diff --git a/CVE-2019-15142.patch b/CVE-2019-15142.patch deleted file mode 100644 index c3cb020..0000000 --- a/CVE-2019-15142.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 970fb11a296b5bbdc5e8425851253d2c5913c45e Mon Sep 17 00:00:00 2001 -From: Leon Bottou -Date: Tue, 26 Mar 2019 20:36:31 -0400 -Subject: [PATCH] Fix bug#296 - ---- - libdjvu/DjVmDir.cpp | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp -index 153e3c7..5834da6 100644 ---- a/libdjvu/DjVmDir.cpp -+++ b/libdjvu/DjVmDir.cpp -@@ -300,6 +300,9 @@ DjVmDir::decode(const GP &gstr) - memcpy((char*) strings+strings_size, buffer, length); - } - DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); -+ int strings_size=strings.size(); -+ strings.resize(strings_size+3); -+ memset((char*) strings+strings_size, 0, 4); - - // Copy names into the files - const char * ptr=strings; -@@ -307,6 +310,8 @@ DjVmDir::decode(const GP &gstr) - { - GP file=files_list[pos]; - -+ if (ptr >= (const char*)strings + strings_size) -+ G_THROW( "DjVu document is corrupted (DjVmDir)" ); - file->id=ptr; - ptr+=file->id.length()+1; - if (file->flags & File::HAS_NAME) --- -2.23.0 - diff --git a/CVE-2019-15143.patch b/CVE-2019-15143.patch deleted file mode 100644 index 015dd8f..0000000 --- a/CVE-2019-15143.patch +++ /dev/null @@ -1,46 +0,0 @@ -From b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f Mon Sep 17 00:00:00 2001 -From: Leon Bottou -Date: Tue, 26 Mar 2019 20:45:46 -0400 -Subject: [PATCH] fix for bug #297 - ---- - libdjvu/DjVmDir.cpp | 2 +- - libdjvu/GBitmap.cpp | 6 ++++-- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp -index 0a0fac6..5a49015 100644 ---- a/libdjvu/DjVmDir.cpp -+++ b/libdjvu/DjVmDir.cpp -@@ -309,7 +309,7 @@ DjVmDir::decode(const GP &gstr) - GP file=files_list[pos]; - - if (ptr >= (const char*)strings + strings_size) -- G_THROW( "DjVu document is corrupted (DjVmDir)" ); -+ G_THROW( ByteStream::EndOfFile ); - file->id=ptr; - ptr+=file->id.length()+1; - if (file->flags & File::HAS_NAME) -diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp -index 0e487f0..c2fdbe4 100644 ---- a/libdjvu/GBitmap.cpp -+++ b/libdjvu/GBitmap.cpp -@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs) - int c = 0; - while (n >= 0) - { -- bs.read(&h, 1); -+ if (bs.read(&h, 1) <= 0) -+ G_THROW( ByteStream::EndOfFile ); - int x = h; - if (x >= (int)RUNOVERFLOWVALUE) - { -- bs.read(&h, 1); -+ if (bs.read(&h, 1) <= 0) -+ G_THROW( ByteStream::EndOfFile ); - x = h + ((x - (int)RUNOVERFLOWVALUE) << 8); - } - if (c+x > ncolumns) --- -2.23.0 - diff --git a/CVE-2019-15144.patch b/CVE-2019-15144.patch deleted file mode 100644 index 6798076..0000000 --- a/CVE-2019-15144.patch +++ /dev/null @@ -1,111 +0,0 @@ -From e15d51510048927f172f1bf1f27ede65907d940d Mon Sep 17 00:00:00 2001 -From: Leon Bottou -Date: Mon, 8 Apr 2019 22:25:55 -0400 -Subject: bug 299 fixed - - -diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h -index 96b067c..0140211 100644 ---- a/libdjvu/GContainer.h -+++ b/libdjvu/GContainer.h -@@ -550,52 +550,61 @@ public: - template void - GArrayTemplate::sort(int lo, int hi) - { -- if (hi <= lo) -- return; -- if (hi > hibound || lo hibound || lo=lo) && !(data[j]<=tmp)) -- data[j+1] = data[j]; -- data[j+1] = tmp; -+ for (int i=lo+1; i<=hi; i++) -+ { -+ int j = i; -+ TYPE tmp = data[i]; -+ while ((--j>=lo) && !