Bug 19010

Summary: mupdf new security issue CVE-2016-6265
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, davidwhodgins, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/695560/
Whiteboard: has_procedure mga5-32-ok advisory
Source RPM: mupdf-1.8-2.mga6.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 17536    

Description David Walser 2016-07-21 18:44:45 CEST 
A CVE has been assigned for a security issue in mupdf:
http://openwall.com/lists/oss-security/2016/07/21/7

There doesn't appear to be a fix available yet.
David Walser 2016-07-21 18:44:53 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-07-22 17:51:31 CEST 
Already assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-07-22 21:29:33 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

PoC attached to upstream bug:
http://bugs.ghostscript.com/show_bug.cgi?id=696941

Advisory:
========================

Updated mupdf packages fix security vulnerability:

Use-after-free issue in mupdf in pdf_load_xref() can cause a denial of service
(CVE-2016-6265).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
http://openwall.com/lists/oss-security/2016/07/21/7
========================

Updated packages in core/updates_testing:
========================
mupdf-1.5-4.2.mga5
libmupdf-devel-1.5-4.2.mga5

from mupdf-1.5-4.2.mga5.src.rpm

Version: Cauldron => 5
Blocks: (none) => 17536
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => has_procedure

Comment 3 Brian Rockwell 2016-07-23 19:31:45 CEST 
mga5-32

Installed the software and ran

mupdf-x11 cw_best_places_2015_listings.pdf
mujstest cw_best_places_2015_listings.pdf (watched things scroll by)
mudraw - it told me I have nothing to do (that's a Lie!!!)

Reviewed the best places to work from beginning to end.  Software is working as designed.

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure mga5-32-ok

Dave Hodgins 2016-07-26 23:51:51 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-32-ok => has_procedure mga5-32-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-07-27 00:11:43 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0268.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-07-27 18:50:41 CEST

URL: (none) => http://lwn.net/Vulnerabilities/695560/