From 667e777b4e4b7303b6f30a001fe2539b7207b65b Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Mon, 7 Nov 2016 22:56:53 -0500 Subject: gnu: mupdf: Fix CVE-2016-{7504,7505,7506,7563,7564,9017,9136} in bundled mujs. * gnu/packages/patches/mupdf-CVE-2016-7504.patch, gnu/packages/patches/mupdf-CVE-2016-7505.patch gnu/packages/patches/mupdf-CVE-2016-7506.patch gnu/packages/patches/mupdf-CVE-2016-7563.patch gnu/packages/patches/mupdf-CVE-2016-7564.patch gnu/packages/patches/mupdf-CVE-2016-9017.patch gnu/packages/patches/mupdf-CVE-2016-9136.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/pdf.scm (mupdf)[source]: Use them. --- gnu/local.mk | 7 ++ gnu/packages/patches/mupdf-CVE-2016-7504.patch | 99 ++++++++++++++++++++++++++ gnu/packages/patches/mupdf-CVE-2016-7505.patch | 32 +++++++++ gnu/packages/patches/mupdf-CVE-2016-7506.patch | 42 +++++++++++ gnu/packages/patches/mupdf-CVE-2016-7563.patch | 37 ++++++++++ gnu/packages/patches/mupdf-CVE-2016-7564.patch | 34 +++++++++ gnu/packages/patches/mupdf-CVE-2016-9017.patch | 46 ++++++++++++ gnu/packages/patches/mupdf-CVE-2016-9136.patch | 32 +++++++++ gnu/packages/pdf.scm | 9 ++- 9 files changed, 337 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7504.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7505.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7506.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7563.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7564.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2016-9017.patch create mode 100644 gnu/packages/patches/mupdf-CVE-2016-9136.patch diff --git a/gnu/local.mk b/gnu/local.mk index 3fbd0e16d8..73c4dc2cf5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -721,7 +721,14 @@ dist_patch_DATA = \ %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \ %D%/packages/patches/mupdf-CVE-2016-6265.patch \ %D%/packages/patches/mupdf-CVE-2016-6525.patch \ + %D%/packages/patches/mupdf-CVE-2016-7504.patch \ + %D%/packages/patches/mupdf-CVE-2016-7505.patch \ + %D%/packages/patches/mupdf-CVE-2016-7506.patch \ + %D%/packages/patches/mupdf-CVE-2016-7563.patch \ + %D%/packages/patches/mupdf-CVE-2016-7564.patch \ %D%/packages/patches/mupdf-CVE-2016-8674.patch \ + %D%/packages/patches/mupdf-CVE-2016-9017.patch \ + %D%/packages/patches/mupdf-CVE-2016-9136.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/musl-CVE-2016-8859.patch \ %D%/packages/patches/mutt-store-references.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2016-7504.patch b/gnu/packages/patches/mupdf-CVE-2016-7504.patch new file mode 100644 index 0000000000..4bbb4411c0 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-7504.patch @@ -0,0 +1,99 @@ +Fix CVE-2016-7504: +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504 +http://bugs.ghostscript.com/show_bug.cgi?id=697142 + +Patch copied from upstream source repository: +http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a + +From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Wed, 21 Sep 2016 16:01:08 +0200 +Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object. + +Make sure to make a copy of the source pattern string. +A case we missed when adding short and memory strings to the runtime. +The code assumed all strings passed to it were either literal or interned. +--- + jsgc.c | 4 +++- + jsi.h | 1 + + jsregexp.c | 2 +- + jsrun.c | 8 ++++++++ + jsvalue.h | 2 +- + 5 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/jsgc.c b/jsgc.c +index 9bd6482..4f7e7dc 100644 +--- a/thirdparty/mujs/jsgc.c ++++ b/thirdparty/mujs/jsgc.c +@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj) + { + if (obj->head) + jsG_freeproperty(J, obj->head); +- if (obj->type == JS_CREGEXP) ++ if (obj->type == JS_CREGEXP) { ++ js_free(J, obj->u.r.source); + js_regfree(obj->u.r.prog); ++ } + if (obj->type == JS_CITERATOR) + jsG_freeiterator(J, obj->u.iter.head); + if (obj->type == JS_CUSERDATA && obj->u.user.finalize) +diff --git a/jsi.h b/jsi.h +index 7d9f7c7..e855045 100644 +--- a/thirdparty/mujs/jsi.h ++++ b/thirdparty/mujs/jsi.h +@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction; + + /* String interning */ + ++char *js_strdup(js_State *J, const char *s); + const char *js_intern(js_State *J, const char *s); + void jsS_dumpstrings(js_State *J); + void jsS_freestrings(js_State *J); +diff --git a/jsregexp.c b/jsregexp.c +index 2a056b7..a2d5156 100644 +--- a/thirdparty/mujs/jsregexp.c ++++ b/thirdparty/mujs/jsregexp.c +@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags) + js_syntaxerror(J, "regular expression: %s", error); + + obj->u.r.prog = prog; +- obj->u.r.source = pattern; ++ obj->u.r.source = js_strdup(J, pattern); + obj->u.r.flags = flags; + obj->u.r.last = 0; + js_pushobject(J, obj); +diff --git a/jsrun.c b/jsrun.c +index 2648c4c..ee80845 100644 +--- a/thirdparty/mujs/jsrun.c ++++ b/thirdparty/mujs/jsrun.c +@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size) + return ptr; + } + ++char *js_strdup(js_State *J, const char *s) ++{ ++ int n = strlen(s) + 1; ++ char *p = js_malloc(J, n); ++ memcpy(p, s, n); ++ return p; ++} ++ + void js_free(js_State *J, void *ptr) + { + J->alloc(J->actx, ptr, 0); +diff --git a/jsvalue.h b/jsvalue.h +index 6cfbd89..8fb5016 100644 +--- a/thirdparty/mujs/jsvalue.h ++++ b/thirdparty/mujs/jsvalue.h +@@ -71,7 +71,7 @@ struct js_String + struct js_Regexp + { + void *prog; +- const char *source; ++ char *source; + unsigned short flags; + unsigned short last; + }; +-- +2.10.2 + diff --git a/gnu/packages/patches/mupdf-CVE-2016-7505.patch b/gnu/packages/patches/mupdf-CVE-2016-7505.patch new file mode 100644 index 0000000000..15e4f374d6 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-7505.patch @@ -0,0 +1,32 @@ +Fix CVE-2016-7505: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505 +http://bugs.ghostscript.com/show_bug.cgi?id=697140 + +Patch copied from upstream source repository: +http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5 + +From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Wed, 21 Sep 2016 15:21:04 +0200 +Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod. + +--- + jsdtoa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/jsdtoa.c b/jsdtoa.c +index 2e52368..920c1a7 100644 +--- a/thirdparty/mujs/jsdtoa.c ++++ b/thirdparty/mujs/jsdtoa.c +@@ -735,6 +735,7 @@ xx: + n -= c<= Ndig) break; /* abort if overflowing */ + } + *p = 0; + } +-- +2.10.2 + diff --git a/gnu/packages/patches/mupdf-CVE-2016-7506.patch b/gnu/packages/patches/mupdf-CVE-2016-7506.patch new file mode 100644 index 0000000000..733249acaa --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-7506.patch @@ -0,0 +1,42 @@ +Fix CVE-2016-7506: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506 +http://bugs.ghostscript.com/show_bug.cgi?id=697141 + +Patch copied from upstream source repository: +http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a + +From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Wed, 21 Sep 2016 16:02:11 +0200 +Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution. + +A '$' escape at the end of the string would read past the zero terminator +when looking for the escaped character. +--- + jsstring.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/jsstring.c b/jsstring.c +index 66f6a89..0209a8e 100644 +--- a/thirdparty/mujs/jsstring.c ++++ b/thirdparty/mujs/jsstring.c +@@ -421,6 +421,7 @@ loop: + while (*r) { + if (*r == '$') { + switch (*(++r)) { ++ case 0: --r; /* end of string; back up and fall through */ + case '$': js_putc(J, &sb, '$'); break; + case '`': js_putm(J, &sb, source, s); break; + case '\'': js_puts(J, &sb, s + n); break; +@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J) + while (*r) { + if (*r == '$') { + switch (*(++r)) { ++ case 0: --r; /* end of string; back up and fall through */ + case '$': js_putc(J, &sb, '$'); break; + case '&': js_putm(J, &sb, s, s + n); break; + case '`': js_putm(J, &sb, source, s); break; +-- +2.10.2 + diff --git a/gnu/packages/patches/mupdf-CVE-2016-7563.patch b/gnu/packages/patches/mupdf-CVE-2016-7563.patch new file mode 100644 index 0000000000..288c9ab2df --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-7563.patch @@ -0,0 +1,37 @@ +Fix CVE-2016-7563: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563 +http://bugs.ghostscript.com/show_bug.cgi?id=697136 + +Patch copied from upstream source repository: +http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59 + +From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Tue, 20 Sep 2016 17:11:32 +0200 +Subject: [PATCH] Fix bug 697136. + +We were unconditionally reading the next character if we encountered +a '*' in a multi-line comment; possibly reading past the end of +the input. +--- + jslex.