Received: by mail.netbsd.org (Postfix, from userid 605) id C3C4F856A5; Sat, 5 Aug 2017 22:03:41 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 1C5B1856A5 for ; Sat, 5 Aug 2017 22:03:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 1hAHuiTWkkdO for ; Sat, 5 Aug 2017 22:03:40 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.netbsd.org [199.233.217.197]) by mail.netbsd.org (Postfix) with ESMTP id 710968566A for ; Sat, 5 Aug 2017 08:03:05 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id 6B516FACD; Sat, 5 Aug 2017 08:03:05 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1501920185129670" MIME-Version: 1.0 Date: Sat, 5 Aug 2017 08:03:05 +0000 From: "Niclas Rosenvik" Subject: CVS commit: pkgsrc/graphics/jbig2dec To: pkgsrc-changes@NetBSD.org Reply-To: nros@netbsd.org X-Mailer: log_accum Message-Id: <20170805080305.6B516FACD@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_1501920185129670 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: nros Date: Sat Aug 5 08:03:05 UTC 2017 Modified Files: pkgsrc/graphics/jbig2dec: Makefile distinfo Added Files: pkgsrc/graphics/jbig2dec/patches: patch-jbig2__huffman.c patch-jbig2__image.c patch-jbig2__symbol__dict.c Log Message: Add patches to fix CVEs: CVE-2017-7885 CVE-2017-7975 CVE-2017-7976 CVE-2017-9216 Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 pkgsrc/graphics/jbig2dec/Makefile cvs rdiff -u -r1.5 -r1.6 pkgsrc/graphics/jbig2dec/distinfo cvs rdiff -u -r0 -r1.1 \ pkgsrc/graphics/jbig2dec/patches/patch-jbig2__huffman.c \ pkgsrc/graphics/jbig2dec/patches/patch-jbig2__image.c \ pkgsrc/graphics/jbig2dec/patches/patch-jbig2__symbol__dict.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1501920185129670 Content-Disposition: inline Content-Length: 5753 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/graphics/jbig2dec/Makefile diff -u pkgsrc/graphics/jbig2dec/Makefile:1.6 pkgsrc/graphics/jbig2dec/Makefile:1.7 --- pkgsrc/graphics/jbig2dec/Makefile:1.6 Wed Apr 13 17:59:34 2016 +++ pkgsrc/graphics/jbig2dec/Makefile Sat Aug 5 08:03:05 2017 @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.6 2016/04/13 17:59:34 wiz Exp $ +# $NetBSD: Makefile,v 1.7 2017/08/05 08:03:05 nros Exp $ DISTNAME= jbig2dec-0.13 +PKGREVISION= 1 CATEGORIES= graphics MASTER_SITES= http://downloads.ghostscript.com/public/jbig2dec/ Index: pkgsrc/graphics/jbig2dec/distinfo diff -u pkgsrc/graphics/jbig2dec/distinfo:1.5 pkgsrc/graphics/jbig2dec/distinfo:1.6 --- pkgsrc/graphics/jbig2dec/distinfo:1.5 Wed Apr 13 17:59:34 2016 +++ pkgsrc/graphics/jbig2dec/distinfo Sat Aug 5 08:03:05 2017 @@ -1,6 +1,9 @@ -$NetBSD: distinfo,v 1.5 2016/04/13 17:59:34 wiz Exp $ +$NetBSD: distinfo,v 1.6 2017/08/05 08:03:05 nros Exp $ SHA1 (jbig2dec-0.13.tar.gz) = d7b07ef308e95dc44a83f2193ca4f445630e6355 RMD160 (jbig2dec-0.13.tar.gz) = 84b4c9730d3a62e75524f4a251379b884cfe00d3 SHA512 (jbig2dec-0.13.tar.gz) = ef64a65c54bec65f61602de7130dc9594aae58aaea7958f7cc987f25d0794511e15a423e86501ace4f40c0364796fb97ceab72edb0b69232926767ba16c1b05d Size (jbig2dec-0.13.tar.gz) = 442571 bytes +SHA1 (patch-jbig2__huffman.c) = be3e48b6d324090ffd607babccc602003be54788 +SHA1 (patch-jbig2__image.c) = c0f18948e009be0dc3ba5f0ef67d51538c0cc932 +SHA1 (patch-jbig2__symbol__dict.c) = 5cf647fa56577e540f21772e64e6c2f89f1d647c Added files: Index: pkgsrc/graphics/jbig2dec/patches/patch-jbig2__huffman.c diff -u /dev/null pkgsrc/graphics/jbig2dec/patches/patch-jbig2__huffman.c:1.1 --- /dev/null Sat Aug 5 08:03:05 2017 +++ pkgsrc/graphics/jbig2dec/patches/patch-jbig2__huffman.c Sat Aug 5 08:03:05 2017 @@ -0,0 +1,16 @@ +$NetBSD: patch-jbig2__huffman.c,v 1.1 2017/08/05 08:03:05 nros Exp $ +* fix CVE-2017-7975 + fixed upstrema so remove this patch on the next version update. +--- jbig2_huffman.c.orig 2017-08-05 07:27:45.000000000 +0000 ++++ jbig2_huffman.c +@@ -422,8 +422,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, + + if (PREFLEN == CURLEN) { + int RANGELEN = lines[CURTEMP].RANGELEN; +- int start_j = CURCODE << shift; +- int end_j = (CURCODE + 1) << shift; ++ uint32_t start_j = CURCODE << shift; ++ uint32_t end_j = (CURCODE + 1) << shift; + byte eflags = 0; + + if (end_j > max_j) { Index: pkgsrc/graphics/jbig2dec/patches/patch-jbig2__image.c diff -u /dev/null pkgsrc/graphics/jbig2dec/patches/patch-jbig2__image.c:1.1 --- /dev/null Sat Aug 5 08:03:05 2017 +++ pkgsrc/graphics/jbig2dec/patches/patch-jbig2__image.c Sat Aug 5 08:03:05 2017 @@ -0,0 +1,15 @@ +$NetBSD: patch-jbig2__image.c,v 1.1 2017/08/05 08:03:05 nros Exp $ +* fix CVE-2017-7976 + fixed upstream so remove this patch on the next version update +--- jbig2_image.c.orig 2017-08-05 07:31:46.000000000 +0000 ++++ jbig2_image.c +@@ -256,7 +256,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2 + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || ++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { Index: pkgsrc/graphics/jbig2dec/patches/patch-jbig2__symbol__dict.c diff -u /dev/null pkgsrc/graphics/jbig2dec/patches/patch-jbig2__symbol__dict.c:1.1 --- /dev/null Sat Aug 5 08:03:05 2017 +++ pkgsrc/graphics/jbig2dec/patches/patch-jbig2__symbol__dict.c Sat Aug 5 08:03:05 2017 @@ -0,0 +1,26 @@ +$NetBSD: patch-jbig2__symbol__dict.c,v 1.1 2017/08/05 08:03:05 nros Exp $ +* fix CVE-2017-7885 and CVE-2017-9216 + fixed upstream so remove this patch on the next version update +--- jbig2_symbol_dict.c.orig 2017-08-05 07:24:59.000000000 +0000 ++++ jbig2_symbol_dict.c +@@ -499,8 +499,10 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + } + + /* multiple symbols are handled as a text region */ +- jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts, ++ code = jbig2_decode_text_region(ctx, segment, tparams, (const Jbig2SymbolDict * const *)refagg_dicts, + n_refagg_dicts, image, data, size, GR_stats, as, ws); ++ if (code < 0) ++ goto cleanup4; + + SDNEWSYMS->glyphs[NSYMSDECODED] = image; + refagg_dicts[0]->glyphs[params->SDNUMINSYMS + NSYMSDECODED] = jbig2_image_clone(ctx, SDNEWSYMS->glyphs[NSYMSDECODED]); +@@ -633,7 +635,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + byte *dst = image->data; + + /* SumatraPDF: prevent read access violation */ +- if (size - jbig2_huffman_offset(hs) < image->height * stride) { ++ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride, + size - jbig2_huffman_offset(hs)); + jbig2_image_release(ctx, image); --_----------=_1501920185129670--