Patchwork [1/1] gnu: mupdf: Fix CVE-2016-{7504, 7505, 7506, 7563, 7564, 9017, 9136} in bundled mujs.

login
register
mail settings
Submitter Leo Famulari
Date Nov. 8, 2016, 5:06 a.m.
Message ID <996e97f9777a1c92668af69973b82acf3b12b0ff.1478581593.git.leo@famulari.name>
Download mbox | patch
Permalink /patch/17278/
State New
Headers show

Comments

Leo Famulari - Nov. 8, 2016, 5:06 a.m.
* gnu/packages/patches/mupdf-CVE-2016-7504.patch,
gnu/packages/patches/mupdf-CVE-2016-7505.patch
gnu/packages/patches/mupdf-CVE-2016-7506.patch
gnu/packages/patches/mupdf-CVE-2016-7563.patch
gnu/packages/patches/mupdf-CVE-2016-7564.patch
gnu/packages/patches/mupdf-CVE-2016-9017.patch
gnu/packages/patches/mupdf-CVE-2016-9136.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/pdf.scm (mupdf)[source]: Use them.
---
 gnu/local.mk                                   |  7 ++
 gnu/packages/patches/mupdf-CVE-2016-7504.patch | 99 ++++++++++++++++++++++++++
 gnu/packages/patches/mupdf-CVE-2016-7505.patch | 32 +++++++++
 gnu/packages/patches/mupdf-CVE-2016-7506.patch | 42 +++++++++++
 gnu/packages/patches/mupdf-CVE-2016-7563.patch | 37 ++++++++++
 gnu/packages/patches/mupdf-CVE-2016-7564.patch | 34 +++++++++
 gnu/packages/patches/mupdf-CVE-2016-9017.patch | 46 ++++++++++++
 gnu/packages/patches/mupdf-CVE-2016-9136.patch | 32 +++++++++
 gnu/packages/pdf.scm                           |  9 ++-
 9 files changed, 337 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7504.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7505.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7506.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7563.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2016-7564.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2016-9017.patch
 create mode 100644 gnu/packages/patches/mupdf-CVE-2016-9136.patch
Marius Bakke - Nov. 8, 2016, 11:34 a.m.
Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/mupdf-CVE-2016-7504.patch,
> gnu/packages/patches/mupdf-CVE-2016-7505.patch
> gnu/packages/patches/mupdf-CVE-2016-7506.patch
> gnu/packages/patches/mupdf-CVE-2016-7563.patch
> gnu/packages/patches/mupdf-CVE-2016-7564.patch
> gnu/packages/patches/mupdf-CVE-2016-9017.patch
> gnu/packages/patches/mupdf-CVE-2016-9136.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/pdf.scm (mupdf)[source]: Use them.

LGTM, thanks for staying on top of this!
Leo Famulari - Nov. 8, 2016, 4:05 p.m.
On Tue, Nov 08, 2016 at 11:34:48AM +0000, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > * gnu/packages/patches/mupdf-CVE-2016-7504.patch,
> > gnu/packages/patches/mupdf-CVE-2016-7505.patch
> > gnu/packages/patches/mupdf-CVE-2016-7506.patch
> > gnu/packages/patches/mupdf-CVE-2016-7563.patch
> > gnu/packages/patches/mupdf-CVE-2016-7564.patch
> > gnu/packages/patches/mupdf-CVE-2016-9017.patch
> > gnu/packages/patches/mupdf-CVE-2016-9136.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/pdf.scm (mupdf)[source]: Use them.
> 
> LGTM, thanks for staying on top of this!

Thanks for the review! Pushed as
667e777b4e4b7303b6f30a001fe2539b7207b65b

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index aaa9f5c..7eb1792 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -720,7 +720,14 @@  dist_patch_DATA =						\
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch	\
   %D%/packages/patches/mupdf-CVE-2016-6265.patch		\
   %D%/packages/patches/mupdf-CVE-2016-6525.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7504.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7505.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7506.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7563.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7564.patch		\
   %D%/packages/patches/mupdf-CVE-2016-8674.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-9017.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-9136.patch		\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
   %D%/packages/patches/musl-CVE-2016-8859.patch			\
   %D%/packages/patches/mutt-store-references.patch		\
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7504.patch b/gnu/packages/patches/mupdf-CVE-2016-7504.patch
new file mode 100644
index 0000000..4bbb441
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7504.patch
@@ -0,0 +1,99 @@ 
+Fix CVE-2016-7504:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504
+http://bugs.ghostscript.com/show_bug.cgi?id=697142
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a
+
+From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Wed, 21 Sep 2016 16:01:08 +0200
+Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object.
+
+Make sure to make a copy of the source pattern string.
+A case we missed when adding short and memory strings to the runtime.
+The code assumed all strings passed to it were either literal or interned.
+---
+ jsgc.c     | 4 +++-
+ jsi.h      | 1 +
+ jsregexp.c | 2 +-
+ jsrun.c    | 8 ++++++++
+ jsvalue.h  | 2 +-
+ 5 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/jsgc.c b/jsgc.c
+index 9bd6482..4f7e7dc 100644
+--- a/thirdparty/mujs/jsgc.c
++++ b/thirdparty/mujs/jsgc.c
+@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
+ {
+ 	if (obj->head)
+ 		jsG_freeproperty(J, obj->head);
+-	if (obj->type == JS_CREGEXP)
++	if (obj->type == JS_CREGEXP) {
++		js_free(J, obj->u.r.source);
+ 		js_regfree(obj->u.r.prog);
++	}
+ 	if (obj->type == JS_CITERATOR)
+ 		jsG_freeiterator(J, obj->u.iter.head);
+ 	if (obj->type == JS_CUSERDATA && obj->u.user.finalize)
+diff --git a/jsi.h b/jsi.h
+index 7d9f7c7..e855045 100644
+--- a/thirdparty/mujs/jsi.h
++++ b/thirdparty/mujs/jsi.h
+@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction;
+ 
+ /* String interning */
+ 
++char *js_strdup(js_State *J, const char *s);
+ const char *js_intern(js_State *J, const char *s);
+ void jsS_dumpstrings(js_State *J);
+ void jsS_freestrings(js_State *J);
+diff --git a/jsregexp.c b/jsregexp.c
+index 2a056b7..a2d5156 100644
+--- a/thirdparty/mujs/jsregexp.c
++++ b/thirdparty/mujs/jsregexp.c
+@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
+ 		js_syntaxerror(J, "regular expression: %s", error);
+ 
+ 	obj->u.r.prog = prog;
+-	obj->u.r.source = pattern;
++	obj->u.r.source = js_strdup(J, pattern);
+ 	obj->u.r.flags = flags;
+ 	obj->u.r.last = 0;
+ 	js_pushobject(J, obj);
+diff --git a/jsrun.c b/jsrun.c
+index 2648c4c..ee80845 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size)
+ 	return ptr;
+ }
+ 
++char *js_strdup(js_State *J, const char *s)
++{
++	int n = strlen(s) + 1;
++	char *p = js_malloc(J, n);
++	memcpy(p, s, n);
++	return p;
++}
++
+ void js_free(js_State *J, void *ptr)
+ {
+ 	J->alloc(J->actx, ptr, 0);
+diff --git a/jsvalue.h b/jsvalue.h
+index 6cfbd89..8fb5016 100644
+--- a/thirdparty/mujs/jsvalue.h
++++ b/thirdparty/mujs/jsvalue.h
+@@ -71,7 +71,7 @@ struct js_String
+ struct js_Regexp
+ {
+ 	void *prog;
+-	const char *source;
++	char *source;
+ 	unsigned short flags;
+ 	unsigned short last;
+ };
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7505.patch b/gnu/packages/patches/mupdf-CVE-2016-7505.patch
new file mode 100644
index 0000000..15e4f37
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7505.patch
@@ -0,0 +1,32 @@ 
+Fix CVE-2016-7505:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505
+http://bugs.ghostscript.com/show_bug.cgi?id=697140
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5
+
+From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Wed, 21 Sep 2016 15:21:04 +0200
+Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod.
+
+---
+ jsdtoa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jsdtoa.c b/jsdtoa.c
+index 2e52368..920c1a7 100644
+--- a/thirdparty/mujs/jsdtoa.c
++++ b/thirdparty/mujs/jsdtoa.c
+@@ -735,6 +735,7 @@ xx:
+ 		n -= c<<b;
+ 		*p++ = c + '0';
+ 		(*na)++;
++		if (*na >= Ndig) break; /* abort if overflowing */
+ 	}
+ 	*p = 0;
+ }
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7506.patch b/gnu/packages/patches/mupdf-CVE-2016-7506.patch
new file mode 100644
index 0000000..733249a
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7506.patch
@@ -0,0 +1,42 @@ 
+Fix CVE-2016-7506:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506
+http://bugs.ghostscript.com/show_bug.cgi?id=697141
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a
+
+From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Wed, 21 Sep 2016 16:02:11 +0200
+Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution.
+
+A '$' escape at the end of the string would read past the zero terminator
+when looking for the escaped character.
+---
+ jsstring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/jsstring.c b/jsstring.c
+index 66f6a89..0209a8e 100644
+--- a/thirdparty/mujs/jsstring.c
++++ b/thirdparty/mujs/jsstring.c
+@@ -421,6 +421,7 @@ loop:
+ 		while (*r) {
+ 			if (*r == '$') {
+ 				switch (*(++r)) {
++				case 0: --r; /* end of string; back up and fall through */
+ 				case '$': js_putc(J, &sb, '$'); break;
+ 				case '`': js_putm(J, &sb, source, s); break;
+ 				case '\'': js_puts(J, &sb, s + n); break;
+@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J)
+ 		while (*r) {
+ 			if (*r == '$') {
+ 				switch (*(++r)) {
++				case 0: --r; /* end of string; back up and fall through */
+ 				case '$': js_putc(J, &sb, '$'); break;
+ 				case '&': js_putm(J, &sb, s, s + n); break;
+ 				case '`': js_putm(J, &sb, source, s); break;
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7563.patch b/gnu/packages/patches/mupdf-CVE-2016-7563.patch
new file mode 100644
index 0000000..288c9ab
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7563.patch
@@ -0,0 +1,37 @@ 
+Fix CVE-2016-7563:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563
+http://bugs.ghostscript.com/show_bug.cgi?id=697136
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59
+
+From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 20 Sep 2016 17:11:32 +0200
+Subject: [PATCH] Fix bug 697136.
+
+We were unconditionally reading the next character if we encountered
+a '*' in a multi-line comment; possibly reading past the end of
+the input.
+---
+ jslex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/jslex.c b/jslex.c
+index 7b80800..cbd0eeb 100644
+--- a/thirdparty/mujs/jslex.c
++++ b/thirdparty/mujs/jslex.c
+@@ -225,7 +225,8 @@ static int lexcomment(js_State *J)
+ 			if (jsY_accept(J, '/'))
+ 				return 0;
+ 		}
+-		jsY_next(J);
++		else
++			jsY_next(J);
+ 	}
+ 	return -1;
+ }
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7564.patch b/gnu/packages/patches/mupdf-CVE-2016-7564.patch
new file mode 100644
index 0000000..c2ce33d
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7564.patch
@@ -0,0 +1,34 @@ 
+Fix CVE-2016-7564:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564
+http://bugs.ghostscript.com/show_bug.cgi?id=697137
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8
+
+From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 20 Sep 2016 17:19:06 +0200
+Subject: [PATCH] Fix bug 697137: off by one in string length calculation.
+
+We were not allocating space for the terminating zero byte.
