From 4fc43e752b70f8a9ed60a83214c5207da9eff84c Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Wed, 13 Mar 2019 23:29:29 +0100 Subject: [PATCH] Backport security fixes: CVE-2019-9199, CVE-2019-9687 --- podofo-0.9.4-freetype.patch | 2 +- podofo.spec | 11 ++++++- podofo_CVE-2018-11254.patch | 8 +++--- podofo_CVE-2018-11255.patch | 2 +- podofo_CVE-2018-11256.patch | 2 +- podofo_CVE-2018-12982.patch | 4 +-- podofo_CVE-2018-14320.patch | 4 +-- podofo_CVE-2018-19532.patch | 2 +- podofo_CVE-2018-20751.patch | 2 +- podofo_CVE-2018-5783.patch | 6 ++-- podofo_CVE-2019-9199.patch | 17 +++++++++++ podofo_CVE-2019-9687.patch | 57 +++++++++++++++++++++++++++++++++++++ podofo_tests.patch | 2 +- 13 files changed, 101 insertions(+), 18 deletions(-) create mode 100644 podofo_CVE-2019-9199.patch create mode 100644 podofo_CVE-2019-9687.patch diff --git a/podofo-0.9.4-freetype.patch b/podofo-0.9.4-freetype.patch index 829b47d..a696eeb 100644 --- a/podofo-0.9.4-freetype.patch +++ b/podofo-0.9.4-freetype.patch @@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/CMakeLists.txt podofo-0.9.6-new/CMakeLists.txt --- podofo-0.9.6/CMakeLists.txt 2018-07-08 12:33:27.000000000 +0200 -+++ podofo-0.9.6-new/CMakeLists.txt 2018-12-19 22:42:36.833111799 +0100 ++++ podofo-0.9.6-new/CMakeLists.txt 2019-03-13 23:15:12.088138762 +0100 @@ -398,8 +398,8 @@ ENDIF(NOT PODOFO_BUILD_LIB_ONLY) FIND_PACKAGE(OpenSSL) diff --git a/podofo.spec b/podofo.spec index d4e7e32..f44f669 100644 --- a/podofo.spec +++ b/podofo.spec @@ -1,6 +1,6 @@ Name: podofo Version: 0.9.6 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Tools and libraries to work with the PDF file format # The library is licensed under the LGPL. 
@@ -38,6 +38,12 @@ Patch16: podofo_CVE-2018-19532.patch # Backport patch for CVE-2018-20751 # https://sourceforge.net/p/podofo/code/1954 Patch17: podofo_CVE-2018-20751.patch +# Backport patch for CVE-2019-9199 +# https://sourceforge.net/p/podofo/code/1971/ +Patch18: podofo_CVE-2019-9199.patch +# Backport patch for CVE-2019-9687 +# https://sourceforge.net/p/podofo/code/1969 +Patch19: podofo_CVE-2019-9687.patch BuildRequires: gcc-c++ %if %{?el7:1}%{!?el7:0} @@ -149,6 +155,9 @@ find doc/html -exec touch -r %{SOURCE0} {} \; %changelog +* Wed Mar 13 2019 Sandro Mani - 0.9.6-6 +- Backport security fixes: CVE-2019-9199, CVE-2019-9687 + * Tue Feb 05 2019 Sandro Mani - 0.9.6-5 - Backport security fix for CVE-2018-20751 diff --git a/podofo_CVE-2018-11254.patch b/podofo_CVE-2018-11254.patch index 5ff07ad..88c84c2 100644 --- a/podofo_CVE-2018-11254.patch +++ b/podofo_CVE-2018-11254.patch @@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/src/doc/PdfPagesTree.cpp podofo-0.9.6-new/src/doc/PdfPagesTree.cpp --- podofo-0.9.6/src/doc/PdfPagesTree.cpp 2018-02-25 23:36:48.000000000 +0100 -+++ podofo-0.9.6-new/src/doc/PdfPagesTree.cpp 2018-12-19 22:42:36.898106630 +0100 ++++ podofo-0.9.6-new/src/doc/PdfPagesTree.cpp 2019-03-13 23:15:12.173138741 +0100 @@ -51,7 +51,7 @@ PdfPagesTree::PdfPagesTree( PdfVecObject : PdfElement( "Pages", pParent ), m_cache( 0 ) @@ -634,7 +634,7 @@ diff -rupN podofo-0.9.6/src/doc/PdfPagesTree.cpp podofo-0.9.6-new/src/doc/PdfPag } diff -rupN podofo-0.9.6/src/doc/PdfPagesTree.h podofo-0.9.6-new/src/doc/PdfPagesTree.h --- podofo-0.9.6/src/doc/PdfPagesTree.h 2014-06-15 14:27:46.000000000 +0200 -+++ podofo-0.9.6-new/src/doc/PdfPagesTree.h 2018-12-19 22:42:36.898106630 +0100 ++++ podofo-0.9.6-new/src/doc/PdfPagesTree.h 2019-03-13 23:15:12.174138740 +0100 @@ -190,7 +190,6 @@ class PODOFO_DOC_API PdfPagesTree : publ PdfPagesTree(); // don't allow construction from nothing! 
@@ -645,7 +645,7 @@ diff -rupN podofo-0.9.6/src/doc/PdfPagesTree.h podofo-0.9.6-new/src/doc/PdfPages diff -rupN podofo-0.9.6/test/unit/PagesTreeTest.cpp podofo-0.9.6-new/test/unit/PagesTreeTest.cpp --- podofo-0.9.6/test/unit/PagesTreeTest.cpp 2016-05-12 22:08:20.000000000 +0200 -+++ podofo-0.9.6-new/test/unit/PagesTreeTest.cpp 2018-12-19 22:42:36.899106551 +0100 ++++ podofo-0.9.6-new/test/unit/PagesTreeTest.cpp 2019-03-13 23:15:12.174138740 +0100 @@ -22,6 +22,8 @@ #include @@ -903,7 +903,7 @@ diff -rupN podofo-0.9.6/test/unit/PagesTreeTest.cpp podofo-0.9.6-new/test/unit/P +} diff -rupN podofo-0.9.6/test/unit/PagesTreeTest.h podofo-0.9.6-new/test/unit/PagesTreeTest.h --- podofo-0.9.6/test/unit/PagesTreeTest.h 2009-05-08 19:45:52.000000000 +0200 -+++ podofo-0.9.6-new/test/unit/PagesTreeTest.h 2018-12-19 22:42:36.899106551 +0100 ++++ podofo-0.9.6-new/test/unit/PagesTreeTest.h 2019-03-13 23:15:12.174138740 +0100 @@ -21,11 +21,14 @@ #ifndef _PAGES_TREE_TEST_H_ #define _PAGES_TREE_TEST_H_ diff --git a/podofo_CVE-2018-11255.patch b/podofo_CVE-2018-11255.patch index fbb4072..4df6679 100644 --- a/podofo_CVE-2018-11255.patch +++ b/podofo_CVE-2018-11255.patch @@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/src/doc/PdfPage.cpp podofo-0.9.6-new/src/doc/PdfPage.cpp --- podofo-0.9.6/src/doc/PdfPage.cpp 2018-03-11 20:40:59.000000000 +0100 -+++ podofo-0.9.6-new/src/doc/PdfPage.cpp 2018-12-19 22:42:36.937103529 +0100 ++++ podofo-0.9.6-new/src/doc/PdfPage.cpp 2019-03-13 23:15:12.206138732 +0100 @@ -595,6 +595,13 @@ unsigned int PdfPage::GetPageNumber() co while( it != kids.end() && (*it).GetReference() != ref ) { diff --git a/podofo_CVE-2018-11256.patch b/podofo_CVE-2018-11256.patch index 6150f84..50bf8ad 100644 --- a/podofo_CVE-2018-11256.patch +++ b/podofo_CVE-2018-11256.patch 
@@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/src/doc/PdfDocument.cpp podofo-0.9.6-new/src/doc/PdfDocument.cpp --- podofo-0.9.6/src/doc/PdfDocument.cpp 2016-11-18 20:08:56.000000000 +0100 -+++ podofo-0.9.6-new/src/doc/PdfDocument.cpp 2018-12-19 22:42:36.969100985 +0100 ++++ podofo-0.9.6-new/src/doc/PdfDocument.cpp 2019-03-13 23:15:12.234138725 +0100 @@ -325,6 +325,12 @@ const PdfDocument & PdfDocument::Append( for(int i=0;iWrite( pDevice, eWriteMode, pEncrypt, PdfName::KeyNull ); diff -rupN podofo-0.9.6/src/base/PdfEncrypt.cpp podofo-0.9.6-new/src/base/PdfEncrypt.cpp --- podofo-0.9.6/src/base/PdfEncrypt.cpp 2017-02-26 21:48:19.000000000 +0100 -+++ podofo-0.9.6-new/src/base/PdfEncrypt.cpp 2018-12-19 22:42:37.001098440 +0100 ++++ podofo-0.9.6-new/src/base/PdfEncrypt.cpp 2019-03-13 23:15:12.260138718 +0100 @@ -561,13 +561,13 @@ PdfEncrypt* PdfEncrypt::CreatePdfEncrypt try { PdfString sTmp; diff --git a/podofo_CVE-2018-14320.patch b/podofo_CVE-2018-14320.patch index ede7f4b..b892418 100644 --- a/podofo_CVE-2018-14320.patch +++ b/podofo_CVE-2018-14320.patch @@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/src/base/PdfEncoding.cpp podofo-0.9.6-new/src/base/PdfEncoding.cpp --- podofo-0.9.6/src/base/PdfEncoding.cpp 2017-04-28 18:49:01.000000000 +0200 -+++ podofo-0.9.6-new/src/base/PdfEncoding.cpp 2018-12-19 22:42:37.033095901 +0100 ++++ podofo-0.9.6-new/src/base/PdfEncoding.cpp 2019-03-13 23:15:12.294138709 +0100 @@ -285,6 +285,12 @@ void PdfEncoding::ParseToUnicode() if (strcmp (streamToken, "beginbfrange") == 0) @@ -29,7 +29,7 @@ diff -rupN podofo-0.9.6/src/base/PdfEncoding.cpp podofo-0.9.6-new/src/base/PdfEn stkToken.pop (); diff -rupN podofo-0.9.6/test/unit/EncodingTest.cpp podofo-0.9.6-new/test/unit/EncodingTest.cpp --- podofo-0.9.6/test/unit/EncodingTest.cpp 2018-03-10 18:01:08.000000000 +0100 -+++ podofo-0.9.6-new/test/unit/EncodingTest.cpp 2018-12-19 22:42:37.033095901 +0100 ++++ podofo-0.9.6-new/test/unit/EncodingTest.cpp 2019-03-13 23:15:12.294138709 +0100 
@@ -359,6 +359,57 @@ void EncodingTest::testToUnicodeParse() #endif CPPUNIT_ASSERT_EQUAL( expects, unicodeStr[ii] ); diff --git a/podofo_CVE-2018-19532.patch b/podofo_CVE-2018-19532.patch index 12284aa..ecb8634 100644 --- a/podofo_CVE-2018-19532.patch +++ b/podofo_CVE-2018-19532.patch @@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp --- podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp 2016-11-18 20:08:56.000000000 +0100 -+++ podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp 2018-12-19 22:42:37.061093680 +0100 ++++ podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp 2019-03-13 23:15:12.323138702 +0100 @@ -256,7 +256,13 @@ namespace PoDoFo PdfPage * page = sourceDoc->GetPage ( i ); PdfMemoryOutputStream outMemStream ( 1 ); diff --git a/podofo_CVE-2018-20751.patch b/podofo_CVE-2018-20751.patch index 1403adc..2ccc728 100644 --- a/podofo_CVE-2018-20751.patch +++ b/podofo_CVE-2018-20751.patch @@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/tools/podofocrop/podofocrop.cpp podofo-0.9.6-new/tools/podofocrop/podofocrop.cpp --- podofo-0.9.6/tools/podofocrop/podofocrop.cpp 2016-11-18 20:08:56.000000000 +0100 -+++ podofo-0.9.6-new/tools/podofocrop/podofocrop.cpp 2019-02-05 15:10:16.723460528 +0100 ++++ podofo-0.9.6-new/tools/podofocrop/podofocrop.cpp 2019-03-13 23:15:12.352138694 +0100 @@ -61,6 +61,11 @@ void crop_page( PdfPage* pPage, const Pd rCropBox.GetHeight()); */ diff --git a/podofo_CVE-2018-5783.patch b/podofo_CVE-2018-5783.patch index daa979e..3b68977 100644 --- a/podofo_CVE-2018-5783.patch +++ b/podofo_CVE-2018-5783.patch @@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/src/base/PdfCompilerCompat.h podofo-0.9.6-new/src/base/PdfCompilerCompat.h --- podofo-0.9.6/src/base/PdfCompilerCompat.h 2017-10-27 08:38:19.000000000 +0200 -+++ podofo-0.9.6-new/src/base/PdfCompilerCompat.h 2018-12-19 22:42:36.864109334 +0100 ++++ podofo-0.9.6-new/src/base/PdfCompilerCompat.h 2019-03-13 23:15:12.143138748 +0100 
@@ -184,12 +184,15 @@ namespace PoDoFo { #if defined(_MSC_VER) # define PDF_FORMAT_INT64 "I64d" @@ -19,7 +19,7 @@ diff -rupN podofo-0.9.6/src/base/PdfCompilerCompat.h podofo-0.9.6-new/src/base/P diff -rupN podofo-0.9.6/src/base/PdfVecObjects.cpp podofo-0.9.6-new/src/base/PdfVecObjects.cpp --- podofo-0.9.6/src/base/PdfVecObjects.cpp 2017-06-04 15:28:32.000000000 +0200 -+++ podofo-0.9.6-new/src/base/PdfVecObjects.cpp 2018-12-19 22:42:36.865109254 +0100 ++++ podofo-0.9.6-new/src/base/PdfVecObjects.cpp 2019-03-13 23:15:12.144138748 +0100 @@ -100,6 +100,10 @@ private: const PdfReference m_ref; }; @@ -33,7 +33,7 @@ diff -rupN podofo-0.9.6/src/base/PdfVecObjects.cpp podofo-0.9.6-new/src/base/Pdf { diff -rupN podofo-0.9.6/src/base/PdfVecObjects.h podofo-0.9.6-new/src/base/PdfVecObjects.h --- podofo-0.9.6/src/base/PdfVecObjects.h 2016-11-14 17:21:06.000000000 +0100 -+++ podofo-0.9.6-new/src/base/PdfVecObjects.h 2018-12-19 22:42:36.865109254 +0100 ++++ podofo-0.9.6-new/src/base/PdfVecObjects.h 2019-03-13 23:15:12.144138748 +0100 @@ -414,6 +414,25 @@ class PODOFO_API PdfVecObjects { inline PdfObject* GetBack(); diff --git a/podofo_CVE-2019-9199.patch b/podofo_CVE-2019-9199.patch new file mode 100644 index 0000000..8dd8c10 --- /dev/null +++ b/podofo_CVE-2019-9199.patch 
@@ -0,0 +1,17 @@
+diff -rupN podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp
+--- podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp 2019-03-13 23:15:12.348138695 +0100
++++ podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp 2019-03-13 23:15:12.381138687 +0100
+@@ -148,7 +148,12 @@ namespace PoDoFo
+ // std::cerr << "Document has "<< pcount << " page(s) " << endl;
+ if ( pcount > 0 ) // only here to avoid possible segfault, but PDF without page is not conform IIRC
+ {
+- PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
++ PoDoFo::PdfPage* pFirstPage = sourceDoc->GetPage ( 0 );
++ if ( NULL == pFirstPage ) // Fixes CVE-2019-9199 (issue #40)
++ {
++ PODOFO_RAISE_ERROR_INFO( ePdfError_PageNotFound, "First page (0) of source document not found" );
++ }
++ PoDoFo::PdfRect rect ( pFirstPage->GetMediaBox() );
+ // keep in mind it’s just a hint since PDF can have different page sizes in a same doc
+ sourceWidth = rect.GetWidth() - rect.GetLeft();
+ sourceHeight = rect.GetHeight() - rect.GetBottom() ;
diff --git a/podofo_CVE-2019-9687.patch b/podofo_CVE-2019-9687.patch
new file mode 100644
index 0000000..e4df8b4
--- /dev/null
+++ b/podofo_CVE-2019-9687.patch
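Review bot: The new guard in podofo_CVE-2019-9199.patch names the CVE but does not say why `sourceDoc->GetPage ( 0 )` can be NULL inside `if ( pcount > 0 )`, so a later reader may take the check for redundant. A comment at the guard would help, e.g. `// GetPage() may return NULL even when pcount > 0: the page count and the page tree both come from the file and can disagree`; that explanation is my reading of the bug rather than something the hunk shows, so confirm it against the upstream revision referenced in podofo.spec. The check covers page 0 only, and the CVE-2018-19532 patch refreshed in this same commit touches a separate `sourceDoc->GetPage ( i )` call in this file, so any other `GetPage` results dereferenced in pdftranslator.cpp (not visible here) deserve the same guard. The enclosing function starts and ends outside the hunk.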
@@ -0,0 +1,57 @@
+diff -rupN podofo-0.9.6/src/base/PdfString.cpp podofo-0.9.6-new/src/base/PdfString.cpp
+--- podofo-0.9.6/src/base/PdfString.cpp 2018-03-10 17:30:53.000000000 +0100
++++ podofo-0.9.6-new/src/base/PdfString.cpp 2019-03-13 23:15:12.410138679 +0100
+@@ -626,8 +626,19 @@ void PdfString::InitUtf8()
+ pdf_long lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast(m_buffer.GetBuffer()),
+ this->GetUnicodeLength(),
+ reinterpret_cast(pBuffer), lBufferLen, ePdfStringConversion_Lenient );
++ if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination here vs. 1 byte there
++ {
++ pBuffer = static_cast(podofo_realloc( pBuffer, lUtf8 + 1 ) );
++ if( !pBuffer )
++ {
++ PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
++ }
++ if (lUtf8 - 1 > lBufferLen)
++ lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast(m_buffer.GetBuffer()),
++ this->GetUnicodeLength(), reinterpret_cast(pBuffer), lUtf8 + 1);
++ }
+
+- pBuffer[lUtf8-1] = '\0';
++ pBuffer[lUtf8 - 1] = '\0';
+ pBuffer[lUtf8] = '\0';
+ m_sUtf8 = pBuffer;
+ podofo_free( pBuffer );
+@@ -811,6 +822,7 @@ pdf_long PdfString::ConvertUTF16toUTF8(
+ return ConvertUTF16toUTF8( pszUtf16, lLen, pszUtf8, lLenUtf8 );
+ }
+
++// returns used, or if not enough memory passed in, needed length incl. 1 byte termination
+ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long lLenUtf16,
+ pdf_utf8* pszUtf8, pdf_long lLenUtf8,
+ EPdfStringConversion eConversion )
+@@ -828,12 +840,21 @@ pdf_long PdfString::ConvertUTF16toUTF8(
+ size_t sLength = lLenUtf16;
+ size_t resultBufLength = lLenUtf8;
+
+- u16_to_u8 ( s, sLength, pResultBuf, &resultBufLength);
++ uint8_t* pReturnBuf = u16_to_u8( s, sLength, pResultBuf, &resultBufLength );
++ if (pReturnBuf != pResultBuf)
++ {
++ free(pReturnBuf); // allocated by libunistring, so don't use podofo_free()
++ PdfError::LogMessage( eLogSeverity_Warning, "Output string size too little to hold it\n" );
++ return resultBufLength + 1;
++ }
+
+ pdf_long lBufferLen = PODOFO_MIN( static_cast(resultBufLength + 1), lLenUtf8 );
+
+- // Make sure buffer is 0 termnated
+- pszUtf8[resultBufLength] = 0;
++ // Make sure buffer is 0 terminated
++ if ( static_cast(resultBufLength + 1) <= lLenUtf8 )
++ pszUtf8[resultBufLength] = 0;
++ else
++ return resultBufLength + 1; // means: check for this in the caller to detect non-termination
+
+ return lBufferLen;
+ }
diff --git a/podofo_tests.patch b/podofo_tests.patch
index 36a4499..3c7ef21 100644
--- a/podofo_tests.patch
+++ b/podofo_tests.patch
@@ -1,6 +1,6 @@ diff -rupN podofo-0.9.6/test/TokenizerTest/CMakeLists.txt podofo-0.9.6-new/test/TokenizerTest/CMakeLists.txt --- podofo-0.9.6/test/TokenizerTest/CMakeLists.txt 2007-09-16 11:33:38.000000000 +0200 -+++ podofo-0.9.6-new/test/TokenizerTest/CMakeLists.txt 2018-12-19 23:54:17.173226972 +0100 ++++ podofo-0.9.6-new/test/TokenizerTest/CMakeLists.txt 2019-03-13 23:15:12.116138755 +0100 @@ -2,10 +2,3 @@ ADD_EXECUTABLE(TokenizerTest TokenizerTe TARGET_LINK_LIBRARIES(TokenizerTest ${PODOFO_LIB} ${PODOFO_LIB_DEPENDS}) SET_TARGET_PROPERTIES(TokenizerTest PROPERTIES COMPILE_FLAGS "${PODOFO_CFLAGS}")
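Review bot: In the `@@ -828,12 +840,21 @@` part of podofo_CVE-2019-9687.patch, `if (pReturnBuf != pResultBuf)` also matches a NULL return from `u16_to_u8`, which libunistring uses to report a failed conversion, so malformed UTF-16 from a PDF is logged as "size too little" and answered with `resultBufLength + 1` as if it were a required length. Assuming the length argument is left untouched on failure, `InitUtf8()` then sees `lUtf8 == lBufferLen + 1`, reallocates, skips the retry because `lUtf8 - 1 > lBufferLen` is false, and assigns `m_sUtf8 = pBuffer` from a buffer the converter never wrote; whether pBuffer is zero-filled when allocated is outside the hunk. I would test for NULL before the comparison and raise instead of returning a length, e.g. `if ( !pReturnBuf ) { PODOFO_RAISE_ERROR( <conversion-failure error code> ); }`. Separately, the `podofo_realloc` result is assigned straight back to `pBuffer`, so the original block is lost when the reallocation fails; keep it in a temporary and free the old pointer before raising. Both `InitUtf8()` and `ConvertUTF16toUTF8()` start outside the lines shown.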