A security issue in mupdf's mujstest has been announced: http://openwall.com/lists/oss-security/2017/02/18/1
There's also CVE-2017-5896 which affects 1.10a. Not sure if it affects older versions:
https://lwn.net/Vulnerabilities/715039/
http://openwall.com/lists/oss-security/2017/02/07/1

And other issues with no CVE:
http://openwall.com/lists/oss-security/2017/02/06/2
http://openwall.com/lists/oss-security/2017/02/10/1
Debian has issued an advisory for mupdf on February 28: https://www.debian.org/security/2017/dsa-3797 It fixes CVE-2016-8674, CVE-2017-5896, CVE-2017-5991, and includes updates for older versions like we have.
Summary: mupdf new security issue CVE-2017-6060 => mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060)
*** Bug 19603 has been marked as a duplicate of this bug. ***
Some new CVEs affect this:

[ 1 ] Bug #1425338 - CVE-2017-6060 mupdf: Stack-based buffer overflow in jstest_main.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1425338
[ 2 ] Bug #1424762 - Install size is too big
https://bugzilla.redhat.com/show_bug.cgi?id=1424762
[ 3 ] Bug #1363695 - CVE-2016-6525 CVE-2016-8674 CVE-2017-5896 mupdf: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1363695
CC: (none) => zombie_ryushu
CVE-2016-10246 and CVE-2016-10247 have been assigned for more mujstest issues:
http://openwall.com/lists/oss-security/2017/03/13/21
http://openwall.com/lists/oss-security/2017/03/13/20
Summary: mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060) => mupdf new security issues (CVE-2016-8674, CVE-2017-5896, CVE-2017-6060, CVE-2016-1024[67])
Note that we don't ship mujstest, so we're not affected by its issue. In the pile of security brokenness that mupdf is, there might still be a couple issues that we'd have to patch though.
(In reply to Rémi Verschelde from comment #6)
> Note that we don't ship mujstest, so we're not affected by its issue. In the
> pile of security brokenness that mupdf is, there might still be a couple
> issues that we'd have to patch though.

Actually we *do* ship mujstest. We don't ship mujs, so issues specifically affecting that don't affect us.
CVE-2017-7264: http://openwall.com/lists/oss-security/2017/03/26/1
A fix for a mujstest issue is linked from here: http://openwall.com/lists/oss-security/2017/04/29/4
CVE-2017-15587: http://openwall.com/lists/oss-security/2017/10/18/1
https://www.debian.org/security/2017/dsa-4006

Multiple vulnerabilities have been found in MuPDF, a PDF file viewer, which may result in denial of service or the execution of arbitrary code.

CVE-2017-14685, CVE-2017-14686, and CVE-2017-14687
WangLin discovered that a crafted .xps file can crash MuPDF and potentially execute arbitrary code in several ways, since the application makes unchecked assumptions on the entry format.

CVE-2017-15587
Terry Chia and Jeremy Heng discovered an integer overflow that can cause arbitrary code execution via a crafted .pdf file.
URL: (none) => https://www.debian.org/security/2017/dsa-4006
CVE-2016-10221 CVE-2016-8728 CVE-2016-8729 CVE-2017-7976: https://lists.opensuse.org/opensuse-updates/2017-11/msg00068.html
Advisory:
========================

Updated mupdf packages fix security vulnerabilities:

Multiple vulnerabilities have been found in the PDF viewer MuPDF, which may result in denial of service or the execution of arbitrary code if a malformed PDF file is opened (CVE-2016-8674, CVE-2017-5896, CVE-2017-5991).

Terry Chia and Jeremy Heng discovered an integer overflow that can cause arbitrary code execution via a crafted .pdf file (CVE-2017-15587).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
https://www.debian.org/security/2017/dsa-3797
https://www.debian.org/security/2017/dsa-4006
========================

Updated packages in core/updates_testing:
========================
mupdf-1.5-4.5.mga5
libmupdf-devel-1.5-4.5.mga5

from mupdf-1.5-4.5.mga5.src.rpm
Assignee: rverschelde => qa-bugs
CC: (none) => rverschelde
Installed mupdf-1.5-4.5.mga5 on a 64-bit KDE system. Used it to view several farm machinery manuals in pdf format. Looks good. No problems noted, though I did not try all the options. Giving this the 64-bit OK.
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA5-64-OK
Advisory committed to svn. Tested on Mageia 5 i586 ok. Validating the update.
Keywords: (none) => advisory, validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0479.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED