Debian Bug report logs -
#879055
mupdf: CVE-2017-15587
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>:
Bug#879055; Package src:mupdf.
(Wed, 18 Oct 2017 19:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>.
(Wed, 18 Oct 2017 19:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: mupdf
Version: 1.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698605
Hi,
the following vulnerability was published for mupdf.
CVE-2017-15587[0]:
| An integer overflow was discovered in pdf_read_new_xref_section in
| pdf/pdf-xref.c in Artifex MuPDF 1.11.
base64 encoded reproducer for verifying:
JVBERi0wMDAwMDAgMCBvYmo8PC9bXS9JbmRleFsyMTQ3NDgzNjQ3IDFdLyAwIDAgUi8gMC9TaXpl
IDAvV1tdPj5zdHJlYW0Nc3RhcnR4cmVmMTAK
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698605
[2] http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8
[3] https://nandynarwhals.org/CVE-2017-15587/
Regards,
Salvatore
Reply sent
to Kan-Ru Chen (陳侃如) <koster@debian.org>:
You have taken responsibility.
(Thu, 26 Oct 2017 15:39:12 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 26 Oct 2017 15:39:12 GMT) (full text, mbox, link).
Message #10 received at 879055-close@bugs.debian.org (full text, mbox, reply):
Source: mupdf
Source-Version: 1.11+ds1-2
We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 879055@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kan-Ru Chen (陳侃如) <koster@debian.org> (supplier of updated mupdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 26 Oct 2017 22:28:43 +0800
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.11+ds1-2
Distribution: unstable
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Kan-Ru Chen (陳侃如) <koster@debian.org>
Description:
libmupdf-dev - development files for the MuPDF viewer
mupdf - lightweight PDF viewer
mupdf-tools - command line tools for the MuPDF viewer
Closes: 879055
Changes:
mupdf (1.11+ds1-2) unstable; urgency=high
.
* Acknowledge NMU. Thanks, Salvatore.
* Renumber patches
* Fixes CVE-2017-15587 (Closes: 879055)
* Sort files in static library to make the build reproducible.
* Bump Standards-Version to 4.1.1. No changes needed.
Checksums-Sha1:
bffb0aa02a36ce322bd4f91257a8f6dfd8d9115d 2153 mupdf_1.11+ds1-2.dsc
c3770ee899a86c163ab8f0c931858d2dc3324176 26824 mupdf_1.11+ds1-2.debian.tar.xz
ec448e6fe9632e2f137944757350b0588595424f 21127648 libmupdf-dev_1.11+ds1-2_amd64.deb
9b1376cb28b07ce264fee713680b637723fa28da 19088912 mupdf-tools_1.11+ds1-2_amd64.deb
3b93ba673c84d85653e3d2c37978d7211543af38 8029 mupdf_1.11+ds1-2_amd64.buildinfo
7a5f7595521c715795d63f26e7d857ce12478098 18915888 mupdf_1.11+ds1-2_amd64.deb
Checksums-Sha256:
fe0fc8bda547129a808eaa46367eca8a018c4208c34dd71040996a71245ef2d5 2153 mupdf_1.11+ds1-2.dsc
da7445a8063d7c81b97d2c373aa112df69d3ad29989b67621387e88d9c38b668 26824 mupdf_1.11+ds1-2.debian.tar.xz
4d2fb8421d4f4cadfeb579a9b8762908128478b1acbd2653e153953535f16a6a 21127648 libmupdf-dev_1.11+ds1-2_amd64.deb
08fb6279f2dc3cb4225cc13a7bc6a87c08bf0c770822cd9aeb6daefc18beadca 19088912 mupdf-tools_1.11+ds1-2_amd64.deb
e1dec8ffc670839b48c5831a266b076be6f6db27e24e99fea5000bb0cd3952bc 8029 mupdf_1.11+ds1-2_amd64.buildinfo
ac5044edb10e9accfb033f06248a93cdfb6b17264a793dd50bc01e117705402d 18915888 mupdf_1.11+ds1-2_amd64.deb
Files:
3de8c76f8313e0a18039ee621998d2bd 2153 text optional mupdf_1.11+ds1-2.dsc
378192c7b2489e04704bf3061123a6ba 26824 text optional mupdf_1.11+ds1-2.debian.tar.xz
9a8eefc38adea1a4319869ae530b5e26 21127648 libdevel optional libmupdf-dev_1.11+ds1-2_amd64.deb
c4d2a4ad4ded92b9136fbb2fb51d093e 19088912 text optional mupdf-tools_1.11+ds1-2_amd64.deb
5d51562c253b3c9fa5c320a3cef85dfe 8029 text optional mupdf_1.11+ds1-2_amd64.buildinfo
fd5214311732c322b091bca17e13f50b 18915888 text optional mupdf_1.11+ds1-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE2JDTPWFH4vUeM4aHCjk1SrblfeEFAlnx/HsACgkQCjk1Srbl
feGprBAAmjOe6zt6fXw9SC6iaQcu0RLCCB4FFijRxmUHmxj99B2/H8TrNsYZVUQz
OrGzGVnAImsjc0jiXPABZMqi4YiUFWJFSTcCv3/gITbck7w424QhYe1q7nU79awA
5Zn9W1jpfwVFySUH/pMTflNCib5tJ24yQVQd0CKCrJZrHVXmnx93oE/i4eYbaRcP
jLXK7VlOFvaQEJnzpwngTmOT+coPlKmihFacG88RmxFJZSx0rzkbDJ/QMLFwRiCA
mcFN444VD993SaYVg+we7qDANnK306soAdznWdVJAKafGGhKAs38fraT7WxQrEDK
Dcf5wcTG/RMkYEVsCceraQpOV0UAlQKU8hofyoEe514giis8Bb7IMRZEbFCpSfB4
AZqSE9leRjMx/NGVg4W94/3g/cuTPo1Fi9Dia9d9RSa3c7XyC03WPe5ZDAwEq5L6
y83UU7lRNcvcoC4sm3XSHgv8yzX892qkfS9zuRhJruwKHepMmJIwdL4kEArndWqv
D+cUcohy3gWH55jfpHolb8zoPhYlrZVC35d6uaWiSKuKzjvTK/+luAJBWrkr6Rsu
SZ+BDQyIOX6Z8w9N8MstmOk1N6xUHpxLF+kYU6/9/Fi8zHpnI/FHhYObA+eLoOiJ
0jSbzeoXi+J2bO0Cgxf7Iz2c+Y14A6MZuY0iMG3Rehj8ja7/iRE=
=v97U
-----END PGP SIGNATURE-----
Reply sent
to Luciano Bello <luciano@debian.org>:
You have taken responsibility.