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/jslex.c b/jslex.c +index 7b80800..cbd0eeb 100644 +--- a/thirdparty/mujs/jslex.c ++++ b/thirdparty/mujs/jslex.c +@@ -225,7 +225,8 @@ static int lexcomment(js_State *J) + if (jsY_accept(J, '/')) + return 0; + } +- jsY_next(J); ++ else ++ jsY_next(J); + } + return -1; + } +-- +2.10.2 + diff --git a/gnu/packages/patches/mupdf-CVE-2016-7564.patch b/gnu/packages/patches/mupdf-CVE-2016-7564.patch new file mode 100644 index 0000000000..c2ce33d1df --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-7564.patch @@ -0,0 +1,34 @@ +Fix CVE-2016-7564: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564 +http://bugs.ghostscript.com/show_bug.cgi?id=697137 + +Patch copied from upstream source repository: +http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8 + +From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Tue, 20 Sep 2016 17:19:06 +0200 +Subject: [PATCH] Fix bug 697137: off by one in string length calculation. + +We were not allocating space for the terminating zero byte. +--- + jsfunction.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/jsfunction.c b/jsfunction.c +index 8b5b18e..28f7aa7 100644 +--- a/thirdparty/mujs/jsfunction.c ++++ b/thirdparty/mujs/jsfunction.c +@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J) + n += strlen(F->name); + for (i = 0; i < F->numparams; ++i) + n += strlen(F->vartab[i]) + 1; +- s = js_malloc(J, n); ++ s = js_malloc(J, n + 1); + strcpy(s, "function "); + strcat(s, F->name); + strcat(s, "("); +-- +2.10.2 + diff --git a/gnu/packages/patches/mupdf-CVE-2016-9017.patch b/gnu/packages/patches/mupdf-CVE-2016-9017.patch new file mode 100644 index 0000000000..1e2b7c3258 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-9017.patch @@ -0,0 +1,46 @@ +Fix CVE-2016-9017: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107 +http://bugs.ghostscript.com/show_bug.cgi?id=697171 + +Patch copied from upstream source repository: +http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 + +From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Tue, 25 Oct 2016 14:08:27 +0200 +Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump. + +--- + jscompile.h | 2 +- + jsdump.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/jscompile.h b/jscompile.h +index 802cc9e..3054d13 100644 +--- a/thirdparty/mujs/jscompile.h ++++ b/thirdparty/mujs/jscompile.h +@@ -21,7 +21,7 @@ enum js_OpCode + + OP_NEWARRAY, + OP_NEWOBJECT, +- OP_NEWREGEXP, ++ OP_NEWREGEXP, /* -S,opts- */ + + OP_UNDEF, + OP_NULL, +diff --git a/jsdump.c b/jsdump.c +index 1c51c29..37ad88c 100644 +--- a/thirdparty/mujs/jsdump.c ++++ b/thirdparty/mujs/jsdump.c +@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F) + case OP_INITVAR: + case OP_DEFVAR: + case OP_GETVAR: ++ case OP_HASVAR: + case OP_SETVAR: + case OP_DELVAR: + case OP_GETPROP_S: +-- +2.10.2 + diff --git a/gnu/packages/patches/mupdf-CVE-2016-9136.patch b/gnu/packages/patches/mupdf-CVE-2016-9136.patch new file mode 100644 index 0000000000..1f68839a52 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-9136.patch @@ -0,0 +1,32 @@ +Fix CVE-2016-9136: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136 +http://bugs.ghostscript.com/show_bug.cgi?id=697244 + +Patch copied from upstream source repository: +http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89 +From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Mon, 31 Oct 2016 13:05:37 +0100 +Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of + input. + +--- + jslex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/jslex.c b/jslex.c +index cbd0eeb..aaafdac 100644 +--- a/thirdparty/mujs/jslex.c ++++ b/thirdparty/mujs/jslex.c +@@ -377,6 +377,7 @@ static int lexescape(js_State *J) + return 0; + + switch (J->lexchar) { ++ case 0: jsY_error(J, "unterminated escape sequence"); + case 'u': + jsY_next(J); + if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); } +-- +2.10.2 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 8aabacc9cc..ee33e3c9d1 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -491,7 +491,14 @@ extracting content or merging files.") (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch" "mupdf-CVE-2016-6265.patch" "mupdf-CVE-2016-6525.patch" - "mupdf-CVE-2016-8674.patch")) + "mupdf-CVE-2016-7504.patch" + "mupdf-CVE-2016-7505.patch" + "mupdf-CVE-2016-7506.patch" + "mupdf-CVE-2016-7563.patch" + "mupdf-CVE-2016-7564.patch" + "mupdf-CVE-2016-8674.patch" + "mupdf-CVE-2016-9017.patch" + "mupdf-CVE-2016-9136.patch")) (modules '((guix build utils))) (snippet ;; Delete all the bundled libraries except for mujs, which is -- cgit v1.2.3