CVE-2017-15369, CVE-2017-15587

mupdf-1.11-CVE-2017-15369.patch

@@ -0,0 +1,45 @@
+From c2663e51238ec8256da7fc61ad580db891d9fe9a Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Mon, 25 Sep 2017 13:04:11 +0200
+Subject: [PATCH] Bug 698592: Mark variable fz_var(), avoiding optimization.
+
+The change in 2707fa9e8e6d17d794330e719dec1b08161fb045
+in build_filter_chain() allows for the variable chain
+to reside in a register, which means that the bug is
+likely to only be visible if built under optimization.
+
+First the chain variable is transferred to chain2, then
+set to NULL, then when an exception occurs in build_filter()
+the filter chain will be freed by build_filter(). Next
+the expectation is that execution proceeds to fz_catch()
+where fz_drop_stream() would be called with chain == NULL.
+
+However due to the chain variable residing in a register,
+its value is not NULL as expected, but was reset to its
+original value upon the exception (since they use setjmp()),
+hence fz_drop_stream() is called with a non-NULL value.
+
+Marking the chain variable with fz_var() prevents the
+compiler from allowing the chain variable to reside in
+a register and hence its value will remain NULL and
+never be reset.
+---
+ source/pdf/pdf-stream.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
+index baf9f0a..56592b0 100644
+--- a/source/pdf/pdf-stream.c
++++ b/source/pdf/pdf-stream.c
+@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
+ 	pdf_obj *p;
+ 	int i, n;
+ 
++	fz_var(chain);
++
+ 	fz_try(ctx)
+ 	{
+ 		n = pdf_array_len(ctx, fs);
+-- 
+2.9.1
+

mupdf-1.11-CVE-2017-15587.patch

@@ -0,0 +1,26 @@
+From 82df2631d7d0446b206ea6b434ea609b6c28b0e8 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Mon, 16 Oct 2017 13:14:25 +0200
+Subject: [PATCH] Check for integer overflow when validating new style xref
+ Index.
+
+---
+ source/pdf/pdf-xref.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 66bd0ed..6292793 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0)
++	if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+ 		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+ 	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+ 	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
+-- 
+2.9.1
+

mupdf.spec

@@ -1,6 +1,6 @@
 Name:           mupdf
 Version:        1.11
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        A lightweight PDF viewer and toolkit
 Group:          Applications/Publishing
 License:        GPLv3
@@ -13,6 +13,8 @@ BuildRequires:  libjpeg-devel freetype-devel libXext-devel curl-devel
 BuildRequires:  harfbuzz-devel
 BuildRequires:  glfw-devel mesa-libGL-devel
 Patch0:         %{name}-1.11-openjpeg.patch
+Patch1:         %{name}-1.11-CVE-2017-15369.patch
+Patch2:         %{name}-1.11-CVE-2017-15587.patch
 
 
 %description
@@ -44,6 +46,8 @@ applications that use mupdf and static libraries
 %setup -q -n %{name}-%{version}-source
 rm -rf thirdparty
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 export XCFLAGS="%{optflags} -fPIC -DJBIG_NO_MEMENTO -DTOFU -DTOFU_CJK"
@@ -81,6 +85,10 @@ update-desktop-database &> /dev/null || :
 %{_libdir}/lib%{name}*.a
 
 %changelog
+* Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-9
+* CVE-2017-15369
+* CVE-2017-15587
+
 * Sat Nov 11 2017 Michael J Gruber <mjg@fedoraproject.org> - 1.11-8
 * repair FTBFS from version specific patch in 412e729 ("New release 1.11", 2017-04-11)