ports/opt
4
3
Fork 1
Code Issues 1 Pull Requests Activity

[notify] qpdf: update to 7.0.0

Browse Source 
new ABI, rebuild of dependent ports like cups-filters required.
This commit is contained in:
Juergen Daubert 2017-09-18 15:23:46 +02:00
parent bb945e9c83
commit adc657bc7a
8 changed files with 13 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
qpdf/.footprint
View File

@ -15,8 +15,10 @@ drwxr-xr-x root/root usr/include/qpdf/
-rw-r--r-- root/root usr/include/qpdf/Pl_Buffer.hh
-rw-r--r-- root/root usr/include/qpdf/Pl_Concatenate.hh
-rw-r--r-- root/root usr/include/qpdf/Pl_Count.hh
-rw-r--r-- root/root usr/include/qpdf/Pl_DCT.hh
-rw-r--r-- root/root usr/include/qpdf/Pl_Discard.hh
-rw-r--r-- root/root usr/include/qpdf/Pl_Flate.hh
-rw-r--r-- root/root usr/include/qpdf/Pl_RunLength.hh
-rw-r--r-- root/root usr/include/qpdf/Pl_StdioFile.hh
-rw-r--r-- root/root usr/include/qpdf/PointerHolder.hh
-rw-r--r-- root/root usr/include/qpdf/QPDF.hh
@ -35,9 +37,9 @@ drwxr-xr-x root/root usr/include/qpdf/
drwxr-xr-x root/root usr/lib/
-rw-r--r-- root/root usr/lib/libqpdf.a
-rwxr-xr-x root/root usr/lib/libqpdf.la
lrwxrwxrwx root/root usr/lib/libqpdf.so -> libqpdf.so.17.0.0
lrwxrwxrwx root/root usr/lib/libqpdf.so.17 -> libqpdf.so.17.0.0
-rwxr-xr-x root/root usr/lib/libqpdf.so.17.0.0
lrwxrwxrwx root/root usr/lib/libqpdf.so -> libqpdf.so.18.1.0
lrwxrwxrwx root/root usr/lib/libqpdf.so.18 -> libqpdf.so.18.1.0
-rwxr-xr-x root/root usr/lib/libqpdf.so.18.1.0
drwxr-xr-x root/root usr/lib/pkgconfig/
-rw-r--r-- root/root usr/lib/pkgconfig/libqpdf.pc
drwxr-xr-x root/root usr/share/

6
qpdf/.md5sum
View File

@ -1,5 +1 @@
b3cc65446adae1fe4f164c010c59f64b qpdf-6.0.0-CVE-2017-9208.patch
491486ccdfddc450f2c3b1414eb369f9 qpdf-6.0.0-CVE-2017-9209.patch
5713ad31faa151c1b7bd9064d820a367 qpdf-6.0.0-CVE-2017-9210.patch
c9457b6f4430f43fe7aaad93736bd67a qpdf-6.0.0-detect-recursions.patch
e014bd3ecf1c4d1a520bbc14d84ac20e qpdf-6.0.0.tar.gz
c3ff408f69b3a6b2b3b4c8b373b2600c qpdf-7.0.0.tar.gz

12
qpdf/.signature
View File

@ -1,9 +1,5 @@
untrusted comment: verify with /etc/ports/opt.pub
RWSE3ohX2g5d/YJAZhWWLZUYLWPRsCYcpW33dackFko68OVeTlSx977CZXMi01uWOhIRVZAponEIRQ+ErUE0c9M3DfH0TTArwwY=
SHA256 (Pkgfile) = 48ab28428f3d935db825606f899011eba69f135142a808536958b0a8e6528bad
SHA256 (.footprint) = 85e6362fb2da951b8318d1de30c3cb3607fb78de108a8348944a3cb992cd37c3
SHA256 (qpdf-6.0.0.tar.gz) = a9fdc7e94d38fcd3831f37b6e0fe36492bf79aa6d54f8f66062cf7f9c4155233
SHA256 (qpdf-6.0.0-detect-recursions.patch) = 4c59e1ca6f7a209a07191ffacac0e28f8d70345801e282493e52cbce76c15a8e
SHA256 (qpdf-6.0.0-CVE-2017-9208.patch) = 0e2bce8c860aec84dff69739020c7320266f188dd5dfa7eb8e6fc8655d462014
SHA256 (qpdf-6.0.0-CVE-2017-9209.patch) = 743aa98868aa887abeeaa3b3f4ec35efd9499bb80b3c1c72410afc064d7cc846
SHA256 (qpdf-6.0.0-CVE-2017-9210.patch) = aff1f8ee13e7436d9982e14d5836172ff0236cb14b48e37c000ae7304185efde
RWSE3ohX2g5d/dhTWsdq7DUedHp94d5JcFxreY7dhB53gVBvu0Ja0NKXbRGNE3UstEf13Mo/faxXaxjCSG2Oq86QrLMjh01CuAs=
SHA256 (Pkgfile) = 9b40ed6dd990a05259c6b9f87261b3bb8534f6622df621d2ba590ad6782302ac
SHA256 (.footprint) = f0b4062eff41f36629fff06cbbb36b8c6c4182a849cd54e619cd457c246242a7
SHA256 (qpdf-7.0.0.tar.gz) = fed08de14caad0fe5efd148d9eca886d812588b2cbb35d13e61993ee8eb8c65f

