Bring F26 branch back to sane state
F26 had deviated from master/branch due to individual "rebuild commits" ("we" still use distgit as if it were cvs). Bring back the F27/master state so that all current security fixes are in F26, and future fixes can be built on top efficiently. Branching in Fedora is hard, it seems...
This commit is contained in:
commit
2cb0705a9c
1
.gitignore
vendored
1
.gitignore
vendored
@ -10,3 +10,4 @@
|
||||
/mupdf-1.7a-source.tar.gz
|
||||
/mupdf-1.8-source.tar.gz
|
||||
/mupdf-1.10a-source.tar.gz
|
||||
/mupdf-1.11-source.tar.gz
|
||||
|
@ -1,31 +0,0 @@
|
||||
--- a/source/fitz/load-jpx.c
|
||||
+++ b/source/fitz/load-jpx.c
|
||||
@@ -484,13 +484,18 @@
|
||||
/* Without the definition of OPJ_STATIC, compilation fails on windows
|
||||
* due to the use of __stdcall. We believe it is required on some
|
||||
* linux toolchains too. */
|
||||
+
|
||||
+#ifdef __cplusplus
|
||||
+extern "C"
|
||||
+{
|
||||
#define OPJ_STATIC
|
||||
#ifndef _MSC_VER
|
||||
#define OPJ_HAVE_STDINT_H
|
||||
#endif
|
||||
+#endif
|
||||
|
||||
-#include <openjpeg.h>
|
||||
-
|
||||
+#include <openjpeg-2.1/openjpeg.h>
|
||||
+
|
||||
/* OpenJPEG does not provide a safe mechanism to intercept
|
||||
* allocations. In the latest version all allocations go
|
||||
* though opj_malloc etc, but no context is passed around.
|
||||
@@ -972,3 +977,7 @@
|
||||
}
|
||||
|
||||
#endif /* HAVE_LURATECH */
|
||||
+
|
||||
+#ifdef __cplusplus
|
||||
+}
|
||||
+#endif
|
45
mupdf-1.11-CVE-2017-15369.patch
Normal file
45
mupdf-1.11-CVE-2017-15369.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From c2663e51238ec8256da7fc61ad580db891d9fe9a Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Rasmussen <sebras@gmail.com>
|
||||
Date: Mon, 25 Sep 2017 13:04:11 +0200
|
||||
Subject: [PATCH] Bug 698592: Mark variable fz_var(), avoiding optimization.
|
||||
|
||||
The change in 2707fa9e8e6d17d794330e719dec1b08161fb045
|
||||
in build_filter_chain() allows for the variable chain
|
||||
to reside in a register, which means that the bug is
|
||||
likely to only be visible if built under optimization.
|
||||
|
||||
First the chain variable is transferred to chain2, then
|
||||
set to NULL, then when an exception occurs in build_filter()
|
||||
the filter chain will be freed by build_filter(). Next
|
||||
the expectation is that execution proceeds to fz_catch()
|
||||
where fz_drop_stream() would be called with chain == NULL.
|
||||
|
||||
However due to the chain variable residing in a register,
|
||||
its value is not NULL as expected, but was reset to its
|
||||
original value upon the exception (since they use setjmp()),
|
||||
hence fz_drop_stream() is called with a non-NULL value.
|
||||
|
||||
Marking the chain variable with fz_var() prevents the
|
||||
compiler from allowing the chain variable to reside in
|
||||
a register and hence its value will remain NULL and
|
||||
never be reset.
