1454820 - CVE-2017-9210

2017-08-03 10:23:22 +02:00 · 2017-08-03 10:23:22 +02:00 · d3e085c5a0
commit d3e085c5a0
parent 012cad66a4 3222630145
5 changed files with 162 additions and 1 deletions
--- a/qpdf-6.0.0-CVE-2017-9208.patch
+++ b/qpdf-6.0.0-CVE-2017-9208.patch
@ -0,0 +1,36 @@
+diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDF.cc
+--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208	2017-08-03 08:53:32.806072781 +0200
+++ qpdf-6.0.0/libqpdf/QPDF.cc	2017-08-03 08:55:39.529073703 +0200
+@@ -1340,6 +1340,13 @@ QPDF::readObjectAtOffset(bool try_recove
+ 	objid = atoi(tobjid.getValue().c_str());
+ 	generation = atoi(tgen.getValue().c_str());
+ 
+   if (objid == 0)
+   {
+       throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+                     this->last_object_description, offset,
+                     "object with ID 0");
+   }
+
+ 	if ((exp_objid >= 0) &&
+ 	    (! ((objid == exp_objid) && (generation == exp_generation))))
+ 	{
+diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc
+--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208	2015-11-10 18:48:52.000000000 +0100
+++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc	2017-08-03 08:54:50.264499428 +0200
+@@ -1090,6 +1090,15 @@ QPDFObjectHandle::parseInternal(PointerH
+ QPDFObjectHandle
+ QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation)
+ {
+    if (objid == 0)
+    {
+        // Special case: QPDF uses objid 0 as a sentinel for direct
+        // objects, and the PDF specification doesn't allow for object
+        // 0. Treat indirect references to object 0 as null so that we
+        // never create an indirect object with objid 0.
+        return newNull();
+    }
+
+     return QPDFObjectHandle(qpdf, objid, generation);
+ }
+ 
--- a/qpdf-6.0.0-CVE-2017-9209.patch
+++ b/qpdf-6.0.0-CVE-2017-9209.patch
@ -0,0 +1,37 @@
+diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 qpdf-6.0.0/include/qpdf/QPDF.hh
+--- qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209	2017-08-03 10:00:17.489291722 +0200
+++ qpdf-6.0.0/include/qpdf/QPDF.hh	2017-08-03 10:00:17.494291685 +0200
+@@ -1095,6 +1095,7 @@ class QPDF
+     // copied_stream_data_provider is owned by copied_streams
+     CopiedStreamDataProvider* copied_stream_data_provider;
+     std::set<QPDFObjGen> attachment_streams;
+    bool reconstructed_xref;    
+ 
+     // Linearization data
+     qpdf_offset_t first_xref_item_offset; // actual value from file
+diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 qpdf-6.0.0/libqpdf/QPDF.cc
+--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209	2017-08-03 10:00:17.491291707 +0200
+++ qpdf-6.0.0/libqpdf/QPDF.cc	2017-08-03 10:01:43.243661883 +0200
+@@ -93,6 +93,7 @@ QPDF::QPDF() :
+     cached_key_generation(0),
+     pushed_inherited_attributes_to_pages(false),
+     copied_stream_data_provider(0),
+    reconstructed_xref(false),
+     first_xref_item_offset(0),
+     uncompressed_after_compressed(false)
+ {
+@@ -331,6 +332,14 @@ QPDF::setTrailer(QPDFObjectHandle obj)
+ void
+ QPDF::reconstruct_xref(QPDFExc& e)
+ {
+    if (this->reconstructed_xref)
+    {
+        // Avoid xref reconstruction infinite loops
+        throw e;
+    }
+
+    this->reconstructed_xref = true;
+
+     PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b");
+     PCRE endobj_re("^\\s*endobj\\b");
+     PCRE trailer_re("^\\s*trailer\\b");
--- a/qpdf-6.0.0-CVE-2017-9210.patch
+++ b/qpdf-6.0.0-CVE-2017-9210.patch
@ -0,0 +1,13 @@
+diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc
+--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210	2017-08-03 10:09:46.670111267 +0200
+++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc	2017-08-03 10:10:56.430600663 +0200
+@@ -1076,8 +1076,7 @@ QPDFObjectHandle::parseInternal(PointerH
+ 		throw QPDFExc(
+ 		    qpdf_e_damaged_pdf,
+ 		    input->getName(), object_description, offset,
