From a093e5ddbf8056e59a07fcd0eef4c3b5a5d85f90 Mon Sep 17 00:00:00 2001 From: Stefan Schweizer Date: Sat, 10 Feb 2007 20:31:55 +0000 Subject: [PATCH] Add patch for security bug 162460 Package-Manager: portage-2.1.2-r7 --- app-text/poppler/ChangeLog | 8 ++- app-text/poppler/Manifest | 19 ++++-- .../poppler/files/004_CVE-2007-0104.patch | 63 +++++++++++++++++++ .../poppler/files/digest-poppler-0.5.4-r1 | 3 + app-text/poppler/poppler-0.5.4-r1.ebuild | 49 +++++++++++++++ 5 files changed, 137 insertions(+), 5 deletions(-) create mode 100644 app-text/poppler/files/004_CVE-2007-0104.patch create mode 100644 app-text/poppler/files/digest-poppler-0.5.4-r1 create mode 100644 app-text/poppler/poppler-0.5.4-r1.ebuild diff --git a/app-text/poppler/ChangeLog b/app-text/poppler/ChangeLog index 98baea63e585..06f60336411a 100644 --- a/app-text/poppler/ChangeLog +++ b/app-text/poppler/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for app-text/poppler # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-text/poppler/ChangeLog,v 1.115 2007/01/18 22:41:37 jer Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-text/poppler/ChangeLog,v 1.116 2007/02/10 20:31:55 genstef Exp $ + +*poppler-0.5.4-r1 (10 Feb 2007) + + 10 Feb 2007; +files/004_CVE-2007-0104.patch, + +poppler-0.5.4-r1.ebuild: + Add patch for security bug 162460 18 Jan 2007; Jeroen Roovers poppler-0.5.4.ebuild: Stable for HPPA (bug #147751). diff --git a/app-text/poppler/Manifest b/app-text/poppler/Manifest index d882e8a148cd..ee61667d03c9 100644 --- a/app-text/poppler/Manifest +++ b/app-text/poppler/Manifest 
@@ -1,17 +1,25 @@ +AUX 004_CVE-2007-0104.patch 2581 RMD160 d80464ee04cbbe88379a5c658fc78893515930ea SHA1 b5fd97fee1d364063aaa44d1d01a48906f47f547 SHA256 b29803552a7bebab86c5a93b77b2a1d6ceeace22929ed5050cbf98a91b14eb12 +MD5 be5c2646db5c46bc739ef12b0d7608a0 files/004_CVE-2007-0104.patch 2581 +RMD160 d80464ee04cbbe88379a5c658fc78893515930ea files/004_CVE-2007-0104.patch 2581 +SHA256 b29803552a7bebab86c5a93b77b2a1d6ceeace22929ed5050cbf98a91b14eb12 files/004_CVE-2007-0104.patch 2581 DIST poppler-0.5.3.tar.gz 1049900 RMD160 3456de23955fc4001842c76d32deba308bd7f968 SHA1 e197f5cf56f0676b5ca313577dd6456a393c46ec SHA256 5cfabff39670610fa8f5c33da7b9b0ae89d445445be6d6c245cdce8bf3f24190 DIST poppler-0.5.4.tar.gz 1062401 RMD160 f28c89b03388757067505df3c60a1d878626b0dd SHA1 edf4e4ff17ef86a7f60f097949ad7db53fa2c3b1 SHA256 ca0f880a4ff07391e99b443f0e7c9860241df6a6aaa327b9d811b358d94a29c9 EBUILD poppler-0.5.3.ebuild 1338 RMD160 490692e99337cbc1c00c8847f491e526b8aeeea7 SHA1 ae7367c857d6d17c4435947d4bc5e232d7204237 SHA256 1b6c17fbc74834f65d7ec4d581bbd7d27acadc925a3886224f4b474465b90140 MD5 5905ba7b5c7475f3155ce05820263469 poppler-0.5.3.ebuild 1338 RMD160 490692e99337cbc1c00c8847f491e526b8aeeea7 poppler-0.5.3.ebuild 1338 SHA256 1b6c17fbc74834f65d7ec4d581bbd7d27acadc925a3886224f4b474465b90140 poppler-0.5.3.ebuild 1338 +EBUILD poppler-0.5.4-r1.ebuild 1295 RMD160 6094a00e05a9c104602275042f96c39261757248 SHA1 96609bdaea492e62a29b776628535d871a78ba0d SHA256 466d8540cf8608ea441966cfce1624d509a029fc299baeb05423ec7fe9673022 +MD5 60aa33b2f3e8c1f89082159f90d0cb62 poppler-0.5.4-r1.ebuild 1295 +RMD160 6094a00e05a9c104602275042f96c39261757248 poppler-0.5.4-r1.ebuild 1295 +SHA256 466d8540cf8608ea441966cfce1624d509a029fc299baeb05423ec7fe9673022 poppler-0.5.4-r1.ebuild 1295 EBUILD poppler-0.5.4.ebuild 1238 RMD160 97d88b3411a2645c67568d14819349d0a2b72663 SHA1 ffc7493635e965a5a1cba92f751ff8cdbb5c652b SHA256 11fac41e08ed1070039862449e21a6520cec5c9dee7d4defb9dc2ca9fd5a010c MD5 
3f3dcd36cb0bbbeb8ccd58396de5d13d poppler-0.5.4.ebuild 1238 RMD160 97d88b3411a2645c67568d14819349d0a2b72663 poppler-0.5.4.ebuild 1238 SHA256 11fac41e08ed1070039862449e21a6520cec5c9dee7d4defb9dc2ca9fd5a010c poppler-0.5.4.ebuild 1238 -MISC ChangeLog 15631 RMD160 6181ac340b7ba4522ac7d1ea98b0738c7b84e0ff SHA1 4163fcd3a2cda66cf7c11c92d75931451e7586d7 SHA256 9caec46c719eb4d68518446be2129fa7beac6497404b6193481205db460121a4 -MD5 c8fecf822d796e2f9fd3b6a6374d85e6 ChangeLog 15631 -RMD160 6181ac340b7ba4522ac7d1ea98b0738c7b84e0ff ChangeLog 15631 -SHA256 9caec46c719eb4d68518446be2129fa7beac6497404b6193481205db460121a4 ChangeLog 15631 +MISC ChangeLog 15801 RMD160 2369b05888e102e1a1f77af3edc37f0b20fef738 SHA1 6cf9f5d7eab0a13f10d2baaf94481ceda6f6c8bc SHA256 97c3b2db28b39ae83ff11c45e2d17f0adfe419bb1d4eeb3fa00c17b620f3d1e7 +MD5 7faf8a9f9af2b0e0397c4b6f93c1a841 ChangeLog 15801 +RMD160 2369b05888e102e1a1f77af3edc37f0b20fef738 ChangeLog 15801 +SHA256 97c3b2db28b39ae83ff11c45e2d17f0adfe419bb1d4eeb3fa00c17b620f3d1e7 ChangeLog 15801 MISC metadata.xml 161 RMD160 1e5b1e42553c8869b93c4a5448e9a2a2ed9fe525 SHA1 209c6a46e4cdd891980115e42ba419e3799f8088 SHA256 7c85e6739a71f5bb23e8de36c88677d772946e61f7285892f7554e37bd2bca76 MD5 26b4b081d538c195dc39bcb2ec8e6f3a metadata.xml 161 RMD160 1e5b1e42553c8869b93c4a5448e9a2a2ed9fe525 metadata.xml 161 @@ -22,3 +30,6 @@ SHA256 3465787c7cf301f676c9414533f5246317d1f36cde135a80d9996c4ff2d3ba3e files/di MD5 a1e0228078c7c35fece8606abf60e755 files/digest-poppler-0.5.4 244 RMD160 fc23315deb3d8d4c5c66c228e721ca49d9b6bf59 files/digest-poppler-0.5.4 244 SHA256 e98abc83422dd85e19f4a3bfccbaa25079f6a78c1f326f7a0f2fbec61cb9bb3d files/digest-poppler-0.5.4 244 +MD5 a1e0228078c7c35fece8606abf60e755 files/digest-poppler-0.5.4-r1 244 +RMD160 fc23315deb3d8d4c5c66c228e721ca49d9b6bf59 files/digest-poppler-0.5.4-r1 244 +SHA256 e98abc83422dd85e19f4a3bfccbaa25079f6a78c1f326f7a0f2fbec61cb9bb3d files/digest-poppler-0.5.4-r1 244 
diff --git a/app-text/poppler/files/004_CVE-2007-0104.patch b/app-text/poppler/files/004_CVE-2007-0104.patch
new file mode 100644
index 000000000000..1019b4f3efce
--- /dev/null
+++ b/app-text/poppler/files/004_CVE-2007-0104.patch
@@ -0,0 +1,63 @@
+diff -Nur poppler-0.5.4/poppler/Catalog.cc poppler-0.5.4.new/poppler/Catalog.cc
+--- poppler-0.5.4/poppler/Catalog.cc 2006-09-13 17:10:52.000000000 +0200
++++ poppler-0.5.4.new/poppler/Catalog.cc 2007-01-16 17:57:43.000000000 +0100
+@@ -26,6 +26,12 @@
+ #include "UGooString.h"
+ #include "Catalog.h"
+
++// This define is used to limit the depth of recursive readPageTree calls
++// This is needed because the page tree nodes can reference their parents
++// leaving us in an infinite loop
++// Most sane pdf documents don't have a call depth higher than 10
++#define MAX_CALL_DEPTH 1000
++
+ //------------------------------------------------------------------------
+ // Catalog
+ //------------------------------------------------------------------------
+@@ -75,7 +81,7 @@
+ pageRefs[i].num = -1;
+ pageRefs[i].gen = -1;
+ }
+- numPages = readPageTree(pagesDict.getDict(), NULL, 0);
++ numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
+ if (numPages != numPages0) {
+ error(-1, "Page count in top-level pages object is incorrect");
+ }
+@@ -217,7 +223,7 @@
+ return s;
+ }
+
+-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
++int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
+ Object kids;
+ Object kid;
+ Object kidRef;
+@@ -262,9 +268,13 @@
+ // This should really be isDict("Pages"), but I've seen at least one
+ // PDF file where the /Type entry is missing.
+ } else if (kid.isDict()) {
+- if ((start = readPageTree(kid.getDict(), attrs1, start))
+- < 0)
+- goto err2;
++ if (callDepth > MAX_CALL_DEPTH) {
++ error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
++ } else {
++ if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
++ < 0)
++ goto err2;
++ }
+ } else {
+ error(-1, "Kid object (page %d) is wrong type (%s)",
+ start+1, kid.getTypeName());
+diff -Nur poppler-0.5.4/poppler/Catalog.h poppler-0.5.4.new/poppler/Catalog.h
+--- poppler-0.5.4/poppler/Catalog.h 2006-01-23 15:43:36.000000000 +0100
++++ poppler-0.5.4.new/poppler/Catalog.h 2007-01-16 17:58:09.000000000 +0100
+@@ -193,7 +193,7 @@
+ PageMode pageMode; // page mode
+ PageLayout pageLayout; // page layout
+
+- int readPageTree(Dict *pages, PageAttrs *attrs, int start);
++ int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
+ Object *findDestInTree(Object *tree, GooString *name, Object *obj);
+ };
+
diff --git a/app-text/poppler/files/digest-poppler-0.5.4-r1 b/app-text/poppler/files/digest-poppler-0.5.4-r1
new file mode 100644
index 000000000000..3cf1476067e6
--- /dev/null
+++ b/app-text/poppler/files/digest-poppler-0.5.4-r1
@@ -0,0 +1,3 @@
+MD5 053fdfd70533ecce1a06353fa945f061 poppler-0.5.4.tar.gz 1062401
+RMD160 f28c89b03388757067505df3c60a1d878626b0dd poppler-0.5.4.tar.gz 1062401
+SHA256 ca0f880a4ff07391e99b443f0e7c9860241df6a6aaa327b9d811b358d94a29c9 poppler-0.5.4.tar.gz 1062401
diff --git a/app-text/poppler/poppler-0.5.4-r1.ebuild b/app-text/poppler/poppler-0.5.4-r1.ebuild
new file mode 100644
index 000000000000..f6970c990db7
--- /dev/null
+++ b/app-text/poppler/poppler-0.5.4-r1.ebuild
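Review bot: In the `@@ -262,9 +268,13 @@` hunk of Catalog.cc (inside files/004_CVE-2007-0104.patch), the new `callDepth > MAX_CALL_DEPTH` branch only calls `error()` and then falls through, so the walk carries on with the remaining kids and `readPageTree` still returns a page count as if the subtree had been read. A depth cap on its own bounds stack use but not total work, because every level below the cap can still revisit the same nodes before the limit is reached. Treating the limit as a failure with `goto err2;` right after the `error(-1, ...)` call would end the walk at the first hit, and remembering which `kidRef` objects were already entered (presumably their num/gen pair) would catch a parent reference directly instead of after 1000 frames. The comment above `MAX_CALL_DEPTH` says sane documents stay below depth 10, so a much smaller limit looks safe as well. The kids loop and the `err2` label lie outside the hunk, so confirm that `err2` unwinds here the way the existing `< 0` path expects.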
@@ -0,0 +1,49 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-text/poppler/poppler-0.5.4-r1.ebuild,v 1.1 2007/02/10 20:31:55 genstef Exp $
+
+inherit libtool eutils
+
+DESCRIPTION="PDF rendering library based on the xpdf-3.0 code base"
+HOMEPAGE="http://poppler.freedesktop.org/"
+SRC_URI="http://poppler.freedesktop.org/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
+IUSE="cjk jpeg zlib"
+
+RDEPEND=">=media-libs/freetype-2.1.8
+ media-libs/fontconfig
+ cjk? ( app-text/poppler-data )
+ jpeg? ( >=media-libs/jpeg-6b )
+ !app-text/pdftohtml"
+DEPEND="${RDEPEND}
+ dev-util/pkgconfig"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch ${FILESDIR}/004_CVE-2007-0104.patch
+ elibtoolize
+}
+
+src_compile() {
+ econf \
+ --disable-poppler-qt4 \
+ --disable-poppler-glib \
+ --disable-poppler-qt \
+ --disable-gtk-test \
+ --enable-opi \
+ --disable-cairo-output \
+ --enable-xpdf-headers \
+ $(use_enable jpeg libjpeg) \
+ $(use_enable zlib) \
+ || die "configuration failed"
+ emake || die "compilation failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "make install failed"
+ dodoc README AUTHORS ChangeLog NEWS README-XPDF TODO pdf2xml.dtd
+}
-- 2.26.2
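Review bot: In `src_unpack`, `epatch ${FILESDIR}/004_CVE-2007-0104.patch` leaves `${FILESDIR}` unquoted although the line above quotes `"${S}"`, and that `cd` is not checked. Suggested: `cd "${S}" || die "cd to source dir failed"` and `epatch "${FILESDIR}/004_CVE-2007-0104.patch"`. epatch should abort the build when a patch does not apply, so the fix is unlikely to be skipped silently, but a checked `cd` gives a clearer error than a patch run from the wrong directory. A one-line comment above the epatch call, such as `# security bug 162460 (CVE-2007-0104)`, would tell the next maintainer why this revision exists.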