From f9803c1fd2ce8518ed4560161bdfdd8e028d585c Mon Sep 17 00:00:00 2001
From: zhanglu
Date: Mon, 20 Jan 2020 11:12:00 +0800
Subject: [PATCH] fix cves
---
CVE-2018-19058.patch | 28 +++++++++++++++++++++++++++
CVE-2018-19059.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
CVE-2018-20650.patch | 35 +++++++++++++++++++++++++++++++++
CVE-2019-11026.patch | 35 +++++++++++++++++++++++++++++++++
poppler.spec | 13 ++++++++++++-
5 files changed, 156 insertions(+), 1 deletion(-)
create mode 100644 CVE-2018-19058.patch
create mode 100644 CVE-2018-19059.patch
create mode 100644 CVE-2018-20650.patch
create mode 100644 CVE-2019-11026.patch
diff --git a/CVE-2018-19058.patch b/CVE-2018-19058.patch
new file mode 100644
index 0000000..3576278
--- /dev/null
+++ b/CVE-2018-19058.patch
@@ -0,0 +1,28 @@
+From 6912e06d9ab19ba28991b5cab3319d61d856bd6d Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Tue, 6 Nov 2018 09:00:02 +0100
+Subject: [PATCH] Check for stream before calling stream methods when saving an
+ embedded file.
+
+Closes #659
+---
+ poppler/FileSpec.cc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/poppler/FileSpec.cc b/poppler/FileSpec.cc
+index 7479c2d2..d5543041 100644
+--- a/poppler/FileSpec.cc
++++ b/poppler/FileSpec.cc
+@@ -93,6 +93,9 @@ bool EmbFile::save(const char *path) {
+ GBool EmbFile::save2(FILE *f) {
+ int c;
+
++ if (unlikely(!m_objStr.isStream()))
++ return false;
++
+ m_objStr.streamReset();
+ while ((c = m_objStr.streamGetChar()) != EOF) {
+ fputc(c, f);
+--
+2.24.1
+
diff --git a/CVE-2018-19059.patch b/CVE-2018-19059.patch
new file mode 100644
index 0000000..0c3d0d6
--- /dev/null
+++ b/CVE-2018-19059.patch
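Review bot: The early return added to `EmbFile::save2` is written `return false;` although the context line declares the function as `GBool`, and the hunk header still names `bool EmbFile::save(...)`, so the patch text appears to come from a tree whose types differ from the 0.67.0 sources it is applied to. If this tree still uses the `gTrue`/`gFalse` spelling, `return gFalse;` keeps the function consistent with its declaration. The hunk adds no include, so it is worth confirming that `unlikely` is already visible in FileSpec.cc. A one-line comment such as `// m_objStr comes from the document and may not be a stream` would record why the guard is there. The body of save2 continues past the end of the hunk.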
@@ -0,0 +1,46 @@
+From 77a30e94d96220d7e22dff5b3f0a7f296f01b118 Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Tue, 6 Nov 2018 09:13:41 +0100
+Subject: [PATCH] pdfdetach: Check for valid embedded file before trying to
+ save it.
+
+Closes #661
+---
+ utils/pdfdetach.cc | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/utils/pdfdetach.cc b/utils/pdfdetach.cc
+index 846584a4..a8720c64 100644
+--- a/utils/pdfdetach.cc
++++ b/utils/pdfdetach.cc
+@@ -250,7 +250,12 @@ int main(int argc, char *argv[]) {
+ }
+ *p = '\0';
+
+- if (!fileSpec->getEmbeddedFile()->save(path)) {
++ auto *embFile = fileSpec->getEmbeddedFile();
++ if (!embFile || !embFile->isOk()) {
++ exitCode = 3;
++ goto err2;
++ }
++ if (!embFile->save(path)) {
+ error(errIO, -1, "Error saving embedded file as '{0:s}'", p);
+ exitCode = 2;
+ goto err2;
+@@ -295,7 +300,12 @@ int main(int argc, char *argv[]) {
+ p = path;
+ }
+
+- if (!fileSpec->getEmbeddedFile()->save(p)) {
++ auto *embFile = fileSpec->getEmbeddedFile();
++ if (!embFile || !embFile->isOk()) {
++ exitCode = 3;
++ goto err2;
++ }
++ if (!embFile->save(p)) {
+ error(errIO, -1, "Error saving embedded file as '{0:s}'", p);
+ exitCode = 2;
+ goto err2;
+--
+2.24.1
+
diff --git a/CVE-2018-20650.patch b/CVE-2018-20650.patch
new file mode 100644
index 0000000..d527dc9
--- /dev/null
+++ b/CVE-2018-20650.patch
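Review bot: The new `!embFile || !embFile->isOk()` branch sets `exitCode = 3` and jumps to `err2` without printing anything, while the save failure directly below it reports through `error(errIO, ...)`; someone running pdfdetach on a malformed attachment gets no message saying why nothing was written. A diagnostic before the jump would close that gap, for example `error(errSyntaxError, -1, "Invalid embedded file");`. The identical six-line block is repeated in the second inner hunk (at -295), so the same applies there, and the two copies could share one small helper. Exit status 3 is new in these lines and should be documented wherever the tool's exit codes are listed. `main` starts and ends outside both hunks, so whether `fileSpec` itself is validated before `getEmbeddedFile()` is called cannot be seen here.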
@@ -0,0 +1,35 @@
+From de0c0b8324e776f0b851485e0fc9622fc35695b7 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Sat, 29 Dec 2018 01:25:17 +0100
+Subject: [PATCH] FileSpec: Move the fileSpec.dictLookup call inside
+ fileSpec.isDict if
+
+Fixes #704
+---
+ poppler/FileSpec.cc | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/poppler/FileSpec.cc b/poppler/FileSpec.cc
+index 8a8b9e7e..7c12da63 100644
+--- a/poppler/FileSpec.cc
++++ b/poppler/FileSpec.cc
+@@ -132,11 +132,12 @@ FileSpec::FileSpec(const Object *fileSpecA)
+ return;
+ }
+ }
+- }
+
+- obj1 = fileSpec.dictLookup("Desc");
+- if (obj1.isString())
+- desc = obj1.getString()->copy();
++ obj1 = fileSpec.dictLookup("Desc");
++ if (obj1.isString()) {
++ desc = obj1.getString()->copy();
++ }
++ }
+ }
+
+ FileSpec::~FileSpec()
+--
+2.24.1
+
diff --git a/CVE-2019-11026.patch b/CVE-2019-11026.patch
new file mode 100644
index 0000000..e7f7da3
--- /dev/null
+++ b/CVE-2019-11026.patch
@@ -0,0 +1,35 @@
+From 8051f678b3b43326e5fdfd7c03f39de21059f426 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Fri, 5 Apr 2019 16:34:48 +0200
+Subject: [PATCH] FontInfoScanner::scanFonts Fix infinite loop in broken files
+
+Fixes #752
+---
+ poppler/FontInfo.cc | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/poppler/FontInfo.cc b/poppler/FontInfo.cc
+index 2c3be4c6..cd335771 100644
+--- a/poppler/FontInfo.cc
++++ b/poppler/FontInfo.cc
+@@ -144,7 +144,17 @@ void FontInfoScanner::scanFonts(XRef *xrefA, Dict *resDict, std::vectorlookup("Resources");
++ Ref resourcesRef;
++ const Object resObj = obj2.streamGetDict()->lookup("Resources");
++
++ if (resourcesRef.num != -1) {
++ if (visitedObjects.find(resourcesRef.num) != visitedObjects.end()) {
++ continue;
++ }
++
++ visitedObjects.insert(resourcesRef.num);
++ }
++
+ if (resObj.isDict() && resObj.getDict() != resDict) {
+ scanFonts(xrefA, resObj.getDict(), fontsList);
+ }
+--
+2.20.1
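Review bot: Nothing in the moved block of CVE-2018-20650.patch records why the `Desc` lookup has to sit inside the `fileSpec.isDict()` branch, so a later cleanup could hoist it back out and reintroduce the issue this patch fixes. A short comment above the lookup would do, for example `// dictLookup() is only valid when fileSpec is a dict`. The constructor starts above the hunk and the enclosing `isDict()` test is not among the visible lines; the placement is inferred from the commit subject.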
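Review bot: In CVE-2019-11026.patch, `resourcesRef` is declared with `Ref resourcesRef;` and tested on the next statement, but none of the added lines assigns it: the `lookup("Resources")` call shown takes only the key. Unless `Ref` has a default initialiser in this tree, `resourcesRef.num` is indeterminate, so the visited-object check either never fires (and the infinite loop remains reachable) or skips resource dictionaries unpredictably. One way to fill it in without a newer `lookup` overload is `const Object resNF = obj2.streamGetDict()->lookupNF("Resources");` followed by `Ref resourcesRef = { -1, -1 }; if (resNF.isRef()) resourcesRef = resNF.getRef();`, to be checked against the 0.67.0 `Dict`/`Object` API. `visitedObjects` is not declared anywhere in this hunk either, so confirm the member exists in this version. Part of the hunk is damaged on the page (the hunk header and the removed line run together), so this reading rests on the added lines only.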
diff --git a/poppler.spec b/poppler.spec index 9393471..d90630e 100644 --- a/poppler.spec +++ b/poppler.spec @@ -3,7 +3,7 @@ Name: poppler Version: 0.67.0 -Release: 3 +Release: 4 Summary: Poppler is a PDF rendering library based on the xpdf-3.0 code base License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: https://poppler.freedesktop.org/ @@ -25,6 +25,11 @@ Patch6004: CVE-2019-9903.patch Patch6005: CVE-2019-9631-1.patch Patch6006: CVE-2019-9631-2.patch Patch6007: CVE-2019-9959.patch +Patch6008: CVE-2019-11026.patch +Patch6009: CVE-2018-19058.patch +Patch6010: CVE-2018-19059.patch +Patch6011: CVE-2018-20650.patch + BuildRequires: cmake gcc-c++ gettext-devel qt5-qtbase-devel qt-devel cairo-devel fontconfig-devel BuildRequires: freetype-devel gdk-pixbuf2-devel glib2-devel gobject-introspection-devel gtk3-devel @@ -233,6 +238,12 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %{_mandir}/man1/* %changelog +* Mon Jan 20 2020 openEuler Buildteam - 0.67.0-4 +- Type:cve +- Id:NA +- SUG:NA +- DESC:fix cves + * Mon Oct 14 2019 openEuler Buildteam - 0.67.0-3 - Type:enhancement - Id:NA