From 96865f02d4d770da40d33ebc6421e15721bf3f94 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Thu, 5 Aug 2021 11:09:20 +0200 Subject: [PATCH] package/qpdf: fix CVE-2021-36978 QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails. Signed-off-by: Fabrice Fontaine Signed-off-by: Arnout Vandecappelle (Essensium/Mind) --- ...to-be-safe-if-downstream-write-fails.patch | 86 +++++++++++++++++++ package/qpdf/qpdf.mk | 3 + 2 files changed, 89 insertions(+) create mode 100644 package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch diff --git a/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch b/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch new file mode 100644 index 0000000000..70017350f2 --- /dev/null +++ b/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch @@ -0,0 +1,86 @@ +From dc92574c10f3e2516ec6445b88c5d584f40df4e5 Mon Sep 17 00:00:00 2001 +From: Jay Berkenbilt +Date: Mon, 4 Jan 2021 11:55:28 -0500 +Subject: [PATCH] Fix some pipelines to be safe if downstream write fails (fuzz + issue 28262) + +[Retrieved (and updated to remove updates on ChangeLog and fuzz) from: +https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5] +Signed-off-by: Fabrice Fontaine +--- + ChangeLog | 6 ++++++ + fuzz/qpdf_extra/28262.fuzz | Bin 0 -> 40395 bytes + libqpdf/Pl_AES_PDF.cc | 2 +- + libqpdf/Pl_ASCII85Decoder.cc | 7 +++++-- + libqpdf/Pl_ASCIIHexDecoder.cc | 6 ++++-- + libqpdf/Pl_Count.cc | 2 +- + 6 files changed, 17 insertions(+), 6 deletions(-) + create mode 100644 fuzz/qpdf_extra/28262.fuzz + +diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc +index 18cf3a4d..2865f804 100644 +--- a/libqpdf/Pl_AES_PDF.cc ++++ b/libqpdf/Pl_AES_PDF.cc +@@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding) + } + } + } +- getNext()->write(this->outbuf, bytes); + this->offset = 0; ++ getNext()->write(this->outbuf, bytes); + } +diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc +index b8df3e87..9d9f6704 100644 +--- a/libqpdf/Pl_ASCII85Decoder.cc ++++ b/libqpdf/Pl_ASCII85Decoder.cc +@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush() + + QTC::TC("libtests", "Pl_ASCII85Decoder partial flush", + (this->pos == 5) ? 0 : 1); +- getNext()->write(outbuf, this->pos - 1); +- ++ // Reset before calling getNext()->write in case that throws an ++ // exception. ++ auto t = this->pos - 1; + this->pos = 0; + memset(this->inbuf, 117, 5); ++ ++ getNext()->write(outbuf, t); + } + + void +diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc +index f20a9769..7845268e 100644 +--- a/libqpdf/Pl_ASCIIHexDecoder.cc ++++ b/libqpdf/Pl_ASCIIHexDecoder.cc +@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush() + + QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush", + (this->pos == 2) ? 0 : 1); +- getNext()->write(&ch, 1); +- ++ // Reset before calling getNext()->write in case that throws an ++ // exception. + this->pos = 0; + this->inbuf[0] = '0'; + this->inbuf[1] = '0'; + this->inbuf[2] = '\0'; ++ ++ getNext()->write(&ch, 1); + } + + void +diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc +index 8077092a..c35619b8 100644 +--- a/libqpdf/Pl_Count.cc ++++ b/libqpdf/Pl_Count.cc +@@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len) + if (len) + { + this->m->count += QIntC::to_offset(len); +- getNext()->write(buf, len); + this->m->last_char = buf[len - 1]; ++ getNext()->write(buf, len); + } + } + diff --git a/package/qpdf/qpdf.mk b/package/qpdf/qpdf.mk index ec3d3f89a3..c96bf6bf2e 100644 --- a/package/qpdf/qpdf.mk +++ b/package/qpdf/qpdf.mk @@ -14,6 +14,9 @@ QPDF_DEPENDENCIES = host-pkgconf zlib jpeg QPDF_CONF_OPTS = --with-random=/dev/urandom +# 0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch +QPDF_IGNORE_CVES += CVE-2021-36978 + ifeq ($(BR2_PACKAGE_GNUTLS),y) QPDF_CONF_OPTS += --enable-crypto-gnutls QPDF_DEPENDENCIES += gnutls -- 2.30.2