summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbsiegert <bsiegert@pkgsrc.org>2017-02-24 19:18:04 +0000
committerbsiegert <bsiegert@pkgsrc.org>2017-02-24 19:18:04 +0000
commitbc1ef0bfe75689d05a3fe8104395eeac4a82152c (patch)
tree4445bf79c8ddc6402442c214a40e98bcb07b53bf
parent4f29947aca42ed3b92efbdb686798f440af9121d (diff)
downloadpkgsrc-bc1ef0bfe75689d05a3fe8104395eeac4a82152c.tar.gz
Pullup ticket #5216 - requested by leot
print/mupdf: security fix Revisions pulled up: - print/mupdf/Makefile 1.44,1.46 - print/mupdf/distinfo 1.30-1.31 - print/mupdf/patches/patch-source_fitz_pixmap.c 1.1 - print/mupdf/patches/patch-source_tools_mudraw.c 1.1 - print/mupdf/patches/patch-thirdparty_mujs_jsdate.c 1.1 - print/mupdf/patches/patch-thirdparty_mujs_jsrun.c 1.1 --- Module Name: pkgsrc Committed By: leot Date: Mon Jan 30 14:06:05 UTC 2017 Modified Files: pkgsrc/print/mupdf: Makefile distinfo Added Files: pkgsrc/print/mupdf/patches: patch-thirdparty_mujs_jsdate.c patch-thirdparty_mujs_jsrun.c Log Message: Backport fixes to mupdf-1.10a from upstream for CVE-2017-562[78] PKGREVISION++ --- Module Name: pkgsrc Committed By: leot Date: Sat Feb 11 09:39:05 UTC 2017 Modified Files: pkgsrc/print/mupdf: Makefile distinfo Added Files: pkgsrc/print/mupdf/patches: patch-source_fitz_pixmap.c patch-source_tools_mudraw.c Log Message: Backport security fixes for upstream bugs 697514 and 697515 (CVE-2017-5896) to PKGREVISON++
-rw-r--r--print/mupdf/Makefile3
-rw-r--r--print/mupdf/distinfo6
-rw-r--r--print/mupdf/patches/patch-source_fitz_pixmap.c44
-rw-r--r--print/mupdf/patches/patch-source_tools_mudraw.c17
-rw-r--r--print/mupdf/patches/patch-thirdparty_mujs_jsdate.c27
-rw-r--r--print/mupdf/patches/patch-thirdparty_mujs_jsrun.c21
6 files changed, 116 insertions, 2 deletions
diff --git a/print/mupdf/Makefile b/print/mupdf/Makefile
index cf37568973e..73b54c3de04 100644
--- a/print/mupdf/Makefile
+++ b/print/mupdf/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.42 2016/12/09 08:19:31 leot Exp $
+# $NetBSD: Makefile,v 1.42.2.1 2017/02/24 19:18:04 bsiegert Exp $
DISTNAME= mupdf-1.10a-source
PKGNAME= ${DISTNAME:S/-source//}
+PKGREVISION= 4
CATEGORIES= print
MASTER_SITES= http://mupdf.com/downloads/archive/
diff --git a/print/mupdf/distinfo b/print/mupdf/distinfo
index d71df999a61..ea8bee36fd1 100644
--- a/print/mupdf/distinfo
+++ b/print/mupdf/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2016/12/09 08:19:31 leot Exp $
+$NetBSD: distinfo,v 1.29.2.1 2017/02/24 19:18:04 bsiegert Exp $
SHA1 (mupdf-1.10a-source.tar.gz) = 1c3a6e1d4406912004b8e2c09435199e6b425191
RMD160 (mupdf-1.10a-source.tar.gz) = bfb482681c6804db8a0fd9ec46b16ac6f9fffdf2
@@ -9,4 +9,8 @@ SHA1 (patch-ab) = 7bee583086078359ce04eacd9db3b4f03737a7bb
SHA1 (patch-ac) = d75afe8b05b85d042dc1baeaf8a9988f2e60338a
SHA1 (patch-ae) = c6b113818b32cb4470e8549c00a16e0b2f364ede
SHA1 (patch-source_fitz_load-jpx.c) = fbe6814536d37835a4daa5bb90b1f6cf8698f807
+SHA1 (patch-source_fitz_pixmap.c) = d0b3e44780fd64381424e367e5233ce1013dc974
+SHA1 (patch-source_tools_mudraw.c) = 99b827e39767559a8d5b6b380f0bbb100f5125e7
SHA1 (patch-thirdparty_mujs_Makefile) = f1da7cdf2c9e2e4bbac3e80ef486204a39b27e34
+SHA1 (patch-thirdparty_mujs_jsdate.c) = 020fcb9d1e77bd7ba10943070673d53bbcee573b
+SHA1 (patch-thirdparty_mujs_jsrun.c) = 79f730436b1f67780468c10096d3dbfb5e14d5a5
diff --git a/print/mupdf/patches/patch-source_fitz_pixmap.c b/print/mupdf/patches/patch-source_fitz_pixmap.c
new file mode 100644
index 00000000000..e89562e5020
--- /dev/null
+++ b/print/mupdf/patches/patch-source_fitz_pixmap.c
@@ -0,0 +1,44 @@
+$NetBSD: patch-source_fitz_pixmap.c,v 1.1.2.2 2017/02/24 19:18:04 bsiegert Exp $
+
+Backport a fix from upstream for CVE-2017-5896:
+
+bug 697515: Fix out of bounds read in fz_subsample_pixmap
+
+Pointer arithmetic for final special case was going wrong.
