xpdf 4.02 fixed an out-of-bounds write, CVE-2019-16927.
The German Federal CERT classified the vulnerability as "high risk",
"remote attack", and "arbitrary code execution".
Based on the report and the vague response...
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41885
... I extracted and adapted the fix from the diff between 4.01.01
and 4.02.
NIST lists this in conjunction with CVE-2019-9877:
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=CVE-2019-9877&search_type=all
They're basically the same problem, one writing outside the vertical
something array, the other one outside the corresponding horizontal
array. 4.01.01 fixed -9877 by adjusting the lexer, so it wouldn't
overflow a floating point number, but the checks introduced in
response to -16927 should cover this as well.
This could use some more sanity testing over a collection of PDF
files.
While here, also update HOMEPAGE and the dead MASTER_SITES.
OK?
Index: Makefile
===================================================================
RCS file: /cvs/ports/textproc/xpdf/Makefile,v
retrieving revision 1.93
diff -u -p -r1.93 Makefile
--- Makefile 12 Jul 2019 20:50:17 -0000 1.93
+++ Makefile 3 Oct 2019 15:40:19 -0000
@@ -5,12 +5,11 @@ COMMENT= PDF viewer for X11
DISTNAME= xpdf-3.04
CATEGORIES= textproc x11
EPOCH= 0
-REVISION= 0
+REVISION= 1
-MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \
- http://mirror.ctan.org/support/xpdf/
+MASTER_SITES= https://xpdfreader-dl.s3.amazonaws.com/old/
-HOMEPAGE= http://www.foolabs.com/xpdf/
+HOMEPAGE= https://www.xpdfreader.com/
# GPLv2 only or GPLv3 only or both (at our choice)
PERMIT_PACKAGE= Yes
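Review bot: MASTER_SITES in this hunk moves to a new host, but the diff leaves distinfo untouched; that is only right if the xpdf-3.04 tarball under https://xpdfreader-dl.s3.amazonaws.com/old/ is byte-identical to the old one, so it is worth confirming that a fresh fetch from the new site still passes the checksum before commit.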
Index: patches/patch-xpdf_TextOutputDev_cc
===================================================================
RCS file: patches/patch-xpdf_TextOutputDev_cc
diff -N patches/patch-xpdf_TextOutputDev_cc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpdf_TextOutputDev_cc 3 Oct 2019 15:40:19 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+
+CVE-2019-16927, CVE-2019-9877 from 4.02
+
+Index: xpdf/TextOutputDev.cc
+--- xpdf/TextOutputDev.cc.orig
++++ xpdf/TextOutputDev.cc
+@@ -2472,6 +2472,12 @@ TextBlock *TextPage::split(GList *charsA, int rot) {
+
+ //----- compute the horizontal and vertical profiles
+
++ if (xMin / splitPrecision < 0.5 * INT_MIN ||
++ xMax / splitPrecision > 0.5 * INT_MAX ||
++ yMin / splitPrecision < 0.5 * INT_MIN ||
++ xMax / splitPrecision > 0.5 * INT_MAX) {
++ return NULL;
++ }
+ // add some slack to the array bounds to avoid floating point
+ // precision problems
+ xMinI = (int)floor(xMin / splitPrecision) - 1;
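Review bot: the fourth condition of the added check repeats `xMax / splitPrecision > 0.5 * INT_MAX`, so yMax is never tested and an oversized upper y bound still reaches the int conversions that follow; it should read `yMax / splitPrecision > 0.5 * INT_MAX`. The check also relies on INT_MIN and INT_MAX, so confirm TextOutputDev.cc already pulls in <limits.h>, and that the callers of split() cope with the new NULL return.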
--
Christian "naddy" Weisgerber naddy@mips.inka.de
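The range check discussed in the mail, as an added example that is not part of the original message or of xpdf's code: each axis goes through the same validation before the double-to-int conversion, so a check on one axis cannot stand in for the other. `SPLIT_PRECISION`, `MAX_CELLS`, `profile_range` and `alloc_profiles` are hypothetical names and values chosen for illustration.

```c
#include <limits.h>
#include <stdlib.h>

#define SPLIT_PRECISION 0.25   /* constructed value standing in for splitPrecision */
#define MAX_CELLS (1 << 20)    /* hypothetical cap on one profile array's length */

/* floor() for a value already known to fit in int; casting an out-of-range
 * double to int is undefined behaviour, which is why the caller checks first. */
static int floor_int(double q) {
    int i = (int)q;
    return (q < i) ? i - 1 : i;
}

/* Map [lo, hi] to integer cell indices with one cell of slack on each side.
 * Returns 0 and fills loI / n on success, -1 if the range must be rejected. */
int profile_range(double lo, double hi, int *loI, size_t *n) {
    double qlo = lo / SPLIT_PRECISION, qhi = hi / SPLIT_PRECISION;
    /* Written so that NaN is rejected: every comparison with NaN is false. */
    if (!(qlo >= 0.5 * INT_MIN && qhi <= 0.5 * INT_MAX && qlo <= qhi))
        return -1;
    int a = floor_int(qlo) - 1;
    int b = floor_int(qhi) + 1;
    long long cells = (long long)b - a + 1;  /* widen: b - a can exceed INT_MAX */
    if (cells > MAX_CELLS)
        return -1;
    *loI = a;
    *n = (size_t)cells;
    return 0;
}

/* Allocate zeroed per-axis profile arrays; x and y are validated separately. */
int alloc_profiles(double xMin, double xMax, double yMin, double yMax,
                   int **xProfile, int **yProfile) {
    int x0, y0;
    size_t nx, ny;
    *xProfile = *yProfile = NULL;
    if (profile_range(xMin, xMax, &x0, &nx) != 0 ||
        profile_range(yMin, yMax, &y0, &ny) != 0)
        return -1;
    *xProfile = calloc(nx, sizeof(int));
    *yProfile = calloc(ny, sizeof(int));
    if (!*xProfile || !*yProfile) {
        free(*xProfile);
        free(*yProfile);
        *xProfile = *yProfile = NULL;
        return -1;
    }
    return 0;
}
```

A page box with a sane x range and an enormous yMax is rejected here, which is the case a check that tests xMax twice lets through.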