|
||||
---
|
||||
source/pdf/pdf-stream.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
|
||||
index baf9f0a..56592b0 100644
|
||||
--- a/source/pdf/pdf-stream.c
|
||||
+++ b/source/pdf/pdf-stream.c
|
||||
@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
|
||||
pdf_obj *p;
|
||||
int i, n;
|
||||
|
||||
+ fz_var(chain);
|
||||
+
|
||||
fz_try(ctx)
|
||||
{
|
||||
n = pdf_array_len(ctx, fs);
|
||||
--
|
||||
2.9.1
|
||||
|
26
mupdf-1.11-CVE-2017-15587.patch
Normal file
26
mupdf-1.11-CVE-2017-15587.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 82df2631d7d0446b206ea6b434ea609b6c28b0e8 Mon Sep 17 00:00:00 2001
|
||||
From: Tor Andersson <tor.andersson@artifex.com>
|
||||
Date: Mon, 16 Oct 2017 13:14:25 +0200
|
||||
Subject: [PATCH] Check for integer overflow when validating new style xref
|
||||
Index.
|
||||
|
||||
---
|
||||
source/pdf/pdf-xref.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
||||
index 66bd0ed..6292793 100644
|
||||
--- a/source/pdf/pdf-xref.c
|
||||
+++ b/source/pdf/pdf-xref.c
|
||||
@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
|
||||
pdf_xref_entry *table;
|
||||
int i, n;
|
||||
|
||||
- if (i0 < 0 || i1 < 0)
|
||||
+ if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
|
||||
fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
|
||||
//if (i0 + i1 > pdf_xref_len(ctx, doc))
|
||||
// fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
|
||||
--
|
||||
2.9.1
|
||||
|
31
mupdf-1.11-openjpeg.patch
Normal file
31
mupdf-1.11-openjpeg.patch
Normal file
@ -0,0 +1,31 @@
|
||||
diff --git i/source/fitz/load-jpx.c w/source/fitz/load-jpx.c
|
||||
index d01de585..9934e47a 100644
|
||||
--- i/source/fitz/load-jpx.c
|
||||
+++ w/source/fitz/load-jpx.c
|
||||
@@ -443,12 +443,15 @@ fz_load_jpx_info(fz_context *ctx, unsigned char *data, size_t size, int *wp, int
|
||||
}
|
||||
|
||||
#else /* HAVE_LURATECH */
|
||||
-
|
||||
+#ifdef __cplusplus
|
||||
+extern "C"
|
||||
+{
|
||||
#define OPJ_STATIC
|
||||
#define OPJ_HAVE_INTTYPES_H
|
||||
#if !defined(_WIN32) && !defined(_WIN64)
|
||||
#define OPJ_HAVE_STDINT_H
|
||||
#endif
|
||||
+#endif
|
||||
#define USE_JPIP
|
||||
|
||||
#include <openjpeg.h>
|
||||
@@ -920,6 +923,9 @@ fz_load_jpx_info(fz_context *ctx, unsigned char *data, size_t size, int *wp, int
|
||||
}
|
||||
|
||||
#endif /* HAVE_LURATECH */
|
||||
+#ifdef __cplusplus
|
||||
+}
|
||||
+#endif
|
||||
|
||||
#else /* FZ_ENABLE_JPX */
|
||||
|
@ -1,91 +0,0 @@
|
||||
From 1912de5f08e90af1d9d0a9791f58ba3afdb9d465 Mon Sep 17 00:00:00 2001
|
||||
From: Robin Watts <robin.watts@artifex.com>
|
||||
Date: Thu, 9 Feb 2017 15:49:15 +0000
|
||||
Subject: [PATCH 2/2] Bug 697500: Fix NULL ptr access.
|
||||
|
||||
Cope better with errors during rendering - avoid letting the
|
||||
gstate stack get out of sync.
|
||||
|
||||
This avoids us ever getting into the situation of popping
|
||||
a clip when we should be popping a mask or a group. This was
|
||||
causing an unexpected case in the painting.