+
+--- source/fitz/pixmap.c.orig
++++ source/fitz/pixmap.c
+@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ "@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
+ "ldr r4, [r13,#4*22] @ r4 = divXY \n"
+ "ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n"
++ "ldr r8, [r13,#4*17] @ r8 = back4 \n"
+ "18: @ \n"
+ "mov r14,#0 @ r14= v = 0 \n"
+ "sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n"
+@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
+ "mul r14,r4, r14 @ r14= v *= divX \n"
+ "mov r14,r14,LSR #16 @ r14= v >>= 16 \n"
+ "strb r14,[r9], #1 @ *d++ = r14 \n"
+- "sub r0, r0, r8 @ s -= back2 \n"
++ "sub r0, r0, r8 @ s -= back4 \n"
+ "subs r5, r5, #1 @ n-- \n"
+ "bgt 18b @ } \n"
+ "21: @ \n"
+@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ x += f;
+ if (x > 0)
+ {
++ int back4 = x * n - 1;
+ div = x * y;
+ for (nn = n; nn > 0; nn--)
+ {
+@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
+ s -= back5;
+ }
+ *d++ = v / div;
+- s -= back2;
++ s -= back4;
+ }
+ }
+ }
diff --git a/print/mupdf/patches/patch-source_tools_mudraw.c b/print/mupdf/patches/patch-source_tools_mudraw.c
new file mode 100644
index 00000000000..92d754aceb0
--- /dev/null
+++ b/print/mupdf/patches/patch-source_tools_mudraw.c
@@ -0,0 +1,17 @@
+$NetBSD: patch-source_tools_mudraw.c,v 1.1.2.2 2017/02/24 19:18:04 bsiegert Exp $
+
+Backport a fix from upstream for bug 697514:
+
+Bug 697514: Write SVG output to stdout if no output specified.
+
+--- source/tools/mudraw.c.orig
++++ source/tools/mudraw.c
+@@ -578,7 +578,7 @@ static void dodrawpage(fz_context *ctx, fz_page *page, fz_display_list *list, in
+ char buf[512];
+ fz_output *out;
+
+- if (!strcmp(output, "-"))
++ if (!output || !strcmp(output, "-"))
+ out = fz_stdout(ctx);
+ else
+ {
diff --git a/print/mupdf/patches/patch-thirdparty_mujs_jsdate.c b/print/mupdf/patches/patch-thirdparty_mujs_jsdate.c
new file mode 100644
index 00000000000..8f276389493
--- /dev/null
+++ b/print/mupdf/patches/patch-thirdparty_mujs_jsdate.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-thirdparty_mujs_jsdate.c,v 1.1.2.2 2017/02/24 19:18:04 bsiegert Exp $
+
+Backport a fix from upstream for CVE-2017-5628:
+
+Fix 697496: Check NAN before accessing array in MakeDay().
+
+--- thirdparty/mujs/jsdate.c.orig
++++ thirdparty/mujs/jsdate.c
+@@ -207,12 +207,17 @@ static double MakeDay(double y, double m, double date)
+ };
+
+ double yd, md;
++ int im;
+
+ y += floor(m / 12);
+ m = pmod(m, 12);
+
++ im = (int)m;
++ if (im < 0 || im >= 12)
++ return NAN;
++
+ yd = floor(TimeFromYear(y) / msPerDay);
+- md = firstDayOfMonth[InLeapYear(y)][(int)m];
++ md = firstDayOfMonth[InLeapYear(y)][im];
+
+ return yd + md + date - 1;
+ }
diff --git a/print/mupdf/patches/patch-thirdparty_mujs_jsrun.c b/print/mupdf/patches/patch-thirdparty_mujs_jsrun.c
new file mode 100644
index 00000000000..23a5d6ef31d
--- /dev/null
+++ b/print/mupdf/patches/patch-thirdparty_mujs_jsrun.c
@@ -0,0 +1,21 @@
+$NetBSD: patch-thirdparty_mujs_jsrun.c,v 1.1.2.2 2017/02/24 19:18:04 bsiegert Exp $
+
+Backport a fix from upstream for CVE-2017-5627:
+
+Fix 697497: Ensure array length is positive.
+
+As a side effect when changing to using regular integers (and avoid the
+nightmare of mixing signed and unsigned) we accidentally allowed negative
+array lengths.
+
+--- thirdparty/mujs/jsrun.c.orig
++++ thirdparty/mujs/jsrun.c
+@@ -544,7 +544,7 @@ static void jsR_setproperty(js_State *J, js_Object *obj, const char *name)
+ if (!strcmp(name, "length")) {
+ double rawlen = jsV_tonumber(J, value);
+ int newlen = jsV_numbertointeger(rawlen);
+- if (newlen != rawlen)
++ if (newlen != rawlen || newlen < 0)
+ js_rangeerror(J, "array length");
+ jsV_resizearray(J, obj, newlen);
+ return;