Debian Bug report logs - #877379
CVE-2017-14685 / CVE-2017-14686 / CVE-2017-14687
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 1 Oct 2017 07:48:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in version mupdf/1.11+ds1-1
Fixed in versions mupdf/1.11+ds1-1.1, mupdf/1.9a+ds1-4+deb9u1
Done: Luciano Bello <luciano@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>: Bug#877379; Package mupdf. (Sun, 01 Oct 2017 07:48:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>. (Sun, 01 Oct 2017 07:48:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: mupdf
Version: 1.11+ds1-1
Severity: grave
Tags: security
Hi,
please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14687
which contain further descriptions and links to upstream fixes.
Can you please also prepare updates for stretch-security/jessie-security?
Cheers,
Moritz
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 01 Oct 2017 07:57:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>: Bug#877379; Package mupdf. (Sun, 01 Oct 2017 08:21:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Kan-Ru Chen (陳侃如) <koster@debian.org>. (Sun, 01 Oct 2017 08:21:05 GMT)
Message #12 received at 877379@bugs.debian.org:
Some additional information, I have *not* done a thorough code
review. Just two thoughts on two of the mentioned CVEs.
Re CVE-2017-14685 might not be present in jessie. But the code is
quite different. There is no xps_load_links_in_glyphs function and the
only xps_lookup_font loading is done in source/xps/xps-glyphs.c
For CVE-2017-14686 the missing checks seem to be in
source/xps/xps-zip.c and source/cbz/mucbz.c
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>: Bug#877379; Package mupdf. (Sat, 14 Oct 2017 07:36:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Kan-Ru Chen (陳侃如) <koster@debian.org>. (Sat, 14 Oct 2017 07:36:04 GMT)
Message #17 received at 877379@bugs.debian.org:
Control: tags 877379 + patch
Control: tags 877379 + pending
Dear maintainer,
I've prepared an NMU for mupdf (versioned as 1.11+ds1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[mupdf-1.11+ds1-1.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 877379-submit@bugs.debian.org. (Sat, 14 Oct 2017 07:36:04 GMT)
Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 877379-submit@bugs.debian.org. (Sat, 14 Oct 2017 07:36:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>: Bug#877379; Package mupdf. (Sat, 14 Oct 2017 15:57:06 GMT)
Acknowledgement sent to "Kan-Ru Chen" <koster@debian.org>: Extra info received and forwarded to list. Copy sent to Kan-Ru Chen (陳侃如) <koster@debian.org>. (Sat, 14 Oct 2017 15:57:06 GMT)
Message #26 received at 877379@bugs.debian.org:
Thanks for preparing the NMU! I really appreciate that.
Please go ahead and upload it directly to sid.
Kanru
On Sat, Oct 14, 2017, at 03:22 PM, Salvatore Bonaccorso wrote:
> Control: tags 877379 + patch
> Control: tags 877379 + pending
>
> Dear maintainer,
>
> I've prepared an NMU for mupdf (versioned as 1.11+ds1-1.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
>
> Regards,
> Salvatore
> Email had 1 attachment:
> + mupdf-1.11+ds1-1.1-nmu.diff
> 10k (text/x-diff)
Information forwarded to debian-bugs-dist@lists.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>: Bug#877379; Package mupdf. (Sun, 15 Oct 2017 15:15:07 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Kan-Ru Chen (陳侃如) <koster@debian.org>. (Sun, 15 Oct 2017 15:15:07 GMT)
Message #31 received at 877379@bugs.debian.org:
Hi
On Sat, Oct 14, 2017 at 11:52:44PM +0800, Kan-Ru Chen wrote:
> Thanks for preparing the NMU! I really appreciate that.
>
> Please go ahead and upload it directly to sid.
Thank you!
I rescheduled now (could only act on it now).
Regards,
Salvatore
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Sun, 15 Oct 2017 15:42:08 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 15 Oct 2017 15:42:08 GMT)
Message #36 received at 877379-close@bugs.debian.org:
Source: mupdf
Source-Version: 1.11+ds1-1.1
We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 877379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mupdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 08 Oct 2017 10:37:23 +0200
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source
Version: 1.11+ds1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 877379
Description:
libmupdf-dev - development files for the MuPDF viewer
mupdf - lightweight PDF viewer
mupdf-tools - command line tools for the MuPDF viewer
Changes:
mupdf (1.11+ds1-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Don't use xps font if it could not be loaded (CVE-2017-14685)
(Closes: #877379)
* Check name, comment and meta size field signs (CVE-2017-14686)
(Closes: #877379)
* Handle non-tags in tag name comparisons (CVE-2017-14687) (Closes: #877379)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent to Luciano Bello <luciano@debian.org>: You have taken responsibility. (Sun, 12 Nov 2017 15:36:05 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 12 Nov 2017 15:36:05 GMT)
Message #41 received at 877379-close@bugs.debian.org:
Source: mupdf
Source-Version: 1.9a+ds1-4+deb9u1
We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 877379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated mupdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 22 Oct 2017 20:10:29 -0400
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.9a+ds1-4+deb9u1
Distribution: stable-security
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
libmupdf-dev - development files for the MuPDF viewer
mupdf - lightweight PDF viewer
mupdf-tools - command line tools for the MuPDF viewer
Closes: 877379 879055
Changes:
mupdf (1.9a+ds1-4+deb9u1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, and CVE-2017-15587
(Closes: #877379, #879055)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Dec 2017 07:29:33 GMT)
Last modified: Wed Jun 19 15:34:30 2019