Bug 12634

Summary: mupdf new buffer overflow security issue (CVE-2014-2013)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb, wrw105
Version: 4 Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/584549/
Whiteboard: MGA3TOO advisory has_procedure mga4-32-ok mga4-64-ok mga3-64-ok mga3-32-ok
Source RPM: mupdf-1.1-3.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-02-06 18:19:47 CET
Fedora has issued an advisory on January 25:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127861.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: there is a reproducer linked in the Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1056699

Advisory:
========================

Updated mupdf packages fix security vulnerability:

A stack-based buffer overflow was found in mupdf's xps_parse_color() function.
An attacker could create a specially crafted XPS file that, when opened, could
cause mupdf or an application using mupdf to crash.

References:
http://seclists.org/fulldisclosure/2014/Jan/130
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127861.html
========================

Updated packages in core/updates_testing:
========================
mupdf-1.1-3.1.mga3
libmupdf-devel-1.1-3.1.mga3
mupdf-1.2-2.1.mga4
libmupdf-devel-1.2-2.1.mga4

from SRPMS:
mupdf-1.1-3.1.mga3.src.rpm
mupdf-1.2-2.1.mga4.src.rpm

David Walser 2014-02-06 18:19:52 CET

Whiteboard: (none) => MGA3TOO
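The bug class named in the advisory (a fixed-size stack array of colour components filled from a comma-separated list with no bound on the component count) beside a hardened loop that rejects the input once the count would exceed the array. This is an added illustration in C, not mupdf's xps_parse_color() source and not the Fedora or upstream patch; MAX_SAMPLES, the function names and the crafted "1,1,1,..." input are all constructed for the example. The unchecked parser is run against a heap scratch buffer sized to the input so that the demonstration itself stays well-defined; the count it returns is the number of floats the same loop would write past a MAX_SAMPLES-element stack array.

```c
#include <stdio.h>
#include <stdlib.h>

/* Capacity of the fixed stack array. An assumed value for this illustration,
 * not mupdf's real buffer size. */
#define MAX_SAMPLES 8

/* Vulnerable pattern (hypothetical, modelled on the bug class): every
 * comma-separated component is stored at samples[n++] with no check of n
 * against the array's capacity. With a MAX_SAMPLES-float stack array, any
 * input with more than MAX_SAMPLES components writes past its end. */
static int parse_components_unchecked(const char *p, float *samples)
{
    int n = 0;
    while (*p) {
        while (*p == ' ')
            p++;
        samples[n++] = (float)strtod(p, NULL);   /* no bound on n */
        while (*p && *p != ',')
            p++;
        if (*p == ',')
            p++;
    }
    return n;
}

/* Hardened version: identical loop, but the input is rejected (-1) before
 * the write that would exceed cap. */
static int parse_components_checked(const char *p, float *samples, int cap)
{
    int n = 0;
    while (*p) {
        while (*p == ' ')
            p++;
        if (n >= cap)
            return -1;                            /* too many components */
        samples[n++] = (float)strtod(p, NULL);
        while (*p && *p != ',')
            p++;
        if (*p == ',')
            p++;
    }
    return n;
}

/* Constructed input: "1,1,1,..." with the requested number of components,
 * standing in for the component list of a crafted colour value. Caller frees. */
static char *crafted_color(int components)
{
    char *s = malloc((size_t)components * 2 + 1);
    int i;
    if (!s)
        return NULL;
    for (i = 0; i < components; i++) {
        s[2 * i] = '1';
        s[2 * i + 1] = ',';
    }
    s[components > 0 ? 2 * components - 1 : 0] = '\0';
    return s;
}

/* Number of floats the unchecked loop writes for a crafted input of the given
 * size. Anything above MAX_SAMPLES is the out-of-bounds write count the
 * vulnerable code would produce on its stack array. */
int unchecked_write_count(int components)
{
    char *s = crafted_color(components);
    float *scratch = malloc(sizeof(float) * (size_t)(components + 1));
    int n;
    if (!s || !scratch) {
        free(s);
        free(scratch);
        return -2;
    }
    n = parse_components_unchecked(s, scratch);
    free(s);
    free(scratch);
    return n;
}

/* Hardened parse into a MAX_SAMPLES stack array: component count, or -1. */
int checked_parse_count(const char *color)
{
    float samples[MAX_SAMPLES];
    return parse_components_checked(color, samples, MAX_SAMPLES);
}

/* Same, on a crafted input of the given size. */
int checked_crafted_count(int components)
{
    char *s = crafted_color(components);
    int n;
    if (!s)
        return -2;
    n = checked_parse_count(s);
    free(s);
    return n;
}

int main(void)
{
    int writes = unchecked_write_count(64);
    printf("unchecked loop, 64 components: %d floats written, %d past a %d-float array\n",
           writes, writes - MAX_SAMPLES, MAX_SAMPLES);
    printf("hardened loop, 64 components: %d (rejected)\n", checked_crafted_count(64));
    printf("hardened loop, \"0.5, 0.25,1\": %d components\n",
           checked_parse_count("0.5, 0.25,1"));
    return 0;
}
```

The check has to sit before the store, not after it: counting first and validating afterwards still performs the overflowing write, which is the distinction a QA reproducer with one-too-many components will surface.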

Comment 1 Bill Wilkinson 2014-02-07 17:05:50 CET
The reproducer listed in the Red Hat bug is for Windows (launches calc.exe).

Testing general use, starting with mga4-32.

CC: (none) => wrw105

Comment 2 Bill Wilkinson 2014-02-07 17:18:10 CET
tested mga4-32

Opens PDFs, 1 page per launch. Attempting to open the exploit shows a limit in colors, which is what the fix is supposed to do, according to the Fedora bug.

Whiteboard: MGA3TOO => MGA3TOO mga4-32-ok

Comment 3 Bill Wilkinson 2014-02-07 18:08:34 CET
Tested mga4-64 as above, all OK.

Whiteboard: MGA3TOO mga4-32-ok => MGA3TOO mga4-32-ok mga4-64-ok

Comment 4 Bill Wilkinson 2014-02-07 18:22:06 CET
mga3-64 tested, all OK

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok => MGA3TOO mga4-32-ok mga4-64-ok mga3-64-ok

Comment 5 Bill Wilkinson 2014-02-07 20:06:02 CET
mga3-32 tested. All OK.

Ready to validate when advisory is uploaded to svn.

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok mga3-64-ok => MGA3TOO mga4-32-ok mga4-64-ok mga3-64-ok mga3-32-ok

Comment 6 claire robinson 2014-02-08 16:45:29 CET
Thanks Bill :) Advisory uploaded.

Validating

Could sysadmin please push from 3&4 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2014-02-08 16:45:56 CET

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok mga3-64-ok mga3-32-ok => MGA3TOO advisory has_procedure mga4-32-ok mga4-64-ok mga3-64-ok mga3-32-ok

Comment 7 Thomas Backlund 2014-02-08 20:35:11 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0041.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 8 David Walser 2014-02-18 16:38:39 CET
This has been assigned CVE-2014-2013:
http://openwall.com/lists/oss-security/2014/02/18/2

Summary: mupdf new buffer overflow security issue => mupdf new buffer overflow security issue (CVE-2014-2013)