|
||||
---
|
||||
source/pdf/pdf-op-run.c | 26 ++++++++++++++++++--------
|
||||
1 file changed, 18 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/source/pdf/pdf-op-run.c b/source/pdf/pdf-op-run.c
|
||||
index a3ea895..f1eac8d 100644
|
||||
--- a/source/pdf/pdf-op-run.c
|
||||
+++ b/source/pdf/pdf-op-run.c
|
||||
@@ -1213,6 +1213,7 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
|
||||
pdf_run_processor *pr = (pdf_run_processor *)proc;
|
||||
pdf_gstate *gstate = NULL;
|
||||
int oldtop = 0;
|
||||
+ int oldbot = -1;
|
||||
fz_matrix local_transform = *transform;
|
||||
softmask_save softmask = { NULL };
|
||||
int gparent_save;
|
||||
@@ -1232,16 +1233,17 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
|
||||
fz_var(cleanup_state);
|
||||
fz_var(gstate);
|
||||
fz_var(oldtop);
|
||||
+ fz_var(oldbot);
|
||||
|
||||
gparent_save = pr->gparent;
|
||||
pr->gparent = pr->gtop;
|
||||
+ oldtop = pr->gtop;
|
||||
|
||||
fz_try(ctx)
|
||||
{
|
||||
pdf_gsave(ctx, pr);
|
||||
|
||||
gstate = pr->gstate + pr->gtop;
|
||||
- oldtop = pr->gtop;
|
||||
|
||||
pdf_xobject_bbox(ctx, xobj, &xobj_bbox);
|
||||
pdf_xobject_matrix(ctx, xobj, &xobj_matrix);
|
||||
@@ -1302,12 +1304,25 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
|
||||
|
||||
doc = pdf_get_bound_document(ctx, xobj->obj);
|
||||
|
||||
+ oldbot = pr->gbot;
|
||||
+ pr->gbot = pr->gtop;
|
||||
+
|
||||
pdf_process_contents(ctx, (pdf_processor*)pr, doc, resources, xobj->obj, NULL);
|
||||
}
|
||||
fz_always(ctx)
|
||||
{
|
||||
+ /* Undo any gstate mismatches due to the pdf_process_contents call */
|
||||
+ if (oldbot != -1)
|
||||
+ {
|
||||
+ while (pr->gtop > pr->gbot)
|
||||
+ {
|
||||
+ pdf_grestore(ctx, pr);
|
||||
+ }
|
||||
+ pr->gbot = oldbot;
|
||||
+ }
|
||||
+
|
||||
if (cleanup_state >= 3)
|
||||
- pdf_grestore(ctx, pr); /* Remove the clippath */
|
||||
+ pdf_grestore(ctx, pr); /* Remove the state we pushed for the clippath */
|
||||
|
||||
/* wrap up transparency stacks */
|
||||
if (transparency)
|
||||
@@ -1341,13 +1356,8 @@ pdf_run_xobject(fz_context *ctx, pdf_run_processor *proc, pdf_xobject *xobj, pdf
|
||||
pr->gstate[pr->gparent].ctm = gparent_save_ctm;
|
||||
pr->gparent = gparent_save;
|
||||
|
||||
- if (gstate)
|
||||
- {
|
||||
- while (oldtop < pr->gtop)
|
||||
- pdf_grestore(ctx, pr);
|
||||
-
|
||||
+ while (oldtop < pr->gtop)
|
||||
pdf_grestore(ctx, pr);
|
||||
- }
|
||||
|
||||
pdf_unmark_obj(ctx, xobj->obj);
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,51 +0,0 @@
|
||||
From 2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 Mon Sep 17 00:00:00 2001
|
||||
From: Robin Watts <Robin.Watts@artifex.com>
|
||||
Date: Thu, 9 Feb 2017 07:12:16 -0800
|
||||
Subject: [PATCH 1/2] bug 697515: Fix out of bounds read in fz_subsample_pixmap
|
||||
|
||||
Pointer arithmetic for final special case was going wrong.
