Debian Bug report logs -
#840957
mupdf: CVE-2016-8674: heap-use-after-free
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 16 Oct 2016 12:54:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in version mupdf/1.5-1
Fixed in version mupdf/1.9a+ds1-2
Done: Kan-Ru Chen (陳侃如) <koster@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>:
Bug#840957; Package src:mupdf.
(Sun, 16 Oct 2016 12:54:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>.
(Sun, 16 Oct 2016 12:54:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: mupdf
Version: 1.5-1
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for mupdf.
CVE-2016-8674[0]:
heap-use-after-free
The issue is reproducible with src:mupdf compiled with ASAN, and two
reproducers are available on the two referenced bugs below.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-8674
[1] https://marc.info/?l=oss-security&m=147658659118554&w=2
[2] https://blogs.gentoo.org/ago/2016/09/22/mupdf-use-after-free-in-pdf_to_num-pdf-object-c/
[3] http://bugs.ghostscript.com/show_bug.cgi?id=697015
[4] http://bugs.ghostscript.com/show_bug.cgi?id=697019
[5] http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>:
Bug#840957; Package src:mupdf.
(Fri, 28 Oct 2016 06:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Kan-Ru Chen (陳侃如) <koster@debian.org>.
(Fri, 28 Oct 2016 06:57:05 GMT) (full text, mbox, link).
Message #10 received at 840957@bugs.debian.org (full text, mbox, reply):
Hi,
On Sun, Oct 16, 2016 at 02:51:06PM +0200, Salvatore Bonaccorso wrote:
> Source: mupdf
> Version: 1.5-1
> Severity: grave
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for mupdf.
>
> CVE-2016-8674[0]:
> heap-use-after-free
>
> The issue is reproducible with src:mupdf compiled with ASAN, and two
> reproducers are available on the two referenced bugs below.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8674
> [1] https://marc.info/?l=oss-security&m=147658659118554&w=2
> [2] https://blogs.gentoo.org/ago/2016/09/22/mupdf-use-after-free-in-pdf_to_num-pdf-object-c/
> [3] http://bugs.ghostscript.com/show_bug.cgi?id=697015
> [4] http://bugs.ghostscript.com/show_bug.cgi?id=697019
> [5] http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
Any progress on this issue for unstable? Currently src:mupdf is at
risk to not being included in stretch and autoremoved on 14th of
november.
Regards,
Salvatore
Added tag(s) pending.
Request was from Kan-Ru Chen <koster@debian.org>
to control@bugs.debian.org.
(Mon, 14 Nov 2016 16:30:04 GMT) (full text, mbox, link).
Reply sent
to Kan-Ru Chen (陳侃如) <koster@debian.org>:
You have taken responsibility.
(Mon, 14 Nov 2016 16:39:11 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 14 Nov 2016 16:39:11 GMT) (full text, mbox, link).
Message #17 received at 840957-close@bugs.debian.org (full text, mbox, reply):
Source: mupdf
Source-Version: 1.9a+ds1-2
We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 840957@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kan-Ru Chen (陳侃如) <koster@debian.org> (supplier of updated mupdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 15 Nov 2016 00:07:55 +0800
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.9a+ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Kan-Ru Chen (陳侃如) <koster@debian.org>
Description:
libmupdf-dev - development files for the MuPDF viewer
mupdf - lightweight PDF viewer
mupdf-tools - command line tools for the MuPDF viewer
Closes: 840957
Changes:
mupdf (1.9a+ds1-2) unstable; urgency=medium
.
* Acknowledge NMU.
