Bug 12634 - mupdf new buffer overflow security issue (CVE-2014-2013)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584549/
Whiteboard: MGA3TOO advisory has_procedure mga4-3...
Keywords: validated_update
 
Reported: 2014-02-06 18:19 CET by David Walser
Modified: 2014-02-18 16:38 CET
Source RPM: mupdf-1.1-3.mga3.src.rpm



Description David Walser 2014-02-06 18:19:47 CET
Fedora has issued an advisory on January 25:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127861.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: there is a reproducer linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1056699

Advisory:
========================

Updated mupdf packages fix security vulnerability:

A stack-based buffer overflow was found in mupdf's xps_parse_color() function.
An attacker could create a specially crafted XPS file that, when opened, could
cause mupdf or an application using mupdf to crash.

References:
http://seclists.org/fulldisclosure/2014/Jan/130
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127861.html
========================

Updated packages in core/updates_testing:
========================
mupdf-1.1-3.1.mga3
libmupdf-devel-1.1-3.1.mga3
mupdf-1.2-2.1.mga4
libmupdf-devel-1.2-2.1.mga4

from SRPMS:
mupdf-1.1-3.1.mga3.src.rpm
mupdf-1.2-2.1.mga4.src.rpm

David Walser 2014-02-06 18:19:52 CET

Whiteboard: (none) => MGA3TOO

Comment 1 Bill Wilkinson 2014-02-07 17:05:50 CET
The reproducer listed in the Red Hat bug is for Windows (launches calc.exe).

Testing general use, starting with mga4-32.

CC: (none) => wrw105

Comment 2 Bill Wilkinson 2014-02-07 17:18:10 CET
Tested mga4-32.

Opens PDFs, 1 page per launch. Attempting to open the exploit shows a limit in colors, which is what the fix is supposed to do, according to the Fedora bug.

Whiteboard: MGA3TOO => MGA3TOO mga4-32-ok

Comment 3 Bill Wilkinson 2014-02-07 18:08:34 CET
Tested mga4-64 as above, all OK.

Whiteboard: MGA3TOO mga4-32-ok => MGA3TOO mga4-32-ok mga4-64-ok

Comment 4 Bill Wilkinson 2014-02-07 18:22:06 CET
mga3-64 tested, all OK

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok => MGA3TOO mga4-32-ok mga4-64-ok mga3-64-ok

Comment 5 Bill Wilkinson 2014-02-07 20:06:02 CET
mga3-32 tested. All OK.

Ready to validate when advisory is uploaded to svn.

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok mga3-64-ok => MGA3TOO mga4-32-ok mga4-64-ok mga3-64-ok mga3-32-ok

Comment 6 claire robinson 2014-02-08 16:45:29 CET
Thanks Bill :) Advisory uploaded.

Validating

Could sysadmin please push from 3 & 4 core/updates_testing to updates?

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2014-02-08 16:45:56 CET

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok mga3-64-ok mga3-32-ok => MGA3TOO advisory has_procedure mga4-32-ok mga4-64-ok mga3-64-ok mga3-32-ok

Comment 7 Thomas Backlund 2014-02-08 20:35:11 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0041.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 8 David Walser 2014-02-18 16:38:39 CET
This has been assigned CVE-2014-2013:
http://openwall.com/lists/oss-security/2014/02/18/2

Summary: mupdf new buffer overflow security issue => mupdf new buffer overflow security issue (CVE-2014-2013)