|
||||
---
|
||||
source/fitz/pixmap.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/source/fitz/pixmap.c b/source/fitz/pixmap.c
|
||||
index a831712..f1291dc 100644
|
||||
--- a/source/fitz/pixmap.c
|
||||
+++ b/source/fitz/pixmap.c
|
||||
@@ -1104,6 +1104,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
|
||||
"@STACK:r1,<9>,factor,n,fwd,back,back2,fwd2,divX,back4,fwd4,fwd3,divY,back5,divXY\n"
|
||||
"ldr r4, [r13,#4*22] @ r4 = divXY \n"
|
||||
"ldr r5, [r13,#4*11] @ for (nn = n; nn > 0; n--) { \n"
|
||||
+ "ldr r8, [r13,#4*17] @ r8 = back4 \n"
|
||||
"18: @ \n"
|
||||
"mov r14,#0 @ r14= v = 0 \n"
|
||||
"sub r5, r5, r1, LSL #8 @ for (xx = x; xx > 0; x--) { \n"
|
||||
@@ -1120,7 +1121,7 @@ fz_subsample_pixmap_ARM(unsigned char *ptr, int w, int h, int f, int factor,
|
||||
"mul r14,r4, r14 @ r14= v *= divX \n"
|
||||
"mov r14,r14,LSR #16 @ r14= v >>= 16 \n"
|
||||
"strb r14,[r9], #1 @ *d++ = r14 \n"
|
||||
- "sub r0, r0, r8 @ s -= back2 \n"
|
||||
+ "sub r0, r0, r8 @ s -= back4 \n"
|
||||
"subs r5, r5, #1 @ n-- \n"
|
||||
"bgt 18b @ } \n"
|
||||
"21: @ \n"
|
||||
@@ -1249,6 +1250,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
|
||||
x += f;
|
||||
if (x > 0)
|
||||
{
|
||||
+ int back4 = x * n - 1;
|
||||
div = x * y;
|
||||
for (nn = n; nn > 0; nn--)
|
||||
{
|
||||
@@ -1263,7 +1265,7 @@ fz_subsample_pixmap(fz_context *ctx, fz_pixmap *tile, int factor)
|
||||
s -= back5;
|
||||
}
|
||||
*d++ = v / div;
|
||||
- s -= back2;
|
||||
+ s -= back4;
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,44 +0,0 @@
|
||||
commit 2590fed7a355a421f062ebd4293df892800fa7ac
|
||||
Author: Sebastian Rasmussen <sebras@gmail.com>
|
||||
Date: Thu Dec 1 17:15:27 2016 -0500
|
||||
|
||||
Bug 697400: Mark visited objects when counting OCG layer entries.
|
||||
|
||||
diff --git a/source/pdf/pdf-layer.c b/source/pdf/pdf-layer.c
|
||||
index 3296b6c..fc29c9d 100644
|
||||
--- a/source/pdf/pdf-layer.c
|
||||
+++ b/source/pdf/pdf-layer.c
|
||||
@@ -90,7 +90,14 @@ count_entries(fz_context *ctx, pdf_obj *obj)
|
||||
for (i = 0; i < len; i++)
|
||||
{
|
||||
pdf_obj *o = pdf_array_get(ctx, obj, i);
|
||||
- count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
|
||||
+ if (pdf_mark_obj(ctx, o))
|
||||
+ continue;
|
||||
+ fz_try(ctx)
|
||||
+ count += (pdf_is_array(ctx, o) ? count_entries(ctx, o) : 1);
|
||||
+ fz_always(ctx)
|
||||
+ pdf_unmark_obj(ctx, o);
|
||||
+ fz_catch(ctx)
|
||||
+ fz_rethrow(ctx);
|
||||
}
|
||||
return count;
|
||||
}
|
||||
@@ -106,7 +113,16 @@ populate_ui(fz_context *ctx, pdf_ocg_descriptor *desc, pdf_ocg_ui *ui, pdf_obj *
|
||||
pdf_obj *o = pdf_array_get(ctx, order, i);
|
||||
if (pdf_is_array(ctx, o))
|
||||
{
|
||||
- ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
|
||||
+ if (pdf_mark_obj(ctx, o))
|
||||
+ continue;
|
||||
+
|
||||
+ fz_try(ctx)
|
||||
+ ui = populate_ui(ctx, desc, ui, o, depth+1, rbgroups, locked);
|
||||
+ fz_always(ctx)
|
||||
+ pdf_unmark_obj(ctx, o);
|
||||
+ fz_catch(ctx)
|
||||
+ fz_rethrow(ctx);
|
||||
+
|
||||
continue;
|
||||
}
|
||||
ui->depth = depth;
|
36
mupdf.spec
36
