rpms/qpdf
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import qpdf-7.1.1-10.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-01-21 13:09:46 -05:00 committed by Stepan Oksanichenko
parent ab68b2a147
commit 52282b0b32
3 changed files with 1322 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1142
SOURCES/qpdf-gnutls-crypto.patch Normal file
View File

File diff suppressed because it is too large Load Diff

158
SOURCES/qpdf-relax.patch Normal file
View File

@ -0,0 +1,158 @@
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 3475afe..f93ba0d 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -19,6 +19,10 @@
#include <qpdf/QPDF_Null.hh>
#include <qpdf/QPDF_Dictionary.hh>
+#ifdef HAVE_GNUTLS
+# include <gnutls/crypto.h>
+#endif
+
std::string QPDF::qpdf_version = "7.1.1";
static char const* EMPTY_PDF =
@@ -139,7 +143,13 @@ QPDF::processFile(char const* filename, char const* password)
{
FileInputSource* fi = new FileInputSource();
fi->setFilename(filename);
+#ifdef HAVE_GNUTLS
+ GNUTLS_FIPS140_SET_LAX_MODE();
+#endif
processInputSource(fi, password);
+#ifdef HAVE_GNUTLS
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+#endif
}
void
@@ -148,7 +158,13 @@ QPDF::processFile(char const* description, FILE* filep,
{
FileInputSource* fi = new FileInputSource();
fi->setFile(description, filep, close_file);
+#ifdef HAVE_GNUTLS
+ GNUTLS_FIPS140_SET_LAX_MODE();
+#endif
processInputSource(fi, password);
+#ifdef HAVE_GNUTLS
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+#endif
}
void
diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc
index 0544640..48fe50d 100644
--- a/libqpdf/QPDFWriter.cc
+++ b/libqpdf/QPDFWriter.cc
@@ -23,6 +23,10 @@
#include <algorithm>
#include <stdlib.h>
+#ifdef HAVE_GNUTLS
+#include <gnutls/crypto.h>
+#endif
+
QPDFWriter::Members::Members(QPDF& pdf) :
pdf(pdf),
filename(0),
@@ -323,6 +327,13 @@ void
QPDFWriter::setDeterministicID(bool val)
{
this->m->deterministic_id = val;
+
+#ifdef HAVE_GNUTLS
+ if (val)
+ GNUTLS_FIPS140_SET_LAX_MODE();
+ else
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+#endif
}
void
@@ -344,6 +355,13 @@ void
QPDFWriter::setPreserveEncryption(bool val)
{
this->m->preserve_encryption = val;
+
+#ifdef HAVE_GNUTLS
+ if (val)
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+ else
+ GNUTLS_FIPS140_SET_LAX_MODE();
+#endif
}
void
diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc
index fd717c3..9b38914 100644
--- a/libqpdf/QPDF_encryption.cc
+++ b/libqpdf/QPDF_encryption.cc
@@ -1,6 +1,8 @@
// This file implements methods from the QPDF class that involve
// encryption.
+#include <qpdf/qpdf-config.h>
+
#include <qpdf/QPDF.hh>
#include <qpdf/QPDFExc.hh>
@@ -18,6 +20,10 @@
#include <assert.h>
#include <string.h>
+#ifdef HAVE_GNUTLS
+# include <gnutls/crypto.h>
+#endif
+
static unsigned char const padding_string[] = {
0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
@@ -1084,6 +1090,12 @@ QPDF::getKeyForObject(int objid, int generation, bool use_aes)
void
QPDF::decryptString(std::string& str, int objid, int generation)
{
+#ifdef HAVE_GNUTLS
+ unsigned oldmode = gnutls_fips140_mode_enabled();
+
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
if (objid == 0)
{
return;
@@ -1162,6 +1174,10 @@ QPDF::decryptString(std::string& str, int objid, int generation)
QUtil::int_to_string(objid) + " " +
QUtil::int_to_string(generation) + ": " + e.what());
}
+
+#ifdef HAVE_GNUTLS
+ gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
}
void
@@ -1169,6 +1185,12 @@ QPDF::decryptStream(Pipeline*& pipeline, int objid, int generation,
QPDFObjectHandle& stream_dict,
std::vector<PointerHolder<Pipeline> >& heap)
{
+#ifdef HAVE_GNUTLS
+ unsigned oldmode = gnutls_fips140_mode_enabled();
+
+ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
std::string type;
if (stream_dict.getKey("/Type").isName())
{
@@ -1297,6 +1319,10 @@ QPDF::decryptStream(Pipeline*& pipeline, int objid, int generation,
key.length());
}
heap.push_back(pipeline);
+
+#ifdef HAVE_GNUTLS
+ gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
}
void

24
SPECS/qpdf.spec
View File

@ -1,7 +1,7 @@
Summary: Command-line tools and library for transforming PDF files Summary: Command-line tools and library for transforming PDF files
Name: qpdf Name: qpdf
Version: 7.1.1 Version: 7.1.1
Release: 7%{?dist} Release: 10%{?dist}
# MIT: e.g. libqpdf/sha2.c # MIT: e.g. libqpdf/sha2.c
# upstream uses ASL 2.0 now, but he allowed others to distribute qpdf under # upstream uses ASL 2.0 now, but he allowed others to distribute qpdf under
# old license (see README) # old license (see README)
@ -11,6 +11,8 @@ Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.g
Patch0: qpdf-doc.patch Patch0: qpdf-doc.patch
Patch1: qpdf-CVE-2018-9918.patch Patch1: qpdf-CVE-2018-9918.patch
Patch2: qpdf-gnutls-crypto.patch
Patch3: qpdf-relax.patch
# gcc and gcc-c++ are no longer in buildroot by default # gcc and gcc-c++ are no longer in buildroot by default
# gcc is needed for qpdf-ctest.c # gcc is needed for qpdf-ctest.c
@ -32,6 +34,10 @@ BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libtool BuildRequires: libtool
# for crypto by gnutls
BuildRequires: gnutls-devel
BuildRequires: pkgconf-pkg-config
Requires: qpdf-libs%{?_isa} = %{version}-%{release} Requires: qpdf-libs%{?_isa} = %{version}-%{release}
%package libs %package libs
@ -72,6 +78,10 @@ QPDF Manual
%patch0 -p1 -b .doc %patch0 -p1 -b .doc
# CVE-2018-9918 qpdf: stack exhaustion in QPDFObjectHandle and QPDF_Dictionary classes in libqpdf.a [fedora-all] # CVE-2018-9918 qpdf: stack exhaustion in QPDFObjectHandle and QPDF_Dictionary classes in libqpdf.a [fedora-all]
%patch1 -p1 -b .CVE-2018-9918 %patch1 -p1 -b .CVE-2018-9918
# 1605101 - qpdf: should not re-implement crypto
%patch2 -p1 -b .gnutls-crypto
# 1605101 - downstream patch for relaxing crypto for deterministic id and decrypt
%patch3 -p1 -b .relax
sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf
@ -80,7 +90,8 @@ sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf
autoreconf --verbose --force --install autoreconf --verbose --force --install
%configure --disable-static \ %configure --disable-static \
--enable-show-failed-test-output --enable-show-failed-test-output \
--enable-gnutls
make %{?_smp_mflags} make %{?_smp_mflags}
@ -118,6 +129,15 @@ make check
%changelog %changelog
* Tue Sep 10 2019 Zdenek Dohnal <zdohnal@redhat.com> - 7.1.1-10
- used bad define in previous commit
* Tue Sep 10 2019 Zdenek Dohnal <zdohnal@redhat.com> - 7.1.1-9
- 1605101 - qpdf: should not re-implement crypto - episode II - relaxing crypto for decrypt
* Thu Sep 05 2019 Zdenek Dohnal <zdohnal@redhat.com> - 7.1.1-8
- 1605101 - qpdf: should not re-implement crypto
* Tue Jul 24 2018 Zdenek Dohnal <zdohnal@redhat.com> - 7.1.1-7 * Tue Jul 24 2018 Zdenek Dohnal <zdohnal@redhat.com> - 7.1.1-7
- correcting license - correcting license