diff --git a/qpdf-6.0.0-CVE-2017-9208.patch b/qpdf-6.0.0-CVE-2017-9208.patch deleted file mode 100644 index 0dce309..0000000 --- a/qpdf-6.0.0-CVE-2017-9208.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDF.cc ---- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 2017-08-03 08:53:32.806072781 +0200 -+++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-03 08:55:39.529073703 +0200 -@@ -1340,6 +1340,13 @@ QPDF::readObjectAtOffset(bool try_recove - objid = atoi(tobjid.getValue().c_str()); - generation = atoi(tgen.getValue().c_str()); - -+ if (objid == 0) -+ { -+ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(), -+ this->last_object_description, offset, -+ "object with ID 0"); -+ } -+ - if ((exp_objid >= 0) && - (! ((objid == exp_objid) && (generation == exp_generation)))) - { -diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc ---- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 2015-11-10 18:48:52.000000000 +0100 -+++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc 2017-08-03 08:54:50.264499428 +0200 -@@ -1090,6 +1090,15 @@ QPDFObjectHandle::parseInternal(PointerH - QPDFObjectHandle - QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation) - { -+ if (objid == 0) -+ { -+ // Special case: QPDF uses objid 0 as a sentinel for direct -+ // objects, and the PDF specification doesn't allow for object -+ // 0. Treat indirect references to object 0 as null so that we -+ // never create an indirect object with objid 0. -+ return newNull(); -+ } -+ - return QPDFObjectHandle(qpdf, objid, generation); - } - diff --git a/qpdf-6.0.0-CVE-2017-9209.patch b/qpdf-6.0.0-CVE-2017-9209.patch deleted file mode 100644 index 6af336f..0000000 --- a/qpdf-6.0.0-CVE-2017-9209.patch +++ /dev/null @@ -1,37 +0,0 @@ -diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 qpdf-6.0.0/include/qpdf/QPDF.hh ---- qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 2017-08-03 10:00:17.489291722 +0200 -+++ qpdf-6.0.0/include/qpdf/QPDF.hh 2017-08-03 10:00:17.494291685 +0200 -@@ -1095,6 +1095,7 @@ class QPDF - // copied_stream_data_provider is owned by copied_streams - CopiedStreamDataProvider* copied_stream_data_provider; - std::set attachment_streams; -+ bool reconstructed_xref; - - // Linearization data - qpdf_offset_t first_xref_item_offset; // actual value from file -diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 qpdf-6.0.0/libqpdf/QPDF.cc ---- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 2017-08-03 10:00:17.491291707 +0200 -+++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-03 10:01:43.243661883 +0200 -@@ -93,6 +93,7 @@ QPDF::QPDF() : - cached_key_generation(0), - pushed_inherited_attributes_to_pages(false), - copied_stream_data_provider(0), -+ reconstructed_xref(false), - first_xref_item_offset(0), - uncompressed_after_compressed(false) - { -@@ -331,6 +332,14 @@ QPDF::setTrailer(QPDFObjectHandle obj) - void - QPDF::reconstruct_xref(QPDFExc& e) - { -+ if (this->reconstructed_xref) -+ { -+ // Avoid xref reconstruction infinite loops -+ throw e; -+ } -+ -+ this->reconstructed_xref = true; -+ - PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b"); - PCRE endobj_re("^\\s*endobj\\b"); - PCRE trailer_re("^\\s*trailer\\b"); diff --git a/qpdf-6.0.0-CVE-2017-9210.patch b/qpdf-6.0.0-CVE-2017-9210.patch deleted file mode 100644 index e3ce8e9..0000000 --- a/qpdf-6.0.0-CVE-2017-9210.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc ---- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210 2017-08-03 10:09:46.670111267 +0200 -+++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc 2017-08-03 10:10:56.430600663 +0200 -@@ -1076,8 +1076,7 @@ QPDFObjectHandle::parseInternal(PointerH - throw QPDFExc( - qpdf_e_damaged_pdf, - input->getName(), object_description, offset, -- std::string("dictionary key not name (") + -- key_obj.unparse() + ")"); -+ std::string("dictionary key is not not a name token")); - } - dict[key_obj.getName()] = val; - } diff --git a/qpdf-6.0.0-detect-recursions.patch b/qpdf-6.0.0-detect-recursions.patch deleted file mode 100644 index ae87d80..0000000 --- a/qpdf-6.0.0-detect-recursions.patch +++ /dev/null @@ -1,61 +0,0 @@ -diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions qpdf-6.0.0/include/qpdf/QPDF.hh ---- qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions 2015-11-10 18:48:52.000000000 +0100 -+++ qpdf-6.0.0/include/qpdf/QPDF.hh 2017-08-02 08:41:17.500831407 +0200 -@@ -603,6 +603,25 @@ class QPDF - int gen; - }; - -+ class ResolveRecorder -+ { -+ public: -+ ResolveRecorder(QPDF* qpdf, QPDFObjGen const& og) : -+ qpdf(qpdf), -+ og(og) -+ { -+ qpdf->resolving.insert(og); -+ } -+ virtual ~ResolveRecorder() -+ { -+ this->qpdf->resolving.erase(og); -+ } -+ private: -+ QPDF* qpdf; -+ QPDFObjGen og; -+ }; -+ friend class ResolveRecorder; -+ - void parse(char const* password); - void warn(QPDFExc const& e); - void setTrailer(QPDFObjectHandle obj); -@@ -1065,6 +1084,7 @@ class QPDF - std::map xref_table; - std::set deleted_objects; - std::map obj_cache; -+ std::set resolving; - QPDFObjectHandle trailer; - std::vector all_pages; - std::map pageobj_to_pages_pos; -diff -up qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions qpdf-6.0.0/libqpdf/QPDF.cc ---- qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions 2015-11-10 18:48:52.000000000 +0100 -+++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-02 08:42:19.070393817 +0200 -@@ -1453,6 +1453,20 @@ QPDF::resolve(int objid, int generation) - // to insert things into the object cache that don't actually - // exist in the file. - QPDFObjGen og(objid, generation); -+ if (this->resolving.count(og)) -+ { -+ // This can happen if an object references itself directly or -+ // indirectly in some key that has to be resolved during -+ // object parsing, such as stream length. -+ warn(QPDFExc(qpdf_e_damaged_pdf, this->file->getName(), -+ "", this->file->getLastOffset(), -+ "loop detected resolving object " + -+ QUtil::int_to_string(objid) + " " + -+ QUtil::int_to_string(generation))); -+ return new QPDF_Null; -+ } -+ ResolveRecorder rr(this, og); -+ - if (! this->obj_cache.count(og)) - { - if (! this->xref_table.count(og)) diff --git a/qpdf.spec b/qpdf.spec index 7ec69dd..7dbfe8f 100644 --- a/qpdf.spec +++ b/qpdf.spec @@ -1,17 +1,13 @@ Summary: Command-line tools and library for transforming PDF files Name: qpdf Version: 6.0.0 -Release: 4%{?dist} +Release: 5%{?dist} # MIT: e.g. libqpdf/sha2.c License: Artistic 2.0 and MIT URL: http://qpdf.sourceforge.net/ Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.gz Patch0: qpdf-doc.patch -Patch1: qpdf-6.0.0-detect-recursions.patch -Patch2: qpdf-6.0.0-CVE-2017-9208.patch -Patch3: qpdf-6.0.0-CVE-2017-9209.patch -Patch4: qpdf-6.0.0-CVE-2017-9210.patch BuildRequires: zlib-devel BuildRequires: pcre-devel @@ -67,10 +63,6 @@ QPDF Manual # fix 'complete manual location' note in man pages %patch0 -p1 -b .doc -%patch1 -p1 -b .detect-recursions -%patch2 -p1 -b .CVE-2017-9208 -%patch3 -p1 -b .CVE-2017-9209 -%patch4 -p1 -b .CVE-2017-9210 sed -i -e '1s,^#!/usr/bin/env perl,#!/usr/bin/perl,' qpdf/fix-qdf @@ -116,6 +108,9 @@ make check %changelog +* Mon Aug 07 2017 Zdenek Dohnal - 6.0.0-5 +- removing patches for CVEs, because they break other things now + * Thu Aug 03 2017 Zdenek Dohnal - 6.0.0-4 - 1477213 - Detect recursions loop resolving objects - 1454820 - CVE-2017-9208