Bug#988339: unblock: djvulibre/3.5.28-2
Barak A. Pearlmutter
2021-05-10 19:20:02 UTC
Package: release.debian.org
Severity: normal
User: ***@packages.debian.org
Usertags: unblock

Please unblock package djvulibre

[ Reason ]

Address CVE-2021-3500 and some other potential security issues by
importing Fedora patches.

[ Impact ]

Programs using libdjvulibre to handle .djvu files will remain
vulnerable to crafted input.

[ Tests ]

n/a

[ Risks ]

All but one of these patches have been in Fedora for quite some time.
The last one is currently in Fedora, but recently. All the patches are
very simple: testing and bailing when various error conditions pop up,
like a memory allocation failure or page sizes that cause overflow.

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

unblock djvulibre/3.5.28-2

----------------------------------------------------------------

diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog
--- djvulibre-3.5.28/debian/changelog 2020-11-23 13:10:15.000000000 +0000
+++ djvulibre-3.5.28/debian/changelog 2021-05-10 18:56:59.000000000 +0100
@@ -1,3 +1,26 @@
+djvulibre (3.5.28-2) unstable; urgency=high
+
+ * bump policy version
+ * Include Fedora 3.5.27 patches, foward ported, taken from djvulibre.spec in
+ https://src.fedoraproject.org/rpms/djvulibre.git
+ - Patch0: djvulibre-3.5.22-cdefs.patch (forward ported)
+ - #Patch1: djvulibre-3.5.25.3-cflags.patch (disabled in Fedora)
+ - Patch2: djvulibre-3.5.27-buffer-overflow.patch (UPSTREAMED)
+ - Patch3: djvulibre-3.5.27-infinite-loop.patch (UPSTREAMED)
+ - Patch4: djvulibre-3.5.27-stack-overflow.patch (UPSTREAMED)
+ - Patch5: djvulibre-3.5.27-zero-bytes-check.patch (UPSTREAMED)
+ - Patch6: djvulibre-3.5.27-export-file.patch (forward ported)
+ - Patch7: djvulibre-3.5.27-null-dereference.patch (UPSTREAMED)
+ - Patch8: djvulibre-3.5.27-check-image-size.patch (forward ported)
+ - Patch9: djvulibre-3.5.27-integer-overflow.patch (forward ported)
+ - Patch10: djvulibre-3.5.27-check-input-pool.patch (forward ported)
+ - Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported)
+ - Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported)
+ These address a number of crashes and security issues, including
+ CVE-2021-3500 (closes: #988215)
+
+ -- Barak A. Pearlmutter <***@debian.org> Mon, 10 May 2021 18:56:59 +0100
+
djvulibre (3.5.28-1) unstable; urgency=medium

[ Leon Bottou ]
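Review bot: the entry lists Patch2, Patch3, Patch4, Patch5 and Patch7 as UPSTREAMED, yet only the seven "forward ported" patches are added to debian/patches/series, so a short clause saying that the UPSTREAMED ones are already contained in 3.5.28 and need no Debian patch would save the release team a question. Two spelling points while the entry is being touched: "foward ported" should read "forward ported", and the Patch9 file name carries "interger" rather than "integer" (also in the series file).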
diff -Nru djvulibre-3.5.28/debian/control djvulibre-3.5.28/debian/control
--- djvulibre-3.5.28/debian/control 2020-11-23 13:10:15.000000000 +0000
+++ djvulibre-3.5.28/debian/control 2021-05-10 18:44:15.000000000 +0100
@@ -11,7 +11,7 @@
Vcs-Git: https://salsa.debian.org/debian/djvulibre.git
Vcs-Browser: https://salsa.debian.org/debian/djvulibre
Homepage: http://djvu.sourceforge.net/
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
Rules-Requires-Root: no

Package: libdjvulibre-dev
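Review bot: the Standards-Version bump from 4.5.0 to 4.5.1 is unrelated to the CVE fix; during the freeze the unblock diff is normally expected to contain only the targeted changes, so either state in the bug why it is harmless or drop it from this upload.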
diff -Nru djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch
--- djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch 2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,21 @@
+From: "Barak A. Pearlmutter" <barak+***@pearlmutter.net>
+Date: Mon, 10 May 2021 15:43:26 +0100
+Subject: djvulibre-fedora Patch0 djvulibre-3.5.22-cdefs.patch
+
+---
+ libdjvu/GSmartPointer.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libdjvu/GSmartPointer.h b/libdjvu/GSmartPointer.h
+index 8a8bb8a..08540f7 100644
+--- a/libdjvu/GSmartPointer.h
++++ b/libdjvu/GSmartPointer.h
+@@ -62,6 +62,8 @@
+ # pragma interface
+ #endif
+
++#include <cstddef>
++
+ /** @name GSmartPointer.h
+
+ Files #"GSmartPointer.h"# and #"GSmartPointer.cpp"# define a smart-pointer
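Review bot: adding `#include <cstddef>` to GSmartPointer.h is a build fix rather than a security change, and the patch body says only "Patch0 djvulibre-3.5.22-cdefs.patch"; one line in the patch description naming the compiler failure it avoids (missing NULL or size_t definitions) would help the next maintainer decide whether it can be dropped.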
diff -Nru djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch
--- djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch 2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,24 @@
+From: "Barak A. Pearlmutter" <barak+***@pearlmutter.net>
+Date: Mon, 10 May 2021 15:47:32 +0100
+Subject: djvulibre-fedora Patch6 djvulibre-3.5.27-export-file.patch
+
+---
+ desktopfiles/Makefile.am | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/desktopfiles/Makefile.am b/desktopfiles/Makefile.am
+index 9e952e1..5b8cae3 100644
+--- a/desktopfiles/Makefile.am
++++ b/desktopfiles/Makefile.am
+@@ -32,10 +32,9 @@ if HAVE_CONVERSION_INKSCAPE
+ convert_icons_process = \
+ s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \
+ ${INKSCAPE} \
+---without-gui \
+ --export-width=$${s} \
+ --export-height=$${s} \
+---export-png=$@ $<
++--export-filename=$@ $<
+ endif
+
+ if HAVE_CONVERSION_CONVERT
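Review bot: dropping `--without-gui` and replacing `--export-png=$@` with `--export-filename=$@` is the Inkscape 1.x command line for icon conversion, a build fix with no security impact, so the changelog's "crashes and security issues" wording overstates this one; a separate changelog bullet for it would be clearer. Since the rule only runs under HAVE_CONVERSION_INKSCAPE, builds that fall through to the HAVE_CONVERSION_CONVERT branch are unaffected.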
diff -Nru djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch
--- djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch 2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,24 @@
+From: "Barak A. Pearlmutter" <barak+***@pearlmutter.net>
+Date: Mon, 10 May 2021 15:48:24 +0100
+Subject: djvulibre-fedora Patch8 djvulibre-3.5.27-check-image-size.patch
+
+---
+ libdjvu/IW44Image.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
+index e8d4b44..aa3d554 100644
+--- a/libdjvu/IW44Image.cpp
++++ b/libdjvu/IW44Image.cpp
+@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
+ size_t sz = bw * bh;
+ if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+ G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
++ if (sz == 0)
++ G_THROW("IW44Image: zero size image (corrupted file?)");
+ GPBuffer<short> gdata16(data16,sz);
++ if (data16 == NULL)
++ G_THROW("IW44Image: unable to allocate image data");
+ // Copy coefficients
+ int i;
+ short *p = data16;
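Review bot: the new `if (sz == 0)` guard sits after the existing overflow test `if (sz / (size_t)bw != (size_t)bh)`, so a file with bw equal to 0 still divides by zero on the preceding line before the zero-size check is ever reached; move the zero check ahead of the division, or test bw and bh for zero individually. The `data16 == NULL` check following the GPBuffer construction is only effective if GPBuffer's allocation yields a null pointer on failure rather than throwing; worth confirming against the GPBuffer implementation.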
diff -Nru djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch
--- djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch 2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,31 @@
+From: "Barak A. Pearlmutter" <barak+***@pearlmutter.net>
+Date: Mon, 10 May 2021 15:48:53 +0100
+Subject: djvulibre-fedora Patch9 djvulibre-3.5.27-interger-overflow.patch
+
+---
+ tools/ddjvu.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 7109952..2f3e0f9 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -70,6 +70,7 @@
+ #include <locale.h>
+ #include <fcntl.h>
+ #include <errno.h>
++#include <stdint.h>
+
+ #ifdef UNIX
+ # include <sys/time.h>
+@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
+ rowsize = rrect.w;
+ else
+ rowsize = rrect.w * 3;
+- if (! (image = (char*)malloc(rowsize * rrect.h)))
++ if ((size_t)rowsize > SIZE_MAX / rrect.h)
++ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
++ if (! (image = (char*)malloc((size_t)rowsize * rrect.h)))
+ die(i18n("Cannot allocate image buffer for page %d"), pageno);
+
+ /* Render */
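Review bot: `(size_t)rowsize > SIZE_MAX / rrect.h` divides by rrect.h, so a zero-height render rectangle traps on division by zero before malloc is reached; guard `rrect.h == 0` first, for example `if (rrect.h == 0 || (size_t)rowsize > SIZE_MAX / rrect.h)`, so the overflow branch and the degenerate case both end in die(). Once the check passes, the `(size_t)rowsize * rrect.h` in the malloc argument is correct, and the added `<stdint.h>` include is what provides SIZE_MAX.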
diff -Nru djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch
--- djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch 2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,21 @@
+From: "Barak A. Pearlmutter" <barak+***@pearlmutter.net>
+Date: Mon, 10 May 2021 15:49:14 +0100
+Subject: djvulibre-fedora Patch10 djvulibre-3.5.27-check-input-pool.patch
+
+---
+ libdjvu/DataPool.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
+index 5fcbedf..4c2eaf0 100644
+--- a/libdjvu/DataPool.cpp
++++ b/libdjvu/DataPool.cpp
+@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
+ DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
+ DEBUG_MAKE_INDENT(3);
+
++ if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
++
+ DataPool *xpool=new DataPool();
+ GP<DataPool> retval=xpool;
+ xpool->init();
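Review bot: the new guard throws `ERR_MSG("DataPool.zero_DataPool")`, a message-catalogue key, whereas the other patches in this series throw literal strings; confirm that key exists in the libdjvu message files, otherwise the user sees the raw key text. Placing the check after the DEBUG_MSG line is fine, since that line only casts the pointer for printing and does not dereference it.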
diff -Nru djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
--- djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch 2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,46 @@
+From: "Barak A. Pearlmutter" <barak+***@pearlmutter.net>
+Date: Mon, 10 May 2021 15:49:55 +0100
+Subject: djvulibre-fedora Patch11
+ djvulibre-3.5.27-djvuport-stack-overflow.patch
+
+---
+ libdjvu/DjVuPort.cpp | 9 +++++++++
+ libdjvu/DjVuPort.h | 1 +
+ 2 files changed, 10 insertions(+)
+
+diff --git a/libdjvu/DjVuPort.cpp b/libdjvu/DjVuPort.cpp
+index 2b3e0d2..a377920 100644
+--- a/libdjvu/DjVuPort.cpp
++++ b/libdjvu/DjVuPort.cpp
+@@ -507,10 +507,19 @@ GP<DjVuFile>
+ DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
+ {
+ GPList<DjVuPort> list;
++
++ if (!!opening_id && opening_id == id)
++ G_THROW("DjVuPortcaster: recursive opening of the same file (corrupted file?)");
++ else
++ opening_id = id;
++
+ compute_closure(source, list, true);
+ GP<DjVuFile> file;
+ for(GPosition pos=list;pos;++pos)
+ if ((file=list[pos]->id_to_file(source, id))) break;
++
++ opening_id = GUTF8String();
++
+ return file;
+ }
+
+diff --git a/libdjvu/DjVuPort.h b/libdjvu/DjVuPort.h
+index e2b3125..313dc2b 100644
+--- a/libdjvu/DjVuPort.h
++++ b/libdjvu/DjVuPort.h
+@@ -484,6 +484,7 @@ private:
+ const DjVuPort *dst, int distance);
+ void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
+ bool sorted=false);
++ GUTF8String opening_id;
+ };
+
+
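Review bot: the recursion guard is not exception-safe: `opening_id` is cleared only on the normal return path, so if compute_closure or any port's id_to_file throws, the stale id remains set and every later lookup of the same id throws "recursive opening" even for a well-formed document; clear it in a small RAII scope guard or a catch-and-rethrow around the lookup. A single GUTF8String also remembers only the innermost id, so once opening A leads to opening B, the reset after B erases A and an A, B, A cycle goes undetected; and as a plain member with no locking it races if the portcaster is shared between threads.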
diff -Nru djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
--- djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch 2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,30 @@
+From: "Barak A. Pearlmutter" <barak+***@pearlmutter.net>
+Date: Mon, 10 May 2021 15:50:19 +0100
+Subject: djvulibre-fedora Patch12
+ djvulibre-3.5.27-unsigned-short-overflow.patch
+
+---
+ libdjvu/GBitmap.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..3d552a6 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -69,6 +69,7 @@
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ // - Author: Leon Bottou, 05/1997
+
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+ // initialize pixel array
+ if (nrows==0 || ncolumns==0)
+ G_THROW( ERR_MSG("GBitmap.not_init") );
++ if (ncolumns > USHRT_MAX - border)
++ G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+ bytes_per_row = ncolumns + border;
+ if (runs==0)
+ G_THROW( ERR_MSG("GBitmap.null_arg") );
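Review bot: `if (ncolumns > USHRT_MAX - border)` protects the `bytes_per_row = ncolumns + border` assignment that follows, consistent with the patch name (bytes_per_row being an unsigned short); confirm that border is non-negative and itself bounded below USHRT_MAX, since otherwise `USHRT_MAX - border` wraps or goes negative and the comparison no longer bounds the sum. The added `<limits.h>` include is what defines USHRT_MAX.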
diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series
--- djvulibre-3.5.28/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/series 2021-05-10 18:46:09.000000000 +0100
@@ -0,0 +1,7 @@
+0001-djvulibre-fedora-Patch0-djvulibre-3.5.22-cdefs.patch.patch
+0002-djvulibre-fedora-Patch6-djvulibre-3.5.27-export-file.patch
+0003-djvulibre-fedora-Patch8-djvulibre-3.5.27-check-image.patch
+0004-djvulibre-fedora-Patch9-djvulibre-3.5.27-interger-ov.patch
+0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch
+0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
+0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
Debian Bug Tracking System
2021-05-10 20:10:01 UTC
Your message dated Mon, 10 May 2021 20:02:37 +0000
with message-id <E1lgC6v-0000c3-***@respighi.debian.org>
and subject line unblock djvulibre
has caused the Debian Bug report #988339,
regarding unblock: djvulibre/3.5.28-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
988339: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988339
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems