From 9d975a16f6054ccfa09bcd932da9f18eff7d37d1 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Tue, 24 Sep 2019 17:04:51 -0500 Subject: user/djvulibre: patch multiple CVEs (#185) --- user/djvulibre/APKBUILD | 25 ++++++-- user/djvulibre/CVE-2019-15142.patch | 94 +++++++++++++++++++++++++++++ user/djvulibre/CVE-2019-15143.patch | 46 ++++++++++++++ user/djvulibre/CVE-2019-15144.patch | 117 ++++++++++++++++++++++++++++++++++++ user/djvulibre/CVE-2019-15145.patch | 34 +++++++++++ 5 files changed, 310 insertions(+), 6 deletions(-) create mode 100644 user/djvulibre/CVE-2019-15142.patch create mode 100644 user/djvulibre/CVE-2019-15143.patch create mode 100644 user/djvulibre/CVE-2019-15144.patch create mode 100644 user/djvulibre/CVE-2019-15145.patch (limited to 'user') diff --git a/user/djvulibre/APKBUILD b/user/djvulibre/APKBUILD index a90485e6a..2b4a3ed0e 100644 --- a/user/djvulibre/APKBUILD +++ b/user/djvulibre/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=djvulibre pkgver=3.5.27 -pkgrel=0 +pkgrel=1 pkgdesc="Format for distributing documents and images" url="http://djvu.sourceforge.net/" arch="all" @@ -11,10 +11,20 @@ depends="" depends_dev="" makedepends="$depends_dev imagemagick libjpeg-turbo-dev tiff-dev" subpackages="$pkgname-dev $pkgname-doc" -source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz" +source="https://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz + CVE-2019-15142.patch + CVE-2019-15143.patch + CVE-2019-15144.patch + CVE-2019-15145.patch" + +# secfixes: +# 3.5.27-r1: +# - CVE-2019-15142 +# - CVE-2019-15143 +# - CVE-2019-15144 +# - CVE-2019-15145 build() { - cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -26,13 +36,16 @@ build() { } check() { - cd "$builddir" + # This doesn't actually do anything yet make check } package() { - cd "$builddir" make DESTDIR="$pkgdir" install } -sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252e4769e6534582b826e49bcfb490513179580fab9c3afa84aa92053ccebee djvulibre-3.5.27.tar.gz" +sha512sums="62abcaa2fe7edab536477929ba38b882453dab1a06e119a3f838b38d5c61f5d8c252e4769e6534582b826e49bcfb490513179580fab9c3afa84aa92053ccebee djvulibre-3.5.27.tar.gz +d9e4301fb98a35b8c2f1854eb4be53611f98b3fc9fdd357dd5502b5b189bdf61957a48b220f3ab7465bbf1df8606ce04513e10df74643a9e289c349f94721561 CVE-2019-15142.patch +3527e1c84f7c7d36f902cb3d7e9ddb6866acbdd4b47675ce3ffd164accf2e2931a4c6bbaae2ea775b4710d88ae34dd4dcd39a5846fce13bef2c82a99d608b8c1 CVE-2019-15143.patch +f8f1abf328a97d69514b2626e4c6449c0c7b7e2b5518d56bba6a61a944aaf4b7fffd1371c26396353728f6a1399c6d87492af5c17e6b623dae7751b81eac11f9 CVE-2019-15144.patch +790ef1e05874635c762600c990ecbd3e29e2eb01c59e25a0f8b2a15dbadbd3673d9dbb651d9dcb53fd3e5f4cb6bded47c3eefaaef8b4ccac39bd28f8bbec2068 CVE-2019-15145.patch" diff --git a/user/djvulibre/CVE-2019-15142.patch b/user/djvulibre/CVE-2019-15142.patch new file mode 100644 index 000000000..84ed64e24 --- /dev/null +++ b/user/djvulibre/CVE-2019-15142.patch @@ -0,0 +1,94 @@ +Lifted from SUSE: backport of two upstream commits + +https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e +https://sourceforge.net/p/djvu/djvulibre-git/ci/89d71b01d606e57ecec2c2930c145bb20ba5bbe3 +https://bugzilla.suse.com/show_bug.cgi?id=1146702#c3 +https://build.opensuse.org/package/view_file/graphics/djvulibre/djvulibre-CVE-2019-15142.patch + +Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp +=================================================================== +--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200 ++++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200 +@@ -300,36 +300,44 @@ DjVmDir::decode(const GP &gs + memcpy((char*) strings+strings_size, buffer, length); + } + DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); +- +- // Copy names into the files ++ int strings_size=strings.size(); ++ strings.resize(strings_size+3); ++ memset((char*) strings+strings_size, 0, 4); ++ ++ // Copy names into the files + const char * ptr=strings; + for(pos=files_list;pos;++pos) + { + GP file=files_list[pos]; +- ++ if (ptr >= (const char*)strings + strings_size) ++ G_THROW( "DjVu document is corrupted (DjVmDir)" ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) + { +- file->name=ptr; +- ptr+=file->name.length()+1; +- } else ++ file->name=ptr; ++ ptr+=file->name.length()+1; ++ } ++ else + { + file->name=file->id; + } + if (file->flags & File::HAS_TITLE) + { +- file->title=ptr; +- ptr+=file->title.length()+1; +- } else +- file->title=file->id; +- /* msr debug: multipage file, file->title is null. ++ file->title=ptr; ++ ptr+=file->title.length()+1; ++ } ++ else ++ { ++ file->title=file->id; ++ } ++ /* msr debug: multipage file, file->title is null. + DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " << + file->offset << ", " << file->size << ", " << + file->is_page() << "\n"); */ + } + +- // Check that there is only one file with SHARED_ANNO flag on ++ // Check that there is only one file with SHARED_ANNO flag on + int shared_anno_cnt=0; + for(pos=files_list;pos;++pos) + { +Index: djvulibre-3.5.27/libdjvu/miniexp.cpp +=================================================================== +--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100 ++++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200 +@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i + { + if (char_quoted(c, flags)) + { +- char buffer[10]; ++ char buffer[16]; /* 10+1 */ + static const char *tr1 = "\"\\tnrbf"; + static const char *tr2 = "\"\\\t\n\r\b\f"; + buffer[0] = buffer[1] = 0; +Index: djvulibre-3.5.27/tools/csepdjvu.cpp +=================================================================== +--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200 ++++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200 +@@ -1814,7 +1814,7 @@ main(int argc, const char **argv) + ByteStream::create(GURL::Filename::UTF8(arg),"rb"); + BufferByteStream ibs(*fbs); + do { +- char pagename[16]; ++ char pagename[20]; + sprintf(pagename, "p%04d.djvu", ++pageno); + if (opts.verbose > 1) + DjVuPrintErrorUTF8("%s","--------------------\n"); diff --git a/user/djvulibre/CVE-2019-15143.patch b/user/djvulibre/CVE-2019-15143.patch new file mode 100644 index 000000000..db04087e1 --- /dev/null +++ b/user/djvulibre/CVE-2019-15143.patch @@ -0,0 +1,46 @@ +From b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Tue, 26 Mar 2019 20:45:46 -0400 +Subject: [PATCH] fix for bug #297 + +--- + libdjvu/DjVmDir.cpp | 2 +- + libdjvu/GBitmap.cpp | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp +index 0a0fac6..5a49015 100644 +--- a/libdjvu/DjVmDir.cpp ++++ b/libdjvu/DjVmDir.cpp +@@ -309,7 +309,7 @@ DjVmDir::decode(const GP &gstr) + { + GP file=files_list[pos]; + if (ptr >= (const char*)strings + strings_size) +- G_THROW( "DjVu document is corrupted (DjVmDir)" ); ++ G_THROW( ByteStream::EndOfFile ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) +diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp +index 0e487f0..c2fdbe4 100644 +--- a/libdjvu/GBitmap.cpp ++++ b/libdjvu/GBitmap.cpp +@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs) + int