A CVE has been assigned for a security issue fixed in mupdf:
http://www.openwall.com/lists/oss-security/2016/08/03/8

A PoC is in the original report:
http://seclists.org/oss-sec/2016/q3/235

The fix is linked from both messages. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Status: NEW => ASSIGNED
Blocks: (none) => 19105
Fixed in cauldron. Update candidate pushed to Mageia 5 too. I'll merge the not-yet-validated bug 19105 with this one. I'll write the advisory asap.

RPMs in core/updates_testing:
=============================
mupdf-1.5-4.4.mga5
lib(64)mupdf-devel-1.5-4.4.mga5

SRPM in core/updates_testing:
=============================
- mupdf-1.5-4.4.mga5
Version: Cauldron => 5
Assignee: rverschelde => qa-bugs
Source RPM: mupdf => mupdf-1.5-4.2.mga5
Whiteboard: MGA5TOO => (none)
CC: (none) => alexandersirris
So I updated mupdf to the version listed above in the RPMs in core/updates_testing, I then ran rpm -qi mupdf to double check I had the correct version of mupdf.

Version     : 1.5
Release     : 4.4.mga5
Architecture: x86_64

Great. So I have the correct software package. I then "Disabled" & unchecked "Updates" from the "Core Updates Testing (Distrib 5)". /u/rindolf told me I can try running the PoC to see if it works. So, I downloaded the PoC in the original post above which came in as a .bin file. In konsole I went to the directory that the file was located in and ran the following and came up with the following errors.

./p_pdf.bin
./p_pdf.bin: line 1: fg: no job control
./p_pdf.bin: line 2: fg: no job control
./p_pdf.bin: line 3: 5: command not found
./p_pdf.bin: line 158: warning: here-document at line 4 delimited by end-of-file (wanted `/Length')
./p_pdf.bin: line 158: syntax error near unexpected token `newline'
./p_pdf.bin: line 158: `<</Length 6 0 R/Filter /FlateDecode>>'

Basically it is day 5 of QA, testing in general, and even being around computer science stuff. I'm not 100% sure if what I did was correct, but I seem to be getting stuck at every corner I move to. Is there any recommendation of a book/manual/videos that I might be able to watch to better understand how to load the correct software, how to test, and what the proper procedure is? Sorry for the lengthy comment, just not sure if I'm doing this correctly.
Status: ASSIGNED => NEW
Hi Alexander. You are doing OK. Have just been poking around to see what help we can give you. Tried this:

$ file p_pdf.bin
p_pdf.bin: PDF document, version 1.4

That indicates that the .bin extension is irrelevant. Running it against xpdf showed a blank page, probably to be expected. mupdf seems to be installed as mupdf-x11:

$ mupdf-x11 p_pdf.bin
Segmentation fault

This may be what is expected before the update. So try that command against the updated version. Hope this helps. Good luck.
CC: (none) => tarazed25
Hi Len,

Thank you for taking the time to help me out. I did try opening p_pdf.bin as a PDF and realised it was a blank page.

> This may be what is expected before the update. So try that command against the updated version.

I thought the CVE above was an order for testing after the heap overflow fix? Are you saying that the actual update for the security issue has not been released? Appreciate the help :)
I did not run the update so I could not predict what the result of using mupdf would be. I would imagine that the segmentation fault would not occur - the updated package should handle the heap overflow tidily. One of the frustrating things about testing updates is that a clear Proof of Concept is not always provided and you either have to invent your own or be satisfied with demonstrating that the update installs cleanly and that the application works, at least in a basic fashion. When a library is being tested you need to find applications which use it and show that they continue to function after the update. There is always something new to learn. I am still a newbie myself ;)
Hi Len,

How do I know if I've run the updated version? Right now I have the following installed...

mupdf-1.5-4.4.mga5
lib(64)mupdf-devel-1.5-4.4.mga5

I've located that mupdf is under mupdf-x11.

> I did not run the update so I could not predict what the result of using mupdf would be.

Wouldn't you run the update by selecting the "Updates from Testing" repository and then going into the software control center and selecting the corresponding SRPM & RPM packages? That is exactly what I did.

> $ mupdf-x11 p_pdf.bin

I went back into konsole and ran the following command in the pwd "Downloads/" where p_pdf.bin was located. The program opened to a blank page, am I to assume that if you received a segmentation fault and I did not that the PoC worked?
URL: (none) => http://lwn.net/Vulnerabilities/696697/
> mupdf-1.5-4.4.mga5

That is the updated version as listed in comment 1. The numbers get bumped for new versions so you have done everything correctly. I did not run the update because I am not testing it. It is your baby. And yes, if the PoC does not result in a segmentation fault with the updated software it looks like the heap overflow has been handled properly. On the basis of that you could add the MGA5-64-OK flag to the Whiteboard. It is up to you whether you go through the same procedure for 32-bit architectures, real or virtual. Our team leaders or David or your mentor might want to advise you on that score. Welcome aboard.
Nice work Alexander, your test is indeed good. Don't be discouraged by the initial difficulty, you're learning fast and testing security updates is always tricky, as quite often we have little knowledge/understanding as to what the packages do or what the security bug was about. As Len mentioned, now that you tested the update successfully, you can add the "MGA5-64-OK" flag to the whiteboard, which is our convention to indicate that the update was tested successfully on Mageia 5 64-bit. It would then automatically add the corresponding "OK" on the line about this update in http://mageia.madb.org/tools/updates
Whiteboard: (none) => MGA5-64-OK
Ran the old version of mupdf to test running the PoC before updating to the newest version on 32 bit.

Version     : 1.5
Release     : 4.2.mga5
Architecture: i586

Closed testing repositories. Ran mupdf-x11 p_pdf.bin in konsole.

> Segmentation fault

Uninstalled and updated to the newest version 32 bit mupdf.

Version     : 1.5
Release     : 4.4.mga5
Architecture: i586

Closed testing repositories. Ran mupdf-x11 p_pdf.bin in konsole. p_pdf.bin opens to blank page.
Whiteboard: MGA5-64-OK => MGA5-64-OK, MGA5-32-OK
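The checks Len suggested (identify the file by content, run the viewer) and the before/after run Alexander did on both architectures, as a small shell helper. This is an added example, not code from the bug thread, Mageia or the mupdf project; it assumes rpm and GNU timeout are available and that mupdf-x11 can reach an X display, and the expected package name is the update candidate from comment 1.

```shell
#!/bin/sh
# Added QA helper (not from the Mageia thread or the mupdf project) that scripts
# the manual checks above: confirm the installed package is the update candidate,
# confirm the PoC is a PDF despite its .bin name (so it is opened with the viewer,
# not executed as a script), then run the viewer and classify how it exited.
# Assumes rpm and GNU timeout exist and that mupdf-x11 can reach an X display.

EXPECTED_NVR="mupdf-1.5-4.4.mga5"   # update candidate from comment 1

# installed_nvr PKG: print name-version-release of the installed package
installed_nvr() {
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$1"
}

# version_ok PKG: true when the installed NVR is the update candidate
version_ok() {
    [ "$(installed_nvr "$1")" = "$EXPECTED_NVR" ]
}

# is_pdf FILE: true when the file starts with the %PDF- magic that `file` keyed
# on in the thread; the extension is irrelevant
is_pdf() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "%PDF-" ]
}

# classify_status N: verdict for the exit status of `timeout CMD FILE`.
# 124   viewer was still running when the timeout hit: it drew its (blank) page
#       and waited, the post-update behaviour seen in the thread
# 128+N viewer died from signal N; 139 is SIGSEGV, the pre-update behaviour
classify_status() {
    case "$1" in
        0)   echo "exited cleanly" ;;
        124) echo "no crash (viewer still running at timeout)" ;;
        139) echo "crash: SIGSEGV" ;;
        1[3-5][0-9]) echo "crash: signal $(( $1 - 128 ))" ;;
        *)   echo "exit status $1" ;;
    esac
}

# run_poc VIEWER FILE: refuse non-PDF input, run the viewer for 5 s, print verdict
run_poc() {
    is_pdf "$2" || { echo "not a PDF: $2"; return 1; }
    timeout 5 "$1" "$2" >/dev/null 2>&1
    classify_status $?
}

# Usage on the test machine (needs a display):
#   version_ok mupdf && run_poc mupdf-x11 ./p_pdf.bin
```

Run it once with the testing repository enabled and the old package installed, then again after the update: the verdict should move from "crash: SIGSEGV" to "no crash (viewer still running at timeout)".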
Thanks to Alexander for his sterling work. Am validating the update - but where can we get an Advisory? Can I write (invent) one? Can I use CVE-2016-6525 from http://www.openwall.com/lists/oss-security/2016/08/03/8 ?
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Advisory:
========================

Updated mupdf packages fix security vulnerability:

A flaw was discovered in the pdf_load_mesh_params() function allowing out-of-bounds write access to memory locations. With carefully crafted input, that could trigger a heap overflow, resulting in application crash or possibly having other unspecified impact (CVE-2016-6525).

Also, mupdf already contained the X11 viewer /usr/bin/mupdf-x11 but no mupdf binary to match the man page instructions. A symlink to mupdf-x11 now provides this (mga#19105).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
http://lwn.net/Alerts/696674/
https://bugs.mageia.org/show_bug.cgi?id=19105
https://bugs.mageia.org/show_bug.cgi?id=19126
Thanks David for your rapid & fulsome response re Advisory. Advisory uploaded.
Whiteboard: MGA5-64-OK, MGA5-32-OK => MGA5-64-OK, MGA5-32-OK advisory
Thanks for the advisory David, I had forgotten about it.
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0286.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED