Bug 12634 - mupdf new buffer overflow security issue (CVE-2014-2013)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584549/
Whiteboard: MGA3TOO advisory has_procedure mga4-3...
Keywords: validated_update

Reported: 2014-02-06 18:19 CET by David Walser
Modified: 2014-02-18 16:38 CET

Source RPM: mupdf-1.1-3.mga3.src.rpm

Description David Walser 2014-02-06 18:19:47 CET
Fedora has issued an advisory on January 25:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127861.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: there is a reproducer linked in the Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1056699

Advisory:
========================

Updated mupdf packages fix security vulnerability:

A stack-based buffer overflow was found in mupdf's xps_parse_color() function.
An attacker could create a specially crafted XPS file that, when opened, could
cause mupdf or an application using mupdf to crash.

References:
http://seclists.org/fulldisclosure/2014/Jan/130
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127861.html
========================

Updated packages in core/updates_testing:
========================
mupdf-1.1-3.1.mga3
libmupdf-devel-1.1-3.1.mga3
mupdf-1.2-2.1.mga4
libmupdf-devel-1.2-2.1.mga4

from SRPMS:
mupdf-1.1-3.1.mga3.src.rpm
mupdf-1.2-2.1.mga4.src.rpm

Comment 1 Bill Wilkinson 2014-02-07 17:05:50 CET
The reproducer listed in the Red Hat bug is for Windows (launches calc.exe).

Testing general use, starting with mga4-32.
Comment 2 Bill Wilkinson 2014-02-07 17:18:10 CET
Tested mga4-32.

Opens PDFs, 1 page per launch. Attempting to open the exploit shows a limit in colors, which is what the fix is supposed to do, according to the Fedora bug.
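Added example, not part of the original bug thread and not mupdf's code: the bug class named in the advisory (a stack-based overflow while parsing a color) next to the kind of component limit observed in Comment 2. The function names, the `MAX_COLORS` value and the comma-separated input format are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_COLORS 8 /* assumed capacity for this example, not mupdf's value */

/* Unchecked pattern: the component count is driven by the input alone,
 * so a long list writes past the end of the caller's fixed-size array. */
int parse_components_unchecked(const char *s, float *samples)
{
    int n = 0;
    while (*s) {
        char *end;
        float v = strtof(s, &end);
        if (end == s) break;       /* not a number: stop */
        samples[n++] = v;          /* n is never compared to a capacity */
        if (*end != ',') break;
        s = end + 1;
    }
    return n;
}

/* Hardened form: stores at most cap values and counts the rest, so the
 * caller can warn about the excess instead of corrupting its stack. */
int parse_components(const char *s, float *samples, int cap, int *dropped)
{
    int n = 0;
    *dropped = 0;
    while (*s) {
        char *end;
        float v = strtof(s, &end);
        if (end == s) break;
        if (n < cap) samples[n++] = v;
        else (*dropped)++;
        if (*end != ',') break;
        s = end + 1;
    }
    return n;
}

int main(void)
{
    /* Constructed input: 12 components for an 8-slot array. */
    const char *crafted = "1,2,3,4,5,6,7,8,9,10,11,12";
    float samples[MAX_COLORS];
    int dropped;
    int n = parse_components(crafted, samples, MAX_COLORS, &dropped);
    printf("kept %d components, dropped %d\n", n, dropped);
    return 0;
}
```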
Comment 3 Bill Wilkinson 2014-02-07 18:08:34 CET
Tested mga4-64 as above, all OK.
Comment 4 Bill Wilkinson 2014-02-07 18:22:06 CET
mga3-64 tested, all OK
Comment 5 Bill Wilkinson 2014-02-07 20:06:02 CET
mga3-32 tested. All OK.

Ready to validate when advisory is uploaded to svn.
Comment 6 claire robinson 2014-02-08 16:45:29 CET
Thanks Bill :) Advisory uploaded.

Validating

Could sysadmin please push from 3&4 core/updates_testing to updates

Thanks
Comment 7 Thomas Backlund 2014-02-08 20:35:11 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0041.html
Comment 8 David Walser 2014-02-18 16:38:39 CET
This has been assigned CVE-2014-2013:
http://openwall.com/lists/oss-security/2014/02/18/2
