diff --git a/gnu/local.mk b/gnu/local.mk index b8c5378a17..98c8848135 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -668,6 +668,8 @@ dist_patch_DATA = \ %D%/packages/patches/mplayer2-theora-fix.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/mumps-build-parallelism.patch \ + %D%/packages/patches/mupdf-CVE-2016-6265.patch \ + %D%/packages/patches/mupdf-CVE-2016-6525.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/mutt-store-references.patch \ %D%/packages/patches/mysql-fix-failing-test.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2016-6265.patch b/gnu/packages/patches/mupdf-CVE-2016-6265.patch new file mode 100644 index 0000000000..58f5c3726c --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-6265.patch @@ -0,0 +1,30 @@ +Fix CVE-2016-6265 (use after free in pdf_load_xref()). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265 +https://security-tracker.debian.org/tracker/CVE-2016-6265 + +Patch copied from upstream source repository: + +http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958 + +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 576c315..3222599 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i); + } + if (entry->type == 'o') +- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n') +- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i); ++ { ++ /* Read this into a local variable here, because pdf_get_xref_entry ++ * may solidify the xref, hence invalidating "entry", meaning we ++ * need a stashed value for the throw. */ ++ fz_off_t ofs = entry->ofs; ++ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n') ++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i); ++ } + } + } + diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch b/gnu/packages/patches/mupdf-CVE-2016-6525.patch new file mode 100644 index 0000000000..370af5ade6 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-6525.patch @@ -0,0 +1,21 @@ +Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525 +https://security-tracker.debian.org/tracker/CVE-2016-6525 + +Patch copied from upstream source repository: +http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e + +diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c +index 7815b3c..6e25efa 100644 +--- a/source/pdf/pdf-shade.c ++++ b/source/pdf/pdf-shade.c +@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob + obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode); + if (pdf_array_len(ctx, obj) >= 6) + { +- n = (pdf_array_len(ctx, obj) - 4) / 2; ++ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2); + shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0)); + shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1)); + shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2)); diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index f9523c6fc1..74e89070b8 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -474,6 +474,8 @@ extracting content or merging files.") name "-" version "-source.tar.gz")) (sha256 (base32 "01n26cy41lc2fjri63s4js23ixxb4nd37aafry3hz4i4id6wd8x2")) + (patches (search-patches "mupdf-CVE-2016-6265.patch" + "mupdf-CVE-2016-6525.patch")) (modules '((guix build utils))) (snippet ;; Don't build the bundled-in third party libraries.