c = 0; + while (n >= 0) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + int x = h; + if (x >= (int)RUNOVERFLOWVALUE) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + x = h + ((x - (int)RUNOVERFLOWVALUE) << 8); + } + if (c+x > ncolumns) +-- +2.22.1 + diff --git a/user/djvulibre/CVE-2019-15144.patch b/user/djvulibre/CVE-2019-15144.patch new file mode 100644 index 000000000..1b0c71c5f --- /dev/null +++ b/user/djvulibre/CVE-2019-15144.patch @@ -0,0 +1,117 @@ +From e15d51510048927f172f1bf1f27ede65907d940d Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Mon, 8 Apr 2019 22:25:55 -0400 +Subject: [PATCH] bug 299 fixed + +--- + libdjvu/GContainer.h | 87 ++++++++++++++++++++++++-------------------- + 1 file changed, 48 insertions(+), 39 deletions(-) + +diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h +index 96b067c..0140211 100644 +--- a/libdjvu/GContainer.h ++++ b/libdjvu/GContainer.h +@@ -550,52 +550,61 @@ public: + template void + GArrayTemplate::sort(int lo, int hi) + { +- if (hi <= lo) +- return; +- if (hi > hibound || lo hibound || lo=lo) && !(data[j]<=tmp)) +- data[j+1] = data[j]; +- data[j+1] = tmp; ++ for (int i=lo+1; i<=hi; i++) ++ { ++ int j = i; ++ TYPE tmp = data[i]; ++ while ((--j>=lo) && !(data[j]<=tmp)) ++ data[j+1] = data[j]; ++ data[j+1] = tmp; ++ } ++ return; + } +- return; +- } +- // -- determine suitable quick-sort pivot +- TYPE tmp = data[lo]; +- TYPE pivot = data[(lo+hi)/2]; +- if (pivot <= tmp) +- { tmp = pivot; pivot=data[lo]; } +- if (data[hi] <= tmp) +- { pivot = tmp; } +- else if (data[hi] <= pivot) +- { pivot = data[hi]; } +- // -- partition set +- int h = hi; +- int l = lo; +- while (l < h) +- { +- while (! (pivot <= data[l])) l++; +- while (! (data[h] <= pivot)) h--; +- if (l < h) ++ // -- determine median-of-three pivot ++ TYPE tmp = data[lo]; ++ TYPE pivot = data[(lo+hi)/2]; ++ if (pivot <= tmp) ++ { tmp = pivot; pivot=data[lo]; } ++ if (data[hi] <= tmp) ++ { pivot = tmp; } ++ else if (data[hi] <= pivot) ++ { pivot = data[hi]; } ++ // -- partition set ++ int h = hi; ++ int l = lo; ++ while (l < h) + { +- tmp = data[l]; +- data[l] = data[h]; +- data[h] = tmp; +- l = l+1; +- h = h-1; ++ while (! (pivot <= data[l])) l++; ++ while (! (data[h] <= pivot)) h--; ++ if (l < h) ++ { ++ tmp = data[l]; ++ data[l] = data[h]; ++ data[h] = tmp; ++ l = l+1; ++ h = h-1; ++ } ++ } ++ // -- recurse, small partition first ++ // tail-recursion elimination ++ if (h - lo <= hi - l) { ++ sort(lo,h); ++ lo = l; // sort(l,hi) ++ } else { ++ sort(l,hi); ++ hi = h; // sort(lo,h) + } + } +- // -- recursively restart +- sort(lo, h); +- sort(l, hi); + } + + template inline TYPE& +-- +2.22.1 + diff --git a/user/djvulibre/CVE-2019-15145.patch b/user/djvulibre/CVE-2019-15145.patch new file mode 100644 index 000000000..2a545cee2 --- /dev/null +++ b/user/djvulibre/CVE-2019-15145.patch @@ -0,0 +1,34 @@ +From 9658b01431cd7ff6344d7787f855179e73fe81a7 Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Mon, 8 Apr 2019 22:55:38 -0400 +Subject: [PATCH] fix bug #298 + +--- + libdjvu/GBitmap.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h +index e8e0c9b..ca89a19 100644 +--- a/libdjvu/GBitmap.h ++++ b/libdjvu/GBitmap.h +@@ -566,7 +566,7 @@ GBitmap::operator[](int row) + { + if (!bytes) + uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); +@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const + { + if (!bytes) + ((GBitmap*)this)->uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); +-- +2.22.1 + -- cgit v1.2.3-60-g2f50