diff --git a/CVE-2021-25786.patch b/CVE-2021-25786.patch new file mode 100644 index 0000000000000000000000000000000000000000..f0852f1f4524eab4c23a442cda6b79a66369f626 --- /dev/null +++ b/CVE-2021-25786.patch @@ -0,0 +1,85 @@ +From 74e00158f5da252b7f8e75e33dd9393f3ac6d3ef Mon Sep 17 00:00:00 2001 +From: starlet-dx <15929766099@163.com> +Date: Mon, 21 Aug 2023 11:02:15 +0800 +Subject: [PATCH 1/1] Fix some pipelines to be safe if downstream write fails (fuzz + issue 28262) + +Origin: +https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5 +--- + libqpdf/Pl_AES_PDF.cc | 2 +- + libqpdf/Pl_ASCII85Decoder.cc | 7 +++++-- + libqpdf/Pl_ASCIIHexDecoder.cc | 6 ++++-- + libqpdf/Pl_Count.cc | 2 +- + 4 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc +index 5c493cb..64c9f15 100644 +--- a/libqpdf/Pl_AES_PDF.cc ++++ b/libqpdf/Pl_AES_PDF.cc +@@ -260,6 +260,6 @@ Pl_AES_PDF::flush(bool strip_padding) + } + } + } +- getNext()->write(this->outbuf, bytes); + this->offset = 0; ++ getNext()->write(this->outbuf, bytes); + } +diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc +index 3a3b57b..4c888ee 100644 +--- a/libqpdf/Pl_ASCII85Decoder.cc ++++ b/libqpdf/Pl_ASCII85Decoder.cc +@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush() + + QTC::TC("libtests", "Pl_ASCII85Decoder partial flush", + (this->pos == 5) ? 0 : 1); +- getNext()->write(outbuf, this->pos - 1); +- ++ // Reset before calling getNext()->write in case that throws an ++ // exception. ++ auto t = this->pos - 1; + this->pos = 0; + memset(this->inbuf, 117, 5); ++ ++ getNext()->write(outbuf, t); + } + + void +diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc +index d6acab2..6855a25 100644 +--- a/libqpdf/Pl_ASCIIHexDecoder.cc ++++ b/libqpdf/Pl_ASCIIHexDecoder.cc +@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush() + + QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush", + (this->pos == 2) ? 0 : 1); +- getNext()->write(&ch, 1); +- ++ // Reset before calling getNext()->write in case that throws an ++ // exception. + this->pos = 0; + this->inbuf[0] = '0'; + this->inbuf[1] = '0'; + this->inbuf[2] = '\0'; ++ ++ getNext()->write(&ch, 1); + } + + void +diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc +index c76a5e2..6dec58a 100644 +--- a/libqpdf/Pl_Count.cc ++++ b/libqpdf/Pl_Count.cc +@@ -17,8 +17,8 @@ Pl_Count::write(unsigned char* buf, size_t len) + if (len) + { + this->count += len; +- getNext()->write(buf, len); + this->last_char = buf[len - 1]; ++ getNext()->write(buf, len); + } + } + +-- +2.30.0 + diff --git a/qpdf.spec b/qpdf.spec index 3fe8a4b01b405829e9e2a61f2330b1f68ab35e69..42a089ca301bf7a12df1541bf0034e1f33e24c32 100644 --- a/qpdf.spec +++ b/qpdf.spec @@ -1,6 +1,6 @@ Name: qpdf Version: 8.4.2 -Release: 3 +Release: 4 Summary: A command-line program to transform PDF files License: (Artistic 2.0 or ASL 2.0) and MIT URL: http://qpdf.sourceforge.net/ @@ -8,6 +8,8 @@ Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version Patch0000: qpdf-doc.patch Patch0001: qpdf-erase-tests-with-generated-object-stream.patch +# https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5 +Patch0002: CVE-2021-25786.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-turbo-devel pcre-devel BuildRequires: perl-interpreter perl-generators perl(Digest::MD5) @@ -42,6 +44,7 @@ This package contains some man help and other files for %{name}. %prep %setup -n %{name}-%{version} %patch0000 -p1 +%patch0002 -p1 %ifarch aarch64 %patch0001 -p1 %endif @@ -85,6 +88,9 @@ make check %{_mandir}/man1/* %changelog +* Mon Aug 21 2023 yaoxin - 8.4.2-4 +- Fix CVE-2021-25786 + * Wed Mar 02 2022 xu_ping - 8.4.2-3 - fix missing patches due to different arch