Mike Gabriel · Mike Gabriel · Mike Gabriel · ef6d5ddc · ef6d5ddc · ef6d5ddc
--- a/debian/changelog
+++ b/debian/changelog
+atril (1.22.3-1) unstable; urgency=medium
+
+  * New upstream release.
+  * debian/changelog: Document security issue closure for 1.22.1-1.
+  * debian/patches:
+    + Add CVE-2019-11459.patch. tiff: Handle failure from
+      TIFFReadRGBAImageOriented. (Closes: #927821, CVE-2019-11459).
+  * debian/control:
+    + Add Rules-Requires-Root: field and set it to 'no'.
+    + Bump Standards-Version: to 4.4.1. No changes needed.
+
+ -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de>  Mon, 16 Dec 2019 10:23:05 +0100
+
 atril (1.22.2-1) unstable; urgency=medium

  [ Martin Wimpress ]
@@ -12,6 +25,11 @@ atril (1.22.1-1) unstable; urgency=medium

  [ Martin Wimpress ]
  * New upstream release.
+  * debian/patches:
+    + Add 0002_CVE-2019-1010006.patch. Fix buffer overflow.
+      (CVE-2019-1010006)
+    + Add 0001_prevent_no_doc_segfault.patch. Prevent segfaults when no
+      document is loaded.
  * debian/copyright:
    + Update copyright attributions.
  * debian/rules:

--- a/debian/patches/CVE-2019-11459.patch
+++ b/debian/patches/CVE-2019-11459.patch
+From 5ecffe6a75542fc4d82264c9b263fee5d25a84b1 Mon Sep 17 00:00:00 2001
+From: Victor Kareh <vkareh@redhat.com>
+Date: Sun, 11 Aug 2019 05:20:09 +0300
+Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+This addresses CVE-2019-11459
+
+upstream commit:
+https://gitlab.gnome.org/GNOME/evince/commit/234f034a4
+---
+ backend/tiff/tiff-document.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/backend/tiff/tiff-document.c
+++ b/backend/tiff/tiff-document.c
+@@ -281,6 +281,15 @@
+ 		g_warning("Failed to allocate memory for rendering.");
+ 		return NULL;
+ 	}
+
+	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+	                               width, height,
+	                               (uint32 *)pixels,
+	                                orientation, 0)) {
+		g_warning ("Failed to read TIFF image.");
+		g_free (pixels);
+		return NULL;
+	}
+ 	
+ 	surface = cairo_image_surface_create_for_data (pixels,
+ 						       CAIRO_FORMAT_RGB24,
+@@ -288,11 +297,6 @@
+ 						       rowstride);
+ 	cairo_surface_set_user_data (surface, &key,
+ 				     pixels, (cairo_destroy_func_t)g_free);
+-
+-	TIFFReadRGBAImageOriented (tiff_document->tiff,
+-				   width, height,
+-				   (uint32 *)pixels,
+-				   orientation, 0);
+ 	pop_handlers ();
+ 
+ 	/* Convert the format returned by libtiff to
+@@ -372,14 +376,18 @@
+ 	pixels = g_try_malloc (bytes);
+ 	if (!pixels)
+ 		return NULL;
+
+	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
+					width, height,
+					(uint32 *)pixels,
+					ORIENTATION_TOPLEFT, 0)) {
+		g_free (pixels);
+		return NULL;
+	}
+ 	
+ 	pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, 
+ 					   width, height, rowstride,
+ 					   (GdkPixbufDestroyNotify) g_free, NULL);
+-	TIFFReadRGBAImageOriented (tiff_document->tiff,
+-				   width, height,
+-				   (uint32 *)pixels,
+-				   ORIENTATION_TOPLEFT, 0);
+ 	pop_handlers ();
+ 
+ 	scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf,
--- a/debian/patches/series
+++ b/debian/patches/series
+CVE-2019-11459.patch