mupdf: CVE-2018-10289: Infinite Loop in fz_skip_space

Debian Bug report logs - #896545

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 22 Apr 2018 08:42:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version mupdf/1.9a+ds1-1

Fixed in version mupdf/1.13.0+ds1-3

Done: Kan-Ru Chen (陳侃如) <koster@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.ghostscript.com/show_bug.cgi?id=699271



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>:
Bug#896545; Package src:mupdf. (Sun, 22 Apr 2018 08:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>. (Sun, 22 Apr 2018 08:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mupdf: CVE-2018-10289: Infinite Loop in fz_skip_space
Date: Sun, 22 Apr 2018 10:38:31 +0200
Source: mupdf
Version: 1.9a+ds1-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=699271

Hi,

The following vulnerability was published for mupdf.

CVE-2018-10289[0]:
| In MuPDF 1.13.0, there is an infinite loop in the fz_skip_space
| function of the pdf/pdf-xref.c file. A remote adversary could leverage
| this vulnerability to cause a denial of service via a crafted pdf file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10289
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10289
[1] https://bugs.ghostscript.com/show_bug.cgi?id=699271

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 23 Aug 2018 17:15:23 GMT)


Reply sent to Kan-Ru Chen (陳侃如) <koster@debian.org>:
You have taken responsibility. (Mon, 03 Sep 2018 01:09:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Sep 2018 01:09:06 GMT)


Message #12 received at 896545-close@bugs.debian.org:

From: Kan-Ru Chen (陳侃如) <koster@debian.org>
To: 896545-close@bugs.debian.org
Subject: Bug#896545: fixed in mupdf 1.13.0+ds1-3
Date: Mon, 03 Sep 2018 01:05:00 +0000
Source: mupdf
Source-Version: 1.13.0+ds1-3

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896545@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kan-Ru Chen (陳侃如) <koster@debian.org> (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 03 Sep 2018 09:10:50 +0900
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.13.0+ds1-3
Distribution: unstable
Urgency: medium
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Kan-Ru Chen (陳侃如) <koster@debian.org>
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf      - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Closes: 896545 903319
Changes:
 mupdf (1.13.0+ds1-3) unstable; urgency=medium
 .
   * debian/patches: import upstream patch for CVE-2018-10289 (Closes: 896545)
   * More FTCBFS patches.
     Thanks to Helmut Grohne for the patches. (Closes: 903319)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 06 Oct 2018 07:28:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:11:26 2019; Machine Name: buxtehude
