guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/02: gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs.


From: Leo Famulari
Subject: 01/02: gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs.
Date: Mon, 16 Jan 2017 01:25:19 +0000 (UTC)

lfam pushed a commit to branch master
in repository guix.

commit af8c7e10147acd105fe33f60baab2d1d21f38f7b
Author: Marius Bakke <address@hidden>
Date:   Thu Jan 12 19:06:55 2017 +0100

    gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs.
    
    * gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch,
    gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Add them.
    * gnu/packages/pdf.scm (mupdf)[replacement]: New field.
    (mupdf/fixed): New variable.
    
    Co-authored-by: Leo Famulari <address@hidden>
---
 gnu/local.mk                                       |    2 +
 .../patches/mupdf-mujs-CVE-2016-10132.patch        |  188 ++++++++++++++++++++
 .../patches/mupdf-mujs-CVE-2016-10133.patch        |   36 ++++
 gnu/packages/pdf.scm                               |   16 +-
 4 files changed, 241 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 81d774e..5855416 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -755,6 +755,8 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/multiqc-fix-git-subprocess-error.patch  \
   %D%/packages/patches/mumps-build-parallelism.patch           \
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch     \
+  %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch         \
+  %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch         \
   %D%/packages/patches/mupen64plus-ui-console-notice.patch     \
   %D%/packages/patches/musl-CVE-2016-8859.patch                        \
   %D%/packages/patches/mutt-store-references.patch             \
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch 
b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
new file mode 100644
index 0000000..e752e57
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
@@ -0,0 +1,188 @@
+Fix CVE-2016-10132:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697381
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569
+
+From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <address@hidden>
+Date: Fri, 2 Dec 2016 14:56:20 -0500
+Subject: [PATCH] Fix 697381: check allocation when compiling regular
+ expressions.
+
+Also use allocator callback function.
+---
+ thirdparty/mujs/jsgc.c     |  2 +-
+ thirdparty/mujs/jsregexp.c |  2 +-
+ thirdparty/mujs/jsstate.c  |  6 ------
+ thirdparty/mujs/regexp.c   | 45 +++++++++++++++++++++++++++++++++++----------
+ thirdparty/mujs/regexp.h   |  7 +++++++
+ 5 files changed, 44 insertions(+), 18 deletions(-)
+
+diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c
+index 4f7e7dc..f80111e 100644
+--- a/thirdparty/mujs/jsgc.c
++++ b/thirdparty/mujs/jsgc.c
+@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
+               jsG_freeproperty(J, obj->head);
+       if (obj->type == JS_CREGEXP) {
+               js_free(J, obj->u.r.source);
+-              js_regfree(obj->u.r.prog);
++              js_regfreex(J->alloc, J->actx, obj->u.r.prog);
+       }
+       if (obj->type == JS_CITERATOR)
+               jsG_freeiterator(J, obj->u.iter.head);
+diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c
+index a2d5156..7b09c06 100644
+--- a/thirdparty/mujs/jsregexp.c
++++ b/thirdparty/mujs/jsregexp.c
+@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int 
flags)
+       if (flags & JS_REGEXP_I) opts |= REG_ICASE;
+       if (flags & JS_REGEXP_M) opts |= REG_NEWLINE;
+ 
+-      prog = js_regcomp(pattern, opts, &error);
++      prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error);
+       if (!prog)
+               js_syntaxerror(J, "regular expression: %s", error);
+ 
+diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c
+index 638cab3..fd5bcf6 100644
+--- a/thirdparty/mujs/jsstate.c
++++ b/thirdparty/mujs/jsstate.c
+@@ -9,12 +9,6 @@
+ 
+ static void *js_defaultalloc(void *actx, void *ptr, int size)
+ {
+-      if (size == 0) {
+-              free(ptr);
+-              return NULL;
+-      }
+-      if (!ptr)
+-              return malloc((size_t)size);
+       return realloc(ptr, (size_t)size);
+ }
+ 
+diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c
+index 9852be2..01c18a3 100644
+--- a/thirdparty/mujs/regexp.c
++++ b/thirdparty/mujs/regexp.c
+@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog)
+ }
+ #endif
+ 
+-Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++      const char *pattern, int cflags, const char **errorp)
+ {
+       struct cstate g;
+       Renode *node;
+       Reinst *split, *jump;
+       int i;
+ 
+-      g.prog = malloc(sizeof (Reprog));
+-      g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2);
++      g.pstart = NULL;
++      g.prog = NULL;
+ 
+       if (setjmp(g.kaboom)) {
+               if (errorp) *errorp = g.error;
+-              free(g.pstart);
+-              free(g.prog);
++              alloc(ctx, g.pstart, 0);
++              alloc(ctx, g.prog, 0);
+               return NULL;
+       }
+ 
++      g.prog = alloc(ctx, NULL, sizeof (Reprog));