+-		    std::string("dictionary key not name (") +
+-		    key_obj.unparse() + ")");
+        std::string("dictionary key is not not a name token"));        
+ 	    }
+ 	    dict[key_obj.getName()] = val;
+ 	}
--- a/qpdf-6.0.0-detect-recursions.patch
+++ b/qpdf-6.0.0-detect-recursions.patch
@ -0,0 +1,61 @@
+diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions qpdf-6.0.0/include/qpdf/QPDF.hh
+--- qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions	2015-11-10 18:48:52.000000000 +0100
+++ qpdf-6.0.0/include/qpdf/QPDF.hh	2017-08-02 08:41:17.500831407 +0200
+@@ -603,6 +603,25 @@ class QPDF
+         int gen;
+     };
+ 
+    class ResolveRecorder
+    {
+      public:
+        ResolveRecorder(QPDF* qpdf, QPDFObjGen const& og) :
+            qpdf(qpdf),
+            og(og)
+        {
+            qpdf->resolving.insert(og);
+        }
+        virtual ~ResolveRecorder()
+        {
+            this->qpdf->resolving.erase(og);
+        }
+      private:
+        QPDF* qpdf;
+        QPDFObjGen og;
+    };
+    friend class ResolveRecorder;
+
+     void parse(char const* password);
+     void warn(QPDFExc const& e);
+     void setTrailer(QPDFObjectHandle obj);
+@@ -1065,6 +1084,7 @@ class QPDF
+     std::map<QPDFObjGen, QPDFXRefEntry> xref_table;
+     std::set<int> deleted_objects;
+     std::map<QPDFObjGen, ObjCache> obj_cache;
+    std::set<QPDFObjGen> resolving;
+     QPDFObjectHandle trailer;
+     std::vector<QPDFObjectHandle> all_pages;
+     std::map<QPDFObjGen, int> pageobj_to_pages_pos;
+diff -up qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions qpdf-6.0.0/libqpdf/QPDF.cc
+--- qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions	2015-11-10 18:48:52.000000000 +0100
+++ qpdf-6.0.0/libqpdf/QPDF.cc	2017-08-02 08:42:19.070393817 +0200
+@@ -1453,6 +1453,20 @@ QPDF::resolve(int objid, int generation)
+     // to insert things into the object cache that don't actually
+     // exist in the file.
+     QPDFObjGen og(objid, generation);
+    if (this->resolving.count(og))
+    {
+        // This can happen if an object references itself directly or
+        // indirectly in some key that has to be resolved during
+        // object parsing, such as stream length.
+       warn(QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+		        "", this->file->getLastOffset(),
+		        "loop detected resolving object " +
+		        QUtil::int_to_string(objid) + " " +
+		        QUtil::int_to_string(generation)));
+        return new QPDF_Null;
+    }
+    ResolveRecorder rr(this, og);
+
+     if (! this->obj_cache.count(og))
+     {
+ 	if (! this->xref_table.count(og))
--- a/qpdf.spec
+++ b/qpdf.spec
@ -1,13 +1,17 @@
 Summary: Command-line tools and library for transforming PDF files
 Name:    qpdf
 Version: 6.0.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 # MIT: e.g. libqpdf/sha2.c
 License: Artistic 2.0 and MIT
 URL:     http://qpdf.sourceforge.net/
 Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.gz

 Patch0:  qpdf-doc.patch
+Patch1:  qpdf-6.0.0-detect-recursions.patch
+Patch2:  qpdf-6.0.0-CVE-2017-9208.patch
+Patch3:  qpdf-6.0.0-CVE-2017-9209.patch
+Patch4:  qpdf-6.0.0-CVE-2017-9210.patch

 BuildRequires: zlib-devel
 BuildRequires: pcre-devel
@ -63,6 +67,10 @@ QPDF Manual

 # fix 'complete manual location' note in man pages
 %patch0 -p1 -b .doc
+%patch1 -p1 -b .detect-recursions
+%patch2 -p1 -b .CVE-2017-9208
+%patch3 -p1 -b .CVE-2017-9209
+%patch4 -p1 -b .CVE-2017-9210

 sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf

@ -108,6 +116,12 @@ make check


 %changelog
+* Thu Aug 03 2017 Zdenek Dohnal <zdohnal@redhat.com> - 6.0.0-6
+- 1477213 - Detect recursions loop resolving objects
+- 1454820 - CVE-2017-9208
+- 1454820 - CVE-2017-9209
+- 1454820 - CVE-2017-9210
+
 * Mon May 15 2017 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.0.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild