authorvaloq2017-10-28 18:02:55 +0200
committervaloq2017-10-28 18:02:55 +0200
commit55c3a44b3a7d2caa929dc2d49d48ff735f9334e5 (patch)
treef84c4bdb5cfba892c71b4442c133f0fb6c82b079
parent9e336b6fc042fd93773834e01e5d26ae6fb49733 (diff)
downloadaur-55c3a44b3a7d2caa929dc2d49d48ff735f9334e5.tar.gz
fix for CVE-2017-15587
-rw-r--r--.SRCINFO6
-rw-r--r--CVE-2017-15587.patch11
-rw-r--r--PKGBUILD12
-rw-r--r--seccomp.patch96
4 files changed, 66 insertions, 59 deletions
diff --git a/.SRCINFO b/.SRCINFO
index a60b50d6cc63..aad01b9f19a9 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = mupdf-seccomp
pkgdesc = Mupdf with seccomp filter
pkgver = 1.11
- pkgrel = 4
+ pkgrel = 5
url = http://mupdf.com
arch = i686
arch = x86_64
@@ -24,11 +24,13 @@ pkgbase = mupdf-seccomp
source = mupdf.desktop
source = mupdf.xpm
source = seccomp.patch
+ source = CVE-2017-15587.patch
sha256sums = 209474a80c56a035ce3f4958a63373a96fad75c927c7b1acdc553fc85855f00a
sha256sums = e87b0911121753ab24758a8c2bd533abe347b425f0681e84c945a225c62c63be
sha256sums = 70f632e22902ad4224b1d88696702b3ba4eb3c28eb7acf735f06d16e6884a078
sha256sums = a435f44425f5432c074dee745d8fbaeb879038ec1f1ec64f037c74662f09aca8
- sha256sums = 7b2936c31fea61b9623eb9a40d81818d1d1dd12f029222d2722b9002e723e5b4
+ sha256sums = 53b0b5c745869b86e9a27dcba86d1492573df0ac78626ad5ce67d0433fe5ac40
+ sha256sums = 5a51384bc6eddfff6295d235662024876eb486588266c040f5579c5958a32a97
pkgname = libmupdf-seccomp
pkgdesc = Library for Lightweight PDF viewer
diff --git a/CVE-2017-15587.patch b/CVE-2017-15587.patch
new file mode 100644
index 000000000000..b5f3c2fded17
--- /dev/null
+++ b/CVE-2017-15587.patch
@@ -0,0 +1,11 @@
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -918,7 +918,7 @@
+ pdf_xref_entry *table;
+ int i, n;
+
+- if (i0 < 0 || i1 < 0)
++ if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+ //if (i0 + i1 > pdf_xref_len(ctx, doc))
+ // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
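Review bot: The added term `(i0+i1) < 0` on the changed `if` line relies on signed-integer wraparound, which is undefined behaviour in C; since the two preceding tests already establish that i0 and i1 are non-negative, an optimising compiler is entitled to treat the sum as non-negative and drop the new check entirely, leaving the CVE-2017-15587 guard compiled out. Test the bound before adding instead, e.g. `if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)`, keeping the same fz_throw; INT_MAX needs <limits.h> if pdf-xref.c does not already pull it in through the fitz headers. The commented-out pdf_xref_len bound below is unchanged context and is still not enforced. The enclosing function starts and ends outside this hunk.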
diff --git a/PKGBUILD b/PKGBUILD
index 58a3e46fec4c..a0c314f871b1 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,7 @@ pkgbase=${_pkgbase}-seccomp
pkgname=(libmupdf-seccomp mupdf-seccomp)
pkgver=1.11
_pkgver=1.11
-pkgrel=4
+pkgrel=5
_openjpeg_version=2.3
pkgdesc='Mupdf with seccomp filter'
arch=('i686' 'x86_64')
@@ -18,13 +18,15 @@ source=("https://mupdf.com/downloads/mupdf-${pkgver/_/}-source.tar.gz"
'0001-mupdf-openjpeg.patch'
'mupdf.desktop'
'mupdf.xpm'
- 'seccomp.patch')
+ 'seccomp.patch'
+ 'CVE-2017-15587.patch')
sha256sums=('209474a80c56a035ce3f4958a63373a96fad75c927c7b1acdc553fc85855f00a'
'e87b0911121753ab24758a8c2bd533abe347b425f0681e84c945a225c62c63be'
'70f632e22902ad4224b1d88696702b3ba4eb3c28eb7acf735f06d16e6884a078'
'a435f44425f5432c074dee745d8fbaeb879038ec1f1ec64f037c74662f09aca8'
- '7b2936c31fea61b9623eb9a40d81818d1d1dd12f029222d2722b9002e723e5b4')
+ '53b0b5c745869b86e9a27dcba86d1492573df0ac78626ad5ce67d0433fe5ac40'
+ '5a51384bc6eddfff6295d235662024876eb486588266c040f5579c5958a32a97')
prepare() {
@@ -43,6 +45,10 @@ prepare() {
# apply seccomp patch
patch -Np1 < "${srcdir}/seccomp.patch"
+ # apply CVE-2017-15587 patch
+ patch -Np1 < "${srcdir}/CVE-2017-15587.patch"
+
+
# embedding CJK fonts into binaries is madness...
sed '/* #define TOFU_CJK /c #define TOFU_CJK 1' -i include/mupdf/fitz/config.h
sed '/* #define TOFU /c #define TOFU 1' -i include/mupdf/fitz/config.h
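Review bot: The two blank lines added after the new `patch` call are noise between the CVE step and the TOFU block; one separator is enough, matching the spacing the surrounding prepare() uses. The comment above the call would also serve readers better if it said what the patch does rather than repeating its filename, e.g. `# apply CVE-2017-15587 patch: guard the xref stream index sum in pdf-xref.c against overflow`. prepare() begins before and continues after this hunk.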
diff --git a/seccomp.patch b/seccomp.patch
index f551dc87f85d..b72c2766daa6 100644
--- a/seccomp.patch
+++ b/seccomp.patch
@@ -1,6 +1,6 @@
-diff -Naur mupdf-1.11-source/Makefile mupdf-1.11/Makefile
+diff -Naur mupdf-1.11-source/Makefile mupdf/Makefile
--- mupdf-1.11-source/Makefile 2017-04-05 13:02:21.000000000 +0200
-+++ mupdf-1.11/Makefile 2017-08-20 13:59:29.260759197 +0200
++++ mupdf/Makefile 2017-08-20 13:59:29.260759115 +0200
@@ -16,6 +16,12 @@
# set a variable that was set on the command line.
CFLAGS += $(XCFLAGS) -Iinclude -Igenerated
@@ -39,9 +39,9 @@ diff -Naur mupdf-1.11-source/Makefile mupdf-1.11/Makefile
$(MUVIEW_X11_CURL_OBJ) : $(FITZ_HDR) $(PDF_HDR)
$(MUVIEW_X11_CURL_EXE) : $(MUVIEW_X11_CURL_OBJ) $(MUPDF_LIB) $(THIRD_LIB) $(CURL_LIB)
$(LINK_CMD) $(X11_LIBS) $(CURL_LIBS) $(SYS_CURL_DEPS)
-diff -Naur mupdf-1.11-source/Makerules mupdf-1.11/Makerules
+diff -Naur mupdf-1.11-source/Makerules mupdf/Makerules
--- mupdf-1.11-source/Makerules 2017-04-05 13:02:21.000000000 +0200
-+++ mupdf-1.11/Makerules 2017-08-20 13:57:17.007431598 +0200
++++ mupdf/Makerules 2017-08-20 13:57:17.007431507 +0200
@@ -155,6 +155,12 @@
SYS_OPENJPEG_LIBS := $(shell pkg-config --libs libopenjp2)
endif
@@ -64,9 +64,9 @@ diff -Naur mupdf-1.11-source/Makerules mupdf-1.11/Makerules
+CFLAGS += -DHAVE_PTHREADS
+LIBS += -lpthread
+endif
-diff -Naur mupdf-1.11-source/Makethird mupdf-1.11/Makethird
+diff -Naur mupdf-1.11-source/Makethird mupdf/Makethird
--- mupdf-1.11-source/Makethird 2017-04-05 13:02:21.000000000 +0200
-+++ mupdf-1.11/Makethird 2017-08-20 14:00:35.777422980 +0200
++++ mupdf/Makethird 2017-08-20 14:00:35.777422904 +0200
@@ -721,3 +721,10 @@
PTHREAD_CFLAGS := $(SYS_PTHREAD_CFLAGS)
PTHREAD_LIBS := $(SYS_PTHREAD_LIBS)
@@ -78,51 +78,10 @@ diff -Naur mupdf-1.11-source/Makethird mupdf-1.11/Makethird
+LIBSECCOMP_CFLAGS := $(SYS_LIBSECCOMP_CFLAGS)
+LIBSECCOMP_LIBS := $(SYS_LIBSECCOMP_LIBS)
+endif
-diff -Naur mupdf-1.11-source/README.md mupdf-1.11/README.md
---- mupdf-1.11-source/README.md 1970-01-01 01:00:00.000000000 +0100
-+++ mupdf-1.11/README.md 2017-03-12 20:37:31.149547576 +0100
-@@ -0,0 +1,37 @@
-+# mupdf
-+Sandboxed Mupdf Document Viewer
-+
-+This modified version of Mupdf includes support for seccomp to implement sandbox support on linux systems using libseccomp
-+
-+The original application can be found here: https://mupdf.com
-+
-+
-+Sandbox modes:
-+--------------
-+
-+There are two different sandbox modes available at the moment:
-+
-+- Invisible sandbox mode: this mode does not affect the normal functionality at all and will not be noticed by the user. It only blacklists some dangerous and rare syscalls and uses the no_new_privs flag to prevent the process to gain more privileges (e.g. by using suid)
-+
-+- Read only mode: this mode does not allow writing files or access to the network. It is designed to only allow reading local files. By using a whitelist of allowed systemcalls, 90 % of the kernel interface is unavailable for the process, reducing the attack surface of the kernel significantly and limiting the movement of exploit code.
-+
-+
-+
-+Future Work
-+-----------
-+
-+It is possible to further restrict the list of allowed syscalls right before a document file is interpreted. This also includes blocking the use of syscalls needed for unix domain socket communication as used to communicate to IPC services like Dbus, which presents a weakpoint in sandboxing for modern Linux desktop systems.
-+
-+
-+
-+Weak Points
-+-----------
-+
-+One of the remaining weak points is the X11 Server. Without switching to wayland and blocking X11 access, keylogging is trivial.
-+
-+
-+
-+Additional Sandbox support
-+--------------------------
-+
-+Using linux namespaces container features, it is possible to further isolate the application from the rest of the system. With the bubblewrap project there is already some nice code that can be used for the purpose as demonstrated here: https://github.com/valoq/bwscripts/tree/master/profiles
-diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf-1.11/platform/x11/libsec.c
+diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf/platform/x11/libsec.c
--- mupdf-1.11-source/platform/x11/libsec.c 1970-01-01 01:00:00.000000000 +0100
-+++ mupdf-1.11/platform/x11/libsec.c 2017-03-15 23:17:31.421689510 +0100
-@@ -0,0 +1,472 @@
++++ mupdf/platform/x11/libsec.c 2017-10-28 17:17:23.053794622 +0200
+@@ -0,0 +1,501 @@
+#include "libsec.h"
+#include <stdio.h>
+
@@ -280,6 +239,7 @@ diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf-1.11/platform/x11/libse
+ ALLOW_RULE (mremap);
+ ALLOW_RULE (munmap);
+ //ALLOW_RULE (open); /* specified below */
++ //ALLOW_RULE (openat); /* specified below */
+ ALLOW_RULE (prctl);
+ ALLOW_RULE (poll);
+ ALLOW_RULE (read);
@@ -326,6 +286,19 @@ diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf-1.11/platform/x11/libse
+ goto out;
+
+
++ /* special restrictions for openat, prevent opening files for writing */
++ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0)
++ goto out;
++
++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0)
++ goto out;
++
++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0)
++ goto out;
++
+
+
+
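Review bot: The three new openat rules compare argument index 1, but for openat(dirfd, pathname, flags, mode) index 1 is the pathname pointer and the flags word is index 2 (index 1 is only correct for plain open). As written the filter allows or refuses each openat based on the low bits of a userspace address, so opens for writing are not actually blocked and some read-only opens will spuriously fail with EACCES. Each `SCMP_CMP(1, SCMP_CMP_MASKED_EQ, ...)` line here should read `SCMP_CMP(2, SCMP_CMP_MASKED_EQ, ...)`; the identical block added to the second filter in hunk `@@ -494,6 +468,20` has the same problem. O_CREAT and O_TRUNC are also outside the mask, so an O_RDONLY open combined with them can still create a file (and on Linux O_TRUNC is generally honoured even with O_RDONLY), which is worth covering if the read-only mode is meant to prevent that. The enclosing filter-building function, its default action and the earlier open rules all lie outside the hunk.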
@@ -450,6 +423,7 @@ diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf-1.11/platform/x11/libse
+ ALLOW_RULE (mremap);
+ ALLOW_RULE (munmap);
+ //ALLOW_RULE (open); /* specified below */
++ //ALLOW_RULE (openat); /* specified below */
+ ALLOW_RULE (poll);
+ ALLOW_RULE (read);
+ ALLOW_RULE (recvfrom);
@@ -494,6 +468,20 @@ diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf-1.11/platform/x11/libse
+ goto out;
+
+
++ /* special restrictions for openat, prevent opening files for writing */
++ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0)
++ goto out;
++
++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0)
++ goto out;
++
++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
++ SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0)
++ goto out;
++
++
+
+
+
@@ -595,9 +583,9 @@ diff -Naur mupdf-1.11-source/platform/x11/libsec.c mupdf-1.11/platform/x11/libse
+}
+
+#endif /* HAVE_LIBSECCOMP */
-diff -Naur mupdf-1.11-source/platform/x11/libsec.h mupdf-1.11/platform/x11/libsec.h
+diff -Naur mupdf-1.11-source/platform/x11/libsec.h mupdf/platform/x11/libsec.h
--- mupdf-1.11-source/platform/x11/libsec.h 1970-01-01 01:00:00.000000000 +0100
-+++ mupdf-1.11/platform/x11/libsec.h 2017-03-15 23:01:14.285040855 +0100
++++ mupdf/platform/x11/libsec.h 2017-03-15 23:01:14.285040855 +0100
@@ -0,0 +1,19 @@
+#ifndef SECCOMP_H
+#define SECCOMP_H
@@ -618,9 +606,9 @@ diff -Naur mupdf-1.11-source/platform/x11/libsec.h mupdf-1.11/platform/x11/libse
+int renderFilter(void);
+
+#endif
-diff -Naur mupdf-1.11-source/platform/x11/x11_main.c mupdf-1.11/platform/x11/x11_main.c
+diff -Naur mupdf-1.11-source/platform/x11/x11_main.c mupdf/platform/x11/x11_main.c
--- mupdf-1.11-source/platform/x11/x11_main.c 2017-04-05 13:02:21.000000000 +0200
-+++ mupdf-1.11/platform/x11/x11_main.c 2017-08-20 13:54:43.330771594 +0200
++++ mupdf/platform/x11/x11_main.c 2017-08-20 13:54:43.330771684 +0200
@@ -1,5 +1,18 @@
#include "pdfapp.h"