Bug 241066 - graphics/xpdf3: Backport fix for CVE-2019-16927 and CVE-2019-9877
Summary: graphics/xpdf3: Backport fix for CVE-2019-16927 and CVE-2019-9877
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Cy Schubert
URL:
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2019-10-04 20:06 UTC by Christian Weisgerber
Modified: 2019-10-14 14:50 UTC (History)
1 user (show)

See Also:
cy: maintainer-feedback+
koobs: merge-quarterly?


Attachments
Fix for CVE-2019-16927, CVE-2019-9877; update WWW and master sites (1.99 KB, patch)
2019-10-04 20:06 UTC, Christian Weisgerber
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Weisgerber freebsd_committer 2019-10-04 20:06:57 UTC
Created attachment 208100 [details]
Fix for CVE-2019-16927, CVE-2019-9877; update WWW and master sites

Xpdf release 4.02 has fixed the serious vulnerability CVE-2019-16927 (out-of-bounds write).

I have extracted the relevant change from the diff between 4.01.01 and 4.02 and backported it to 3.04. See the patch to TextOutputDev.cc in the attached diff.

Release 4.01.01 contained a different stopgap fix for CVE-2019-9877, a closely related out-of-bounds write.  It turns out that the fix for CVE-2019-16927 will also protect against CVE-2019-9877.

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=CVE-2019-9877&search_type=all
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41885
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41265

While here, I suggest to also update the WWW URL and the dead master sites.
Comment 1 commit-hook freebsd_committer 2019-10-04 22:13:23 UTC
A commit references this bug:

Author: cy
Date: Fri Oct  4 22:12:37 UTC 2019
New revision: 513784
URL: https://svnweb.freebsd.org/changeset/ports/513784

Log:
  Update MASTER_SITES removing dead URLs.

  PR:		241066
  Submitted by:	naddy

Changes:
  head/graphics/xpdf3/Makefile
Comment 2 commit-hook freebsd_committer 2019-10-04 22:13:24 UTC
A commit references this bug:

Author: cy
Date: Fri Oct  4 22:12:40 UTC 2019
New revision: 513785
URL: https://svnweb.freebsd.org/changeset/ports/513785

Log:
  Update WWW.

  PR:		241066
  Submitted by:	naddy
  MFH:		2019Q4

Changes:
  head/graphics/xpdf3/pkg-descr
Comment 3 commit-hook freebsd_committer 2019-10-04 22:13:25 UTC
A commit references this bug:

Author: cy
Date: Fri Oct  4 22:12:44 UTC 2019
New revision: 513786
URL: https://svnweb.freebsd.org/changeset/ports/513786

Log:
  Backport fix for CVE-2019-16927 and CVE-2019-9877 from xpdf4.

  PR:		241066
  Submitted by:	naddy
  MFH:		2019Q4

Changes:
  head/graphics/xpdf3/Makefile
  head/graphics/xpdf3/files/patch-xpdf_TextOutputDev.cc
Comment 4 Cy Schubert freebsd_committer 2019-10-04 22:14:38 UTC
Thank you for the patches.
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-05 10:11:52 UTC
^Triage: Re-open pending VuXML entries and merge
Comment 6 Cy Schubert freebsd_committer 2019-10-05 14:57:50 UTC
MFC requests have been sent.

I'll try to document the CVEs this week.
Comment 7 commit-hook freebsd_committer 2019-10-06 01:48:53 UTC
A commit references this bug:

Author: cy
Date: Sun Oct  6 01:48:50 UTC 2019
New revision: 513861
URL: https://svnweb.freebsd.org/changeset/ports/513861

Log:
  Document two new Xpdf vulnerabilities: CVE-2019-16927 and CVE-2019-9877.

  PR:		241066
  Security:	https://nvd.nist.gov/vuln/detail/CVE-2019-16927
  Security:	https://nvd.nist.gov/vuln/detail/CVE-2019-9877
  Security:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9877
  Security:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16927

Changes:
  head/security/vuxml/vuln.xml
Comment 8 commit-hook freebsd_committer 2019-10-06 05:53:12 UTC
A commit references this bug:

Author: cy
Date: Sun Oct  6 05:52:59 UTC 2019
New revision: 513870
URL: https://svnweb.freebsd.org/changeset/ports/513870

Log:
  Take PORTEPOCH into account.

  PR:		241066
  Reported by:	tobik

Changes:
  head/security/vuxml/vuln.xml
Comment 9 Dani 2019-10-14 10:06:25 UTC
The "fixed version" VuXML entries for version 3 never match, because the PKG is always named "xpdf" without a number and requires version 4+. Is there a way to fix these?
Comment 10 Cy Schubert freebsd_committer 2019-10-14 14:50:49 UTC
Do not install xpdf3 with XPDF_VERSION?=3.