* CVE-2016-8674: heap-use-after-free in pdf_to_num (pdf-object.c)
(Closes: #840957)
* Set debhelper compact to 9
Checksums-Sha1:
2d97485044308496e836863826ab99f718f8cdab 2121 mupdf_1.9a+ds1-2.dsc
afa7ba1042f3e7e0e0fa0b964a3aa925862a9c8d 26872 mupdf_1.9a+ds1-2.debian.tar.xz
e63ec632297b12d7ed3f09310d40bd4881d7d970 7304718 libmupdf-dev_1.9a+ds1-2_amd64.deb
35fee75f0c7de5c3e642c0ae16801f892a5e5a66 2134366 mupdf-dbgsym_1.9a+ds1-2_amd64.deb
6ed137453a3d2ce2c8e41667be760c2a4f5bfc10 2398566 mupdf-tools-dbgsym_1.9a+ds1-2_amd64.deb
32c2d9f0e914e1771195658080e39b8de6db7be1 6912210 mupdf-tools_1.9a+ds1-2_amd64.deb
af970f4b0fb211d86514a039f12cbbe0071b6a1f 8264 mupdf_1.9a+ds1-2_20161114T161423z-711a8b7e.buildinfo
650f8f181aa8903efc279a31a221db161b64c8a2 6857236 mupdf_1.9a+ds1-2_amd64.deb
Checksums-Sha256:
103f419c50cbfc01ced6a13d33643fad93e2378a5b78d17b3d798ec3fc7b21e0 2121 mupdf_1.9a+ds1-2.dsc
ca51ba80ce64665f4631d30cae9e7080ec6a55c72693132206283e7e7ad85788 26872 mupdf_1.9a+ds1-2.debian.tar.xz
9f4932f02b66b77450155d4ad3b30d4c4f7f6aa9a290ce332e13018e5d114ad9 7304718 libmupdf-dev_1.9a+ds1-2_amd64.deb
3ff95406c3afca2dfa86303680bedb424aa06aaf03c9c305f566894af1454613 2134366 mupdf-dbgsym_1.9a+ds1-2_amd64.deb
00056f3dcd90496e7deb46af1e3d0c340edf683434e6921884d57fc38c239e56 2398566 mupdf-tools-dbgsym_1.9a+ds1-2_amd64.deb
6b07061c321827a0f97d8b9911a2b4489856ad980808f6ca32d63e2c37c09435 6912210 mupdf-tools_1.9a+ds1-2_amd64.deb
a2482e7908c0873c4c111a9023702107c368402884ecfdfe0e9f1afa690fd569 8264 mupdf_1.9a+ds1-2_20161114T161423z-711a8b7e.buildinfo
ea7b988d86876b26f8ba550fda7349ae878057c55aa71c7082a18d6874b23b9a 6857236 mupdf_1.9a+ds1-2_amd64.deb
Files:
2cbfbb81c9ed579bafd4ec54c9e53319 2121 text optional mupdf_1.9a+ds1-2.dsc
6dbe4c365aca85f485a255d30015cda4 26872 text optional mupdf_1.9a+ds1-2.debian.tar.xz
4862764bbf7ede21920b7b232f76f5ee 7304718 libdevel optional libmupdf-dev_1.9a+ds1-2_amd64.deb
2d1cf82074c4c04fbad089bb8286291b 2134366 debug extra mupdf-dbgsym_1.9a+ds1-2_amd64.deb
4964d8b70424c8b10c211924cfd7d6ca 2398566 debug extra mupdf-tools-dbgsym_1.9a+ds1-2_amd64.deb
009bc8ae547a45eb4b7b3625d36acdee 6912210 text optional mupdf-tools_1.9a+ds1-2_amd64.deb
711a8b7ea75734af0f58bfe6f1899c80 8264 text optional mupdf_1.9a+ds1-2_20161114T161423z-711a8b7e.buildinfo
fd7a127c514e9d53e44253b337afa7b3 6857236 text optional mupdf_1.9a+ds1-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYKeL2AAoJEAo5NUq25X3hNC8P/3IWO7LAZDfDa0NelbBI1KvN
psBETqzRBmE7uXEhskLd5n3Lp7Vn3EEfHChf5SV+FGXlw6t0e5egtUtfvFJZz56D
i84Vp+IaX2MmXPGQSfHfLFrrl+0GHBOQh4zqmcaUfTRrs6lx2Gs+aJv/B5G8zFuE
ljvU4SaGJfK/rtGjNtjtMyzqhn/vrqu0ywxO+D7PdtxyCUT4Dt1RbbJ7G7oMg355
xjv95WIASUTyWck/H5VAXvUc0Xt1H1gIOWfu2mUuWcGgdulKDKqB/U1cL0QWIhud
ul6VORQaDw/cvuQlrLISjQdU9jrKzOgwaPYv85ANfrIZ1zefyNgFFtFp2NBqDHeJ
2D+q5tDXtR7HX0DzYQ7jdjJP3JUSpaRFO9ZZxOwpDpVhGJ34Jj/33gMHNhAmxd7+
E9AhB4A3o18MUfU/46JncA0fs95c/JW7d84F1TPoOeXF5qWO1PLqHH7KtZt7JLY2
ZUP/9Q4Xh6KDObo+lDfcfvCkcRkwWu6ojMTbh57EUelyMBnCmfi8SbRuyu3s/30d
M9DwVQZf6W+TpxkyywsGk2cHaWGv0Wbte0czP9/6d0oSPfykz5q9qsaQsHJxUzlc
2xJNDcZ4cHncQbqpX6cAtW4brYRE+K//+d3AhnyjJkBPvs/giVVofx8Z+4SVwc+l
oSBaopLOvJQZeSyueh8f
=iQtG
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 29 Dec 2016 08:52:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:00:16 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon