Bug 241066

Summary:

graphics/xpdf3: Backport fix for CVE-2019-16927 and CVE-2019-9877

Product:

Ports & Packages

Reporter:

Christian Weisgerber <naddy>

Component:

Individual Port(s)

Assignee:

Cy Schubert <cy>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

i.dani

Priority:

Normal

Keywords:

needs-patch, security

Version:

Latest

Flags:

cy: maintainer-feedback+
koobs: merge-quarterly?

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
Fix for CVE-2019-16927, CVE-2019-9877; update WWW and master sites	none

Description Christian Weisgerber freebsd_committer

2019-10-04 20:06:57 UTC

Created attachment 208100 [details]
Fix for CVE-2019-16927, CVE-2019-9877; update WWW and master sites

Xpdf release 4.02 has fixed the serious vulnerability CVE-2019-16927 (out-of-bounds write).

I have extracted the relevant change from the diff between 4.01.01 and 4.02 and backported it to 3.04. See the patch to TextOutputDev.cc in the attached diff.

Release 4.01.01 contained a different stopgap fix for CVE-2019-9877, a closely related out-of-bounds write.  It turns out that the fix for CVE-2019-16927 will also protect against CVE-2019-9877.

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=CVE-2019-9877&search_type=all
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41885
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41265

While here, I suggest to also update the WWW URL and the dead master sites.

Comment 1 commit-hook freebsd_committer

2019-10-04 22:13:23 UTC

A commit references this bug:

Author: cy
Date: Fri Oct  4 22:12:37 UTC 2019
New revision: 513784
URL: https://svnweb.freebsd.org/changeset/ports/513784

Log:
  Update MASTER_SITES removing dead URLs.

  PR:		241066
  Submitted by:	naddy

Changes:
  head/graphics/xpdf3/Makefile

Comment 2 commit-hook freebsd_committer

2019-10-04 22:13:24 UTC

A commit references this bug:

Author: cy
Date: Fri Oct  4 22:12:40 UTC 2019
New revision: 513785
URL: https://svnweb.freebsd.org/changeset/ports/513785

Log:
  Update WWW.

  PR:		241066
  Submitted by:	naddy
  MFH:		2019Q4

Changes:
  head/graphics/xpdf3/pkg-descr

Comment 3 commit-hook freebsd_committer

2019-10-04 22:13:25 UTC

A commit references this bug:

Author: cy
Date: Fri Oct  4 22:12:44 UTC 2019
New revision: 513786
URL: https://svnweb.freebsd.org/changeset/ports/513786

Log:
  Backport fix for CVE-2019-16927 and CVE-2019-9877 from xpdf4.

  PR:		241066
  Submitted by:	naddy
  MFH:		2019Q4

Changes:
  head/graphics/xpdf3/Makefile
  head/graphics/xpdf3/files/patch-xpdf_TextOutputDev.cc

Comment 4 Cy Schubert freebsd_committer

2019-10-04 22:14:38 UTC

Thank you for the patches.

Comment 5 Kubilay Kocak freebsd_committer

2019-10-05 10:11:52 UTC

^Triage: Re-open pending VuXML entries and merge

Comment 6 Cy Schubert freebsd_committer

2019-10-05 14:57:50 UTC

MFC requests have been sent.

I'll try to document the CVEs this week.

Comment 7 commit-hook freebsd_committer

2019-10-06 01:48:53 UTC

A commit references this bug:

Author: cy
Date: Sun Oct  6 01:48:50 UTC 2019
New revision: 513861
URL: https://svnweb.freebsd.org/changeset/ports/513861

Log:
  Document two new Xpdf vulnerabilities: CVE-2019-16927 and CVE-2019-9877.

  PR:		241066
  Security:	https://nvd.nist.gov/vuln/detail/CVE-2019-16927
  Security:	https://nvd.nist.gov/vuln/detail/CVE-2019-9877
  Security:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9877
  Security:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16927

Changes:
  head/security/vuxml/vuln.xml

Comment 8 commit-hook freebsd_committer

2019-10-06 05:53:12 UTC

A commit references this bug:

Author: cy
Date: Sun Oct  6 05:52:59 UTC 2019
New revision: 513870
URL: https://svnweb.freebsd.org/changeset/ports/513870

Log:
  Take PORTEPOCH into account.

  PR:		241066
  Reported by:	tobik

Changes:
  head/security/vuxml/vuln.xml

Comment 9 Dani I. 2019-10-14 10:06:25 UTC

The "fixed version" VuXML entries for version 3 never match, because the PKG is always named "xpdf" without a number and requires version 4+. Is there a way to fix these?

Comment 10 Cy Schubert freebsd_committer

2019-10-14 14:50:49 UTC

Do not install xpdf3 with XPDF_VERSION?=3.

Comment 11 commit-hook freebsd_committer

2019-10-19 03:08:46 UTC

A commit references this bug:

Author: cy
Date: Sat Oct 19 03:08:42 UTC 2019
New revision: 514746
URL: https://svnweb.freebsd.org/changeset/ports/514746

Log:
  MFH: r513783 r513785 r513786

  Pacify stage-qa in DEVELOPER mode.

  Update WWW.

  PR:		241066
  Submitted by:	naddy

  Backport fix for CVE-2019-16927 and CVE-2019-9877 from xpdf4.

  PR:		241066
  Submitted by:	naddy

  Approved by:	portmgr (miwi)

Changes:
_U  branches/2019Q4/
  branches/2019Q4/graphics/xpdf3/Makefile
  branches/2019Q4/graphics/xpdf3/files/patch-xpdf_TextOutputDev.cc
  branches/2019Q4/graphics/xpdf3/pkg-descr

Comment 12 commit-hook freebsd_committer

2019-10-19 03:08:49 UTC

A commit references this bug:

Author: cy
Date: Sat Oct 19 03:08:42 UTC 2019
New revision: 514746
URL: https://svnweb.freebsd.org/changeset/ports/514746

Log:
  MFH: r513783 r513785 r513786

  Pacify stage-qa in DEVELOPER mode.

  Update WWW.

  PR:		241066
  Submitted by:	naddy

  Backport fix for CVE-2019-16927 and CVE-2019-9877 from xpdf4.

  PR:		241066
  Submitted by:	naddy

  Approved by:	portmgr (miwi)

Changes:
_U  branches/2019Q4/
  branches/2019Q4/graphics/xpdf3/Makefile
  branches/2019Q4/graphics/xpdf3/files/patch-xpdf_TextOutputDev.cc
  branches/2019Q4/graphics/xpdf3/pkg-descr

Comment 13 Cy Schubert freebsd_committer

2019-10-19 03:10:14 UTC

Fixed.