Date: Wed, 25 Oct 2017 11:00:03 +0000
From: "Leonardo Taccari" Subject: CVS commit: pkgsrc/print/mupdf To: pkgsrc-changes@NetBSD.org Reply-To: leot@netbsd.org X-Mailer: log_accum Message-Id: <20171025110003.91E30FBDE@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_1508929203152660 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: leot Date: Wed Oct 25 11:00:03 UTC 2017 Modified Files: pkgsrc/print/mupdf: Makefile distinfo Added Files: pkgsrc/print/mupdf/patches: patch-CVE-2017-14685 patch-CVE-2017-14686 patch-CVE-2017-14687 patch-CVE-2017-15369 patch-CVE-2017-15587 Log Message: mupdf: backport patches to fix several possible security issues Backport patches from upstream to address CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, CVE-2017-15369 and CVE-2017-15587. These will not be needed for the next mupdf stable release. Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.53 -r1.54 pkgsrc/print/mupdf/Makefile cvs rdiff -u -r1.37 -r1.38 pkgsrc/print/mupdf/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/print/mupdf/patches/patch-CVE-2017-14685 \ pkgsrc/print/mupdf/patches/patch-CVE-2017-14686 \ pkgsrc/print/mupdf/patches/patch-CVE-2017-14687 \ pkgsrc/print/mupdf/patches/patch-CVE-2017-15369 \ pkgsrc/print/mupdf/patches/patch-CVE-2017-15587 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1508929203152660 Content-Disposition: inline Content-Length: 10538 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/print/mupdf/Makefile diff -u pkgsrc/print/mupdf/Makefile:1.53 pkgsrc/print/mupdf/Makefile:1.54 --- pkgsrc/print/mupdf/Makefile:1.53 Thu Oct 19 20:32:07 2017 +++ pkgsrc/print/mupdf/Makefile Wed Oct 25 11:00:03 2017 
@@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.53 2017/10/19 20:32:07 leot Exp $ +# $NetBSD: Makefile,v 1.54 2017/10/25 11:00:03 leot Exp $ DISTNAME= mupdf-1.11-source PKGNAME= ${DISTNAME:S/-source//} -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= print MASTER_SITES= https://mupdf.com/downloads/archive/ Index: pkgsrc/print/mupdf/distinfo diff -u pkgsrc/print/mupdf/distinfo:1.37 pkgsrc/print/mupdf/distinfo:1.38 --- pkgsrc/print/mupdf/distinfo:1.37 Thu Oct 19 20:32:07 2017 +++ pkgsrc/print/mupdf/distinfo Wed Oct 25 11:00:03 2017 @@ -1,9 +1,14 @@ -$NetBSD: distinfo,v 1.37 2017/10/19 20:32:07 leot Exp $ +$NetBSD: distinfo,v 1.38 2017/10/25 11:00:03 leot Exp $ SHA1 (mupdf-1.11-source.tar.gz) = f782d36aaa896319207e81953e5a622201477b5b RMD160 (mupdf-1.11-source.tar.gz) = 573307473a1ac81aca4519b0e57a7111aae7803f SHA512 (mupdf-1.11-source.tar.gz) = 501670f540e298a8126806ebbd9db8b29866f663b7bbf26c9ade1933e42f0c00ad410b9d93f3ddbfb3e45c38722869095de28d832fe3fb3703c55cc9a01dbf63 Size (mupdf-1.11-source.tar.gz) = 40156070 bytes +SHA1 (patch-CVE-2017-14685) = c84be44c21ca29e0d0a455e0d7efe9a38ac46fb5 +SHA1 (patch-CVE-2017-14686) = b573adc7baa25a2f8b2068b1833f4cc17f38f3eb +SHA1 (patch-CVE-2017-14687) = 651efafea77050216645ded2e2d3592970713b74 +SHA1 (patch-CVE-2017-15369) = 37bc5e52c67591b04640c03f5a227c278a26aa11 +SHA1 (patch-CVE-2017-15587) = 3bdafc7647148b0b29d37804a14306ea4458a529 SHA1 (patch-Makethird) = a4d1bb3c8d509a84803c9b60521fd9b6b17b9717 SHA1 (patch-ab) = a18b1e5b82454bdf06e23185e619b7f8c7a24290 SHA1 (patch-ac) = c2decf6eae4c6343636439c7d7f6621826fc4e3c Added files: Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-14685 diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-14685:1.1 --- /dev/null Wed Oct 25 11:00:03 2017 +++ pkgsrc/print/mupdf/patches/patch-CVE-2017-14685 Wed Oct 25 11:00:03 2017 
@@ -0,0 +1,20 @@ +$NetBSD: patch-CVE-2017-14685,v 1.1 2017/10/25 11:00:03 leot Exp $ + +Fix 698539: Don't use xps font if it could not be loaded. +(AKA CVE-2017-14685) + +xps_load_links_in_glyphs did not cope with font loading failures. + +From upstream commit ab1a420613dec93c686acbee2c165274e922f82a + +--- source/xps/xps-link.c.orig ++++ source/xps/xps-link.c +@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct + bidi_level = atoi(bidi_level_att); + + font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att); ++ if (!font) ++ return; + text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att), + fz_atof(origin_x_att), fz_atof(origin_y_att), + is_sideways, bidi_level, indices_att, unicode_att); Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-14686 diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-14686:1.1 --- /dev/null Wed Oct 25 11:00:03 2017 +++ pkgsrc/print/mupdf/patches/patch-CVE-2017-14686 Wed Oct 25 11:00:03 2017 @@ -0,0 +1,19 @@ +$NetBSD: patch-CVE-2017-14686,v 1.1 2017/10/25 11:00:03 leot Exp $ + +Fix bug 698540: Check name, comment and meta size field signs. +(AKA CVE-2017-14686) + +From upstream commit 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 + +--- source/fitz/unzip.c.orig ++++ source/fitz/unzip.c +@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off + (void) fz_read_int32_le(ctx, file); /* ext file atts */ + offset = fz_read_int32_le(ctx, file); + ++ if (namesize < 0 || metasize < 0 || commentsize < 0) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry"); ++ + name = fz_malloc(ctx, namesize + 1); + n = fz_read(ctx, file, (unsigned char*)name, namesize); + if (n < (size_t)namesize) Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-14687 diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-14687:1.1 
--- /dev/null Wed Oct 25 11:00:03 2017 +++ pkgsrc/print/mupdf/patches/patch-CVE-2017-14687 Wed Oct 25 11:00:03 2017 
@@ -0,0 +1,101 @@ +$NetBSD: patch-CVE-2017-14687,v 1.1 2017/10/25 11:00:03 leot Exp $ + +Fix 698558: Handle non-tags in tag name comparisons. +(AKA CVE-2017-14687) + +Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom. + +From upstream commit 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 + +--- source/html/css-apply.c.orig ++++ source/html/css-apply.c +@@ -328,7 +328,7 @@ match_selector(fz_css_selector *sel, fz_xml *node) + + if (sel->name) + { +- if (strcmp(sel->name, fz_xml_tag(node))) ++ if (!fz_xml_is_tag(node, sel->name)) + return 0; + } + +--- source/svg/svg-run.c.orig ++++ source/svg/svg-run.c +@@ -1044,7 +1044,7 @@ svg_run_use(fz_context *ctx, fz_device *dev, svg_document *doc, fz_xml *root, co + fz_xml *linked = fz_tree_lookup(ctx, doc->idmap, xlink_href_att + 1); + if (linked) + { +- if (!strcmp(fz_xml_tag(linked), "symbol")) ++ if (fz_xml_is_tag(linked, "symbol")) + svg_run_use_symbol(ctx, dev, doc, root, linked, &local_state); + else + svg_run_element(ctx, dev, doc, linked, &local_state); +--- source/xps/xps-common.c.orig ++++ source/xps/xps-common.c +@@ -47,7 +47,7 @@ xps_parse_brush(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, const + else if (fz_xml_is_tag(node, "RadialGradientBrush")) + xps_parse_radial_gradient_brush(ctx, doc, ctm, area, base_uri, dict, node); + else +- fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node)); ++ fz_warn(ctx, "unknown brush tag"); + } + + void +@@ -85,7 +85,7 @@ xps_begin_opacity(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, cons + if (opacity_att) + opacity = fz_atof(opacity_att); + +- if (opacity_mask_tag && !strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush")) ++ if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush")) + { + char *scb_opacity_att = fz_xml_att(opacity_mask_tag, "Opacity"); + char *scb_color_att = fz_xml_att(opacity_mask_tag, "Color"); +@@ -129,7 +129,7 @@ xps_end_opacity(fz_context *ctx, xps_document *doc, char *base_uri, xps_resource + + if (opacity_mask_tag) + { +- 
if (strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush")) ++ if (!fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush")) + fz_pop_clip(ctx, dev); + } + } +--- source/xps/xps-glyphs.c.orig ++++ source/xps/xps-glyphs.c +@@ -592,7 +592,7 @@ xps_parse_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, + + /* If it's a solid color brush fill/stroke do a simple fill */ + +- if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush")) ++ if (fz_xml_is_tag(fill_tag, "SolidColorBrush")) + { + fill_opacity_att = fz_xml_att(fill_tag, "Opacity"); + fill_att = fz_xml_att(fill_tag, "Color"); +--- source/xps/xps-path.c.orig ++++ source/xps/xps-path.c +@@ -879,14 +879,14 @@ xps_parse_path(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, char *b + if (!data_att && !data_tag) + return; + +- if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush")) ++ if (fz_xml_is_tag(fill_tag, "SolidColorBrush")) + { + fill_opacity_att = fz_xml_att(fill_tag, "Opacity"); + fill_att = fz_xml_att(fill_tag, "Color"); + fill_tag = NULL; + } + +- if (stroke_tag && !strcmp(fz_xml_tag(stroke_tag), "SolidColorBrush")) ++ if (fz_xml_is_tag(stroke_tag, "SolidColorBrush")) + { + stroke_opacity_att = fz_xml_att(stroke_tag, "Opacity"); + stroke_att = fz_xml_att(stroke_tag, "Color"); +--- source/xps/xps-resource.c.orig ++++ source/xps/xps-resource.c +@@ -84,7 +84,7 @@ xps_parse_remote_resource_dictionary(fz_context *ctx, xps_document *doc, char *b + if (!xml) + return NULL; + +- if (strcmp(fz_xml_tag(xml), "ResourceDictionary")) ++ if (!fz_xml_is_tag(xml, "ResourceDictionary")) + { + fz_drop_xml(ctx, xml); + fz_throw(ctx, FZ_ERROR_GENERIC, "expected ResourceDictionary element"); Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-15369 diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-15369:1.1 --- /dev/null Wed Oct 25 11:00:03 2017 +++ pkgsrc/print/mupdf/patches/patch-CVE-2017-15369 Wed Oct 25 11:00:03 2017 
@@ -0,0 +1,39 @@ +$NetBSD: patch-CVE-2017-15369,v 1.1 2017/10/25 11:00:03 leot Exp $ + +Bug 698592: Mark variable fz_var(), avoiding optimization. +(AKA CVE-2017-15369) + +The change in 2707fa9e8e6d17d794330e719dec1b08161fb045 +in build_filter_chain() allows for the variable chain +to reside in a register, which means that the bug is +likely to only be visible if built under optimization. + +First the chain variable is transferred to chain2, then +set to NULL, then when an exception occurs in build_filter() +the filter chain will be freed by build_filter(). Next +the expectation is that execution proceeds to fz_catch() +where fz_drop_stream() would be called with chain == NULL. + +However due to the chain variable residing in a register, +its value is not NULL as expected, but was reset to its +original value upon the exception (since they use setjmp()), +hence fz_drop_stream() is called with a non-NULL value. + +Marking the chain variable with fz_var() prevents the +compiler from allowing the chain variable to reside in +a register and hence its value will remain NULL and +never be reset. + +From upstream commit c2663e51238ec8256da7fc61ad580db891d9fe9a + +--- source/pdf/pdf-stream.c.orig ++++ source/pdf/pdf-stream.c +@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj + pdf_obj *p; + int i, n; + ++ fz_var(chain); ++ + fz_try(ctx) + { + n = pdf_array_len(ctx, fs); Index: pkgsrc/print/mupdf/patches/patch-CVE-2017-15587 diff -u /dev/null pkgsrc/print/mupdf/patches/patch-CVE-2017-15587:1.1 --- /dev/null Wed Oct 25 11:00:03 2017 +++ pkgsrc/print/mupdf/patches/patch-CVE-2017-15587 Wed Oct 25 11:00:03 2017 
@@ -0,0 +1,18 @@ +$NetBSD: patch-CVE-2017-15587,v 1.1 2017/10/25 11:00:03 leot Exp $ + +Check for integer overflow when validating new style xref Index. +(AKA CVE-2017-15587) + +From upstream commit 82df2631d7d0446b206ea6b434ea609b6c28b0e8 + +--- source/pdf/pdf-xref.c.orig ++++ source/pdf/pdf-xref.c +@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz + pdf_xref_entry *table; + int i, n; + +- if (i0 < 0 || i1 < 0) ++ if (i0 < 0 || i1 < 0 || (i0+i1) < 0) + fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index"); + //if (i0 + i1 > pdf_xref_len(ctx, doc)) + // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries"); --_----------=_1508929203152660--
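Review bot: the early `return` added after `xps_lookup_font()` in xps_load_links_in_glyphs (patch-CVE-2017-14685) is silent, so a Glyphs element whose font cannot be loaded now contributes no links and leaves no trace of why. Unless `xps_lookup_font()` already warns on failure, a `fz_warn(ctx, ...)` before the `return` would keep the failure visible for document authors and for triage; the guard itself is right, since the old code passed a NULL `font` straight into `xps_parse_glyphs_imp()`.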
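Review bot: the new sign check on `namesize`, `metasize` and `commentsize` in read_zip_dir_imp (patch-CVE-2017-14686) closes the negative case, but the `fz_malloc(ctx, namesize + 1)` two lines below still computes `namesize + 1` in `int`, which wraps when `namesize` is `INT_MAX`. Suggest rejecting that edge as well, e.g. `if (namesize < 0 || namesize == INT_MAX || metasize < 0 || commentsize < 0)`, or bounding all three against a sane maximum, since these values come straight from the central directory of an untrusted archive.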
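Review bot: the xps_begin_opacity, xps_parse_glyphs and xps_parse_path hunks in patch-CVE-2017-14687 drop the explicit `opacity_mask_tag &&` / `fill_tag &&` / `stroke_tag &&` NULL guards and rely on `fz_xml_is_tag()` to accept both a NULL node and a non-tag (text) node. The patch does not include the definition of `fz_xml_is_tag()`, so please confirm the 1.11 copy in source/fitz/xml.c handles both cases; if it only handles the non-tag case, the NULL dereference moves rather than disappears.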
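Review bot: the xps_parse_brush hunk in patch-CVE-2017-14687 replaces `fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node))` with a message that no longer names the tag, which makes the warning much less useful when the node really is an unknown element. Keeping the name when it exists, e.g. `fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node) ? fz_xml_tag(node) : "(not a tag)")`, preserves the diagnostic without reintroducing the NULL `%s` argument.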
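Review bot: `fz_var(chain)` in build_filter_chain (patch-CVE-2017-15369) is placed before `fz_try(ctx)`, which is the only position where it works, since it must precede the setjmp; that part is fine. The reasoning in the patch header (chain is reassigned inside fz_try and read again in fz_catch after a longjmp) is not visible in pdf-stream.c, so a one-line comment above the call would stop a later cleanup from removing what looks like a no-op.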
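Review bot: `(i0+i1) < 0` in pdf_read_new_xref_section (patch-CVE-2017-15587) tests for signed overflow after it has occurred, and signed overflow is undefined in C, so an optimizing compiler is entitled to drop the new term entirely. Since both operands are already known non-negative at that point, write the check as `i1 > INT_MAX - i0` instead. Note also that the `pdf_xref_len` upper bound directly below stays commented out, so a large but non-overflowing index range is still not rejected here.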