* [Buildroot] [PATCH 1/1] package/qpdf: fix CVE-2021-36978
@ 2021-08-05 9:09 Fabrice Fontaine
2021-08-05 19:07 ` Arnout Vandecappelle
2021-08-08 9:50 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-08-05 9:09 UTC (permalink / raw)
To: buildroot; +Cc: Olivier Schonken, Fabrice Fontaine
QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer
overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and
Pl_AES_PDF::finish) when a certain downstream write fails.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...to-be-safe-if-downstream-write-fails.patch | 86 +++++++++++++++++++
package/qpdf/qpdf.mk | 3 +
2 files changed, 89 insertions(+)
create mode 100644 package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
diff --git a/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch b/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
new file mode 100644
index 0000000000..70017350f2
--- /dev/null
+++ b/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
@@ -0,0 +1,86 @@
+From dc92574c10f3e2516ec6445b88c5d584f40df4e5 Mon Sep 17 00:00:00 2001
+From: Jay Berkenbilt <ejb@ql.org>
+Date: Mon, 4 Jan 2021 11:55:28 -0500
+Subject: [PATCH] Fix some pipelines to be safe if downstream write fails (fuzz
+ issue 28262)
+
+[Retrieved (and updated to remove updates on ChangeLog and fuzz) from:
+https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ ChangeLog | 6 ++++++
+ fuzz/qpdf_extra/28262.fuzz | Bin 0 -> 40395 bytes
+ libqpdf/Pl_AES_PDF.cc | 2 +-
+ libqpdf/Pl_ASCII85Decoder.cc | 7 +++++--
+ libqpdf/Pl_ASCIIHexDecoder.cc | 6 ++++--
+ libqpdf/Pl_Count.cc | 2 +-
+ 6 files changed, 17 insertions(+), 6 deletions(-)
+ create mode 100644 fuzz/qpdf_extra/28262.fuzz
+
+diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
+index 18cf3a4d..2865f804 100644
+--- a/libqpdf/Pl_AES_PDF.cc
++++ b/libqpdf/Pl_AES_PDF.cc
+@@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
+ }
+ }
+ }
+- getNext()->write(this->outbuf, bytes);
+ this->offset = 0;
++ getNext()->write(this->outbuf, bytes);
+ }
+diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc
+index b8df3e87..9d9f6704 100644
+--- a/libqpdf/Pl_ASCII85Decoder.cc
++++ b/libqpdf/Pl_ASCII85Decoder.cc
+@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
+
+ QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
+ (this->pos == 5) ? 0 : 1);
+- getNext()->write(outbuf, this->pos - 1);
+-
++ // Reset before calling getNext()->write in case that throws an
++ // exception.
++ auto t = this->pos - 1;
+ this->pos = 0;
+ memset(this->inbuf, 117, 5);
++
++ getNext()->write(outbuf, t);
+ }
+
+ void
+diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc
+index f20a9769..7845268e 100644
+--- a/libqpdf/Pl_ASCIIHexDecoder.cc
++++ b/libqpdf/Pl_ASCIIHexDecoder.cc
+@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
+
+ QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
+ (this->pos == 2) ? 0 : 1);
+- getNext()->write(&ch, 1);
+-
++ // Reset before calling getNext()->write in case that throws an
++ // exception.
+ this->pos = 0;
+ this->inbuf[0] = '0';
+ this->inbuf[1] = '0';
+ this->inbuf[2] = '\0';
++
++ getNext()->write(&ch, 1);
+ }
+
+ void
+diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc
+index 8077092a..c35619b8 100644
+--- a/libqpdf/Pl_Count.cc
++++ b/libqpdf/Pl_Count.cc
+@@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
+ if (len)
+ {
+ this->m->count += QIntC::to_offset(len);
+- getNext()->write(buf, len);
+ this->m->last_char = buf[len - 1];
++ getNext()->write(buf, len);
+ }
+ }
+
diff --git a/package/qpdf/qpdf.mk b/package/qpdf/qpdf.mk
index ec3d3f89a3..c96bf6bf2e 100644
--- a/package/qpdf/qpdf.mk
+++ b/package/qpdf/qpdf.mk
@@ -14,6 +14,9 @@ QPDF_DEPENDENCIES = host-pkgconf zlib jpeg
QPDF_CONF_OPTS = --with-random=/dev/urandom
+# 0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
+QPDF_IGNORE_CVES += CVE-2021-36978
+
ifeq ($(BR2_PACKAGE_GNUTLS),y)
QPDF_CONF_OPTS += --enable-crypto-gnutls
QPDF_DEPENDENCIES += gnutls
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/qpdf: fix CVE-2021-36978
2021-08-05 9:09 [Buildroot] [PATCH 1/1] package/qpdf: fix CVE-2021-36978 Fabrice Fontaine
@ 2021-08-05 19:07 ` Arnout Vandecappelle
2021-08-08 9:50 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Arnout Vandecappelle @ 2021-08-05 19:07 UTC (permalink / raw)
To: Fabrice Fontaine, buildroot; +Cc: Olivier Schonken
On 05/08/2021 11:09, Fabrice Fontaine wrote:
> QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer
> overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and
