Debian has issued an advisory on June 9:
https://www.debian.org/security/2021/dsa-4928

Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => geiger.david68210
'htmldoc' is committed by various people, so assigning this bug globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

AddressSanitizer: double-free in function pspdf_export ps-pdf.cxx. (CVE-2021-23158)

AddressSanitizer: heap-buffer-overflow in pspdf_prepare_outpages() in ps-pdf.cxx. (CVE-2021-23165)

AddressSanitizer: SEGV in file_extension file.c. (CVE-2021-23180)

AddressSanitizer: SEGV on unknown address 0x000000000014. (CVE-2021-23191)

AddressSanitizer: stack-buffer-overflow in parse_table ps-pdf.cxx. (CVE-2021-23206)

AddressSanitizer: heap-buffer-overflow in pspdf_prepare_page(int) ps-pdf.cxx. (CVE-2021-26252)

AddressSanitizer: heap-buffer-overflow on render_table_row() ps-pdf.cxx. (CVE-2021-26259)

SEGV on unknown address 0x000000000000. (CVE-2021-26948)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26252
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26948
https://www.debian.org/security/2021/dsa-4928
========================

Updated packages in 7/core/updates_testing:
========================
htmldoc-1.9.3-2.2.mga7
htmldoc-nogui-1.9.3-2.2.mga7

from SRPM:
htmldoc-1.9.3-2.2.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
htmldoc-1.9.8-1.1.mga8
htmldoc-nogui-1.9.8-1.1.mga8

from SRPM:
htmldoc-1.9.8-1.1.mga8.src.rpm
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: pkg-bugs => qa-bugs
Tested on Mageia 8 KDE

No problems with htmldoc-nogui installation.

urpmq -i --media "Core Updates Testing" htmldoc-nogui
Name : htmldoc-nogui
Version : 1.9.8
Release : 1.1.mga8
Group : File tools
Size : 340174
Architecture: x86_64
Source RPM : htmldoc-1.9.8-1.1.mga8.src.rpm
URL : http://michaelrsweet.github.io/htmldoc/
Summary : Convert HTML documents into PDF or PS format
Description :
This package contains the non-GUI version of htmldoc.

htmldoc-1.9.8-1.1 needs libfltk.so.1.3.

sudo urpmi --media "Core Updates Testing" htmldoc
Le paquetage demandé ne peut pas être installé :
htmldoc-1.9.8-1.1.mga8.x86_64 (car libfltk.so.1.3()(64bit) est non satisfait)
CC: (none) => hdetavernier
That is odd. Installed the two packages, ran htmldoc for the gui to see help information. Updated the packages and launched the gui. Tried the cli version but have no idea how to operate either interface. Cannot add anything useful. mga8, x86_64
CC: (none) => tarazed25
MGA7-64 Plasma on Lenovo B50

No installation issues.

Tested with an html file which has been generated by LOWriter from an .odt file. htmldoc does it OK, in the sense that page breaks are not really nice, but I didn't bother to hunt for all possible settings.

The CLI is also OK (same remark) with the command:
$ htmldoc-nogui -f donderdag2.pdf --webpage donderdag.html
PAGES: 18
BYTES: 320364

OK for me.
CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Depends on: (none) => 29161
Assignee: qa-bugs => pkg-bugs
PoC tests for these CVEs...

https://github.com/michaelrsweet/htmldoc/issues/414

Before:
$ htmldoc-nogui -f demo.pdf poc3.html
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open font width file /usr/share/htmldoc/fonts/Times-Roman.afm!
ERR005: Unable to open psglyphs data file!
[...]
ERR005: Unable to open font width file /usr/share/htmldoc/fonts/Times-Roman.afm!
ERR005: Unable to open font width file /usr/share/htmldoc/fonts/Helvetica.afm!
[...]
BYTES: 11380
malloc_consolidate(): unaligned fastbin chunk detected
Aborted (core dumped)

After:
$ htmldoc-nogui -f demo.pdf poc3.html
[...]
BYTES: 4980

https://github.com/michaelrsweet/htmldoc/issues/413

Before:
$ htmldoc-nogui -f demo.pdf poc2.html
[...]
malloc(): corrupted top size
Aborted (core dumped)

After:
$ htmldoc-nogui -f demo.pdf poc2.html
[...]
BYTES: 9981

https://github.com/michaelrsweet/htmldoc/issues/418

Before:
$ htmldoc-nogui -f demo.pdf poc8.html
[...]
Segmentation fault (core dumped)

After:
$ htmldoc-nogui -f demo.pdf poc8.html
[...]
PAGES: 3
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Roman.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Bold.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica-Bold.pfa!
BYTES: 7002

https://github.com/michaelrsweet/htmldoc/issues/415

Before:
$ htmldoc-nogui -f demo.pdf poc4.html
[...]
Corrupt JPEG data: 97 extraneous bytes before marker 0xc4
Segmentation fault (core dumped)

After:
$ htmldoc-nogui -f demo.pdf poc4.html
[...]
libpng error: PLTE: CRC error
ERR007: PNG file contains errors!
ERR011: Unable to load image file "data URL"!
[...]
PAGES: 3
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Courier.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Roman.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Bold.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica-Bold.pfa!
BYTES: 3607

https://github.com/michaelrsweet/htmldoc/issues/416

Before:
$ htmldoc-nogui -f demo.pdf poc6.html
[...]
Segmentation fault (core dumped)

After:
$ htmldoc-nogui -f demo.pdf poc6.html
[...]
PAGES: 3
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Courier.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Roman.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Bold.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica-Bold.pfa!
BYTES: 3445

https://github.com/michaelrsweet/htmldoc/issues/412

Before:
$ htmldoc-nogui -f demo.pdf poc1.html
[...]
Segmentation fault (core dumped)

After:
$ htmldoc-nogui -f demo.pdf poc1.html
[...]
PAGES: 4
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Roman.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Bold.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Italic.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-BoldItalic.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica-Bold.pfa!
BYTES: 5728

https://github.com/michaelrsweet/htmldoc/issues/417

Before:
$ htmldoc-nogui -f demo.pdf poc7.html
[...]
Segmentation fault (core dumped)

After:
$ htmldoc-nogui -f demo.pdf poc7.html
[...]
PAGES: 3
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Courier.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Roman.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Times-Bold.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica.pfa!
ERR005: Unable to open font file /usr/share/htmldoc/fonts/Helvetica-Bold.pfa!
BYTES: 3556

https://github.com/michaelrsweet/htmldoc/issues/410

Before:
$ htmldoc-nogui -f demo.epub crash01.html
[...]
libpng error: [13][15][11][40]: invalid chunk type
ERR007: PNG file contains errors!
ERR011: Unable to load image file "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGFjOXZtQAAAAAElFTkSuQmCC"!
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open font width file /usr/share/htmldoc/fonts/Helvetica-Bold.afm!
BYTES: 3125

After:
$ htmldoc-nogui -f demo.epub crash01.html
[...]
libpng error: [13][15][11][40]: invalid chunk type
ERR007: PNG file contains errors!
ERR011: Unable to load image file "data URL"!
ERR005: Unable to open psglyphs data file!
ERR005: Unable to open character set file iso-8859-1!
ERR005: Unable to open font width file /usr/share/htmldoc/fonts/Helvetica-Bold.afm!
BYTES: 2985
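
The before/after runs in the comment above can be repeated as a scripted regression check that separates a crash (killed by a signal) from an ordinary conversion error. This is an added example, not part of the thread or of htmldoc; the function names, the CONVERTER and TIMEOUT_SECS variables and the sample directory argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: convert every sample in a directory and
# flag inputs that crash or hang the converter. Function names and the
# CONVERTER / TIMEOUT_SECS variables are assumptions of this example.
CONVERTER=${CONVERTER:-htmldoc-nogui}
TIMEOUT_SECS=${TIMEOUT_SECS:-30}

# Translate a shell exit status into a verdict string.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -eq 124 ]; then
        echo "timeout"                  # status GNU timeout uses for "ran too long"
    elif [ "$1" -gt 128 ]; then
        # 128+N: killed by signal N, e.g. 139 = SEGV, 134 = ABRT (glibc abort)
        echo "crash:$(kill -l $(( $1 - 128 )) 2>/dev/null || echo $(( $1 - 128 )))"
    else
        echo "error:$1"                 # ordinary failure reported by the tool
    fi
}

# Run one command with its output discarded and print the verdict.
run_case() {
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT_SECS" "$@" >/dev/null 2>&1 || status=$?
    else
        "$@" >/dev/null 2>&1 || status=$?
    fi
    classify_status "$status"
}

# Check every *.html file in a directory; return 1 if any run crashed or hung.
check_samples() {
    workdir=$(mktemp -d) || return 2
    failed=0
    for sample in "$1"/*.html; do
        [ -e "$sample" ] || continue
        verdict=$(run_case "$CONVERTER" -f "$workdir/out.pdf" "$sample")
        printf '%-20s %s\n' "$(basename "$sample")" "$verdict"
        case $verdict in crash:*|timeout) failed=1 ;; esac
    done
    rm -rf "$workdir"
    return "$failed"
}

# Usage: sh check_samples.sh DIRECTORY
if [ "$#" -gt 0 ]; then check_samples "$1"; fi
```

Run it once against the installed package and once after updating; a sample that moves from `crash:SEGV` or `crash:ABRT` to `ok` or `error:N` matches the Before/After pattern reported above.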
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0332.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED