Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
This fixes three CVEs in atril. Two of them were already fixed in buster via a stable update (#946819); the third does not affect the version in buster.
Tested on a stretch VM. debdiff attached and package uploaded.
Thanks,
Emilio
diff -Nru atril-1.16.1/debian/changelog atril-1.16.1/debian/changelog
--- atril-1.16.1/debian/changelog 2017-07-21 06:59:09.000000000 +0200
+++ atril-1.16.1/debian/changelog 2020-07-10 12:35:24.000000000 +0200
@@ -1,3 +1,13 @@
+atril (1.16.1-2+deb9u2) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * dvi: Mitigate command injection attacks by quoting filename
+ (CVE-2017-1000159)
+ * Fix overflow checks in tiff backend (CVE-2019-1010006)
+ * tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459)
+
+ -- Emilio Pozuelo Monfort <po...@debian.org> Fri, 10 Jul 2020 12:35:24 +0200
+
atril (1.16.1-2+deb9u1) stretch-security; urgency=high
* Non-maintainer upload
diff -Nru
atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
---
atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
1970-01-01 01:00:00.000000000 +0100
+++
atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
2020-07-10 12:18:10.000000000 +0200
@@ -0,0 +1,43 @@
+From: Tobias Mueller <mue...@cryptobitch.de>
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: dvi: Mitigate command injection attacks by quoting filename
+Origin:
https://gitlab.gnome.org/GNOME/evince/commit/350404c76dc8601e2cdd2636490e2afc83d3090e
+Bug-Debian-Security:
https://security-tracker.debian.org/tracker/CVE-2017-1000159
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename. Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e215273..28877700880f 100644
+--- a/backend/dvi/dvi-document.c
++++ b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+ gboolean success;
+
+ DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++ gchar* quoted_filename = g_shell_quote
(dvi_document->context->filename);
+
+- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm
-s 1,2,.., -o exporter_filename dvi_filename */
++ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s
1,2,.., -o exporter_filename dvi_filename */
+ dvi_document->exporter_opts->str,
+ dvi_document->exporter_filename,
+- dvi_document->context->filename);
+-
++ quoted_filename);
++ g_free (quoted_filename);
++
+ success = g_spawn_command_line_sync (command_line,
+ NULL,
+ NULL,
+--
+2.25.0
+
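Review bot: Only `dvi_document->context->filename` is quoted; `dvi_document->exporter_filename` and `exporter_opts->str` on the lines below are still interpolated raw into a string that `g_spawn_command_line_sync` re-parses with shell word-splitting rules, so an output path containing spaces or quotes (where the exporter filename comes from is outside this hunk, presumably the print dialog) still breaks the command or changes its arguments. The robust fix is to stop building a command line at all and pass an explicit argv to `g_spawn_sync`, which needs no quoting; short of that, quote the output name the same way: `gchar *quoted_out = g_shell_quote (dvi_document->exporter_filename);` and pass `quoted_out` to the `%s` in place of the bare `exporter_filename`, freeing it next to `quoted_filename`. `exporter_opts->str` looks like a space-separated option list built elsewhere, so a single g_shell_quote would mangle it; it has to stay as-is or become separate argv entries. dvi_document_file_exporter_end starts before this hunk and its body continues after it.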
diff -Nru
atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
--- atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
1970-01-01 01:00:00.000000000 +0100
+++ atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
2020-07-10 12:18:10.000000000 +0200
@@ -0,0 +1,57 @@
+From: Jason Crain <jcr...@src.gnome.org>
+Date: Sat, 2 Dec 2017 20:24:33 -0600
+Subject: [1/2] Fix overflow checks in tiff backend
+Origin:
https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
+Bug-Debian-Security:
https://security-tracker.debian.org/tracker/CVE-2019-1010006
+
+The overflow checks in tiff_document_render and
+tiff_document_get_thumbnail don't work when optimizations are enabled.
+Change the checks so they don't rely on undefined behavior.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=788980
+---
+ backend/tiff/tiff-document.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 8f40934ee766..7bf95c2bbd7b 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document,
+ return NULL;
+ }
+
+- bytes = height * rowstride;
+- if (bytes / rowstride != height) {
++ if (height >= INT_MAX / rowstride) {
+ g_warning("Overflow while rendering document.");
+ /* overflow */
+ return NULL;
+ }
++ bytes = height * rowstride;
+
+ pixels = g_try_malloc (bytes);
+ if (!pixels) {
+@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document,
+ if (width <= 0 || height <= 0)
+ return NULL;
+
+- rowstride = width * 4;
+- if (rowstride / 4 != width)
++ if (width >= INT_MAX / 4)
+ /* overflow */
+ return NULL;
++ rowstride = width * 4;
+
+- bytes = height * rowstride;
+- if (bytes / rowstride != height)
++ if (height >= INT_MAX / rowstride)
+ /* overflow */
+ return NULL;
++ bytes = height * rowstride;
+
+ pixels = g_try_malloc (bytes);
+ if (!pixels)
+--
+2.25.0
+
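Review bot: The new guard `if (height >= INT_MAX / rowstride)` relies on `rowstride` being strictly positive, otherwise the division is itself undefined; in `tiff_document_get_thumbnail` that follows from the visible `width <= 0` check and `rowstride = width * 4`, but in `tiff_document_render` the rowstride computation and whatever validates it sit above this hunk, so the precondition is worth stating there, e.g. `/* rowstride > 0 is established above; bound keeps height * rowstride within int for cairo */`. The bare `/* overflow */` comments could also say why the bound is INT_MAX rather than G_MAXSIZE — presumably because width, height and rowstride are ints handed to cairo and gdk-pixbuf, which I cannot confirm from the hunk. GLib's `g_try_malloc_n (height, rowstride)` would perform the size_t overflow check for the allocation itself, but it does not replace the int-range check the consumers need, so the explicit test should stay. Both functions begin before and end after their hunks.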
diff -Nru
atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
---
atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
1970-01-01 01:00:00.000000000 +0100
+++
atril-1.16.1/debian/patches/06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch
2020-07-10 12:32:25.000000000 +0200
@@ -0,0 +1,70 @@
+From: Jason Crain <jcr...@src.gnome.org>
+Date: Mon, 15 Apr 2019 23:06:36 -0600
+Subject: tiff: Handle failure from TIFFReadRGBAImageOriented
+Origin:
https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11459
+Bug-Debian: https://bugs.debian.org/927820
+Bug: https://gitlab.gnome.org/GNOME/evince/issues/1129
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+Fixes #1129
+---
+ backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -280,18 +280,22 @@ tiff_document_render (EvDocument *d
+ g_warning("Failed to allocate memory for rendering.");
+ return NULL;
+ }
+-
++
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ orientation, 0)) {
++ g_warning ("Failed to read TIFF image.");
++ g_free (pixels);
++ return NULL;
++ }
++
+ surface = cairo_image_surface_create_for_data (pixels,
+ CAIRO_FORMAT_RGB24,
+ width, height,
+ rowstride);
+ cairo_surface_set_user_data (surface, &key,
+ pixels, (cairo_destroy_func_t)g_free);
+-
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- orientation, 0);
+ pop_handlers ();
+
+ /* Convert the format returned by libtiff to
+@@ -370,13 +374,17 @@ tiff_document_render_pixbuf (EvDocument
+ if (!pixels)
+ return NULL;
+
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ ORIENTATION_TOPLEFT, 0)) {
++ g_free (pixels);
++ return NULL;
++ }
++
+ pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8,
+ width, height, rowstride,
+ (GdkPixbufDestroyNotify) g_free,
NULL);
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- ORIENTATION_TOPLEFT, 0);
+ pop_handlers ();
+
+ scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
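Review bot: The new early-return path after a failed `TIFFReadRGBAImageOriented` in `tiff_document_render` frees `pixels` but skips the `pop_handlers ()` call that the success path still reaches a few lines later, and the new path in `tiff_document_render_pixbuf` does the same; if `pop_handlers` restores libtiff's error/warning handlers pushed earlier in the function (the push is outside this hunk, so I cannot confirm it), the custom handlers stay installed after a malformed page — the pre-existing allocation-failure `return NULL;` in the context above has the same omission, so this extends an existing inconsistency rather than introducing it. Add `pop_handlers ();` before each new return, i.e. `g_warning ("Failed to read TIFF image."); pop_handlers (); g_free (pixels); return NULL;`. The pixbuf path also returns silently where the render path logs a warning; a matching `g_warning ("Failed to read TIFF image.");` would keep diagnostics consistent. Both enclosing functions start before and continue after their hunks.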
diff -Nru atril-1.16.1/debian/patches/series atril-1.16.1/debian/patches/series
--- atril-1.16.1/debian/patches/series 2017-07-19 13:58:54.000000000 +0200
+++ atril-1.16.1/debian/patches/series 2020-07-10 12:32:17.000000000 +0200
@@ -1 +1,4 @@
0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
+03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
+04_Fix-overflow-checks-in-tiff-backend.patch
+06_tiff-Handle-failure-from-TIFFReadRGBAImageOriented.patch