From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
To: buildroot@buildroot.org
Cc: Olivier Schonken <olivier.schonken@gmail.com>,
	Fabrice Fontaine <fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 1/1] package/qpdf: fix CVE-2021-36978
Date: Thu,  5 Aug 2021 11:09:20 +0200
Message-ID: <20210805090920.2107925-1-fontaine.fabrice@gmail.com>

QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer
overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and
Pl_AES_PDF::finish) when a certain downstream write fails.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...to-be-safe-if-downstream-write-fails.patch | 86 +++++++++++++++++++
 package/qpdf/qpdf.mk                          |  3 +
 2 files changed, 89 insertions(+)
 create mode 100644 package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch

diff --git a/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch b/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
new file mode 100644
index 0000000000..70017350f2
--- /dev/null
+++ b/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
@@ -0,0 +1,86 @@
+From dc92574c10f3e2516ec6445b88c5d584f40df4e5 Mon Sep 17 00:00:00 2001
+From: Jay Berkenbilt <ejb@ql.org>
+Date: Mon, 4 Jan 2021 11:55:28 -0500
+Subject: [PATCH] Fix some pipelines to be safe if downstream write fails (fuzz
+ issue 28262)
+
+[Retrieved (and updated to remove updates on ChangeLog and fuzz) from:
+https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ ChangeLog                     |   6 ++++++
+ fuzz/qpdf_extra/28262.fuzz    | Bin 0 -> 40395 bytes
+ libqpdf/Pl_AES_PDF.cc         |   2 +-
+ libqpdf/Pl_ASCII85Decoder.cc  |   7 +++++--
+ libqpdf/Pl_ASCIIHexDecoder.cc |   6 ++++--
+ libqpdf/Pl_Count.cc           |   2 +-
+ 6 files changed, 17 insertions(+), 6 deletions(-)
+ create mode 100644 fuzz/qpdf_extra/28262.fuzz
+
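Review bot: the embedded diffstat still lists ChangeLog, fuzz/qpdf_extra/28262.fuzz and the "create mode 100644 fuzz/qpdf_extra/28262.fuzz" line, even though the bracketed note just above says those parts were removed from this backport, so "6 files changed, 17 insertions(+), 6 deletions(-)" no longer matches the four libqpdf hunks that follow. Suggest regenerating the stat after trimming (or dropping it) so anyone auditing what the package actually applies sees a self-consistent patch.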
+diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
+index 18cf3a4d..2865f804 100644
+--- a/libqpdf/Pl_AES_PDF.cc
++++ b/libqpdf/Pl_AES_PDF.cc
+@@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
+ 	    }
+ 	}
+     }
+-    getNext()->write(this->outbuf, bytes);
+     this->offset = 0;
++    getNext()->write(this->outbuf, bytes);
+ }
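Review bot: this reorder carries no comment explaining why `this->offset = 0;` now precedes `getNext()->write(this->outbuf, bytes);`, whereas the two decoder hunks below say "Reset before calling getNext()->write in case that throws an exception." Suggest adding the same comment here, since that reason is the whole point of the fix: if the downstream write throws with offset still holding its pre-flush value, a later write() or finish() resumes from stale state, which is the failure mode the commit message describes. The move is otherwise safe because write() only reads outbuf and bytes, not offset.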
+diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc
+index b8df3e87..9d9f6704 100644
+--- a/libqpdf/Pl_ASCII85Decoder.cc
++++ b/libqpdf/Pl_ASCII85Decoder.cc
+@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
+ 
+     QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
+ 	    (this->pos == 5) ? 0 : 1);
+-    getNext()->write(outbuf, this->pos - 1);
+-
++    // Reset before calling getNext()->write in case that throws an
++    // exception.
++    auto t = this->pos - 1;
+     this->pos = 0;
+     memset(this->inbuf, 117, 5);
++
++    getNext()->write(outbuf, t);
+ }
+ 
+ void
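Review bot: `auto t = this->pos - 1;` deserves a descriptive name such as `out_len` and a short comment that a group of pos input characters decodes to pos - 1 output bytes, which is why the length is captured before pos is cleared. The ordering itself is right: pos is zeroed and inbuf re-padded with 117 ('u') before the downstream write, so a throwing write leaves the decoder in its initial state rather than with pos sitting at the 5-byte boundary the QTC line checks for, which is the condition the commit message ties to the heap overflow in Pl_ASCII85Decoder::write.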
+diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc
+index f20a9769..7845268e 100644
+--- a/libqpdf/Pl_ASCIIHexDecoder.cc
++++ b/libqpdf/Pl_ASCIIHexDecoder.cc
+@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
+ 
+     QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
+ 	    (this->pos == 2) ? 0 : 1);
+-    getNext()->write(&ch, 1);
+-
++    // Reset before calling getNext()->write in case that throws an
++    // exception.
+     this->pos = 0;
+     this->inbuf[0] = '0';
+     this->inbuf[1] = '0';
+     this->inbuf[2] = '\0';
++
++    getNext()->write(&ch, 1);
+ }
+ 
+ void
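Review bot: the reset of pos and inbuf now precedes `getNext()->write(&ch, 1);`, matching the ASCII85 hunk, so a throwing downstream write cannot leave pos at 2 (the full-buffer value the QTC line checks) for the next write() call. One wording point for the new comment: ch is not touched by the reset lines, so the byte handed downstream is unaffected by the '0' fill of inbuf just above it; saying so explicitly would spare a reader from wondering whether the buffer overwrite corrupts the value being written.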
+diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc
+index 8077092a..c35619b8 100644
+--- a/libqpdf/Pl_Count.cc
++++ b/libqpdf/Pl_Count.cc
+@@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
+     if (len)
+     {
+ 	this->m->count += QIntC::to_offset(len);
+-	getNext()->write(buf, len);
+ 	this->m->last_char = buf[len - 1];
++	getNext()->write(buf, len);
+     }
+ }
+ 
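Review bot: after this reorder `this->m->count` and `this->m->last_char` are updated before `getNext()->write(buf, len);`, so if the downstream write throws, count already includes bytes that were never delivered. That is the intended trade (state is never left half-updated on the error path), but it changes what count means after an exception and should be noted in a comment or the class documentation: callers that read the count after catching the exception get "bytes offered", not "bytes written". The `buf[len - 1]` access stays under the `if (len)` guard, so the move introduces no new out-of-bounds read.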
diff --git a/package/qpdf/qpdf.mk b/package/qpdf/qpdf.mk
index ec3d3f89a3..c96bf6bf2e 100644
--- a/package/qpdf/qpdf.mk
+++ b/package/qpdf/qpdf.mk
@@ -14,6 +14,9 @@ QPDF_DEPENDENCIES = host-pkgconf zlib jpeg
 
 QPDF_CONF_OPTS = --with-random=/dev/urandom
 
+# 0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
+QPDF_IGNORE_CVES += CVE-2021-36978
+
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 QPDF_CONF_OPTS += --enable-crypto-gnutls
 QPDF_DEPENDENCIES += gnutls
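Review bot: tying the QPDF_IGNORE_CVES entry to the 0002 patch via the comment above it follows the Buildroot convention, but the entry must be removed when the package is bumped to a release that already contains upstream commit dc92574c10f3e2516ec6445b88c5d584f40df4e5, otherwise it silently masks any later report against the same CVE id. Please also confirm that the 0002 number does not collide with an existing patch under package/qpdf/, since only this new file appears in the diffstat.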
-- 
2.30.2
