATCH] bug 299 fixed
+
+---
+ libdjvu/GContainer.h | 87 ++++++++++++++++++++++++--------------------
+ 1 file changed, 48 insertions(+), 39 deletions(-)
+
+diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h
+index 96b067c..0140211 100644
+--- a/libdjvu/GContainer.h
++++ b/libdjvu/GContainer.h
+@@ -550,52 +550,61 @@ public:
+ template <class TYPE> void
+ GArrayTemplate<TYPE>::sort(int lo, int hi)
+ {
+- if (hi <= lo)
+- return;
+- if (hi > hibound || lo<lobound)
+- G_THROW( ERR_MSG("GContainer.illegal_subscript") );
+ TYPE *data = (TYPE*)(*this);
+- // Test for insertion sort
+- if (hi <= lo + 50)
++ while(true)
+ {
+- for (int i=lo+1; i<=hi; i++)
++ if (hi <= lo)
++ return;
++ if (hi > hibound || lo<lobound)
++ G_THROW( ERR_MSG("GContainer.illegal_subscript") );
++ // Test for insertion sort
++ if (hi <= lo + 50)
+ {
+- int j = i;
+- TYPE tmp = data[i];
+- while ((--j>=lo) && !(data[j]<=tmp))
+- data[j+1] = data[j];
+- data[j+1] = tmp;
++ for (int i=lo+1; i<=hi; i++)
++ {
++ int j = i;
++ TYPE tmp = data[i];
++ while ((--j>=lo) && !(data[j]<=tmp))
++ data[j+1] = data[j];
++ data[j+1] = tmp;
++ }
++ return;
+ }
+- return;
+- }
+- // -- determine suitable quick-sort pivot
+- TYPE tmp = data[lo];
+- TYPE pivot = data[(lo+hi)/2];
+- if (pivot <= tmp)
+- { tmp = pivot; pivot=data[lo]; }
+- if (data[hi] <= tmp)
+- { pivot = tmp; }
+- else if (data[hi] <= pivot)
+- { pivot = data[hi]; }
+- // -- partition set
+- int h = hi;
+- int l = lo;
+- while (l < h)
+- {
+- while (! (pivot <= data[l])) l++;
+- while (! (data[h] <= pivot)) h--;
+- if (l < h)
++ // -- determine median-of-three pivot
++ TYPE tmp = data[lo];
++ TYPE pivot = data[(lo+hi)/2];
++ if (pivot <= tmp)
++ { tmp = pivot; pivot=data[lo]; }
++ if (data[hi] <= tmp)
++ { pivot = tmp; }
++ else if (data[hi] <= pivot)
++ { pivot = data[hi]; }
++ // -- partition set
++ int h = hi;
++ int l = lo;
++ while (l < h)
+ {
+- tmp = data[l];
+- data[l] = data[h];
+- data[h] = tmp;
+- l = l+1;
+- h = h-1;
++ while (! (pivot <= data[l])) l++;
++ while (! (data[h] <= pivot)) h--;
++ if (l < h)
++ {
++ tmp = data[l];
++ data[l] = data[h];
++ data[h] = tmp;
++ l = l+1;
++ h = h-1;
++ }
++ }
++ // -- recurse, small partition first
++ // tail-recursion elimination
++ if (h - lo <= hi - l) {
++ sort(lo,h);
++ lo = l; // sort(l,hi)
++ } else {
++ sort(l,hi);
++ hi = h; // sort(lo,h)
+ }
+ }
+- // -- recursively restart
+- sort(lo, h);
+- sort(l, hi);
+ }
+
+ template<class TYPE> inline TYPE&
+--
+2.22.1
+
diff --git a/user/djvulibre/CVE-2019-15145.patch b/user/djvulibre/CVE-2019-15145.patch
new file mode 100644
index 000000000..2a545cee2
--- /dev/null
+++ b/user/djvulibre/CVE-2019-15145.patch
@@ -0,0 +1,34 @@
+From 9658b01431cd7ff6344d7787f855179e73fe81a7 Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Mon, 8 Apr 2019 22:55:38 -0400
+Subject: [PATCH] fix bug #298
+
+---
+ libdjvu/GBitmap.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h
+index e8e0c9b..ca89a19 100644
+--- a/libdjvu/GBitmap.h
++++ b/libdjvu/GBitmap.h
+@@ -566,7 +566,7 @@ GBitmap::operator[](int row)
+ {
+ if (!bytes)
+ uncompress();
+- if (row<0 || row>=nrows) {
++ if (row<0 || row>=nrows || !bytes) {
+ #ifndef NDEBUG
+ if (zerosize < bytes_per_row + border)
+ G_THROW( ERR_MSG("GBitmap.zero_small") );
+@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const
+ {
+ if (!bytes)
+ ((GBitmap*)this)->uncompress();
+- if (row<0 || row>=nrows) {
++ if (row<0 || row>=nrows || !bytes) {
+ #ifndef NDEBUG
+ if (zerosize < bytes_per_row + border)
+ G_THROW( ERR_MSG("GBitmap.zero_small") );
+--
+2.22.1
+