From 7456f0b54ee362ba68f386d030f17dbf77db4e32 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Mon, 25 Jun 2018 10:50:31 +0200
Subject: [PATCH] 8.1.0
---
 .gitignore | 1 +
 qpdf-CVE-2018-9918.patch | 90 ----------------------------------------
 qpdf.spec | 12 +++---
 sources | 2 +-
 4 files changed, 8 insertions(+), 97 deletions(-)
 delete mode 100644 qpdf-CVE-2018-9918.patch
diff --git a/.gitignore b/.gitignore
index 1a63f88..f00cd75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@
 /qpdf-8.0.0.tar.gz
 /qpdf-8.0.1.tar.gz
 /qpdf-8.0.2.tar.gz
+/qpdf-8.1.0.tar.gz
diff --git a/qpdf-CVE-2018-9918.patch b/qpdf-CVE-2018-9918.patch
deleted file mode 100644
index 7497f37..0000000
--- a/qpdf-CVE-2018-9918.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -From b4d6cf6836ce025ba1811b7bbec52680c7204223 Mon Sep 17 00:00:00 2001 -From: Jay Berkenbilt -Date: Sun, 15 Apr 2018 16:11:22 -0400 -Subject: [PATCH] Limit depth of nesting in direct objects (fixes #202) - -This fixes CVE-2018-9918. ---- - ChangeLog | 5 +++++ - libqpdf/QPDFObjectHandle.cc | 26 ++++++++++++++++++++------ - qpdf/qpdf.testcov | 1 + - qpdf/qtest/qpdf.test | 1 + - qpdf/qtest/qpdf/issue-146.out | 4 +--- - qpdf/qtest/qpdf/issue-202.out | 5 +++++ - 4 files changed, 27 insertions(+), 9 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 3a88135..17c7a1c 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,8 @@ -+2018-04-15 Jay Berkenbilt -+ -+ * Arbitrarily limit the depth of data structures represented by -+ direct object. This is CVE-2018-9918. Fixes #202. -+ - 2018-03-06 Jay Berkenbilt - - * 8.0.2: release -diff --git a/libqpdf/QPDFObjectHandle.cc b/libqpdf/QPDFObjectHandle.cc -index c178a49..149668e 100644 ---- a/libqpdf/QPDFObjectHandle.cc -+++ b/libqpdf/QPDFObjectHandle.cc -@@ -1487,12 +1487,26 @@ QPDFObjectHandle::parseInternal(PointerHolder input, - - case QPDFTokenizer::tt_array_open: - case QPDFTokenizer::tt_dict_open: -- olist_stack.push_back(std::vector()); -- state = st_start; -- offset_stack.push_back(input->tell()); -- state_stack.push_back( -- (token.getType() == QPDFTokenizer::tt_array_open) ? -- st_array : st_dictionary); -+ if (olist_stack.size() > 500) -+ { -+ QTC::TC("qpdf", "QPDFObjectHandle too deep"); -+ warn(context, -+ QPDFExc(qpdf_e_damaged_pdf, input->getName(), -+ object_description, -+ input->getLastOffset(), -+ "ignoring excessively deeply nested data structure")); -+ object = newNull(); -+ state = st_top; -+ } -+ else -+ { -+ olist_stack.push_back(std::vector()); -+ state = st_start; -+ offset_stack.push_back(input->tell()); -+ state_stack.push_back( -+ (token.getType() == QPDFTokenizer::tt_array_open) ? 
-+ st_array : st_dictionary); -+ } - break; - - case QPDFTokenizer::tt_bool: -diff --git a/qpdf/qpdf.testcov b/qpdf/qpdf.testcov -index 5374302..3f055a8 100644 ---- a/qpdf/qpdf.testcov -+++ b/qpdf/qpdf.testcov -@@ -335,3 +335,4 @@ QPDFObjectHandle numeric non-numeric 0 - QPDFObjectHandle erase array bounds 0 - qpdf-c called qpdf_check_pdf 0 - QPDF xref loop 0 -+QPDFObjectHandle too deep 0 -diff --git a/qpdf/qtest/qpdf/issue-146.out b/qpdf/qtest/qpdf/issue-146.out -index 79bb811..a275957 100644 ---- a/qpdf/qtest/qpdf/issue-146.out -+++ b/qpdf/qtest/qpdf/issue-146.out -@@ -1,7 +1,5 @@ - WARNING: issue-146.pdf: file is damaged - WARNING: issue-146.pdf: can't find startxref - WARNING: issue-146.pdf: Attempting to reconstruct cross-reference table --WARNING: issue-146.pdf (trailer, offset 20728): unknown token while reading object; treating as string --WARNING: issue-146.pdf (trailer, offset 20732): unexpected EOF --WARNING: issue-146.pdf (trailer, offset 20732): parse error while reading object -+WARNING: issue-146.pdf (trailer, offset 695): ignoring excessively deeply nested data structure - issue-146.pdf: unable to find trailer dictionary while recovering damaged file --- -2.14.3 - diff --git a/qpdf.spec b/qpdf.spec index 6d5af70..000ea55 100644 --- a/qpdf.spec +++ b/qpdf.spec @@ -1,14 +1,13 @@ Summary: Command-line tools and library for transforming PDF files Name: qpdf -Version: 8.0.2 -Release: 3%{?dist} +Version: 8.1.0 +Release: 1%{?dist} # MIT: e.g. libqpdf/sha2.c License: Artistic 2.0 URL: http://qpdf.sourceforge.net/ Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.gz Patch0: qpdf-doc.patch -Patch1: qpdf-CVE-2018-9918.patch # zlib has optimalization for aarch64 now, which gives different output after # compression - patch erases 3 tests with generated object stream which were failing Patch2: qpdf-erase-tests-with-generated-object-stream.patch 
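Review bot: Dropping `Patch1: qpdf-CVE-2018-9918.patch` here (together with `%patch1` and its CVE comment in the next qpdf.spec hunk) leaves no record in the package that the CVE-2018-9918 fix is still present. The removed patch is dated 2018-04-15, so 8.1.0 presumably carries the fix upstream, but the new `%changelog` entry further down only says `- 8.1.0`. I would change it to `- 8.1.0 (includes upstream fix for CVE-2018-9918, qpdf-CVE-2018-9918.patch dropped)` so that anyone auditing the package changelog for this CVE can see it is covered. It is also worth confirming that the 8.1.0 tarball ships the `issue-202` regression test the dropped patch added, since the spec runs `make check` during the build.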
@@ -71,8 +70,6 @@ QPDF Manual # fix 'complete manual location' note in man pages %patch0 -p1 -b .doc -# CVE-2018-9918 qpdf: stack exhaustion in QPDFObjectHandle and QPDF_Dictionary classes in libqpdf.a [fedora-all] -%patch1 -p1 -b .CVE-2018-9918 %ifarch aarch64 %patch2 -p1 -b .erase-tests-with-generated-object-stream %endif @@ -108,7 +105,7 @@ make check %doc README.md TODO ChangeLog %license Artistic-2.0 %{_libdir}/libqpdf.so.21 -%{_libdir}/libqpdf.so.21.0.2 +%{_libdir}/libqpdf.so.21.1.0 %files devel %doc examples/*.cc examples/*.c @@ -121,6 +118,9 @@ make check %changelog +* Mon Jun 25 2018 Zdenek Dohnal - 8.1.0-1 +- 8.1.0 + * Fri May 25 2018 Zdenek Dohnal - 8.0.2-3 - erase failing tests for aarch64 because of zlib optimization diff --git a/sources b/sources index 37eb326..5782db3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (qpdf-8.0.2.tar.gz) = f6d062f011d87f3f1df44e96e5dec0cd4b1b5f800dc6c088bf1313b2c96922d2f3c1b6eb1109a6ef00c558144b85dc20aeb85f937b73a3b594633aa67104f5e3 +SHA512 (qpdf-8.1.0.tar.gz) = 1831bcaaed87dae268db5d61805d1483ec5c101f6ce594be660664c119597ae67cf011c2b50092964d785a814d5f6c780935127a89401fe37a1026ae4d3af15c