[meta-openembedded][kirkstone][PATCH 1/1] poppler: fix CVE-2021-30860


Urade, Yogita
 

An integer overflow was addressed with improved input validation. This
issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS
14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted
PDF may lead to arbitrary code execution. Apple is aware of a report that
this issue may have been actively exploited.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-30860

Upstream patches:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52

Signed-off-by: Yogita Urade <yogita.urade@...>
---
 .../poppler/poppler/CVE-2021-30860.patch      | 40 +++++++++++++++++++
 .../poppler/poppler_22.04.0.bb                |  3 +-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/poppler/poppler/CVE-2021-30860.patch

diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2021-30860.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2021-30860.patch
new file mode 100644
index 000000000..3dc4ec1c9
--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2021-30860.patch
@@ -0,0 +1,40 @@
+From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@...>
+Date: Thu, 25 Aug 2022 00:14:22 +0200
+Subject: [PATCH] JBIG2Stream: Fix crash on broken file
+
+https://github.com/jeffssh/CVE-2021-30860
+
+Thanks to David Warren for the heads up
+
+Upstream-Status: Backport
+CVE: CVE-2021-30860
+
+Reference to upstream patch:
+[https://gitlab.freedesktop.org/poppler/poppler/-/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@...>
+---
+ poppler/JBIG2Stream.cc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index 7099608..5b4110b 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -1955,7 +1955,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
+     for (i = 0; i < nRefSegs; ++i) {
+         if ((seg = findSegment(refSegs[i]))) {
+             if (seg->getType() == jbig2SegSymbolDict) {
+-                numSyms += ((JBIG2SymbolDict *)seg)->getSize();
++                const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
++                if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) {
++                    error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
++                    return;
++                }
+             } else if (seg->getType() == jbig2SegCodeTable) {
+                 codeTables.push_back(seg);
+             }
+--
+2.37.1
+
diff --git a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
index b7cdb4f1b..fa87bafad 100644
--- a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
+++ b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
@@ -6,7 +6,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
 SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
            file://0001-Do-not-overwrite-all-our-build-flags.patch \
            file://basename-include.patch \
-           "
+           file://CVE-2021-30860.patch \
+           "
 SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"
 
 DEPENDS = "fontconfig zlib cairo lcms glib-2.0"
--
2.32.0

 

 

Sent from Mail for Windows