Bug 20310 - mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060, CVE-2016-1024[67])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.debian.org/security/2017/...
Whiteboard: MGA5-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Duplicates: 19603
Depends on:
Blocks:
 
Reported: 2017-02-18 14:35 CET by David Walser
Modified: 2017-12-31 13:00 CET

See Also:
Source RPM: mupdf-1.5-4.4.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-02-18 14:35:38 CET
A security issue in mupdf's mujstest has been announced:
http://openwall.com/lists/oss-security/2017/02/18/1
Comment 1 David Walser 2017-02-21 12:00:00 CET
There's also CVE-2017-5896 which affects 1.10a.  Not sure if it affects older versions:
https://lwn.net/Vulnerabilities/715039/
http://openwall.com/lists/oss-security/2017/02/07/1

And other issues with no CVE:
http://openwall.com/lists/oss-security/2017/02/06/2
http://openwall.com/lists/oss-security/2017/02/10/1
Comment 2 David Walser 2017-03-01 12:09:57 CET
Debian has issued an advisory for mupdf on February 28:
https://www.debian.org/security/2017/dsa-3797

It fixes CVE-2016-8674, CVE-2017-5896, CVE-2017-5991, and includes updates for older versions like we have.
Rémi Verschelde 2017-03-06 18:21:39 CET

Summary: mupdf new security issue CVE-2017-6060 => mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060)

Comment 3 Rémi Verschelde 2017-03-06 18:21:53 CET
*** Bug 19603 has been marked as a duplicate of this bug. ***
Comment 4 Zombie Ryushu 2017-03-08 06:01:13 CET
Some new CVEs affect this:

  [ 1 ] Bug #1425338 - CVE-2017-6060 mupdf: Stack-based buffer overflow in jstest_main.c [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1425338
  [ 2 ] Bug #1424762 - Install size is too big
        https://bugzilla.redhat.com/show_bug.cgi?id=1424762
  [ 3 ] Bug #1363695 - CVE-2016-6525 CVE-2016-8674 CVE-2017-5896 mupdf: various flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1363695

CC: (none) => zombie_ryushu

Comment 5 David Walser 2017-03-13 11:31:50 CET
CVE-2016-10246 and CVE-2016-10247 have been assigned for more mujstest issues:
http://openwall.com/lists/oss-security/2017/03/13/21
http://openwall.com/lists/oss-security/2017/03/13/20

Summary: mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060) => mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060, CVE-2016-1024[67])

Comment 6 Rémi Verschelde 2017-03-13 11:34:35 CET
Note that we don't ship mujstest, so we're not affected by its issue. In the pile of security brokenness that mupdf is, there might still be a couple issues that we'd have to patch though.
Comment 7 David Walser 2017-03-13 11:37:35 CET
(In reply to Rémi Verschelde from comment #6)
> Note that we don't ship mujstest, so we're not affected by its issue. In the
> pile of security brokenness that mupdf is, there might still be a couple
> issues that we'd have to patch though.

Actually we *do* ship mujstest.  We don't ship mujs, so issues specifically affecting that don't affect us.
Comment 8 David Walser 2017-03-26 16:56:55 CEST
CVE-2017-7264:
http://openwall.com/lists/oss-security/2017/03/26/1
Comment 9 David Walser 2017-04-29 22:59:22 CEST
A fix for a mujstest issue is linked from here:
http://openwall.com/lists/oss-security/2017/04/29/4
Comment 10 David Walser 2017-10-18 12:09:37 CEST
CVE-2017-15587:
http://openwall.com/lists/oss-security/2017/10/18/1
Comment 11 Zombie Ryushu 2017-10-26 14:40:06 CEST
https://www.debian.org/security/2017/dsa-4006

Multiple vulnerabilities have been found in MuPDF, a PDF file viewer, which may result in denial of service or the execution of arbitrary code.

    CVE-2017-14685, CVE-2017-14686, and CVE-2017-14687

    WangLin discovered that a crafted .xps file can crash MuPDF and potentially execute arbitrary code in several ways, since the application makes unchecked assumptions on the entry format.

    CVE-2017-15587

    Terry Chia and Jeremy Heng discovered an integer overflow that can cause arbitrary code execution via a crafted .pdf file.
Zombie Ryushu 2017-10-26 14:40:23 CEST

URL: (none) => https://www.debian.org/security/2017/dsa-4006

Comment 12 David Walser 2017-11-26 19:13:59 CET
CVE-2016-10221 CVE-2016-8728 CVE-2016-8729 CVE-2017-7976:
https://lists.opensuse.org/opensuse-updates/2017-11/msg00068.html
Comment 13 David Walser 2017-12-28 06:05:27 CET
Advisory:
========================

Updated mupdf packages fix security vulnerabilities:

Multiple vulnerabilities have been found in the PDF viewer MuPDF, which may
result in denial of service or the execution of arbitrary code if a malformed
PDF file is opened (CVE-2016-8674, CVE-2017-5896, CVE-2017-5991).

Terry Chia and Jeremy Heng discovered an integer overflow that can cause
arbitrary code execution via a crafted .pdf file (CVE-2017-15587).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
https://www.debian.org/security/2017/dsa-3797
https://www.debian.org/security/2017/dsa-4006
========================

Updated packages in core/updates_testing:
========================
mupdf-1.5-4.5.mga5
libmupdf-devel-1.5-4.5.mga5

from mupdf-1.5-4.5.mga5.src.rpm

Assignee: rverschelde => qa-bugs
CC: (none) => rverschelde

Comment 14 Thomas Andrews 2017-12-31 00:56:30 CET
Installed mupdf-1.5-4.5.mga5 on a 64-bit KDE system. Used it to view several farm machinery manuals in pdf format.

Looks good. No problems noted, though I did not try all the options.

Giving this the 64-bit OK.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA5-64-OK

Comment 15 Dave Hodgins 2017-12-31 11:58:38 CET
Advisory committed to svn. Tested on Mageia 5 i586 ok.
Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 16 Mageia Robot 2017-12-31 13:00:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0479.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

