Re: [PATCH] gnu: mupdf: Fix CVE-2016-8674.
From: Ludovic Courtès
Subject: Re: [PATCH] gnu: mupdf: Fix CVE-2016-8674.
Date: Wed, 26 Oct 2016 14:45:12 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Marius Bakke <address@hidden> wrote:
> I've modified the patch to apply to 1.9a, but it was far from trivial
> due to many context changes in upstream git. The attached patch makes
> mupdf build at least, and viewing PDF still works...
>
> The interdiff is rather unintelligible, so to verify this you should
> compare the final patch with the 1.9a sources.
>
> Ideally we should try and reproduce this vulnerability (and others!)
> after applying this patch, but I don't know how to use AFL.
>
> Another option is to simply package up the git version, as there appear
> to be no users of mupdf in the tree.
>
> WDYT, is this patch safe?

At first sight it appears to duplicate what the original patch was
doing, so that looks good to me.

> From c51f44edf3293aae323eded49dcba750f54607cb Mon Sep 17 00:00:00 2001
> From: Marius Bakke <address@hidden>
> Date: Wed, 26 Oct 2016 06:39:34 +0100
> Subject: [PATCH] gnu: mupdf: Modify CVE-2016-8674 patch to apply to 1.9a.
>
> The fix from upstream did not apply cleanly due to many context changes.
> This was adapted by cloning mupdf 1.9a from git and fixing conflicts
> after applying our patches and cherry-picking upstream commit 1e03c06.
>
> * gnu/packages/patches/mupdf-CVE-2016-8674.patch: Adapt to 1.9a.

I’m in favor of you pushing this patch.

We can always adjust later if need be, but it’s better than keeping
mupdf broken.

Thank you!

Ludo’.