> Pl_AES_PDF::finish) when a certain downstream write fails.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> ...to-be-safe-if-downstream-write-fails.patch | 86 +++++++++++++++++++
> package/qpdf/qpdf.mk | 3 +
> 2 files changed, 89 insertions(+)
> create mode 100644 package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
>
> diff --git a/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch b/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
> new file mode 100644
> index 0000000000..70017350f2
> --- /dev/null
> +++ b/package/qpdf/0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
> @@ -0,0 +1,86 @@
> +From dc92574c10f3e2516ec6445b88c5d584f40df4e5 Mon Sep 17 00:00:00 2001
> +From: Jay Berkenbilt <ejb@ql.org>
> +Date: Mon, 4 Jan 2021 11:55:28 -0500
> +Subject: [PATCH] Fix some pipelines to be safe if downstream write fails (fuzz
> + issue 28262)
> +
> +[Retrieved (and updated to remove updates on ChangeLog and fuzz) from:
> +https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + ChangeLog | 6 ++++++
> + fuzz/qpdf_extra/28262.fuzz | Bin 0 -> 40395 bytes
> + libqpdf/Pl_AES_PDF.cc | 2 +-
> + libqpdf/Pl_ASCII85Decoder.cc | 7 +++++--
> + libqpdf/Pl_ASCIIHexDecoder.cc | 6 ++++--
> + libqpdf/Pl_Count.cc | 2 +-
> + 6 files changed, 17 insertions(+), 6 deletions(-)
> + create mode 100644 fuzz/qpdf_extra/28262.fuzz
> +
> +diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
> +index 18cf3a4d..2865f804 100644
> +--- a/libqpdf/Pl_AES_PDF.cc
> ++++ b/libqpdf/Pl_AES_PDF.cc
> +@@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
> + }
> + }
> + }
> +- getNext()->write(this->outbuf, bytes);
> + this->offset = 0;
> ++ getNext()->write(this->outbuf, bytes);
> + }
> +diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc
> +index b8df3e87..9d9f6704 100644
> +--- a/libqpdf/Pl_ASCII85Decoder.cc
> ++++ b/libqpdf/Pl_ASCII85Decoder.cc
> +@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
> +
> + QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
> + (this->pos == 5) ? 0 : 1);
> +- getNext()->write(outbuf, this->pos - 1);
> +-
> ++ // Reset before calling getNext()->write in case that throws an
> ++ // exception.
> ++ auto t = this->pos - 1;
> + this->pos = 0;
> + memset(this->inbuf, 117, 5);
> ++
> ++ getNext()->write(outbuf, t);
> + }
> +
> + void
> +diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc
> +index f20a9769..7845268e 100644
> +--- a/libqpdf/Pl_ASCIIHexDecoder.cc
> ++++ b/libqpdf/Pl_ASCIIHexDecoder.cc
> +@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
> +
> + QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
> + (this->pos == 2) ? 0 : 1);
> +- getNext()->write(&ch, 1);
> +-
> ++ // Reset before calling getNext()->write in case that throws an
> ++ // exception.
> + this->pos = 0;
> + this->inbuf[0] = '0';
> + this->inbuf[1] = '0';
> + this->inbuf[2] = '\0';
> ++
> ++ getNext()->write(&ch, 1);
> + }
> +
> + void
> +diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc
> +index 8077092a..c35619b8 100644
> +--- a/libqpdf/Pl_Count.cc
> ++++ b/libqpdf/Pl_Count.cc
> +@@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
> + if (len)
> + {
> + this->m->count += QIntC::to_offset(len);
> +- getNext()->write(buf, len);
> + this->m->last_char = buf[len - 1];
> ++ getNext()->write(buf, len);
> + }
> + }
> +
> diff --git a/package/qpdf/qpdf.mk b/package/qpdf/qpdf.mk
> index ec3d3f89a3..c96bf6bf2e 100644
> --- a/package/qpdf/qpdf.mk
> +++ b/package/qpdf/qpdf.mk
> @@ -14,6 +14,9 @@ QPDF_DEPENDENCIES = host-pkgconf zlib jpeg
>
> QPDF_CONF_OPTS = --with-random=/dev/urandom
>
> +# 0002-Fix-some-pipelines-to-be-safe-if-downstream-write-fails.patch
> +QPDF_IGNORE_CVES += CVE-2021-36978
> +
> ifeq ($(BR2_PACKAGE_GNUTLS),y)
> QPDF_CONF_OPTS += --enable-crypto-gnutls
> QPDF_DEPENDENCIES += gnutls
>
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/qpdf: fix CVE-2021-36978
2021-08-05 9:09 [Buildroot] [PATCH 1/1] package/qpdf: fix CVE-2021-36978 Fabrice Fontaine
2021-08-05 19:07 ` Arnout Vandecappelle
@ 2021-08-08 9:50 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-08-08 9:50 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Olivier Schonken, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer
> overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and
> Pl_AES_PDF::finish) when a certain downstream write fails.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-08 9:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-05 9:09 [Buildroot] [PATCH 1/1] package/qpdf: fix CVE-2021-36978 Fabrice Fontaine
2021-08-05 19:07 ` Arnout Vandecappelle
2021-08-08 9:50 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.