From c2eb6d26c30ef91fb4fd6564a0e05bfb53d7e965 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Sat, 26 Feb 2022 18:24:49 +0800
Subject: [PATCH] Fix CVE-2019-11459
---
 CVE-2019-11459.patch | 72 ++++++++++++++++++++++++++++++++++++++++++++
 evince.spec | 6 +++-
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-11459.patch
diff --git a/CVE-2019-11459.patch b/CVE-2019-11459.patch
new file mode 100644
index 0000000..4717d55
--- /dev/null
+++ b/CVE-2019-11459.patch
@@ -0,0 +1,72 @@
+From 234f034a4d15cd46dd556f4945f99fbd57ef5f15 Mon Sep 17 00:00:00 2001
+From: Jason Crain
+Date: Mon, 15 Apr 2019 23:06:36 -0600
+Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+Fixes #1129
+---
+ backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 7715031b9..38bb3bd8f 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -292,18 +292,22 @@ tiff_document_render (EvDocument *document,
+ g_warning("Failed to allocate memory for rendering.");
+ return NULL;
+ }
+-
++
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ orientation, 0)) {
++ g_warning ("Failed to read TIFF image.");
++ g_free (pixels);
++ return NULL;
++ }
++
+ surface = cairo_image_surface_create_for_data (pixels,
+ CAIRO_FORMAT_RGB24,
+ width, height,
+ rowstride);
+ cairo_surface_set_user_data (surface, &key,
+ pixels, (cairo_destroy_func_t)g_free);
+-
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- orientation, 0);
+ pop_handlers ();
+
+ /* Convert the format returned by libtiff to
+@@ -384,13 +388,17 @@ tiff_document_get_thumbnail (EvDocument *document,
+ if (!pixels)
+ return NULL;
+
++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++ width, height,
++ (uint32 *)pixels,
++ ORIENTATION_TOPLEFT, 0)) {
++ g_free (pixels);
++ return NULL;
++ }
++
+ pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8,
+ width, height, rowstride,
+ (GdkPixbufDestroyNotify) g_free, NULL);
+- TIFFReadRGBAImageOriented (tiff_document->tiff,
+- width, height,
+- (uint32 *)pixels,
+- ORIENTATION_TOPLEFT, 0);
+ pop_handlers ();
+
+ ev_render_context_compute_scaled_size (rc, width, height * (x_res / y_res),
+--
+GitLab
+
diff --git a/evince.spec b/evince.spec
index 756e786..330a67c 100644
--- a/evince.spec
+++ b/evince.spec
@@ -1,12 +1,13 @@
 Name: evince
 Version: 3.30.1
-Release: 3
+Release: 4
 Summary: Document viewer for multiple document formats
 License: GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse
 URL: https://wiki.gnome.org/Apps/Evince
 Source0: https://download.gnome.org/sources/%{name}/3.30/%{name}-%{version}.tar.xz
 Patch0: evince-3.21.4-NPNVToolKit.patch
 Patch1: 0001-Resolves-deb-762530-rhbz-1061177-add-man-pages.patch
+Patch2: CVE-2019-11459.patch
 BuildRequires: pkgconfig(gio-unix-2.0) >= 2.36.0 pkgconfig(gtk+-x11-3.0) >= 3.16.0 pkgconfig(gnome-desktop-3.0)
 BuildRequires: pkgconfig(poppler-glib) >= 0.24.0 pkgconfig(libgxps) >= 0.2.1 pkgconfig(gobject-introspection-1.0)
@@ -102,5 +103,8 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/org.gnome.Evince-p
 %changelog
+* Sat Feb 26 2022 yaoxin - 3.30.1-4
+- Fix CVE-2019-11459
+
 * Mon Dec 2 2019 chenzhenyu - 3.30.1-3
 - Package init
--
Gitee
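Review bot: Both added failure branches return before the `pop_handlers ();` call that the success path reaches, once in `tiff_document_render` and again in `tiff_document_get_thumbnail`. The matching push is outside these hunks, so this is only a defect if the libtiff handlers are still installed at that point; if they are, put `pop_handlers ();` ahead of `g_free (pixels);` in each branch so a malformed TIFF cannot leave them installed. The thumbnail branch also fails silently where the render branch logs `g_warning ("Failed to read TIFF image.");`, and the same warning there would make a rejected file visible in logs. Both functions begin and end outside the hunks shown.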
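Review bot: `Patch2: CVE-2019-11459.patch` only declares the patch, and neither evince.spec hunk touches `%prep`, so whether the fix is actually applied depends on lines not shown here. If `%prep` lists patches one by one (`%patch0`, `%patch1`) rather than using `%autosetup` or `%autopatch`, it also needs `%patch2 -p1`; otherwise 3.30.1-4 would carry a changelog entry claiming the CVE fix while building unpatched source. A quick check is to run `rpmbuild -bp evince.spec` and confirm that `backend/tiff/tiff-document.c` in the prepared tree contains the new `g_warning ("Failed to read TIFF image.");` line.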