A security issue in mupdf's mujstest has been announced:
There's also CVE-2017-5896 which affects 1.10a. Not sure if it affects older versions:
And other issues with no CVE:
Debian has issued an advisory for mupdf on February 28:
It fixes CVE-2016-8674, CVE-2017-5896, CVE-2017-5991, and includes updates for older versions like we have.
mupdf new security issue CVE-2017-6060 =>
mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060)
*** Bug 19603 has been marked as a duplicate of this bug. ***
Some new CVEs affect this:
[ 1 ] Bug #1425338 - CVE-2017-6060 mupdf: Stack-based buffer overflow in jstest_main.c [fedora-all]
[ 2 ] Bug #1424762 - Install size is too big
[ 3 ] Bug #1363695 - CVE-2016-6525 CVE-2016-8674 CVE-2017-5896 mupdf: various flaws [fedora-all]
CVE-2016-10246 and CVE-2016-10247 have been assigned for more mujstest issues:
mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060) =>
mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060, CVE-2016-1024)
Note that we don't ship mujstest, so we're not affected by its issue. In the pile of security brokenness that mupdf is, there might still be a couple issues that we'd have to patch though.
(In reply to Rémi Verschelde from comment #6)
> Note that we don't ship mujstest, so we're not affected by its issue. In the
> pile of security brokenness that mupdf is, there might still be a couple
> issues that we'd have to patch though.
Actually we *do* ship mujstest. We don't ship mujs, so issues specifically affecting that don't affect us.
A fix for a mujstest issue is linked from here:
Multiple vulnerabilities have been found in MuPDF, a PDF file viewer, which may result in denial of service or the execution of arbitrary code.
CVE-2017-14685, CVE-2017-14686, and CVE-2017-14687
WangLin discovered that a crafted .xps file can crash MuPDF and potentially execute arbitrary code in several ways, since the application makes unchecked assumptions on the entry format.
Terry Chia and Jeremy Heng discovered an integer overflow that can cause arbitrary code execution via a crafted .pdf file.
CVE-2016-10221 CVE-2016-8728 CVE-2016-8729 CVE-2017-7976:
Updated mupdf packages fix security vulnerabilities:
Multiple vulnerabilities have been found in the PDF viewer MuPDF, which may
result in denial of service or the execution of arbitrary code if a malformed
PDF file is opened (CVE-2016-8674, CVE-2017-5896, CVE-2017-5991).
Terry Chia and Jeremy Heng discovered an integer overflow that can cause
arbitrary code execution via a crafted .pdf file (CVE-2017-15587).
Updated packages in core/updates_testing:
Installed mupdf-1.5-4.5.mga5 on a 64-bit KDE system. Used it to view several farm machinery manuals in PDF format.
Looks good. No problems noted, though I did not try all the options.
Giving this the 64-bit OK.
Advisory committed to svn. Tested on Mageia 5 i586 ok.
Validating the update.
An update for this issue has been pushed to the Mageia Updates repository.