mupdf: CVE-2019-6131

Related Vulnerabilities: CVE-2019-6131   CVE-2018-18662   CVE-2019-6130  

Debian Bug report logs - #918970
mupdf: CVE-2019-6131


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 11 Jan 2019 08:36:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version mupdf/1.14.0+ds1-2

Fixed in version mupdf/1.14.0+ds1-3

Done: Kan-Ru Chen (陳侃如) <koster@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.ghostscript.com/show_bug.cgi?id=700442



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>:
Bug#918970; Package src:mupdf. (Fri, 11 Jan 2019 08:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>. (Fri, 11 Jan 2019 08:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mupdf: CVE-2019-6131
Date: Fri, 11 Jan 2019 09:32:41 +0100
Source: mupdf
Version: 1.14.0+ds1-2
Severity: grave
Tags: security
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=700442

Hi,

The following vulnerability was published for mupdf.

CVE-2019-6131[0]:
| svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack
| consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as
| demonstrated by mutool.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6131
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6131
[1] https://bugs.ghostscript.com/show_bug.cgi?id=700442

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Severity set to 'important' from 'grave' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Jan 2019 08:39:02 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Jan 2019 08:39:03 GMT)


Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Jan 2019 08:42:06 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 17 Jan 2019 17:27:16 GMT)


Added tag(s) pending. Request was from Kan-Ru Chen (陳侃如) <koster@debian.org> to control@bugs.debian.org. (Sat, 19 Jan 2019 02:48:03 GMT)


Reply sent to Kan-Ru Chen (陳侃如) <koster@debian.org>:
You have taken responsibility. (Sat, 19 Jan 2019 04:33:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 19 Jan 2019 04:33:07 GMT)


Message #20 received at 918970-close@bugs.debian.org:

From: Kan-Ru Chen (陳侃如) <koster@debian.org>
To: 918970-close@bugs.debian.org
Subject: Bug#918970: fixed in mupdf 1.14.0+ds1-3
Date: Sat, 19 Jan 2019 04:28:20 +0000
Source: mupdf
Source-Version: 1.14.0+ds1-3

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kan-Ru Chen (陳侃如) <koster@debian.org> (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 19 Jan 2019 12:01:19 +0900
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.14.0+ds1-3
Distribution: unstable
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Kan-Ru Chen (陳侃如) <koster@debian.org>
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf      - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Closes: 912013 913515 918970 918971
Changes:
 mupdf (1.14.0+ds1-3) unstable; urgency=high
 .
   * d/patches: import upstream fixes for various bugs.
     Fixes CVE-2018-18662, CVE-2019-6131, CVE-2019-6130
     (Closes: #912013, #918970, #918971)
   * d/control: Bump Standards-Version to 4.3.0, no changes required
   * Fix FTCBFS
     + Supply a cross LD for wrapping fonts.
     + Supply PKG_CONFIG to all make targets.
     Thanks to Helmut Grohne for the patch (Closes: #913515)
   * Regenerate cmaps from source.
     Thanks to Helmut Grohne for the suggestion
   * d/patches/0007-typographical-and-formatting-fixes-to-the-manual.patch:
     typographical and formatting fixes to the manual.
     Thanks to Bjarni Ingi Gislason for the patch




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Feb 2019 07:31:23 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:05:26 2019; Machine Name: beach