++      if (!g.prog)
++              die(&g, "cannot allocate regular expression");
++      g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) 
* 2);
++      if (!g.pstart)
++              die(&g, "cannot allocate regular expression parse list");
++
+       g.source = pattern;
+       g.ncclass = 0;
+       g.nsub = 1;
+@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const 
char **errorp)
+               die(&g, "syntax error");
+ 
+       g.prog->nsub = g.nsub;
+-      g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof 
(Reinst));
++      g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * 
sizeof (Reinst));
++      if (!g.prog->start)
++              die(&g, "cannot allocate regular expression instruction list");
+ 
+       split = emit(g.prog, I_SPLIT);
+       split->x = split + 3;
+@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const 
char **errorp)
+       dumpprog(g.prog);
+ #endif
+ 
+-      free(g.pstart);
++      alloc(ctx, g.pstart, 0);
+ 
+       if (errorp) *errorp = NULL;
+       return g.prog;
+ }
+ 
+-void regfree(Reprog *prog)
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog 
*prog)
+ {
+       if (prog) {
+-              free(prog->start);
+-              free(prog);
++              alloc(ctx, prog->start, 0);
++              alloc(ctx, prog, 0);
+       }
+ }
+ 
++static void *default_alloc(void *ctx, void *p, int n)
++{
++      return realloc(p, (size_t)n);
++}
++
++Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++{
++      return regcompx(default_alloc, NULL, pattern, cflags, errorp);
++}
++
++void regfree(Reprog *prog)
++{
++      regfreex(default_alloc, NULL, prog);
++}
++
+ /* Match */
+ 
+ static int isnewline(int c)
+diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h
+index 4bb4615..6bb73e8 100644
+--- a/thirdparty/mujs/regexp.h
++++ b/thirdparty/mujs/regexp.h
+@@ -1,6 +1,8 @@
+ #ifndef regexp_h
+ #define regexp_h
+ 
++#define regcompx js_regcompx
++#define regfreex js_regfreex
+ #define regcomp js_regcomp
+ #define regexec js_regexec
+ #define regfree js_regfree
+@@ -8,6 +10,11 @@
+ typedef struct Reprog Reprog;
+ typedef struct Resub Resub;
+ 
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++      const char *pattern, int cflags, const char **errorp);
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++      Reprog *prog);
++
+ Reprog *regcomp(const char *pattern, int cflags, const char **errorp);
+ int regexec(Reprog *prog, const char *string, Resub *sub, int eflags);
+ void regfree(Reprog *prog);
+-- 
+2.9.1
+
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch 
b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
new file mode 100644
index 0000000..d738492
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
@@ -0,0 +1,36 @@
+Fix CVE-2016-10133:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697401
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133
+
+Patch lifted from upstream source repository:
+
+https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24
+
+From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <address@hidden>
+Date: Thu, 12 Jan 2017 14:47:01 +0100
+Subject: [PATCH] Fix 697401: Error when dropping extra arguments to
+ lightweight functions.
+
+---
+ thirdparty/mujs/jsrun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c
+index ee80845..782a6f9 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, 
js_Function *F, js_Environmen
+       jsR_savescope(J, scope);
+ 
+       if (n > F->numparams) {
+-              js_pop(J, F->numparams - n);
++              js_pop(J, n - F->numparams);
+               n = F->numparams;
+       }
+       for (i = n; i < F->varlen; ++i)
+-- 
+2.9.1
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 9b3571e..5e1c0db 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -6,10 +6,11 @@
 ;;; Copyright © 2016 Roel Janssen <address@hidden>
 ;;; Coypright © 2016 ng0 <address@hidden>
 ;;; Coypright © 2016 Efraim Flashner <address@hidden>
-;;; Coypright © 2016 Marius Bakke <address@hidden>
+;;; Coypright © 2016, 2017 Marius Bakke <address@hidden>
 ;;; Coypright © 2016 Ludovic Courtès <address@hidden>
 ;;; Coypright © 2016 Julien Lepiller <address@hidden>
 ;;; Copyright © 2016 Arun Isaac <address@hidden>
+;;; Copyright © 2017 Leo Famulari <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -480,6 +481,7 @@ extracting content or merging files.")
 (define-public mupdf
   (package
     (name "mupdf")
+    (replacement mupdf/fixed)
     (version "1.10a")
     (source
       (origin
@@ -538,6 +540,18 @@ line tools for batch rendering (pdfdraw), rewriting files 
(pdfclean),
 and examining the file structure (pdfshow).")
     (license license:agpl3+)))
 
+(define mupdf/fixed
+  (package
+    (inherit mupdf)
+    (source
+      (origin
+        (inherit (package-source mupdf))
+        (patches
+          (append
+            (origin-patches (package-source mupdf))
+            (search-patches "mupdf-mujs-CVE-2016-10132.patch"
+                            "mupdf-mujs-CVE-2016-10133.patch")))))))
+
 (define-public qpdf
   (package
    (name "qpdf")



reply via email to

[Prev in Thread] Current Thread [Next in Thread]