From 2b2ab39cfc694e3c0cb37c0136bb606b20d41661 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Sun, 11 Nov 2018 13:00:35 +0100 Subject: gnu: libharu: Fetch sources from git. * gnu/packages/pdf.scm (libharu)[source]: Fetch from git. --- gnu/packages/pdf.scm | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'gnu/packages/pdf.scm') diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 1d37de70d7..1ecd49215b 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -223,15 +223,16 @@ Poppler PDF rendering library.") (name "libharu") (version "2.3.0") (source (origin - (method url-fetch) - (uri (string-append "https://github.com/libharu/libharu/archive/" - "RELEASE_" - (string-join (string-split version #\.) "_") - ".tar.gz")) - (file-name (string-append name "-" version ".tar.gz")) + (method git-fetch) + (uri (git-reference + (url "https://github.com/libharu/libharu.git") + (commit (string-append + "RELEASE_" + (string-join (string-split version #\.) "_"))))) + (file-name (git-file-name name version)) (sha256 (base32 - "1lm4v539y9cb1lvbq387j57sy7yxda3yv8b1pk8m6zazbp66i7lg")))) + "15s9hswnl3qqi7yh29jyrg0hma2n99haxznvcywmsp8kjqlyg75q")))) (build-system gnu-build-system) (arguments `(#:configure-flags -- cgit v1.2.3 From 6f3dd09f8d5e2bd16bd26891d71829f4dd19f772 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Sun, 11 Nov 2018 13:00:53 +0100 Subject: gnu: libharu: Remove custom bootstrap phase. * gnu/packages/pdf.scm (libharu)[arguments]: Remove autogen phase. --- gnu/packages/pdf.scm | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'gnu/packages/pdf.scm') diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 1ecd49215b..dc966b64d8 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -239,11 +239,7 @@ Poppler PDF rendering library.") (list (string-append "--with-zlib=" (assoc-ref %build-inputs "zlib")) (string-append "--with-png=" - (assoc-ref %build-inputs "libpng"))) - #:phases - (modify-phases %standard-phases - (add-after 'unpack 'autogen - (lambda _ (invoke "autoreconf" "-vif")))))) + (assoc-ref %build-inputs "libpng"))))) (inputs `(("zlib" ,zlib) ("libpng" ,libpng))) -- cgit v1.2.3 From 021bf6af182099dbb0178e19a2f461aeb0eef686 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Tue, 13 Nov 2018 10:33:27 -0500 Subject: gnu: Poppler: Fix CVE-2018-19149. * gnu/packages/patches/poppler-CVE-2018-19149.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/pdf.scm (poppler)[replacement]: New field. (poppler/fixed): New variable. (poppler-qt4, poppler-qt5): Use package/inherit. --- gnu/local.mk | 1 + gnu/packages/patches/poppler-CVE-2018-19149.patch | 80 +++++++++++++++++++++++ gnu/packages/pdf.scm | 13 +++- 3 files changed, 92 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/poppler-CVE-2018-19149.patch (limited to 'gnu/packages/pdf.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 48ee438a6e..23a6cb34b5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1046,6 +1046,7 @@ dist_patch_DATA = \ %D%/packages/patches/plink-1.07-unclobber-i.patch \ %D%/packages/patches/plink-endian-detection.patch \ %D%/packages/patches/plotutils-libpng-jmpbuf.patch \ + %D%/packages/patches/poppler-CVE-2018-19149.patch \ %D%/packages/patches/portaudio-audacity-compat.patch \ %D%/packages/patches/portmidi-modular-build.patch \ %D%/packages/patches/potrace-tests.patch \ diff --git a/gnu/packages/patches/poppler-CVE-2018-19149.patch b/gnu/packages/patches/poppler-CVE-2018-19149.patch new file mode 100644 index 0000000000..3641f5f078 --- /dev/null +++ b/gnu/packages/patches/poppler-CVE-2018-19149.patch @@ -0,0 +1,80 @@ +Fix CVE-2018-19149: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19149 +https://gitlab.freedesktop.org/poppler/poppler/issues/664 + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/poppler/poppler/commit/f162ecdea0dda5dbbdb45503c1d55d9afaa41d44 + +From f162ecdea0dda5dbbdb45503c1d55d9afaa41d44 Mon Sep 17 00:00:00 2001 +From: Marek Kasik +Date: Fri, 20 Apr 2018 11:38:13 +0200 +Subject: [PATCH] Fix crash on missing embedded file + +Check whether an embedded file is actually present in the PDF +and show warning in that case. + +https://bugs.freedesktop.org/show_bug.cgi?id=106137 +https://gitlab.freedesktop.org/poppler/poppler/issues/236 +--- + glib/poppler-attachment.cc | 26 +++++++++++++++++--------- + glib/poppler-document.cc | 3 ++- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/glib/poppler-attachment.cc b/glib/poppler-attachment.cc +index c6502e9d..11ba5bb5 100644 +--- a/glib/poppler-attachment.cc ++++ b/glib/poppler-attachment.cc +@@ -111,17 +111,25 @@ _poppler_attachment_new (FileSpec *emb_file) + attachment->description = _poppler_goo_string_to_utf8 (emb_file->getDescription ()); + + embFile = emb_file->getEmbeddedFile(); +- attachment->size = embFile->size (); ++ if (embFile != NULL && embFile->streamObject()->isStream()) ++ { ++ attachment->size = embFile->size (); + +- if (embFile->createDate ()) +- _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime); +- if (embFile->modDate ()) +- _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime); ++ if (embFile->createDate ()) ++ _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime); ++ if (embFile->modDate ()) ++ _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime); + +- if (embFile->checksum () && embFile->checksum ()->getLength () > 0) +- attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (), +- embFile->checksum ()->getLength ()); +- priv->obj_stream = embFile->streamObject()->copy(); ++ if (embFile->checksum () && embFile->checksum ()->getLength () > 0) ++ attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (), ++ embFile->checksum ()->getLength ()); ++ priv->obj_stream = embFile->streamObject()->copy(); ++ } ++ else ++ { ++ g_warning ("Missing stream object for embedded file"); ++ g_clear_object (&attachment); ++ } + + return attachment; + } +diff --git a/glib/poppler-document.cc b/glib/poppler-document.cc +index 83f6aea6..ea319344 100644 +--- a/glib/poppler-document.cc ++++ b/glib/poppler-document.cc +@@ -670,7 +670,8 @@ poppler_document_get_attachments (PopplerDocument *document) + attachment = _poppler_attachment_new (emb_file); + delete emb_file; + +- retval = g_list_prepend (retval, attachment); ++ if (attachment != NULL) ++ retval = g_list_prepend (retval, attachment); + } + return g_list_reverse (retval); + } +-- +2.19.1 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index dc966b64d8..9ffc5cb9bb 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -82,6 +82,7 @@ (define-public poppler (package (name "poppler") + (replacement poppler/fixed) (version "0.63.0") (source (origin (method url-fetch) @@ -127,6 +128,14 @@ (license license:gpl2+) (home-page "https://poppler.freedesktop.org/"))) +(define poppler/fixed + (package + (inherit poppler) + (source (origin + (inherit (package-source poppler)) + (patches (append (origin-patches (package-source poppler)) + (search-patches "poppler-CVE-2018-19149.patch"))))))) + (define-public poppler-data (package (name "poppler-data") @@ -158,14 +167,14 @@ When present, Poppler is able to correctly render CJK and Cyrillic text.") license:gpl2)))) (define-public poppler-qt4 - (package (inherit poppler) + (package/inherit poppler (name "poppler-qt4") (inputs `(("qt-4" ,qt-4) ,@(package-inputs poppler))) (synopsis "Qt4 frontend for the Poppler PDF rendering library"))) (define-public poppler-qt5 - (package (inherit poppler) + (package/inherit poppler (name "poppler-qt5") (inputs `(("qtbase" ,qtbase) ,@(package-inputs poppler))) -- cgit v1.2.3