Bug 747151 (CVE-2020-26519)

Summary:	<app-text/mupdf-1.18.0: Heap based buffer over-write when parsing JBIG (CVE-2020-26519)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	gentoo, graaff, jesse, johu
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://github.com/gentoo/gentoo/pull/17898 https://github.com/gentoo/gentoo/pull/17919 https://bugs.gentoo.org/show_bug.cgi?id=748558 https://bugs.gentoo.org/show_bug.cgi?id=750377
Whiteboard:	B3 [glsa+ cve]
Package list:		Runtime testing required:	---

Description Sam James archtester

2020-10-07 19:11:36 UTC

"Artifex MuPDF before 1.18.0 has a heap based buffer over-write when parsing JBIG2 files allowing attackers to cause a denial of service."

Bug (restricted): https://bugs.ghostscript.com/show_bug.cgi?id=702937
Patch: https://bugs.ghostscript.com/show_bug.cgi?id=702937

Comment 1 Larry the Git Cow gentoo-dev

2020-10-13 23:21:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=197b4aee35918341c66b38a761b111d978b00fa6

commit 197b4aee35918341c66b38a761b111d978b00fa6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-10-13 23:21:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-13 23:21:39 +0000

    app-text/mupdf: add additional security patches
    
    * Harden populate_ui against unexpected repairs [0]
    * Fix overflow in fz_clear_pixmap_with_value [1]
    
    Both patches were committed post-1.18.0 upstream.
    
    [0] https://github.com/ArtifexSoftware/mupdf/commit/b82e9b6d6b46877e5c376.patch
    [1] https://github.com/ArtifexSoftware/mupdf/commit/32e4e8b4bcbacbf92af7c.patch
    
    Bug: https://bugs.gentoo.org/747151
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/mupdf-1.18.0-fix-oob-in-pdf-layer.c      | 102 +++++++++++++++++++++
 .../mupdf/files/mupdf-1.18.0-fix-oob-in-pixmap.c   |  41 +++++++++
 app-text/mupdf/mupdf-1.18.0.ebuild                 |   3 +
 3 files changed, 146 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a986634efb6c5c0842444e989d86e10472412699

commit a986634efb6c5c0842444e989d86e10472412699
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2020-10-12 10:51:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-13 23:21:38 +0000

    app-text/mupdf: bump to 1.18.0 (CVE-2020-26519)
    
    Bug: https://bugs.gentoo.org/747151
    Removing some keywords (RDEPEND dev-libs/gumbo)
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/17898
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/mupdf/Manifest                            |   1 +
 app-text/mupdf/files/mupdf-1.18-Makefile.patch     |  42 ++++++
 .../mupdf/files/mupdf-1.18.0-cross-fixes.patch     | 128 ++++++++++++++++++
 app-text/mupdf/mupdf-1.18.0.ebuild                 | 150 +++++++++++++++++++++
 4 files changed, 321 insertions(+)

Comment 2 NATTkA bot gentoo-dev

2020-10-13 23:24:58 UTC Comment hidden (obsolete)

Sanity check failed:

> app-text/mupdf-1.18.0
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]

Comment 3 Sam James archtester

2020-10-13 23:25:55 UTC

Ugh. We will need to see if we can improve the LibreSSL dep here because 3.2.0 is not stable upstream.

Comment 4 NATTkA bot gentoo-dev

2020-10-14 18:37:01 UTC Comment hidden (obsolete)

Sanity check failed:

> app-text/mupdf-1.18.0
>   depend amd64 stable profile default/linux/amd64/17.0 (58 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (58 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]

Comment 5 NATTkA bot gentoo-dev

2020-10-14 19:33:01 UTC Comment hidden (obsolete)

Sanity check failed:

> app-text/mupdf-1.18.0
>   depend amd64 stable profile default/linux/amd64/17.0 (59 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (59 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=dev-libs/libressl-3.2.0:0=[static-libs]

Comment 6 Larry the Git Cow gentoo-dev

2020-10-14 19:51:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ebc61a7729ce75f3593703cfce7216983f2fb6c

commit 9ebc61a7729ce75f3593703cfce7216983f2fb6c
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2020-10-14 05:07:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-14 19:51:19 +0000

    profiles/base/p.use.stable.mask: add app-text/mupdf[libressl]
    
    Bug: https://bugs.gentoo.org/747151
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/17919
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/base/package.use.stable.mask | 5 +++++
 1 file changed, 5 insertions(+)

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2020-10-15 22:47:01 UTC

ppc/ppc64 stable

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2020-10-18 15:12:22 UTC

x86 stable

Comment 9 Sam James archtester

2020-10-18 23:53:55 UTC

arm done

Comment 10 Sam James archtester

2020-10-19 03:14:39 UTC

arm64 done

Comment 11 Sam James archtester

2020-11-01 15:24:44 UTC

amd64 done

all arches done

Comment 12 NATTkA bot gentoo-dev

2020-11-03 03:56:53 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: app-text/mupdf-1.18.0

Comment 13 NATTkA bot gentoo-dev

2020-11-10 05:21:07 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: app-text/mupdf-1.18.0-r1

Comment 14 John Helmert III archtester

2020-12-27 09:25:44 UTC

Ping for cleanup (and vote)

Comment 15 NATTkA bot gentoo-dev

2020-12-27 09:28:56 UTC

Unable to check for sanity:

> no match for package: app-text/mupdf-1.18.0-r1

Comment 16 Larry the Git Cow gentoo-dev

2021-01-18 00:47:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0db1d8bdcd759b37b1e6190eaee89ac963c14149

commit 0db1d8bdcd759b37b1e6190eaee89ac963c14149
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-18 00:40:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-18 00:46:35 +0000

    app-text/mupdf: security cleanup
    
    Bug: https://bugs.gentoo.org/747151
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/mupdf/Manifest            |   1 -
 app-text/mupdf/mupdf-1.17.0.ebuild | 144 -------------------------------------
 2 files changed, 145 deletions(-)

Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-25 20:59:46 UTC

Adding to an existing GLSA request.

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2021-05-26 10:29:08 UTC

This issue was resolved and addressed in
 GLSA 202105-30 at https://security.gentoo.org/glsa/202105-30
by GLSA coordinator Thomas Deutschmann (whissi).