summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--user/atril/APKBUILD17
-rw-r--r--user/atril/CVE-2019-1010006.patch40
-rw-r--r--user/atril/CVE-2019-11459.patch69
3 files changed, 99 insertions, 27 deletions
diff --git a/user/atril/APKBUILD b/user/atril/APKBUILD
index d9f1127a9..52f26e4a0 100644
--- a/user/atril/APKBUILD
+++ b/user/atril/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Kiyoshi Aman <kiyoshi.aman+adelie@gmail.com>
pkgname=atril
pkgver=1.22.1
-pkgrel=1
+pkgrel=2
pkgdesc="Document viewer for the MATE desktop environment"
url="https://mate-desktop.org"
arch="all"
@@ -14,10 +14,16 @@ makedepends="caja-dev djvulibre-dev gobject-introspection-dev gtk+3.0-dev
libxml2-dev libxml2-utils poppler-dev python3 tiff-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz
- CVE-2019-1010006.patch"
+ CVE-2019-1010006.patch
+ CVE-2019-11459.patch"
+
+# secfixes:
+# 1.22.1-r1:
+# - CVE-2019-1010006
+# 1.22.1-r2:
+# - CVE-2019-11459
build() {
- cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -33,14 +39,13 @@ build() {
}
check() {
- cd "$builddir"
make check
}
package() {
- cd "$builddir"
make DESTDIR="$pkgdir" install
}
sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d atril-1.22.1.tar.xz
-ea6db09fe033a8ddf6d90f080858057fad5452a23801e0f41f7a90ec352b71344e8b596a0913deabca333ff24dc5023628eab7c18bc526c0a7f8fb0d680acdf7 CVE-2019-1010006.patch"
+38ea99130fba5ce174eb4351a8c5b2c4dd9591a81aff72876fa17581be8960f75592184e18d3653fa3286035d9e4899ca1b53e830328a64fc15d0bb4b8176b39 CVE-2019-1010006.patch
+ba4ec4b0e10d87f44f189a16cfe2419906e3776edc9bc14f7da9356a8953683e3f7efc441691df131497b08b892d3b291aab416310f259ee6bc0706cc4f02880 CVE-2019-11459.patch"
diff --git a/user/atril/CVE-2019-1010006.patch b/user/atril/CVE-2019-1010006.patch
index ce107d193..913e40312 100644
--- a/user/atril/CVE-2019-1010006.patch
+++ b/user/atril/CVE-2019-1010006.patch
@@ -1,22 +1,18 @@
-From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001
-From: Jason Crain <jcrain@src.gnome.org>
-Date: Sat, 2 Dec 2017 20:24:33 -0600
-Subject: [PATCH] Fix overflow checks in tiff backend
+From aa8c51c24a3d716986ace9a4104a9632436ccff5 Mon Sep 17 00:00:00 2001
+From: lukefromdc <lukefromdc@hushmail.com>
+Date: Sat, 27 Jul 2019 15:07:13 -0400
+Subject: [PATCH] Fix buffer overflow in backend/tiff-document.c
-The overflow checks in tiff_document_render and
-tiff_document_get_thumbnail don't work when optimizations are enabled.
-Change the checks so they don't rely on undefined behavior.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=788980
+ Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
---
- backend/tiff/tiff-document.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
+ backend/tiff/tiff-document.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
-index 8f40934e..7bf95c2b 100644
+index 0aa31cb6..94adc400 100644
--- a/backend/tiff/tiff-document.c
+++ b/backend/tiff/tiff-document.c
-@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document,
+@@ -268,13 +268,14 @@ tiff_document_render (EvDocument *document,
return NULL;
}
@@ -27,11 +23,13 @@ index 8f40934e..7bf95c2b 100644
/* overflow */
return NULL;
}
-+ bytes = height * rowstride;
++ bytes = height * rowstride;
++
pixels = g_try_malloc (bytes);
if (!pixels) {
-@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document,
+ g_warning("Failed to allocate memory for rendering.");
+@@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument *document,
if (width <= 0 || height <= 0)
return NULL;
@@ -40,17 +38,17 @@ index 8f40934e..7bf95c2b 100644
+ if (width >= INT_MAX / 4)
/* overflow */
return NULL;
-+ rowstride = width * 4;
- bytes = height * rowstride;
- if (bytes / rowstride != height)
++ rowstride = width * 4;
++
+ if (height >= INT_MAX / rowstride)
/* overflow */
- return NULL;
-+ bytes = height * rowstride;
+- return NULL;
++ return NULL;
++
++ bytes = height * rowstride;
pixels = g_try_malloc (bytes);
if (!pixels)
---
-2.21.0
-
diff --git a/user/atril/CVE-2019-11459.patch b/user/atril/CVE-2019-11459.patch
new file mode 100644
index 000000000..a826cbd29
--- /dev/null
+++ b/user/atril/CVE-2019-11459.patch
@@ -0,0 +1,69 @@
+Backport of the following, since it did not apply due to whitespace /
+formatting
+
+From bd4ce9171fef52720e74ffeeeeca3b0c5b5d4808 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <vkareh@redhat.com>
+Date: Sun, 11 Aug 2019 05:20:09 +0300
+Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+This addresses CVE-2019-11459
+
+upstream commit:
+https://gitlab.gnome.org/GNOME/evince/commit/234f034a4
+---
+
+--- atril-1.22.1/backend/tiff/tiff-document.c
++++ atril-1.22.1/backend/tiff/tiff-document.c
+@@ -282,17 +282,21 @@ tiff_document_render (EvDocument *d
+ return NULL;
+ }
+
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ orientation, 0)) {
++ g_warning ("Failed to read TIFF image.");
++ g_free (pixels);
++ return NULL;
++ }
++
+ surface = cairo_image_surface_create_for_data (pixels,
+ CAIRO_FORMAT_RGB24,
+ width, height,
+ rowstride);
+ cairo_surface_set_user_data (surface, &key,
+ pixels, (cairo_destroy_func_t)g_free);
+-
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- orientation, 0);
+ pop_handlers ();
+
+ /* Convert the format returned by libtiff to
+@@ -373,13 +377,17 @@ tiff_document_render_pixbuf (EvDocument
+ if (!pixels)
+ return NULL;
+
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ ORIENTATION_TOPLEFT, 0)) {
++ g_free (pixels);
++ return NULL;
++ }
++
+ pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8,
+ width, height, rowstride,
+ (GdkPixbufDestroyNotify) g_free, NULL);
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- ORIENTATION_TOPLEFT, 0);
+ pop_handlers ();
+
+ scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,