From b554d8de1004157e2c2b0b87563dca48a9407b2d Mon Sep 17 00:00:00 2001 From: Toshaan Bharvani Date: Wed, 22 May 2024 14:00:56 +0200 Subject: [PATCH] update to qpdf 11.9.0 Signed-off-by: Toshaan Bharvani --- SOURCES/qpdf-doc.patch | 0 ...e-tests-with-generated-object-stream.patch | 0 SOURCES/qpdf-relax.patch | 187 +++++++++------- SOURCES/qpdf-s390x-disable-streamtest.patch | 0 SPECS/qpdf.spec | 199 +++++++++++++----- 5 files changed, 258 insertions(+), 128 deletions(-) mode change 100644 => 100755 SOURCES/qpdf-doc.patch mode change 100644 => 100755 SOURCES/qpdf-erase-tests-with-generated-object-stream.patch mode change 100644 => 100755 SOURCES/qpdf-s390x-disable-streamtest.patch diff --git a/SOURCES/qpdf-doc.patch b/SOURCES/qpdf-doc.patch old mode 100644 new mode 100755 diff --git a/SOURCES/qpdf-erase-tests-with-generated-object-stream.patch b/SOURCES/qpdf-erase-tests-with-generated-object-stream.patch old mode 100644 new mode 100755 diff --git a/SOURCES/qpdf-relax.patch b/SOURCES/qpdf-relax.patch index ae50652..9861daf 100644 --- a/SOURCES/qpdf-relax.patch +++ b/SOURCES/qpdf-relax.patch @@ -1,136 +1,157 @@ -diff -up qpdf-10.2.0/libqpdf/QPDF.cc.relax qpdf-10.2.0/libqpdf/QPDF.cc ---- qpdf-10.2.0/libqpdf/QPDF.cc.relax 2021-02-23 16:41:58.000000000 +0100 -+++ qpdf-10.2.0/libqpdf/QPDF.cc 2021-02-24 12:35:50.715329461 +0100 -@@ -11,6 +11,10 @@ - #include - #include - -+#ifdef HAVE_GNUTLS +diff -up qpdf-11.7.0/libqpdf/QPDF.cc.relax qpdf-11.7.0/libqpdf/QPDF.cc +--- qpdf-11.7.0/libqpdf/QPDF.cc.relax 2023-12-24 13:36:07.000000000 +0100 ++++ qpdf-11.7.0/libqpdf/QPDF.cc 2024-01-08 15:17:27.020951639 +0100 +@@ -13,6 +13,10 @@ + #include + #include + ++#ifdef USE_CRYPTO_GNUTLS +# include +#endif + - #include - #include - #include -@@ -261,7 +265,13 @@ QPDF::processFile(char const* filename, + #include + #include + #include +@@ -250,14 +254,26 @@ void + QPDF::processFile(char const* filename, char const* password) { - FileInputSource* fi = new FileInputSource(); - fi->setFilename(filename); -+#ifdef HAVE_GNUTLS + auto* fi = new FileInputSource(filename); ++#ifdef USE_CRYPTO_GNUTLS + GNUTLS_FIPS140_SET_LAX_MODE(); +#endif - processInputSource(fi, password); -+#ifdef HAVE_GNUTLS + processInputSource(std::shared_ptr(fi), password); ++#ifdef USE_CRYPTO_GNUTLS + GNUTLS_FIPS140_SET_STRICT_MODE(); +#endif } void -@@ -270,7 +280,13 @@ QPDF::processFile(char const* descriptio + QPDF::processFile(char const* description, FILE* filep, bool close_file, char const* password) { - FileInputSource* fi = new FileInputSource(); - fi->setFile(description, filep, close_file); -+#ifdef HAVE_GNUTLS + auto* fi = new FileInputSource(description, filep, close_file); ++#ifdef USE_CRYPTO_GNUTLS + GNUTLS_FIPS140_SET_LAX_MODE(); +#endif - processInputSource(fi, password); -+#ifdef HAVE_GNUTLS + processInputSource(std::shared_ptr(fi), password); ++#ifdef USE_CRYPTO_GNUTLS + GNUTLS_FIPS140_SET_STRICT_MODE(); +#endif } void -diff -up qpdf-10.2.