From e411ce186021540770c389ec13b7b5b42252c4bb Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 29 Apr 2016 03:31:41 -0400 Subject: [PATCH] gnu: poppler: Fix CVE-2015-8868. * gnu/packages/pdf.scm (poppler)[replacement]: New field. (poppler/fixed): New variable. * gnu/packages/patches/poppler-CVE-2015-8868.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/poppler-CVE-2015-8868.patch | 30 +++++++++++++++++++ gnu/packages/pdf.scm | 8 +++++ 3 files changed, 39 insertions(+) create mode 100644 gnu/packages/patches/poppler-CVE-2015-8868.patch diff --git a/gnu/local.mk b/gnu/local.mk index 7556fa76e8..e45405fe0e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -681,6 +681,7 @@ dist_patch_DATA = \ gnu/packages/patches/plink-1.07-unclobber-i.patch \ gnu/packages/patches/plotutils-libpng-jmpbuf.patch \ gnu/packages/patches/polkit-drop-test.patch \ + gnu/packages/patches/poppler-CVE-2015-8868.patch \ gnu/packages/patches/portaudio-audacity-compat.patch \ gnu/packages/patches/procmail-ambiguous-getline-debian.patch \ gnu/packages/patches/pt-scotch-build-parallelism.patch \ diff --git a/gnu/packages/patches/poppler-CVE-2015-8868.patch b/gnu/packages/patches/poppler-CVE-2015-8868.patch new file mode 100644 index 0000000000..ac78d32ffa --- /dev/null +++ b/gnu/packages/patches/poppler-CVE-2015-8868.patch @@ -0,0 +1,30 @@ +Fixes CVE-2015-8868 (heap overflow). + +Upstream source: +https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433 + +From b3425dd3261679958cd56c0f71995c15d2124433 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 22 Dec 2015 22:50:33 +0100 +Subject: Do not crash on invalid files + +Bug #93476 + +diff --git a/poppler/Function.cc b/poppler/Function.cc +index 67283df..ee5afc1 100644 +--- a/poppler/Function.cc ++++ b/poppler/Function.cc +@@ -577,6 +577,10 @@ ExponentialFunction::ExponentialFunction(Object *funcObj, Dict *dict) { + goto err2; + } + n = obj1.arrayGetLength(); ++ if (unlikely(n > funcMaxOutputs)) { ++ error(errSyntaxError, -1, "Function's C0 array is wrong length"); ++ n = funcMaxOutputs; ++ } + for (i = 0; i < n; ++i) { + obj1.arrayGet(i, &obj2); + if (!obj2.isNum()) { +-- +cgit v0.10.2 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 1d33be85d5..8f9f5dd503 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -53,6 +53,7 @@ (package (name "poppler") (version "0.37.0") + (replacement poppler/fixed) (source (origin (method url-fetch) (uri (string-append "https://poppler.freedesktop.org/poppler-" @@ -104,6 +105,13 @@ (license license:gpl2+) (home-page "http://poppler.freedesktop.org/"))) +(define poppler/fixed + (package + (inherit poppler) + (source (origin + (inherit (package-source poppler)) + (patches (search-patches "poppler-CVE-2015-8868.patch")))))) + (define-public poppler-qt4 (package (inherit poppler) (name "poppler-qt4")