diff options
Diffstat (limited to 'user/atril')
| -rw-r--r-- | user/atril/APKBUILD | 19 | ||||
| -rw-r--r-- | user/atril/CVE-2019-1010006.patch | 56 | ||||
| -rw-r--r-- | user/atril/CVE-2019-11459.patch | 69 |
3 files changed, 80 insertions, 64 deletions
diff --git a/user/atril/APKBUILD b/user/atril/APKBUILD index d9f1127a9..d36e45f69 100644 --- a/user/atril/APKBUILD +++ b/user/atril/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Kiyoshi Aman <kiyoshi.aman+adelie@gmail.com> # Maintainer: Kiyoshi Aman <kiyoshi.aman+adelie@gmail.com> pkgname=atril -pkgver=1.22.1 -pkgrel=1 +pkgver=1.22.2 +pkgrel=0 pkgdesc="Document viewer for the MATE desktop environment" url="https://mate-desktop.org" arch="all" @@ -14,10 +14,15 @@ makedepends="caja-dev djvulibre-dev gobject-introspection-dev gtk+3.0-dev libxml2-dev libxml2-utils poppler-dev python3 tiff-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz - CVE-2019-1010006.patch" + CVE-2019-11459.patch" + +# secfixes: +# 1.22.1-r1: +# - CVE-2019-1010006 +# 1.22.1-r2: +# - CVE-2019-11459 build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -33,14 +38,12 @@ build() { } check() { - cd "$builddir" make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } -sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d atril-1.22.1.tar.xz -ea6db09fe033a8ddf6d90f080858057fad5452a23801e0f41f7a90ec352b71344e8b596a0913deabca333ff24dc5023628eab7c18bc526c0a7f8fb0d680acdf7 CVE-2019-1010006.patch" +sha512sums="99ff55f84649dfb8de931ff2506ff0339852fbb7ed368cee1f6632ba243d2b0384cd0bd649d16c30317fbf786612f54c2404da43d14141e6f9c0944e64c34653 atril-1.22.2.tar.xz +ba4ec4b0e10d87f44f189a16cfe2419906e3776edc9bc14f7da9356a8953683e3f7efc441691df131497b08b892d3b291aab416310f259ee6bc0706cc4f02880 CVE-2019-11459.patch" diff --git a/user/atril/CVE-2019-1010006.patch b/user/atril/CVE-2019-1010006.patch deleted file mode 100644 index ce107d193..000000000 --- a/user/atril/CVE-2019-1010006.patch +++ /dev/null @@ -1,56 +0,0 @@ -From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001 -From: Jason Crain <jcrain@src.gnome.org> -Date: Sat, 2 Dec 2017 20:24:33 -0600 -Subject: [PATCH] Fix overflow checks in tiff backend - -The overflow checks in tiff_document_render and -tiff_document_get_thumbnail don't work when optimizations are enabled. -Change the checks so they don't rely on undefined behavior. - -https://bugzilla.gnome.org/show_bug.cgi?id=788980 ---- - backend/tiff/tiff-document.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c -index 8f40934e..7bf95c2b 100644 ---- a/backend/tiff/tiff-document.c -+++ b/backend/tiff/tiff-document.c -@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document, - return NULL; - } - -- bytes = height * rowstride; -- if (bytes / rowstride != height) { -+ if (height >= INT_MAX / rowstride) { - g_warning("Overflow while rendering document."); - /* overflow */ - return NULL; - } -+ bytes = height * rowstride; - - pixels = g_try_malloc (bytes); - if (!pixels) { -@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document, - if (width <= 0 || height <= 0) - return NULL; - -- rowstride = width * 4; -- if (rowstride / 4 != width) -+ if (width >= INT_MAX / 4) - /* overflow */ - return NULL; -+ rowstride = width * 4; - -- bytes = height * rowstride; -- if (bytes / rowstride != height) -+ if (height >= INT_MAX / rowstride) - /* overflow */ - return NULL; -+ bytes = height * rowstride; - - pixels = g_try_malloc (bytes); - if (!pixels) --- -2.21.0 - diff --git a/user/atril/CVE-2019-11459.patch b/user/atril/CVE-2019-11459.patch new file mode 100644 index 000000000..a826cbd29 --- /dev/null +++ b/user/atril/CVE-2019-11459.patch @@ -0,0 +1,69 @@ +Backport of the following, since it did not apply due to whitespace / +formatting + +From bd4ce9171fef52720e74ffeeeeca3b0c5b5d4808 Mon Sep 17 00:00:00 2001 +From: Victor Kareh <vkareh@redhat.com> +Date: Sun, 11 Aug 2019 05:20:09 +0300 +Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented + +The TIFFReadRGBAImageOriented function returns zero if it was unable to +read the image. Return NULL in this case instead of displaying +uninitialized memory. + +This addresses CVE-2019-11459 + +upstream commit: +https://gitlab.gnome.org/GNOME/evince/commit/234f034a4 +--- + +--- atril-1.22.1/backend/tiff/tiff-document.c ++++ atril-1.22.1/backend/tiff/tiff-document.c +@@ -282,17 +282,21 @@ tiff_document_render (EvDocument *d + return NULL; + } + ++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff, ++ width, height, ++ (uint32 *)pixels, ++ orientation, 0)) { ++ g_warning ("Failed to read TIFF image."); ++ g_free (pixels); ++ return NULL; ++ } ++ + surface = cairo_image_surface_create_for_data (pixels, + CAIRO_FORMAT_RGB24, + width, height, + rowstride); + cairo_surface_set_user_data (surface, &key, + pixels, (cairo_destroy_func_t)g_free); +- +- TIFFReadRGBAImageOriented (tiff_document->tiff, +- width, height, +- (uint32 *)pixels, +- orientation, 0); + pop_handlers (); + + /* Convert the format returned by libtiff to +@@ -373,13 +377,17 @@ tiff_document_render_pixbuf (EvDocument + if (!pixels) + return NULL; + ++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff, ++ width, height, ++ (uint32 *)pixels, ++ ORIENTATION_TOPLEFT, 0)) { ++ g_free (pixels); ++ return NULL; ++ } ++ + pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, + width, height, rowstride, + (GdkPixbufDestroyNotify) g_free, NULL); +- TIFFReadRGBAImageOriented (tiff_document->tiff, +- width, height, +- (uint32 *)pixels, +- ORIENTATION_TOPLEFT, 0); + pop_handlers (); + + scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf, |