diff --git a/SOURCES/poppler-0.26.5-annotink.patch b/SOURCES/poppler-0.26.5-annotink.patch
new file mode 100644
index 0000000..d91c06f
--- /dev/null
+++ b/SOURCES/poppler-0.26.5-annotink.patch
@@ -0,0 +1,34 @@
+From 942adfc25e7a00ac3cf032ced2d8949e99099f70 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Fri, 25 Sep 2015 00:30:58 +0200
+Subject: [PATCH] Fix crash on AnnotInk::draw for malformed documents
+
+---
+ poppler/Annot.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/poppler/Annot.cc b/poppler/Annot.cc
+index 85a8ac4a..29f3621f 100644
+--- a/poppler/Annot.cc
++++ b/poppler/Annot.cc
+@@ -15,7 +15,7 @@
+ //
+ // Copyright (C) 2006 Scott Turner
+ // Copyright (C) 2007, 2008 Julien Rebetez
+-// Copyright (C) 2007-2013 Albert Astals Cid
++// Copyright (C) 2007-2013, 2015 Albert Astals Cid
+ // Copyright (C) 2007-2013 Carlos Garcia Campos
+ // Copyright (C) 2007, 2008 Iñigo Martínez
+ // Copyright (C) 2007 Jeff Muizelaar
+@@ -6151,7 +6151,7 @@ void AnnotInk::draw(Gfx *gfx, GBool printing) {
+
+ for (int i = 0; i < inkListLength; ++i) {
+ const AnnotPath * path = inkList[i];
+- if (path->getCoordsLength() != 0) {
++ if (path && path->getCoordsLength() != 0) {
+ appearBuf->appendf ("{0:.2f} {1:.2f} m\n", path->getX(0) - rect->x1, path->getY(0) - rect->y1);
+ appearBBox->extendTo (path->getX(0) - rect->x1, path->getY(0) - rect->y1);
+
+--
+2.17.0
+
diff --git a/SOURCES/poppler-0.26.5-infinite-recursion.patch b/SOURCES/poppler-0.26.5-infinite-recursion.patch
new file mode 100644
index 0000000..35b8110
--- /dev/null
+++ b/SOURCES/poppler-0.26.5-infinite-recursion.patch
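Review bot: The added `path &&` test in AnnotInk::draw guards a null `inkList[i]` at this one use site only, and nothing in the hunk records why an entry can be null. The code that fills `inkList` is outside the hunk; if null slots are an expected result of parsing a malformed InkList array, every other reader of `inkList` needs the same guard and should be checked. The invariant is worth stating where it is relied on, e.g. `// inkList[i] may be null when the document's InkList entry was malformed`. draw()'s loop body continues past the end of the hunk.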
@@ -0,0 +1,52 @@
+From 60b4fe65bc9dc9b82bbadf0be2e3781be796a13d Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Tue, 1 May 2018 02:46:17 +0200
+Subject: FoFiType1C::cvtGlyph: Fix infinite recursion on malformed documents
+
+Bugs #104942, #103238
+---
+ fofi/FoFiType1C.cc | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc
+index 03e7799..b14561f 100644
+--- a/fofi/FoFiType1C.cc
++++ b/fofi/FoFiType1C.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2009, 2010 Albert Astals Cid
++// Copyright (C) 2009, 2010, 2017, 2018 Albert Astals Cid
+ // Copyright (C) 2012 Thomas Freitag
+ //
+ // To see a description of the changes please see the Changelog file that
+@@ -32,6 +32,7 @@
+ #include
+ #include "goo/gmem.h"
+ #include "goo/gstrtod.h"
++#include "goo/GooLikely.h"
+ #include "goo/GooString.h"
+ #include "FoFiEncodings.h"
+ #include "FoFiType1C.h"
+@@ -1361,7 +1362,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
+ --nOps;
+ ok = gTrue;
+ getIndexVal(subrIdx, k, &val, &ok);
+- if (ok) {
++ if (likely(ok && val.pos != offset)) {
+ cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
+ }
+ } else {
+@@ -1596,7 +1597,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
+ --nOps;
+ ok = gTrue;
+ getIndexVal(&gsubrIdx, k, &val, &ok);
+- if (ok) {
++ if (likely(ok && val.pos != offset)) {
+ cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
+ }
+ } else {
+--
+cgit v1.1
+
diff --git a/SOURCES/poppler-0.26.5-negative-object-number.patch b/SOURCES/poppler-0.26.5-negative-object-number.patch
new file mode 100644
index 0000000..9cf8200
--- /dev/null
+++ b/SOURCES/poppler-0.26.5-negative-object-number.patch
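Review bot: The new condition `val.pos != offset` at both subroutine call sites (the `subrIdx` one and the `gsubrIdx` one) only stops a subroutine that calls itself at the same offset. A cycle through two or more subroutines, or very deep nesting in a malformed font, still recurses without a bound and can exhaust the stack. A limit that does not depend on the shape of the cycle is safer: count nesting depth and stop at a fixed maximum (the Type 2 charstring format caps subroutine nesting at 10), or track the offsets currently being converted. cvtGlyph starts and ends outside both hunks, so the sketch below introduces new names and shows only the call site.

```cpp
// proposed: subrDepth is a new int member (initially 0), kMaxSubrDepth a new constant
// … unchanged: operand handling before the subroutine call …
getIndexVal(subrIdx, k, &val, &ok);
// refuse direct self-recursion and over-deep nesting in malformed charstrings
if (likely(ok && val.pos != offset && subrDepth < kMaxSubrDepth)) {
  ++subrDepth;
  cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
  --subrDepth;
}
// … same change at the gsubrIdx call site …
```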
@@ -0,0 +1,31 @@
+From 004e3c10df0abda214f0c293f9e269fdd979c5ee Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Wed, 18 Jul 2018 20:31:27 +0200
+Subject: Fix crash when Object has negative number
+
+Spec says object number has to be > 0 and gen has to be >= 0
+
+Reported by email
+
+Modified by Marek Kasik for older release
+
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index 39c9a967..8b0093e3 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -154,9 +154,14 @@ Object Parser::getObj(GBool simpleOnly,
+ num = buf1.getInt();
+ shift();
+ if (buf1.isInt() && buf2.isCmd("R")) {
++ const int gen = buf1.getInt();
+- obj->initRef(num, buf1.getInt());
++ obj->initRef(num, gen);
+ shift();
+ shift();
++
++ if (unlikely(num <= 0 || gen < 0)) {
++ obj->free();
++ }
+ } else {
+ obj->initInt(num);
+ }
diff --git a/SPECS/poppler.spec b/SPECS/poppler.spec
index 089511b..eab104a 100644
--- a/SPECS/poppler.spec
+++ b/SPECS/poppler.spec
@@ -1,7 +1,7 @@
 Summary: PDF rendering library
 Name: poppler
 Version: 0.26.5
-Release: 17%{?dist}
+Release: 20%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 Group: Development/Libraries
 URL: http://poppler.freedesktop.org/
@@ -60,6 +60,15 @@ Patch19: CVE-2017-9776.patch Patch20: CVE-2017-9775-1.patch Patch21: CVE-2017-9775-2.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1588610 +Patch22: poppler-0.26.5-annotink.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1579180 +Patch23: poppler-0.26.5-infinite-recursion.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1602838 +Patch24: poppler-0.26.5-negative-object-number.patch + Requires: poppler-data >= 0.4.0 BuildRequires: automake libtool BuildRequires: gettext-devel
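Review bot: In Parser::getObj the invalid reference is first built with `obj->initRef(num, gen)` and then released with `obj->free()`, so what the caller receives depends on the state `Object::free()` leaves behind, which this hunk does not show. The malformed input is also dropped without any diagnostic. Validating before `initRef` and stating the intended result would make the contract readable here, for example a comment above the check: `// object number must be > 0 and generation >= 0; a malformed reference is discarded so it is never resolved` (wording to be confirmed against `Object::free()`). Keeping both `shift()` calls ahead of the check means the token stream advances past the `R` either way, and that ordering deserves a word in the same comment. getObj begins and ends outside the hunk.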
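Review bot: The comments above Patch22 to Patch24 give only Bugzilla links, while the changelog in this commit ties the same patches to CVE-2018-10768, CVE-2017-18267 and CVE-2018-13988, and earlier entries such as `Patch19: CVE-2017-9776.patch` carry the CVE in the file name. Adding the id to each comment, e.g. `# CVE-2018-13988, https://bugzilla.redhat.com/show_bug.cgi?id=1602838`, lets someone auditing the package confirm coverage without reading the changelog. The Patch24 link (1602838) also differs from the changelog's `Resolves: #1609036` for the same fix; if one is the CVE tracker and the other the release bug, the comment should say which is which.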
@@ -197,6 +206,9 @@ Requires: %{name}%{?_isa} = %{version}-%{release} %patch19 -p1 -b .CVE-2017-9776 %patch20 -p1 -b .CVE-2017-9775-1 %patch21 -p1 -b .CVE-2017-9775-1 +%patch22 -p1 -b .annotink +%patch23 -p1 -b .infinite-recursion +%patch24 -p1 -b .negative-object-number # hammer to nuke rpaths, recheck on new releases autoreconf -i -f @@ -318,8 +330,20 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %changelog -* Fri Aug 18 2016 Caolán McNamara - 0.26.5-17 -- Resolves: rhbz#1482934 CVE-2017-9776 +* Mon Jul 30 2018 Marek Kasik - 0.26.5-20 +- Fix crash when Object has negative number (CVE-2018-13988) +- Resolves: #1609036 + +* Thu Jun 21 2018 Marek Kasik - 0.26.5-19 +- Fix infinite recursion on malformed documents (CVE-2017-18267) +- Resolves: #1579180 + +* Thu Jun 21 2018 Marek Kasik - 0.26.5-18 +- Fix crash inn AnnotInk::draw() (CVE-2018-10768) +- Resolves: #1588610 + +* Thu Aug 18 2016 Caolán McNamara - 0.26.5-17 +- Resolves:rhbz#1482935 CVE-2017-9776 * Wed Mar 9 2016 Martin Hatina - 0.26.5-16 - Fix crash in Splash