diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..434bfae
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/qpdf-7.1.1.tar.gz
diff --git a/.qpdf.metadata b/.qpdf.metadata
new file mode 100644
index 0000000..093631d
--- /dev/null
+++ b/.qpdf.metadata
@@ -0,0 +1 @@
+d2bbc564c0b6abe3c3c939d092870574ab7025c2 SOURCES/qpdf-7.1.1.tar.gz
diff --git a/SOURCES/qpdf-CVE-2018-9918.patch b/SOURCES/qpdf-CVE-2018-9918.patch
new file mode 100644
index 0000000..76f4e21
--- /dev/null
+++ b/SOURCES/qpdf-CVE-2018-9918.patch
@@ -0,0 +1,55 @@
+diff -up qpdf-7.1.1/libqpdf/QPDFObjectHandle.cc.CVE-2018-9918 qpdf-7.1.1/libqpdf/QPDFObjectHandle.cc
+--- qpdf-7.1.1/libqpdf/QPDFObjectHandle.cc.CVE-2018-9918 2018-02-05 00:31:42.000000000 +0100
++++ qpdf-7.1.1/libqpdf/QPDFObjectHandle.cc 2018-04-16 15:35:36.378343714 +0200
+@@ -1054,12 +1054,26 @@ QPDFObjectHandle::parseInternal(PointerH
+
+ case QPDFTokenizer::tt_array_open:
+ case QPDFTokenizer::tt_dict_open:
+- olist_stack.push_back(std::vector());
+- state = st_start;
+- offset_stack.push_back(input->tell());
+- state_stack.push_back(
+- (token.getType() == QPDFTokenizer::tt_array_open) ?
+- st_array : st_dictionary);
++ if (olist_stack.size() > 500)
++ {
++ QTC::TC("qpdf", "QPDFObjectHandle too deep");
++ warn(context,
++ QPDFExc(qpdf_e_damaged_pdf, input->getName(),
++ object_description,
++ input->getLastOffset(),
++ "ignoring excessively deeply nested data structure"));
++ object = newNull();
++ state = st_top;
++ }
++ else
++ {
++ olist_stack.push_back(std::vector());
++ state = st_start;
++ offset_stack.push_back(input->tell());
++ state_stack.push_back(
++ (token.getType() == QPDFTokenizer::tt_array_open) ?
++ st_array : st_dictionary);
++ }
+ break;
+
+ case QPDFTokenizer::tt_bool:
+diff -up qpdf-7.1.1/qpdf/qpdf.testcov.CVE-2018-9918 qpdf-7.1.1/qpdf/qpdf.testcov
+--- qpdf-7.1.1/qpdf/qpdf.testcov.CVE-2018-9918 2018-02-05 00:31:42.000000000 +0100
++++ qpdf-7.1.1/qpdf/qpdf.testcov 2018-04-16 15:35:36.379343705 +0200
+@@ -302,3 +302,4 @@ qpdf-c called qpdf_set_compress_streams
+ qpdf-c called qpdf_set_preserve_unreferenced_objects 0
+ qpdf-c called qpdf_set_newline_before_endstream 0
+ QPDF_Stream TIFF predictor 0
++QPDFObjectHandle too deep 0
+diff -up qpdf-7.1.1/qpdf/qtest/qpdf/issue-146.out.CVE-2018-9918 qpdf-7.1.1/qpdf/qtest/qpdf/issue-146.out
+--- qpdf-7.1.1/qpdf/qtest/qpdf/issue-146.out.CVE-2018-9918 2018-02-05 00:31:42.000000000 +0100
++++ qpdf-7.1.1/qpdf/qtest/qpdf/issue-146.out 2018-04-16 15:53:17.499476948 +0200
+@@ -1,5 +1,5 @@
+ WARNING: issue-146.pdf: file is damaged
+ WARNING: issue-146.pdf: can't find startxref
+ WARNING: issue-146.pdf: Attempting to reconstruct cross-reference table
+-WARNING: issue-146.pdf (trailer, file position 20728): unknown token while reading object; treating as string
+-issue-146.pdf (trailer, file position 20732): EOF while reading token
++WARNING: issue-146.pdf (trailer, file position 695): ignoring excessively deeply nested data structure
++issue-146.pdf: unable to find trailer dictionary while recovering damaged file
diff --git a/SOURCES/qpdf-doc.patch b/SOURCES/qpdf-doc.patch
new file mode 100644
index 0000000..732f8f3
--- /dev/null
+++ b/SOURCES/qpdf-doc.patch
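Review bot: The nesting cap in the `tt_array_open`/`tt_dict_open` case is the bare literal `500`, with nothing saying what it bounds or why that value is safe; I would name it, e.g. `static size_t const max_nesting_depth = 500;`, and add a comment such as `// cap array/dictionary nesting so a crafted PDF cannot drive unbounded depth (CVE-2018-9918)`. On the reject path `state = st_top` is set while `olist_stack`, `state_stack` and `offset_stack` still hold the levels opened so far; how `st_top` disposes of them is outside this hunk, so it is worth confirming that the partially built containers are simply dropped and the caller receives the null object. The spec changelog in this commit describes the CVE as stack exhaustion in both `QPDFObjectHandle` and `QPDF_Dictionary`, and only the parser is touched here, so the fix presumably relies on parsed depth bounding every later recursive walk; a regression test with nesting just under and just over the limit would pin that. `parseInternal` starts and ends outside the hunk.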
@@ -0,0 +1,30 @@
+diff -up qpdf-4.1.0/manual/fix-qdf.1.in.doc qpdf-4.1.0/manual/fix-qdf.1.in
+--- qpdf-4.1.0/manual/fix-qdf.1.in.doc 2013-04-14 21:03:51.000000000 +0200
++++ qpdf-4.1.0/manual/fix-qdf.1.in 2013-05-23 18:12:21.506581935 +0200
+@@ -14,5 +14,4 @@ the same file with stream lengths, cross
+ object stream offset tables regenerated.
+ .PP
+ For details about fix-qdf and about PDF files in QDF mode, please see
+-the qpdf manual, which can be found in @docdir@/qpdf-manual.html or
+-@docdir@/qpdf-manual.pdf.
++the qpdf manual, which can be found in qpdf-doc package.
+diff -up qpdf-4.1.0/manual/qpdf.1.in.doc qpdf-4.1.0/manual/qpdf.1.in
+--- qpdf-4.1.0/manual/qpdf.1.in.doc 2013-04-14 21:03:51.000000000 +0200
++++ qpdf-4.1.0/manual/qpdf.1.in 2013-05-23 18:12:13.723690019 +0200
+@@ -16,4 +16,4 @@ useful primarily to PDF developers.
+ .PP
+ For a summary of qpdf's options, please run
+ \fBqpdf --help\fR. A complete manual can be found in
+-@docdir@/qpdf-manual.html or @docdir@/qpdf-manual.pdf.
++qpdf-doc package.
+diff -up qpdf-4.1.0/manual/zlib-flate.1.in.doc qpdf-4.1.0/manual/zlib-flate.1.in
+--- qpdf-4.1.0/manual/zlib-flate.1.in.doc 2013-04-14 21:03:51.000000000 +0200
++++ qpdf-4.1.0/manual/zlib-flate.1.in 2013-05-23 18:12:07.571775453 +0200
+@@ -21,6 +21,6 @@ This program should not be used as a gen
+ tool. Use something like gzip(1) instead.
+ .PP
+ For details about qpdf, please see the qpdf manual, which can be found
+-in @docdir@/qpdf-manual.html or @docdir@/qpdf-manual.pdf.
++in qpdf-doc package.
+ .SH "SEE ALSO"
+ qpdf(1), gzip(1)
diff --git a/SPECS/qpdf.spec b/SPECS/qpdf.spec
new file mode 100644
index 0000000..513d8e6
--- /dev/null
+++ b/SPECS/qpdf.spec
@@ -0,0 +1,261 @@
+Summary: Command-line tools and library for transforming PDF files
+Name: qpdf
+Version: 7.1.1
+Release: 7%{?dist}
+# MIT: e.g. libqpdf/sha2.c
+# upstream uses ASL 2.0 now, but he allowed others to distribute qpdf under
+# old license (see README)
+License: (Artistic 2.0 or ASL 2.0) and MIT
+URL: http://qpdf.sourceforge.net/
+Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.gz
+
+Patch0: qpdf-doc.patch
+Patch1: qpdf-CVE-2018-9918.patch
+
+# gcc and gcc-c++ are no longer in buildroot by default
+# gcc is needed for qpdf-ctest.c
+BuildRequires: gcc
+# gcc-c++ is need for everything except for qpdf-ctest
+BuildRequires: gcc-c++
+
+BuildRequires: zlib-devel
+BuildRequires: libjpeg-turbo-devel
+BuildRequires: pcre-devel
+
+# for fix-qdf and test suite
+BuildRequires: perl-interpreter
+BuildRequires: perl-generators
+BuildRequires: perl(Digest::MD5)
+
+# for autoreconf
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+
+Requires: qpdf-libs%{?_isa} = %{version}-%{release}
+
+%package libs
+Summary: QPDF library for transforming PDF files
+
+%package devel
+Summary: Development files for QPDF library
+Requires: qpdf-libs%{?_isa} = %{version}-%{release}
+
+%package doc
+Summary: QPDF Manual
+BuildArch: noarch
+Requires: qpdf-libs = %{version}-%{release}
+
+%description
+QPDF is a command-line program that does structural, content-preserving
+transformations on PDF files. It could have been called something
+like pdf-to-pdf. It includes support for merging and splitting PDFs
+and to manipulate the list of pages in a PDF file. It is not a PDF viewer
+or a program capable of converting PDF into other formats.
+
+%description libs
+QPDF is a C++ library that inspect and manipulate the structure of PDF files.
+It can encrypt and linearize files, expose the internals of a PDF file,
+and do many other operations useful to PDF developers.
+
+%description devel
+Header files and libraries necessary
+for developing programs using the QPDF library.
+
+%description doc
+QPDF Manual
+
+%prep
+%setup -q
+
+# fix 'complete manual location' note in man pages
+%patch0 -p1 -b .doc
+# CVE-2018-9918 qpdf: stack exhaustion in QPDFObjectHandle and QPDF_Dictionary classes in libqpdf.a [fedora-all]
+%patch1 -p1 -b .CVE-2018-9918
+
+sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf
+
+%build
+# work-around check-rpaths errors
+autoreconf --verbose --force --install
+
+%configure --disable-static \
+ --enable-show-failed-test-output
+
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot}
+
+rm -f %{buildroot}%{_libdir}/libqpdf.la
+
+%check
+make check
+
+%post libs -p /sbin/ldconfig
+
+%postun libs -p /sbin/ldconfig
+
+%files
+%{_bindir}/fix-qdf
+%{_bindir}/qpdf
+%{_bindir}/zlib-flate
+%{_mandir}/man1/*
+
+%files libs
+%doc README.md TODO ChangeLog
+%license Artistic-2.0
+%{_libdir}/libqpdf*.so.*
+
+%files devel
+%doc examples/*.cc examples/*.c
+%{_includedir}/*
+%{_libdir}/libqpdf*.so
+%{_libdir}/pkgconfig/libqpdf.pc
+
+%files doc
+%{_pkgdocdir}
+
+
+%changelog
+* Tue Jul 24 2018 Zdenek Dohnal - 7.1.1-7
+- correcting license
+
+* Wed Jul 11 2018 Zdenek Dohnal - 7.1.1-6
+- ship license in correct tag, mention optional change of license
+
+* Mon Apr 16 2018 Zdenek Dohnal - 7.1.1-5
+- CVE-2018-9918 qpdf: stack exhaustion in QPDFObjectHandle and QPDF_Dictionary classes in libqpdf.a [fedora-all]
+
+* Mon Feb 19 2018 Zdenek Dohnal - 7.1.1-4
+- gcc and gcc-c++ are no longer in buildroot by default
+
+* Fri Feb 09 2018 Fedora Release Engineering - 7.1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Feb 08 2018 Zdenek Dohnal - 7.1.1-2
+- remove old stuff
+
+* Mon Feb 05 2018 Zdenek Dohnal - 7.1.1-1
+- rebase to 7.1.1
+
+* Tue Sep 19 2017 Zdenek Dohnal - 7.0.0-1
+- rebase to 7.0.0
+
+* Fri Aug 11 2017 Zdenek Dohnal - 6.0.0-10
+- adding patches for CVE back (cups-filters needed to rebuild)
+
+* Mon Aug 07 2017 Zdenek Dohnal - 6.0.0-9
+- removing patches for CVEs, because they break other things now
+
+* Thu Aug 03 2017 Zdenek Dohnal - 6.0.0-8
+- 1477213 - Detect recursions loop resolving objects
+- 1454820 - CVE-2017-9208
+- 1454820 - CVE-2017-9209
+- 1454820 - CVE-2017-9210
+
+* Thu Aug 03 2017 Fedora Release Engineering - 6.0.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 6.0.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon May 15 2017 Fedora Release Engineering - 6.0.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 6.0.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Aug 03 2016 Jiri Popelka - 6.0.0-3
+- %%{_defaultdocdir}/qpdf/ -> %%{_pkgdocdir}
+
+* Thu Feb 04 2016 Fedora Release Engineering - 6.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Nov 11 2015 Jiri Popelka - 6.0.0-1
+- 6.0.0
+
+* Mon Nov 09 2015 Jiri Popelka - 5.2.0-1
+- 5.2.0
+
+* Thu Jun 18 2015 Fedora Release Engineering - 5.1.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon May 25 2015 Jiri Popelka - 5.1.3
+- New upstream release 5.1.3
+
+* Tue Apr 14 2015 Jiri Popelka - 5.1.2-5
+- rebuilt
+
+* Mon Feb 16 2015 Jiri Popelka - 5.1.2-4
+- rebuilt
+
+* Sun Aug 17 2014 Fedora Release Engineering - 5.1.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Aug 15 2014 Jiri Popelka - 5.1.2-2
+- Use %%_defaultdocdir instead of %%doc
+
+* Mon Jun 09 2014 Jiri Popelka - 5.1.2-1
+- 5.1.2
+
+* Sun Jun 08 2014 Fedora Release Engineering - 5.1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed Jan 15 2014 Jiri Popelka - 5.1.1-1
+- 5.1.1
+
+* Wed Dec 18 2013 Jiri Popelka - 5.1.0-1
+- 5.1.0
+
+* Mon Oct 21 2013 Jiri Popelka - 5.0.1-1
+- 5.0.1
+
+* Sat Aug 03 2013 Petr Pisar - 5.0.0-4
+- Perl 5.18 rebuild
+
+* Mon Jul 22 2013 Jiri Popelka - 5.0.0-3
+- change shebang to absolute path (#987040)
+
+* Wed Jul 17 2013 Petr Pisar - 5.0.0-2
+- Perl 5.18 rebuild
+
+* Thu Jul 11 2013 Jiri Popelka - 5.0.0-1
+- 5.0.0
+
+* Mon Jul 08 2013 Jiri Popelka - 4.2.0-1
+- 4.2.0
+
+* Thu May 23 2013 Jiri Popelka - 4.1.0-3
+- fix 'complete manual location' note in man pages (#966534)
+
+* Tue May 07 2013 Jiri Popelka - 4.1.0-2
+- some source files are under MIT license
+
+* Mon Apr 15 2013 Jiri Popelka - 4.1.0-1
+- 4.1.0
+
+* Tue Mar 05 2013 Jiri Popelka - 4.0.1-3
+- work around gcc 4.8.0 issue on ppc64 (#915321)
+- properly handle overridden compressed objects
+
+* Thu Feb 14 2013 Fedora Release Engineering - 4.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jan 18 2013 Jiri Popelka 4.0.1-1
+- 4.0.1
+
+* Wed Jan 02 2013 Jiri Popelka 4.0.0-1
+- 4.0.0
+
+* Fri Sep 07 2012 Jiri Popelka 3.0.2-1
+- 3.0.2
+
+* Thu Aug 16 2012 Jiri Popelka 3.0.1-3
+- the previously added requirement doesn't need to be arch-specific
+
+* Thu Aug 16 2012 Jiri Popelka 3.0.1-2
+- doc subpackage requires libs subpackage due to license file (#848466)
+
+* Wed Aug 15 2012 Jiri Popelka 3.0.1-1
+- initial spec file
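Review bot: `Source0` and `URL` use plain `http://` SourceForge addresses and `%prep` goes straight to `%setup -q`, so the only integrity pin on the tarball visible in this commit is the 40-hex-digit (SHA-1-length) digest in `.qpdf.metadata`. I would switch both addresses to `https://` and, if upstream publishes a detached signature for the release (not visible here), carry it and the signing key as additional `Source` entries and verify them in `%prep` before `%setup`. Separately, the comment `# work-around check-rpaths errors` above `autoreconf` does not say which error is being worked around; one line naming it would help whoever next rebases the package.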