mupdf.spec
@ -1,6 +1,6 @@
|
||||
Name: mupdf
|
||||
Version: 1.10a
|
||||
Release: 6%{?dist}
|
||||
Version: 1.11
|
||||
Release: 9%{?dist}
|
||||
Summary: A lightweight PDF viewer and toolkit
|
||||
Group: Applications/Publishing
|
||||
License: GPLv3
|
||||
@ -11,11 +11,10 @@ BuildRequires: gcc make binutils desktop-file-utils coreutils
|
||||
BuildRequires: openjpeg2-devel jbig2dec-devel desktop-file-utils
|
||||
BuildRequires: libjpeg-devel freetype-devel libXext-devel curl-devel
|
||||
BuildRequires: harfbuzz-devel
|
||||
Patch0: %{name}-1.10a-openjpeg.patch
|
||||
## https://bugzilla.redhat.com/show_bug.cgi?id=1425338
|
||||
Patch1: %{name}-Bug-697500-Fix-NULL-ptr-access.patch
|
||||
Patch2: %{name}-bug-697515-Fix-out-of-bounds-read-in-fz_subsample_pi.patch
|
||||
Patch3: %{name}-bz1439643.patch
|
||||
BuildRequires: glfw-devel mesa-libGL-devel
|
||||
Patch0: %{name}-1.11-openjpeg.patch
|
||||
Patch1: %{name}-1.11-CVE-2017-15369.patch
|
||||
Patch2: %{name}-1.11-CVE-2017-15587.patch
|
||||
|
||||
|
||||
%description
|
||||
@ -49,14 +48,13 @@ rm -rf thirdparty
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
export CFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
|
||||
make %{?_smp_mflags} build=debug verbose=yes
|
||||
export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
|
||||
|
||||
make %{?_smp_mflags} build=debug verbose=yes HAVE_GLFW=yes SYS_GLFW_CFLAGS="-I%{_includedir}/GL -I%{_includedir}/GLFW" GLFW_LIBS="-lGL -lglfw"
|
||||
%install
|
||||
make DESTDIR=%{buildroot} install prefix=%{_prefix} libdir=%{_libdir} build=debug verbose=yes
|
||||
make DESTDIR=%{buildroot} install prefix=%{_prefix} libdir=%{_libdir} build=debug verbose=yes HAVE_GLFW=yes
|
||||
## handle docs on our own
|
||||
rm -rf %{buildroot}/%{_docdir}
|
||||
desktop-file-install --dir=%{buildroot}%{_datadir}/applications %{SOURCE1}
|
||||
@ -87,6 +85,22 @@ update-desktop-database &> /dev/null || :
|
||||
%{_libdir}/lib%{name}*.a
|
||||
|
||||
%changelog
|
||||
* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-9
|
||||
- CVE-2017-15369
|
||||
- CVE-2017-15587
|
||||
|
||||
* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-8
|
||||
- repair FTBFS from version specific patch in 412e729 ("New release 1.11", 2017-04-11)
|
||||
|
||||
* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-7
|
||||
- rebuild with jbig2dec 0.14 (#1456731)
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.11-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.11-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Tue May 9 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 1.10a-6
|
||||
- Rebuild with new jbig2dec(#1443933)
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (mupdf-1.10a-source.tar.gz) = 8c735963364985e74ceb38242afae555a3d2ee7c69abe3fe5c485e8613a83d996a58f231cb689a156019d431fa67d565503247d010b0a404054850483aed9fec
|
||||
SHA512 (mupdf-1.11-source.tar.gz) = 501670f540e298a8126806ebbd9db8b29866f663b7bbf26c9ade1933e42f0c00ad410b9d93f3ddbfb3e45c38722869095de28d832fe3fb3703c55cc9a01dbf63
|
||||
|
Loading…
Reference in New Issue
Block a user