+---
+ jsfunction.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/jsfunction.c b/jsfunction.c
+index 8b5b18e..28f7aa7 100644
+--- a/thirdparty/mujs/jsfunction.c
++++ b/thirdparty/mujs/jsfunction.c
+@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J)
+ 		n += strlen(F->name);
+ 		for (i = 0; i < F->numparams; ++i)
+ 			n += strlen(F->vartab[i]) + 1;
+-		s = js_malloc(J, n);
++		s = js_malloc(J, n + 1);
+ 		strcpy(s, "function ");
+ 		strcat(s, F->name);
+ 		strcat(s, "(");
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-9017.patch b/gnu/packages/patches/mupdf-CVE-2016-9017.patch
new file mode 100644
index 0000000..1e2b7c3
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-9017.patch
@@ -0,0 +1,46 @@ 
+Fix CVE-2016-9017:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107
+http://bugs.ghostscript.com/show_bug.cgi?id=697171
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767
+
+From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 25 Oct 2016 14:08:27 +0200
+Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump.
+
+---
+ jscompile.h | 2 +-
+ jsdump.c    | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/jscompile.h b/jscompile.h
+index 802cc9e..3054d13 100644
+--- a/thirdparty/mujs/jscompile.h
++++ b/thirdparty/mujs/jscompile.h
+@@ -21,7 +21,7 @@ enum js_OpCode
+ 
+ 	OP_NEWARRAY,
+ 	OP_NEWOBJECT,
+-	OP_NEWREGEXP,
++	OP_NEWREGEXP,	/* -S,opts- <regexp> */
+ 
+ 	OP_UNDEF,
+ 	OP_NULL,
+diff --git a/jsdump.c b/jsdump.c
+index 1c51c29..37ad88c 100644
+--- a/thirdparty/mujs/jsdump.c
++++ b/thirdparty/mujs/jsdump.c
+@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F)
+ 		case OP_INITVAR:
+ 		case OP_DEFVAR:
+ 		case OP_GETVAR:
++		case OP_HASVAR:
+ 		case OP_SETVAR:
+ 		case OP_DELVAR:
+ 		case OP_GETPROP_S:
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-9136.patch b/gnu/packages/patches/mupdf-CVE-2016-9136.patch
new file mode 100644
index 0000000..1f68839
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-9136.patch
@@ -0,0 +1,32 @@ 
+Fix CVE-2016-9136:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136
+http://bugs.ghostscript.com/show_bug.cgi?id=697244
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89
+From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Mon, 31 Oct 2016 13:05:37 +0100
+Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of
+ input.
+
+---
+ jslex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jslex.c b/jslex.c
+index cbd0eeb..aaafdac 100644
+--- a/thirdparty/mujs/jslex.c
++++ b/thirdparty/mujs/jslex.c
+@@ -377,6 +377,7 @@ static int lexescape(js_State *J)
+ 		return 0;
+ 
+ 	switch (J->lexchar) {
++	case 0: jsY_error(J, "unterminated escape sequence");
+ 	case 'u':
+ 		jsY_next(J);
+ 		if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); }
+-- 
+2.10.2
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 8aabacc..ee33e3c 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -491,7 +491,14 @@  extracting content or merging files.")
         (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
                                  "mupdf-CVE-2016-6265.patch"
                                  "mupdf-CVE-2016-6525.patch"
-                                 "mupdf-CVE-2016-8674.patch"))
+                                 "mupdf-CVE-2016-7504.patch"
+                                 "mupdf-CVE-2016-7505.patch"
+                                 "mupdf-CVE-2016-7506.patch"
+                                 "mupdf-CVE-2016-7563.patch"
+                                 "mupdf-CVE-2016-7564.patch"
+                                 "mupdf-CVE-2016-8674.patch"
+                                 "mupdf-CVE-2016-9017.patch"
+                                 "mupdf-CVE-2016-9136.patch"))
         (modules '((guix build utils)))
         (snippet
             ;; Delete all the bundled libraries except for mujs, which is