16
qpdf/Pkgfile
View File

@ -4,22 +4,12 @@
# Depends on: libpcre zlib
name=qpdf
version=6.0.0
release=3
source=(http://downloads.sourceforge.net/project/$name/$name/$version/$name-$version.tar.gz
qpdf-6.0.0-detect-recursions.patch
qpdf-6.0.0-CVE-2017-9208.patch
qpdf-6.0.0-CVE-2017-9209.patch
qpdf-6.0.0-CVE-2017-9210.patch)
version=7.0.0
release=1
source=(http://downloads.sourceforge.net/project/$name/$name/$version/$name-$version.tar.gz)
build() {
cd $name-$version
patch -p1 -i $SRC/qpdf-6.0.0-detect-recursions.patch
patch -p1 -i $SRC/qpdf-6.0.0-CVE-2017-9208.patch
patch -p1 -i $SRC/qpdf-6.0.0-CVE-2017-9209.patch
patch -p1 -i $SRC/qpdf-6.0.0-CVE-2017-9210.patch
./configure --prefix=/usr
make
make DESTDIR=$PKG install

36
qpdf/qpdf-6.0.0-CVE-2017-9208.patch
View File

@ -1,36 +0,0 @@
diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDF.cc
--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9208 2017-08-03 08:53:32.806072781 +0200
+++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-03 08:55:39.529073703 +0200
@@ -1340,6 +1340,13 @@ QPDF::readObjectAtOffset(bool try_recove
objid = atoi(tobjid.getValue().c_str());
generation = atoi(tgen.getValue().c_str());
+ if (objid == 0)
+ {
+ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+ this->last_object_description, offset,
+ "object with ID 0");
+ }
+
if ((exp_objid >= 0) &&
(! ((objid == exp_objid) && (generation == exp_generation))))
{
diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc
--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9208 2015-11-10 18:48:52.000000000 +0100
+++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc 2017-08-03 08:54:50.264499428 +0200
@@ -1090,6 +1090,15 @@ QPDFObjectHandle::parseInternal(PointerH
QPDFObjectHandle
QPDFObjectHandle::newIndirect(QPDF* qpdf, int objid, int generation)
{
+ if (objid == 0)
+ {
+ // Special case: QPDF uses objid 0 as a sentinel for direct
+ // objects, and the PDF specification doesn't allow for object
+ // 0. Treat indirect references to object 0 as null so that we
+ // never create an indirect object with objid 0.
+ return newNull();
+ }
+
return QPDFObjectHandle(qpdf, objid, generation);
}