(data[j]<=tmp)) -+ data[j+1] = data[j]; -+ data[j+1] = tmp; -+ } -+ return; - } -- return; -- } -- // -- determine suitable quick-sort pivot -- TYPE tmp = data[lo]; -- TYPE pivot = data[(lo+hi)/2]; -- if (pivot <= tmp) -- { tmp = pivot; pivot=data[lo]; } -- if (data[hi] <= tmp) -- { pivot = tmp; } -- else if (data[hi] <= pivot) -- { pivot = data[hi]; } -- // -- partition set -- int h = hi; -- int l = lo; -- while (l < h) -- { -- while (! (pivot <= data[l])) l++; -- while (! (data[h] <= pivot)) h--; -- if (l < h) -+ // -- determine median-of-three pivot -+ TYPE tmp = data[lo]; -+ TYPE pivot = data[(lo+hi)/2]; -+ if (pivot <= tmp) -+ { tmp = pivot; pivot=data[lo]; } -+ if (data[hi] <= tmp) -+ { pivot = tmp; } -+ else if (data[hi] <= pivot) -+ { pivot = data[hi]; } -+ // -- partition set -+ int h = hi; -+ int l = lo; -+ while (l < h) - { -- tmp = data[l]; -- data[l] = data[h]; -- data[h] = tmp; -- l = l+1; -- h = h-1; -+ while (! (pivot <= data[l])) l++; -+ while (! (data[h] <= pivot)) h--; -+ if (l < h) -+ { -+ tmp = data[l]; -+ data[l] = data[h]; -+ data[h] = tmp; -+ l = l+1; -+ h = h-1; -+ } -+ } -+ // -- recurse, small partition first -+ // tail-recursion elimination -+ if (h - lo <= hi - l) { -+ sort(lo,h); -+ lo = l; // sort(l,hi) -+ } else { -+ sort(l,hi); -+ hi = h; // sort(lo,h) - } - } -- // -- recursively restart -- sort(lo, h); -- sort(l, hi); - } - - template inline TYPE& diff --git a/CVE-2019-15145.patch b/CVE-2019-15145.patch deleted file mode 100644 index 144c8eb..0000000 --- a/CVE-2019-15145.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 9658b01431cd7ff6344d7787f855179e73fe81a7 Mon Sep 17 00:00:00 2001 -From: Leon Bottou -Date: Mon, 8 Apr 2019 22:55:38 -0400 -Subject: fix bug #298 - -diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h -index e8e0c9b..ca89a19 100644 ---- a/libdjvu/GBitmap.h -+++ b/libdjvu/GBitmap.h -@@ -566,7 +566,7 @@ GBitmap::operator[](int row) - { - if (!bytes) - uncompress(); -- if (row<0 || row>=nrows) { -+ if (row<0 || row>=nrows || !bytes) { - #ifndef NDEBUG - if (zerosize < bytes_per_row + border) - G_THROW( ERR_MSG("GBitmap.zero_small") ); -@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const - { - if (!bytes) - ((GBitmap*)this)->uncompress(); -- if (row<0 || row>=nrows) { -+ if (row<0 || row>=nrows || !bytes) { - #ifndef NDEBUG - if (zerosize < bytes_per_row + border) - G_THROW( ERR_MSG("GBitmap.zero_small") ); diff --git a/CVE-2019-18804.patch b/CVE-2019-18804.patch deleted file mode 100644 index a881a21..0000000 --- a/CVE-2019-18804.patch +++ /dev/null @@ -1,36 +0,0 @@ -From c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 Mon Sep 17 00:00:00 2001 -From: Leon Bottou -Date: Thu, 17 Oct 2019 22:20:31 -0400 -Subject: [PATCH 1/2] Fixed bug 309 - ---- - libdjvu/IW44EncodeCodec.cpp | 2 +- - tools/ddjvu.cpp| 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp -index 00752a0..f81eaeb 100644 ---- a/libdjvu/IW44EncodeCodec.cpp -+++ b/libdjvu/IW44EncodeCodec.cpp -@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale) - int y = 0; - int s = scale*rowsize; - int s3 = s+s+s; -- h = ((h-1)/scale)+1; -+ h = (h>0) ? ((h-1)/scale)+1 : 0; - y += 1; - p += s; - while (y-3 < h) -diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp -index 6d0df3b..7109952 100644 ---- a/tools/ddjvu.cpp -+++ b/tools/ddjvu.cpp -@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno) - prect.h = (ih * 100) / dpi; - } - /* Process aspect ratio */ -- if (flag_aspect <= 0) -+ if (flag_aspect <= 0 && iw>0 && ih>0) - { - double dw = (double)iw / prect.w; - double dh = (double)ih / prect.h; diff --git a/CVE-2021-3630.patch b/CVE-2021-3630.patch deleted file mode 100644 index 2bcefb8..0000000 --- a/CVE-2021-3630.patch +++ /dev/null @@ -1,30 +0,0 @@ -From a613ff8a73585b55359e9b7128b4a30665b1f191 Mon Sep 17 00:00:00 2001 -Author: Leon Bottou -Date: Thu Jun 27 18:38:03 2019 -0400 - ---- - libdjvu/GString.cpp | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/libdjvu/GString.cpp b/libdjvu/GString.cpp -index 181c0b2..f71e6b3 100644 ---- a/libdjvu/GString.cpp -+++ b/libdjvu/GString.cpp -@@ -1212,11 +1212,11 @@ GP - GStringRep::getbuf(int n) const - { - GP retval; -- if(n< 0) -+ if(n < 0) - n=strlen(data); -- if(n>0) -+ if(n >= 0) - { -- retval=blank(n); -+ retval=blank((n>0) ? n : 1); - char *ndata=retval->data; - strncpy(ndata,data,n); - ndata[n]=0; --- -2.23.0 - diff --git a/djvulibre-3.5.27.tar.gz b/djvulibre-3.5.27.tar.gz deleted file mode 100644 index 612e05e..0000000 Binary files a/djvulibre-3.5.27.tar.gz and /dev/null differ diff --git a/djvulibre-3.5.28.tar.gz b/djvulibre-3.5.28.tar.gz new file mode 100644 index 0000000..d4e5136 Binary files /dev/null and b/djvulibre-3.5.28.tar.gz differ diff --git a/djvulibre.spec b/djvulibre.spec index edf7b99..6e33dd2 100644 --- a/djvulibre.spec +++ b/djvulibre.spec @@ -1,25 +1,18 @@ Name: djvulibre Summary: An open source (GPL'ed) implementation of DjVu -Version: 3.5.27 -Release: 19 +Version: 3.5.28 +Release: 1 License: GPLv2+ URL: http://djvu.sourceforge.net/ Source0: http://downloads.sourceforge.net/djvu/djvulibre-%{version}.tar.gz Patch0: djvulibre-3.5.22-cdefs.patch -Patch1: CVE-2019-15142.patch -Patch2: CVE-2019-15143.patch -Patch3: CVE-2019-15144.patch -Patch4: CVE-2019-15145.patch -Patch5: CVE-2019-18804.patch -Patch6: update-any2djvu-server-hostname.patch -Patch7: CVE-2021-32490.patch -Patch8: CVE-2021-32491.patch -Patch9: CVE-2021-32492.patch -Patch10: CVE-2021-32493.patch -Patch11: CVE-2021-3500.patch -Patch12: CVE-2021-3630.patch -Patch13: CVE-2021-46310.patch -Patch14: CVE-2021-46312.patch +Patch1: CVE-2021-32490.patch +Patch2: CVE-2021-32491.patch +Patch3: CVE-2021-32492.patch +Patch4: CVE-2021-32493.patch +Patch5: CVE-2021-3500.patch +Patch6: CVE-2021-46310.patch +Patch7: CVE-2021-46312.patch Requires(post): xdg-utils Requires(preun): xdg-utils @@ -103,6 +96,9 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || : %{_mandir}/man1/* %changelog +* Mon Oct 16 2023 chenyaqiang - 3.5.28-1 +- Update to 3.5.28 + * Wed Sep 13 2023 wangkai <13474090681@163.com> - 3.5.27-19 - Fix CVE-2021-46310,CVE-2021-46312 diff --git a/update-any2djvu-server-hostname.patch b/update-any2djvu-server-hostname.patch deleted file mode 100644 index d0c5da2..0000000 --- a/update-any2djvu-server-hostname.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 24380c9940078e2eab4e73c859885a015bfcd93a Mon Sep 17 00:00:00 2001 -From: "Barak A. Pearlmutter" -Date: Thu, 3 Nov 2016 10:52:47 +0000 -Subject: [PATCH] update any2djvu server hostname - -Thanks to Dylan Thurston for the report, -see https://bugs.debian.org/843009 - -Also update example URL. ---- - tools/any2djvu | 4 ++-- - tools/any2djvu.1 | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tools/any2djvu b/tools/any2djvu -index 1ad64c8..581766a 100755 ---- a/tools/any2djvu -+++ b/tools/any2djvu -@@ -28,7 +28,7 @@ function disclaimer() - # TO DO: - # - error handling - --rurl="http://any2djvu.djvuzone.org" -+rurl="http://any2djvu.djvu.org" - rcgi="any2djvu.php" - res=400 - ocr=1 -@@ -83,7 +83,7 @@ function usage() - echo "Examples:" - echo " cd ~bap/public_html/foo" - echo " # uploads from web-accessible directory" -- echo " any2djvu http://www.bcl.hamilton.ie/~barak/papers mesh-preprint.ps.gz" -+ echo " any2djvu http://barak.pearlmutter.net/papers mesh-preprint.ps.gz" - echo " any2djvu http://www.inference.phy.cam.ac.uk/mackay *.ps.gz bar.pdf" - echo " # uploads from current directory" - echo " any2djvu b*.pdf" -diff --git a/tools/any2djvu.1 b/tools/any2djvu.1 -index 5ab8422..ccfe03f 100644 ---- a/tools/any2djvu.1 -+++ b/tools/any2djvu.1 -@@ -14,7 +14,7 @@ Invoke with \-h switch for usage information. - Non-empty value of DJVU_ONLINE_ACK acknowledges transmission of the - documents to the server (so that no warning dialog is displayed). - .SH EXAMPLES --any2djvu http://www.bcl.hamilton.ie/~barak/papers mesh-preprint.ps.gz -+any2djvu http://barak.pearlmutter.net/papers mesh-preprint.ps.gz - .PP - any2djvu localfile.pdf - .SH AUTHORS