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.2.0/libqpdf/QPDF_encryption.cc ---- qpdf-10.2.0/libqpdf/QPDF_encryption.cc.relax 2021-02-23 16:41:58.000000000 +0100 -+++ qpdf-10.2.0/libqpdf/QPDF_encryption.cc 2021-02-24 12:37:17.267561185 +0100 -@@ -1,6 +1,8 @@ - // This file implements methods from the QPDF class that involve - // encryption. +diff -up qpdf-11.7.0/libqpdf/QPDF_encryption.cc.relax qpdf-11.7.0/libqpdf/QPDF_encryption.cc +--- qpdf-11.7.0/libqpdf/QPDF_encryption.cc.relax 2023-12-24 13:36:07.000000000 +0100 ++++ qpdf-11.7.0/libqpdf/QPDF_encryption.cc 2024-01-08 15:19:52.303117277 +0100 +@@ -3,6 +3,8 @@ + + #include +#include + #include #include -@@ -18,6 +20,10 @@ - #include - #include +@@ -19,6 +21,10 @@ + #include + #include -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS +# include +#endif + static unsigned char const padding_string[] = { - 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, - 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, -@@ -1150,6 +1156,12 @@ QPDF::getKeyForObject( + 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, + 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a}; +@@ -349,10 +355,21 @@ QPDF::compute_data_key( + result += "sAlT"; + } + ++#ifdef USE_CRYPTO_GNUTLS ++ unsigned oldmode = gnutls_fips140_mode_enabled(); ++ ++ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); ++#endif ++ + MD5 md5; + md5.encodeDataIncrementally(result.c_str(), result.length()); + MD5::Digest digest; + md5.digest(digest); ++ ++#ifdef USE_CRYPTO_GNUTLS ++ gnutls_fips140_set_mode(static_cast(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD); ++#endif ++ + return {reinterpret_cast(digest), std::min(result.length(), toS(16))}; + } + +@@ -976,6 +993,12 @@ QPDF::getKeyForObject( void - QPDF::decryptString(std::string& str, int objid, int generation) + QPDF::decryptString(std::string& str, QPDFObjGen const& og) { -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + unsigned oldmode = gnutls_fips140_mode_enabled(); + + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); +#endif + - if (objid == 0) - { - return; -@@ -1230,6 +1242,10 @@ QPDF::decryptString(std::string& str, in - QUtil::int_to_string(objid) + " " + - QUtil::int_to_string(generation) + ": " + e.what()); + if (!og.isIndirect()) { + return; + } +@@ -1036,6 +1059,10 @@ QPDF::decryptString(std::string& str, QP + } catch (std::runtime_error& e) { + throw damagedPDF("error decrypting string for object " + og.unparse() + ": " + e.what()); } + -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + gnutls_fips140_set_mode(static_cast(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD); +#endif } - void -@@ -1240,6 +1256,12 @@ QPDF::decryptStream(PointerHolder >& heap) + // Prepend a decryption pipeline to 'pipeline'. The decryption pipeline (returned as +@@ -1051,6 +1078,12 @@ QPDF::decryptStream( + QPDFObjectHandle& stream_dict, + std::unique_ptr& decrypt_pipeline) { -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + unsigned oldmode = gnutls_fips140_mode_enabled(); + + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); +#endif + std::string type; - if (stream_dict.getKey("/Type").isName()) - { -@@ -1361,6 +1383,10 @@ QPDF::decryptStream(PointerHolder(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD); +#endif } void -diff -up qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax qpdf-10.2.0/libqpdf/QPDFWriter.cc ---- qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax 2021-02-23 16:41:58.000000000 +0100 -+++ qpdf-10.2.0/libqpdf/QPDFWriter.cc 2021-02-24 12:35:50.716329452 +0100 -@@ -24,6 +24,10 @@ - #include - #include +diff -up qpdf-11.7.0/libqpdf/QPDFWriter.cc.relax qpdf-11.7.0/libqpdf/QPDFWriter.cc +--- qpdf-11.7.0/libqpdf/QPDFWriter.cc.relax 2023-12-24 13:36:07.000000000 +0100 ++++ qpdf-11.7.0/libqpdf/QPDFWriter.cc 2024-01-08 15:17:27.022951614 +0100 +@@ -26,6 +26,10 @@ + #include + #include -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS +#include +#endif + - QPDFWriter::Members::Members(QPDF& pdf) : - pdf(pdf), - filename("unspecified"), -@@ -321,6 +325,13 @@ void + QPDFWriter::ProgressReporter::~ProgressReporter() // NOLINT (modernize-use-equals-default) + { + // Must be explicit and not inline -- see QPDF_DLL_CLASS in README-maintainer +@@ -287,6 +291,13 @@ void QPDFWriter::setDeterministicID(bool val) { - this->m->deterministic_id = val; + m->deterministic_id = val; + -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + if (val) + GNUTLS_FIPS140_SET_LAX_MODE(); + else @@ -139,12 +160,12 @@ diff -up qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax qpdf-10.2.0/libqpdf/QPDFWriter. } void -@@ -342,6 +353,13 @@ void +@@ -307,6 +318,13 @@ void QPDFWriter::setPreserveEncryption(bool val) { - this->m->preserve_encryption = val; + m->preserve_encryption = val; + -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + if (val) + GNUTLS_FIPS140_SET_STRICT_MODE(); + else @@ -153,3 +174,25 @@ diff -up qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax qpdf-10.2.0/libqpdf/QPDFWriter. } void +@@ -1890,11 +1908,21 @@ QPDFWriter::generateID() + } + } + ++#ifdef USE_CRYPTO_GNUTLS ++ unsigned oldmode = gnutls_fips140_mode_enabled(); ++ ++ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); ++#endif ++ + MD5 m; + m.encodeString(seed.c_str()); + MD5::Digest digest; + m.digest(digest); + result = std::string(reinterpret_cast(digest), sizeof(MD5::Digest)); ++ ++#ifdef USE_CRYPTO_GNUTLS ++ gnutls_fips140_set_mode(static_cast(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD); ++#endif + } + + // If /ID already exists, follow the spec: use the original first word and generate a new second diff --git a/SOURCES/qpdf-s390x-disable-streamtest.patch b/SOURCES/qpdf-s390x-disable-streamtest.patch old mode 100644 new mode 100755 diff --git a/SPECS/qpdf.spec b/SPECS/qpdf.spec index 740c1f5..0b44ecc 100644 --- a/SPECS/qpdf.spec +++ b/SPECS/qpdf.spec @@ -1,34 +1,29 @@ Summary: Command-line tools and library for transforming PDF files Name: qpdf -Version: 10.3.1 -Release: 4%{?dist} -# MIT: e.g. libqpdf/sha2.c +Version: 11.9.0 +Release: 1%{?dist} +# MIT: e.g. libqpdf/sha2.c, but those are not compiled in (GNUTLS is used) # upstream uses ASL 2.0 now, but he allowed other to distribute qpdf under # old license (see README) -License: (Artistic 2.0 or ASL 2.0) and MIT -URL: http://qpdf.sourceforge.net/ -Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.gz - -Patch0: qpdf-doc.patch -# zlib has optimalization for aarch64 now, which gives different output after -# compression - patch erases 3 tests with generated object stream which were failing -Patch1: qpdf-erase-tests-with-generated-object-stream.patch +License: Apache-2.0 OR Artistic-2.0 +URL: https://qpdf.sourceforge.io/ +Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}-doc.zip + # make qpdf working under FIPS, downstream patch -Patch2: qpdf-relax.patch -# 1950033 - Possible changes in zlib output causes FTBFS for qpdf -Patch3: qpdf-s390x-disable-streamtest.patch +Patch1: qpdf-relax.patch + # gcc and gcc-c++ are no longer in buildroot by default # gcc is needed for qpdf-ctest.c BuildRequires: gcc # gcc-c++ is need for everything except for qpdf-ctest BuildRequires: gcc-c++ -# uses make -BuildRequires: make +# uses cmake +BuildRequires: cmake BuildRequires: zlib-devel BuildRequires: libjpeg-turbo-devel -BuildRequires: pcre-devel # for gnutls crypto BuildRequires: gnutls-devel @@ -43,6 +38,7 @@ BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Compare) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Find) BuildRequires: perl(File::Spec) @@ -55,11 +51,6 @@ BuildRequires: perl(strict) # perl(Term::ANSIColor) - not needed for tests # perl(Term::ReadKey) - not needed for tests -# for autoreconf -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool - Requires: %{name}-libs%{?_isa} = %{version}-%{release} %package libs @@ -72,6 +63,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} %package doc Summary: QPDF Manual BuildArch: noarch +BuildRequires: unzip Requires: %{name}-libs = %{version}-%{release} %description @@ -96,37 +88,34 @@ QPDF Manual %prep %setup -q -# fix 'complete manual location' note in man pages -%patch0 -p1 -b .doc -%ifarch aarch64 -%patch1 -p1 -b .erase-tests-with-generated-object-stream -%endif -%patch2 -p1 -b .relax -%ifarch s390x -%patch3 -p1 -b .s390x-disable-streamtest -%endif +%patch -P 1 -p1 -b .relax + +# unpack zip file with manual +unzip %{SOURCE1} -%build -# work-around check-rpaths errors -autoreconf --verbose --force --install -# automake files needed to be regenerated in 8.4.0 - check if this can be removed -# in the next qpdf release -./autogen.sh -%configure --disable-static \ - --enable-crypto-gnutls \ - --disable-implicit-crypto \ - --enable-show-failed-test-output +%build +%cmake -DBUILD_STATIC_LIBS=0 \ + -DREQUIRE_CRYPTO_GNUTLS=1 \ + -DUSE_IMPLICIT_CRYPTO=0 \ + -DSHOW_FAILED_TEST_OUTPUT=1 \ + -DINSTALL_CMAKE_PACKAGE=0 -%make_build +%cmake_build %install -%make_install +%cmake_install + +install -m 0644 %{name}-%{version}-doc/%{name}-manual.pdf %{buildroot}/%{_pkgdocdir}/%{name}-manual.pdf -rm -f %{buildroot}%{_libdir}/libqpdf.la +# install bash/zsh completions +mkdir -p %{buildroot}%{bash_completions_dir} +mkdir -p %{buildroot}%{zsh_completions_dir} +install -m 0644 completions/bash/qpdf %{buildroot}%{bash_completions_dir}/qpdf +install -m 0644 completions/zsh/_qpdf %{buildroot}%{zsh_completions_dir}/_qpdf %check -make check +%ctest %ldconfig_scriptlets libs @@ -135,12 +124,16 @@ make check %{_bindir}/qpdf %{_bindir}/zlib-flate %{_mandir}/man1/* +%dir %{bash_completions_dir} +%{bash_completions_dir}/qpdf +%dir %{zsh_completions_dir} +%{zsh_completions_dir}/_qpdf %files libs -%doc README.md TODO ChangeLog -%license Artistic-2.0 -%{_libdir}/libqpdf.so.28 -%{_libdir}/libqpdf.so.28.3.1 +%doc README.md TODO.md ChangeLog +%license Artistic-2.0 LICENSE.txt NOTICE.md +%{_libdir}/libqpdf.so.29 +%{_libdir}/libqpdf.so.29.9.0 %files devel %doc examples/*.cc examples/*.c @@ -153,15 +146,109 @@ make check %changelog -* Tue Aug 10 2021 Mohan Boddu - 10.3.1-4 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 +* Fri Mar 01 2024 Zdenek Dohnal - 11.9.0-1 +- 2267205 - TRIAGE CVE-2024-24246 qpdf - Heap Buffer Overflow vulnerability in qpdf [fedora-all] +- 2265854 - qpdf-11.9.0 is available + +* Fri Jan 26 2024 Fedora Release Engineering - 11.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 11.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Jan 09 2024 Zdenek Dohnal - 11.8.0-1 +- 2257313 - qpdf-11.8.0 is available + +* Mon Jan 08 2024 Zdenek Dohnal - 11.7.0-1 +- 2255755 - qpdf-11.7.0 is available + +* Tue Dec 19 2023 Zdenek Dohnal - 11.6.4-2 +- 2254778 - remove the tests which fail with zlib-ng-compat for now + +* Mon Dec 18 2023 Zdenek Dohnal - 11.6.4-1 +- 2253901 - qpdf-11.6.4 is available + +* Thu Nov 02 2023 Zdenek Dohnal - 11.6.3-1 +- 2244319 - qpdf-11.6.3 is available + +* Mon Oct 09 2023 Zdenek Dohnal - 11.6.2-1 +- 2242670 - qpdf-11.6.2 is available + +* Tue Sep 12 2023 Zdenek Dohnal - 11.6.1-1 +- 2237125 - qpdf-11.6.1 is available + +* Wed Jul 26 2023 Zdenek Dohnal - 11.5.0-1 +- 2221506 - qpdf-11.5.0 is available + +* Fri Jul 21 2023 Fedora Release Engineering - 11.4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon May 22 2023 Zdenek Dohnal - 11.4.0-1 +- 2208892 - qpdf-11.4.0 is available + +* Mon Mar 27 2023 Zdenek Dohnal - 11.3.0-2 +- 2181519 - qpdf bash and zsh completion files are missing + +* Thu Mar 02 2023 Zdenek Dohnal - 11.3.0-1 +- 2173354 - qpdf-11.3.0 is available + +* Fri Jan 20 2023 Fedora Release Engineering - 11.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Tue Nov 22 2022 Zdenek Dohnal - 11.2.0-1 +- 2144359 - qpdf-11.2.0 is available + +* Thu Oct 13 2022 Zdenek Dohnal - 11.1.1-1 +- 2125823 - qpdf-11.1.1 is available + +* Thu Sep 22 2022 Zdenek Dohnal - 11.1.0-1 +- 2125823 - qpdf-11.1.0 is available, move to cmake + +* Thu Sep 22 2022 Zdenek Dohnal - 10.6.3-5 +- use `grep -E` in test suite (bz2127957) + +* Mon Jul 25 2022 Zdenek Dohnal - 10.6.3-4 +- qpdf doesn't depend on pcre since 7.0b1 + +* Fri Jul 22 2022 Fedora Release Engineering - 10.6.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jul 14 2022 Zdenek Dohnal - 10.6.3-2 +- 2107240 - FIPS breaks pdftopdf and bannertopdf + +* Fri Mar 18 2022 Zdenek Dohnal - 10.6.3-1 +- 2063429 - qpdf-10.6.3 is available + +* Thu Feb 17 2022 Zdenek Dohnal - 10.6.2-1 +- 2053647 - qpdf-10.6.2 is available + +* Mon Feb 14 2022 Zdenek Dohnal - 10.6.1-1 +- 2053647 - qpdf-10.6.1 is available + +* Thu Feb 10 2022 Zdenek Dohnal - 10.6.0-1 +- 2052569 - qpdf-10.6.0 is available + +* Fri Jan 21 2022 Fedora Release Engineering - 10.5.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jan 05 2022 Zdenek Dohnal - 10.5.0-2 +- add qpdf-manual - now it is in a different archive + +* Mon Jan 03 2022 Zdenek Dohnal - 10.5.0-1 +- 2034671 - qpdf-10.5.0 is available + +* Mon Dec 06 2021 Zdenek Dohnal - 10.4.0-1 +- 2023979 - qpdf-10.4.0 is available + +* Fri Jul 23 2021 Fedora Release Engineering - 10.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Tue Apr 20 2021 Zdenek Dohnal - 10.3.1-3 -- 1950033 - Possible changes in zlib output causes FTBFS for qpdf +* Thu May 20 2021 Zdenek Dohnal - 10.3.2-1 +- 1958536 - qpdf-10.3.2 is available -* Fri Apr 16 2021 Mohan Boddu - 10.3.1-2 -- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 +* Mon Apr 19 2021 Zdenek Dohnal - 10.3.1-2 +- aarch64 specific patches were removed from zlib, so no need for ours +- zlib got downstream patches on s390x, we need to patch qpdf test suite for it * Fri Mar 12 2021 Zdenek Dohnal - 10.3.1-1 - 1937988 - qpdf-10.3.1 is available