37
qpdf/qpdf-6.0.0-CVE-2017-9209.patch
View File

@ -1,37 +0,0 @@
diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 qpdf-6.0.0/include/qpdf/QPDF.hh
--- qpdf-6.0.0/include/qpdf/QPDF.hh.CVE-2017-9209 2017-08-03 10:00:17.489291722 +0200
+++ qpdf-6.0.0/include/qpdf/QPDF.hh 2017-08-03 10:00:17.494291685 +0200
@@ -1095,6 +1095,7 @@ class QPDF
// copied_stream_data_provider is owned by copied_streams
CopiedStreamDataProvider* copied_stream_data_provider;
std::set<QPDFObjGen> attachment_streams;
+ bool reconstructed_xref;
// Linearization data
qpdf_offset_t first_xref_item_offset; // actual value from file
diff -up qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 qpdf-6.0.0/libqpdf/QPDF.cc
--- qpdf-6.0.0/libqpdf/QPDF.cc.CVE-2017-9209 2017-08-03 10:00:17.491291707 +0200
+++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-03 10:01:43.243661883 +0200
@@ -93,6 +93,7 @@ QPDF::QPDF() :
cached_key_generation(0),
pushed_inherited_attributes_to_pages(false),
copied_stream_data_provider(0),
+ reconstructed_xref(false),
first_xref_item_offset(0),
uncompressed_after_compressed(false)
{
@@ -331,6 +332,14 @@ QPDF::setTrailer(QPDFObjectHandle obj)
void
QPDF::reconstruct_xref(QPDFExc& e)
{
+ if (this->reconstructed_xref)
+ {
+ // Avoid xref reconstruction infinite loops
+ throw e;
+ }
+
+ this->reconstructed_xref = true;
+
PCRE obj_re("^\\s*(\\d+)\\s+(\\d+)\\s+obj\\b");
PCRE endobj_re("^\\s*endobj\\b");
PCRE trailer_re("^\\s*trailer\\b");

13
qpdf/qpdf-6.0.0-CVE-2017-9210.patch
View File

@ -1,13 +0,0 @@
diff -up qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210 qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc
--- qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc.CVE-2017-9210 2017-08-03 10:09:46.670111267 +0200
+++ qpdf-6.0.0/libqpdf/QPDFObjectHandle.cc 2017-08-03 10:10:56.430600663 +0200
@@ -1076,8 +1076,7 @@ QPDFObjectHandle::parseInternal(PointerH
throw QPDFExc(
qpdf_e_damaged_pdf,
input->getName(), object_description, offset,
- std::string("dictionary key not name (") +
- key_obj.unparse() + ")");
+ std::string("dictionary key is not not a name token"));
}
dict[key_obj.getName()] = val;
}

61
qpdf/qpdf-6.0.0-detect-recursions.patch
View File

@ -1,61 +0,0 @@
diff -up qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions qpdf-6.0.0/include/qpdf/QPDF.hh
--- qpdf-6.0.0/include/qpdf/QPDF.hh.detect-recursions 2015-11-10 18:48:52.000000000 +0100
+++ qpdf-6.0.0/include/qpdf/QPDF.hh 2017-08-02 08:41:17.500831407 +0200
@@ -603,6 +603,25 @@ class QPDF
int gen;
};
+ class ResolveRecorder
+ {
+ public:
+ ResolveRecorder(QPDF* qpdf, QPDFObjGen const& og) :
+ qpdf(qpdf),
+ og(og)
+ {
+ qpdf->resolving.insert(og);
+ }
+ virtual ~ResolveRecorder()
+ {
+ this->qpdf->resolving.erase(og);
+ }
+ private:
+ QPDF* qpdf;
+ QPDFObjGen og;
+ };
+ friend class ResolveRecorder;
+
void parse(char const* password);
void warn(QPDFExc const& e);
void setTrailer(QPDFObjectHandle obj);
@@ -1065,6 +1084,7 @@ class QPDF
std::map<QPDFObjGen, QPDFXRefEntry> xref_table;
std::set<int> deleted_objects;
std::map<QPDFObjGen, ObjCache> obj_cache;
+ std::set<QPDFObjGen> resolving;
QPDFObjectHandle trailer;
std::vector<QPDFObjectHandle> all_pages;
std::map<QPDFObjGen, int> pageobj_to_pages_pos;
diff -up qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions qpdf-6.0.0/libqpdf/QPDF.cc
--- qpdf-6.0.0/libqpdf/QPDF.cc.detect-recursions 2015-11-10 18:48:52.000000000 +0100
+++ qpdf-6.0.0/libqpdf/QPDF.cc 2017-08-02 08:42:19.070393817 +0200
@@ -1453,6 +1453,20 @@ QPDF::resolve(int objid, int generation)
// to insert things into the object cache that don't actually
// exist in the file.
QPDFObjGen og(objid, generation);
+ if (this->resolving.count(og))
+ {
+ // This can happen if an object references itself directly or
+ // indirectly in some key that has to be resolved during
+ // object parsing, such as stream length.
+ warn(QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+ "", this->file->getLastOffset(),
+ "loop detected resolving object " +
+ QUtil::int_to_string(objid) + " " +
+ QUtil::int_to_string(generation)));
+ return new QPDF_Null;
+ }
+ ResolveRecorder rr(this, og);
+
if (! this->obj_cache.count(og))
{
if (! this->xref_table.count(og))