mupdf: CVE-2016-6265: use-after-free

Related Vulnerabilities: CVE-2016-6265   CVE-2016-6525  

Debian Bug report logs - #832031
mupdf: CVE-2016-6265: use-after-free


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Jul 2016 14:57:06 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version mupdf/1.9a+ds1-1

Fixed in versions mupdf/1.9a+ds1-1.1, mupdf/1.5-1+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.ghostscript.com/show_bug.cgi?id=696941



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>:
Bug#832031; Package src:mupdf. (Thu, 21 Jul 2016 14:57:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>. (Thu, 21 Jul 2016 14:57:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mupdf: CVE-2016-6265: use-after-free
Date: Thu, 21 Jul 2016 16:55:40 +0200
Source: mupdf
Version: 1.9a+ds1-1
Severity: important
Tags: security upstream
Forwarded: http://bugs.ghostscript.com/show_bug.cgi?id=696941

Hi,

the following vulnerability was published for mupdf.

CVE-2016-6265[0]:
use-after-free

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6265
[1] http://bugs.ghostscript.com/show_bug.cgi?id=696941

Please adjust the affected versions in the BTS as needed, only the
unstable version has been checked.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 25 Jul 2016 17:36:11 GMT)


Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Thu, 28 Jul 2016 12:21:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>:
Bug#832031; Package src:mupdf. (Mon, 01 Aug 2016 12:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Kan-Ru Chen (陳侃如) <koster@debian.org>. (Mon, 01 Aug 2016 12:45:04 GMT)


Message #14 received at 832031@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 832031@bugs.debian.org
Subject: mupdf: diff for NMU version 1.9a+ds1-1.1
Date: Mon, 1 Aug 2016 14:40:25 +0200
Control: tags 832031 + patch
Control: tags 832031 + pending

Dear maintainer,

I've prepared an NMU for mupdf (versioned as 1.9a+ds1-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[mupdf-1.9a+ds1-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 832031-submit@bugs.debian.org. (Mon, 01 Aug 2016 12:45:04 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 832031-submit@bugs.debian.org. (Mon, 01 Aug 2016 12:45:05 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 06 Aug 2016 13:24:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 06 Aug 2016 13:24:07 GMT)


Message #23 received at 832031-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 832031-close@bugs.debian.org
Subject: Bug#832031: fixed in mupdf 1.9a+ds1-1.1
Date: Sat, 06 Aug 2016 13:22:03 +0000
Source: mupdf
Source-Version: 1.9a+ds1-1.1

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832031@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 01 Aug 2016 14:17:20 +0200
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source
Version: 1.9a+ds1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 832031
Description: 
 libmupdf-dev - development files for the MuPDF viewer
 mupdf      - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Changes:
 mupdf (1.9a+ds1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-6265: Use after free vulnerability in pdf_xref.c
     (Closes: #832031)
Checksums-Sha1: 
 b9e222a61aad9d02c1ceaf6c2c60077c44a82671 2147 mupdf_1.9a+ds1-1.1.dsc
 5538043f7a6284ad167e6b21a5314488f5ef221c 24936 mupdf_1.9a+ds1-1.1.debian.tar.xz
Checksums-Sha256: 
 0192725d0958e8295edd2ecd7eb8887d722f96aea9a5df2109f41163266aec30 2147 mupdf_1.9a+ds1-1.1.dsc
 276e9a9ec67a9d4f70bb6800dcdb7bf5aa3e60ebfa4122ec639f8b47aa7ed1d9 24936 mupdf_1.9a+ds1-1.1.debian.tar.xz
Files: 
 a68488c00d44c3329f95cf06a24bb32b 2147 text optional mupdf_1.9a+ds1-1.1.dsc
 e4f20ee22bbf1ba956b059e3dd364b2f 24936 text optional mupdf_1.9a+ds1-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 28 Aug 2016 12:51:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Aug 2016 12:51:18 GMT)


Message #28 received at 832031-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 832031-close@bugs.debian.org
Subject: Bug#832031: fixed in mupdf 1.5-1+deb8u1
Date: Sun, 28 Aug 2016 12:47:45 +0000
Source: mupdf
Source-Version: 1.5-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832031@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Aug 2016 16:43:34 +0200
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source
Version: 1.5-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 832031 833417
Description: 
 libmupdf-dev - development files for the MuPDF viewer
 mupdf      - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Changes:
 mupdf (1.5-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2016-6265: Use after free vulnerability in pdf_xref.c (Closes: #832031)
   * CVE-2016-6525: heap overflow in pdf_load_mesh_params() (Closes: #833417)
Checksums-Sha1: 
 e6573c3d58e3235ddfd6100c98c4c298413e2681 2122 mupdf_1.5-1+deb8u1.dsc
 9b451774d628d2953df7591f0fcdb465f7da4fa5 7528994 mupdf_1.5.orig.tar.gz
 09478f047fb172be3017e19560481384100ec465 25224 mupdf_1.5-1+deb8u1.debian.tar.xz
Checksums-Sha256: 
 f203c1d2490900d76e05ae369a379c8fdf17aac4c636934665f9971cd37d072e 2122 mupdf_1.5-1+deb8u1.dsc
 9ef2a457c119031cbf84cf89bfe9bf01d3fbb4b739bb4707bb58bfe141102ff2 7528994 mupdf_1.5.orig.tar.gz
 1e5bfeb9debf8811727792eb4d9e0e38120d51618bcde138c46869a370f89dee 25224 mupdf_1.5-1+deb8u1.debian.tar.xz
Files: 
 2fd66461ed83b6b13f434d9acc59b51f 2122 text optional mupdf_1.5-1+deb8u1.dsc
 89dd2ad96a3679035b89007d7dcbd847 7528994 text optional mupdf_1.5.orig.tar.gz
 160af6d320bd41a41f9746e0d85997e5 25224 text optional mupdf_1.5-1+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Sep 2016 07:28:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:51:01 2019; Machine Name: buxtehude
