0-day: rebuild with new pdfium dll #2470

Closed
totaam opened this issue Nov 3, 2019 · 12 comments

totaam commented Nov 3, 2019

Details here: New Chrome 0-day Bug Under Active Attacks – Update Your Browser Now!: "the other resides in the PDFium (CVE-2019-13721) library"

totaam commented Nov 3, 2019

  -> Cloning pdfium git repo...
Cloning into bare repository '/e/MINGW-packages/mingw-w64-pdfium-git/pdfium'...
      0 [main] git-remote-https 1233 child_info_fork::abort: \??\C:\msys32\usr\bin\msys-unistring-2.dll: Loaded to different address: parent(0x640000) != child(0x800000)
error: cannot fork() for fetch-pack: Resource temporarily unavailable
==> ERROR: Failure while downloading pdfium git repo
    Aborting...

totaam commented Nov 24, 2019

Modifying the PKGBUILD to try to build revision 3976 and copying the patch file to the new name pdfium-3976.patch gives lots of rejects:

==> Starting prepare()...
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r -c pdfium.orig/build_gyp/gyp_pdfium pdfium/build_gyp/gyp_pdfium
|*** pdfium.orig/build_gyp/gyp_pdfium   2016-05-09 10:47:41.000000000 -0300
|--- pdfium/build_gyp/gyp_pdfium        2016-05-09 10:44:18.208997100 -0300
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
2 out of 2 hunks ignored
can't find file to patch at input line 42
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r -c pdfium.orig/core/fxcrt/fx_basic_util.cpp pdfium/core/fxcrt/fx_basic_util.cpp
|*** pdfium.orig/core/fxcrt/fx_basic_util.cpp   2016-05-09 10:47:41.000000000 -0300
|--- pdfium/core/fxcrt/fx_basic_util.cpp        2016-05-09 10:43:40.187642300 -0300
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
2 out of 2 hunks ignored
can't find file to patch at input line 79
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r -c pdfium.orig/core/fxcrt/include/fx_system.h pdfium/core/fxcrt/include/fx_system.h
|*** pdfium.orig/core/fxcrt/include/fx_system.h 2016-05-09 10:47:41.000000000 -0300
|--- pdfium/core/fxcrt/include/fx_system.h      2016-05-09 10:43:40.203267200 -0300
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
can't find file to patch at input line 99
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r -c pdfium.orig/core/fxge/win32/fx_win32_dwrite.cpp pdfium/core/fxge/win32/fx_win32_dwrite.cpp
|*** pdfium.orig/core/fxge/win32/fx_win32_dwrite.cpp    2016-05-09 10:47:42.000000000 -0300
|--- pdfium/core/fxge/win32/fx_win32_dwrite.cpp 2016-05-09 10:43:40.218892400 -0300
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
1 out of 1 hunk ignored
patching file core/fxge/win32/fx_win32_gdipext.cpp
Hunk #1 FAILED at 691.
Hunk #2 FAILED at 706.
2 out of 2 hunks FAILED -- saving rejects to file core/fxge/win32/fx_win32_gdipext.cpp.rej
can't find file to patch at input line 158
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r -c pdfium.orig/pdfium.gyp pdfium/pdfium.gyp
|*** pdfium.orig/pdfium.gyp     2016-05-09 10:47:42.000000000 -0300
|--- pdfium/pdfium.gyp  2016-05-09 10:43:40.218892400 -0300
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
4 out of 4 hunks ignored
can't find file to patch at input line 323
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r -c pdfium.orig/samples/samples.gyp pdfium/samples/samples.gyp
|*** pdfium.orig/samples/samples.gyp    2016-05-09 10:47:42.000000000 -0300
|--- pdfium/samples/samples.gyp 2016-05-09 10:43:40.218892400 -0300
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
2 out of 2 hunks ignored
==> ERROR: A failure occurred in prepare().
    Aborting...
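Output like the above mixes two different repair jobs: files that patch cannot find at all (the build_gyp and .gyp headers are reported as "hunks ignored") and files that still exist but whose hunks no longer match (reported as "hunks FAILED" with a .rej file). As an added example, not code from the issue or from the MINGW-packages PKGBUILD, the following Python script reads a patch log and separates the two. The sample log is constructed from the lines quoted above plus one made-up file (testing/constructed_ok.cpp) that applies cleanly; the -p1 strip level used to turn the quoted "*** pdfium.orig/..." header into a tree-relative path is an assumption.

```python
"""Triage GNU patch output when forward-porting an old patch to a newer tree.

Added example, not code from the issue or the MINGW-packages PKGBUILD.
The log below is constructed from the prepare() output quoted in the issue,
plus one made-up file (testing/constructed_ok.cpp) that applies cleanly.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
==> Starting prepare()...
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -r -c pdfium.orig/build_gyp/gyp_pdfium pdfium/build_gyp/gyp_pdfium
|*** pdfium.orig/build_gyp/gyp_pdfium   2016-05-09 10:47:41.000000000 -0300
|--- pdfium/build_gyp/gyp_pdfium        2016-05-09 10:44:18.208997100 -0300
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
2 out of 2 hunks ignored
patching file core/fxge/win32/fx_win32_gdipext.cpp
Hunk #1 FAILED at 691.
Hunk #2 FAILED at 706.
2 out of 2 hunks FAILED -- saving rejects to file core/fxge/win32/fx_win32_gdipext.cpp.rej
patching file testing/constructed_ok.cpp
==> ERROR: A failure occurred in prepare().
"""

# One regex per line shape that patch(1) prints.
MISSING_RE = re.compile(r"^can't find file to patch at input line (\d+)")
OLD_FILE_RE = re.compile(r"^\|\*\*\* (\S+)")  # '***' header line of a context diff
IGNORED_RE = re.compile(r"^(\d+) out of (\d+) hunks? ignored")
PATCHING_RE = re.compile(r"^patching file (\S+)")
HUNK_FAIL_RE = re.compile(r"^Hunk #(\d+) FAILED at (\d+)\.")
REJECTS_RE = re.compile(r"^(\d+) out of (\d+) hunks? FAILED -- saving rejects to file (\S+)")


@dataclass
class PatchTarget:
    path: str
    status: str = "applied"  # "applied", "failed" (hunks rejected) or "missing" (file not found)
    hunks_total: int = 0
    failed_hunks: List[int] = field(default_factory=list)
    rejects: Optional[str] = None


def triage_patch_log(text: str, strip: int = 1) -> List[PatchTarget]:
    """Walk the log line by line and build one PatchTarget per file the patch touches.

    `strip` mirrors patch's -p option (assumed -p1 here); it only serves to turn the
    quoted '*** pdfium.orig/...' header of a skipped diff into a tree-relative path.
    """
    targets: List[PatchTarget] = []
    current: Optional[PatchTarget] = None
    for line in text.splitlines():
        if MISSING_RE.match(line):
            # patch could not locate the file; its name follows in the quoted header.
            current = PatchTarget(path="<unknown>", status="missing")
            targets.append(current)
            continue
        m = OLD_FILE_RE.match(line)
        if m and current is not None and current.status == "missing" and current.path == "<unknown>":
            current.path = "/".join(m.group(1).split("/")[strip:])
            continue
        m = IGNORED_RE.match(line)
        if m and current is not None:
            current.hunks_total = int(m.group(2))
            continue
        m = PATCHING_RE.match(line)
        if m:
            # File found; assume success until a 'Hunk #N FAILED' line says otherwise.
            current = PatchTarget(path=m.group(1))
            targets.append(current)
            continue
        m = HUNK_FAIL_RE.match(line)
        if m and current is not None:
            current.status = "failed"
            current.failed_hunks.append(int(m.group(1)))
            continue
        m = REJECTS_RE.match(line)
        if m and current is not None:
            current.hunks_total = int(m.group(2))
            current.rejects = m.group(3)
    return targets


def summarize(targets: List[PatchTarget]) -> dict:
    """Group target paths by outcome so the two repair tasks can be split up."""
    return {status: [t.path for t in targets if t.status == status]
            for status in ("missing", "failed", "applied")}


if __name__ == "__main__":
    for status, paths in summarize(triage_patch_log(SAMPLE_LOG)).items():
        print(f"{status:8s} {paths}")
```

The "missing" list tells you which parts of the old patch target files that no longer exist at that path in the newer revision and need re-targeting or dropping; the "failed" list, together with each .rej file, is what has to be re-applied by hand because the surrounding code changed.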

totaam commented Nov 24, 2019

Trying to build (with limited patching):

$ ninja
ninja: error: loading 'build.ninja': No such file or directory

Docs say we're supposed to use gn?

$ gn --help
gn.py: Could not find checkout in any parent of the current path.
This must be run inside a checkout.

What does this even mean?
I want to build your software, why is it so hard?
(makes autotools look easy!)

totaam commented Dec 5, 2019

2019-12-05 17:59:35: sergey commented

pdfium is a Google project. Google (Chromium team) uses Ninja build system.
Try to run ninja with proper parameters:
ninja -C pdfium_all

For more details see https://pdfium.googlesource.com/pdfium/

totaam commented Dec 5, 2019

@Sergey: there are no build.ninja files anywhere, I believe that's where gn comes in.

totaam commented Dec 5, 2019

2019-12-05 20:15:14: sergey commented

Replying to [comment:5 Antoine Martin]:

@Sergey: there are no build.ninja files anywhere, I believe that's where gn comes in.
Sure. First of all, it's necessary to generate the build configs:

gn gen <directory>

For example:

gn gen out/Default

And then

ninja -C out/Default pdfium_all

If you see error

gn.py: Could not find checkout in any parent of the current path.
This must be run inside a checkout.

your checkout is not full. I do not think it's possible to build pdfium by just cloning the repository. It's necessary to check out all dependencies. I've tried the official way and it did work on my Fedora:

mkdir repo
cd repo
gclient config --unmanaged https://pdfium.googlesource.com/pdfium.git
gclient sync
cd pdfium
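The gn error quoted above has a mechanical cause: the depot_tools gn.py wrapper finds the checkout root by looking for a .gclient file in the current directory or one of its parents, and a bare git clone has neither that file nor the dependency directories that gclient sync fetches. As an added example, not the issue's own tooling nor depot_tools or pdfium code, the following Python preflight check reports exactly which of those pieces is missing before you run gn gen. The directory names it checks (build, buildtools) are an assumption about what pdfium's DEPS file pulls in; compare them against the DEPS of the revision you are building.

```python
"""Preflight check for a pdfium tree before running `gn gen`.

Added example, not from the issue or from depot_tools/pdfium. It encodes the
reason behind "gn.py: Could not find checkout in any parent of the current
path": the depot_tools gn.py wrapper locates the checkout root through a
.gclient file in a parent directory, and a bare `git clone` has neither that
file nor the dependency directories that `gclient sync` fetches. The two
directory names below are an assumption about pdfium's DEPS.
"""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

SYNCED_DIRS = ("build", "buildtools")  # assumed to come from DEPS, not from git clone


def find_gclient_root(start: Path) -> Optional[Path]:
    """Return `start` or the nearest ancestor that contains a .gclient file."""
    for candidate in (start, *start.parents):
        if (candidate / ".gclient").is_file():
            return candidate
    return None


def check_pdfium_checkout(src) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for the pdfium source directory `src`."""
    src = Path(src).resolve()
    problems: List[str] = []
    if find_gclient_root(src) is None:
        problems.append(
            f"no .gclient in any parent of {src}: run "
            "'gclient config --unmanaged https://pdfium.googlesource.com/pdfium.git' "
            "in the directory above the clone")
    for dep in SYNCED_DIRS:
        if not (src / dep).is_dir():
            problems.append(f"missing {src / dep}: run 'gclient sync'")
    return (not problems, problems)


def make_demo_trees() -> Tuple[Path, Path]:
    """Construct two throwaway trees: a bare clone and a gclient-managed checkout."""
    base = Path(tempfile.mkdtemp(prefix="pdfium-preflight-"))
    bare = base / "bare" / "pdfium"          # what a plain `git clone` leaves behind
    bare.mkdir(parents=True)
    full = base / "full" / "pdfium"          # what `gclient config` + `gclient sync` produce
    for dep in SYNCED_DIRS:
        (full / dep).mkdir(parents=True)
    (base / "full" / ".gclient").write_text("# constructed placeholder\n")
    return bare, full


if __name__ == "__main__":
    for tree in make_demo_trees():
        ok, problems = check_pdfium_checkout(tree)
        print(tree, "ok" if ok else "\n  " + "\n  ".join(problems))
```

Run it against the directory you intend to build in; an empty problem list means gn gen has what it needs to find the checkout, while each reported item names the gclient step that produces the missing piece.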

totaam commented Dec 9, 2019

Security Risks of PDFium-based Apps and SDKs: The high number of reported PDFium vulnerabilities compared to some PDF libraries doesn’t necessarily imply an unusual degree of insecurity for open source; but it creates challenges for developers, DevSecOps, and security teams.

totaam commented Dec 9, 2019

Another option would be to cherry pick some of the fixes and apply them to the version in mingw.
Some of the fixes may not be needed.

ie:

  • [https://nvd.nist.gov/vuln/detail/CVE-2019-5868] Use after free in PDFium in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. Issue 983867: Security: Use-after-free in CPDFSDK_ActionHandler::ExecuteFieldAction
  • [https://nvd.nist.gov/vuln/detail/CVE-2019-13721] Use after free in PDFium in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. [https://bugs.chromium.org/p/chromium/issues/detail?id=1013868] (no details yet)

Commits:

The last change in mingw: update to latest branch (2729): Diego Sogari committed on May 9, 2016.

totaam commented Dec 10, 2019

Replying to [comment:6 Sergey]:

Sure. 1st of all it's necessary to generate build configs:
..
I do not think it's possible to build pdfium with just clone the repository.

Looks like they managed to do it in MSYS2.
Things have changed since the build file was made and adapting it to the new code is hard, so now I am leaning towards applying the fixes to that branch instead.
Here's the build file: [https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-pdfium-git/PKGBUILD].

And here is the patch I am most interested in applying: [https://pdfium-review.googlesource.com/changes/pdfium~57854/revisions/8/patch?zip]

If you want to try it, it should be trivial using an mswindows box:

  • install MSYS2
  • clone [https://github.com/msys2/MINGW-packages]
  • go to MINGW-packages/mingw-w64-pdfium-git
  • run makepkg -sCLf

totaam commented Mar 20, 2020

Upstream ticket: update pdfium-git / git fetch fails.

totaam commented Nov 28, 2020

As suggested in the MINGW-packages ticket I had created: update pdfium-git / git fetch fails: switching to pdfium-binaries in r28023 "fixes" things and saves me having to figure out how to build this beast.

We're using the plain x64 DLL build; I don't think we need anything from the PDFium with V8 and XFA variant (in fact, it is a lot safer not to include all this extra code).

totaam closed this as completed Nov 28, 2020

totaam commented Dec 28, 2020

#2401 is now redundant