(Sun, 12 Nov 2017 15:36:12 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 12 Nov 2017 15:36:12 GMT) (full text, mbox, link).
Message #15 received at 879055-close@bugs.debian.org (full text, mbox, reply):
Source: mupdf
Source-Version: 1.9a+ds1-4+deb9u1
We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 879055@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated mupdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 22 Oct 2017 20:10:29 -0400
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.9a+ds1-4+deb9u1
Distribution: stable-security
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
libmupdf-dev - development files for the MuPDF viewer
mupdf - lightweight PDF viewer
mupdf-tools - command line tools for the MuPDF viewer
Closes: 877379 879055
Changes:
mupdf (1.9a+ds1-4+deb9u1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, and CVE-2017-15587
(Closes: #877379, #879055)
Checksums-Sha1:
9d81799345cfb4ebec2c5b8f208cd4b7502275ed 2181 mupdf_1.9a+ds1-4+deb9u1.dsc
2699c33ddc8f33819cd0791f3762a3a268873286 13325139 mupdf_1.9a+ds1.orig.tar.gz
5908b334c81b062996e71e6a7388e13e52f51ac0 29900 mupdf_1.9a+ds1-4+deb9u1.debian.tar.xz
86dbb5d043099667a46df82fb654e3504eed87c3 7301598 libmupdf-dev_1.9a+ds1-4+deb9u1_amd64.deb
05a7c5e73f7105664b082783eda97d3566cdfbde 2114944 mupdf-dbgsym_1.9a+ds1-4+deb9u1_amd64.deb
64e7906300b406c5baf9e1cde09d67d57db4e44f 2387358 mupdf-tools-dbgsym_1.9a+ds1-4+deb9u1_amd64.deb
373f45904a3f03b43a560878bc3b0a1323596cf6 6910056 mupdf-tools_1.9a+ds1-4+deb9u1_amd64.deb
971d193b1017480c7872c50194eaeaff05ebbcd4 8529 mupdf_1.9a+ds1-4+deb9u1_amd64.buildinfo
9278ad662dd2e7b2cfbe815bfc9fe4a844c1fe10 6855630 mupdf_1.9a+ds1-4+deb9u1_amd64.deb
Checksums-Sha256:
2322908eb72897a86d2ae4cfcf0c4bbeb946b1f7a1931460359569bec7cb76e4 2181 mupdf_1.9a+ds1-4+deb9u1.dsc
1b5d6126472f99ae2c99f1b474169b752764d63a90d3dd6e6a6f8fac8cdd0b75 13325139 mupdf_1.9a+ds1.orig.tar.gz
0daba2cb247730dbc741e1cb20396976ba6cb6a1bc9af9988b69cd56e7541f99 29900 mupdf_1.9a+ds1-4+deb9u1.debian.tar.xz
1022406bbe88face9ceaf28e5cea8e742c221018427321d36b643611f48dc093 7301598 libmupdf-dev_1.9a+ds1-4+deb9u1_amd64.deb
8245a8db1726ca33404bb2ce5cc6a83ed5637b0308bd93fca22cf24906197c9a 2114944 mupdf-dbgsym_1.9a+ds1-4+deb9u1_amd64.deb
09a63eef58a5a9daaba2c71a7085c18dd0a3ec756a26ae95970de4f831c0b542 2387358 mupdf-tools-dbgsym_1.9a+ds1-4+deb9u1_amd64.deb
95b8c926f73a8aa942c724799e3e36565394bf3d2005beb6576f8c21e2cb40fa 6910056 mupdf-tools_1.9a+ds1-4+deb9u1_amd64.deb
e20285543adba21cc56b5d566361fa3afb811a81a3a2190fec71d9c23297b036 8529 mupdf_1.9a+ds1-4+deb9u1_amd64.buildinfo
8d75a49ebb70e827a3e062953af0b37dcb2ded7451feb64d75a4b5f0a1e1e903 6855630 mupdf_1.9a+ds1-4+deb9u1_amd64.deb
Files:
f3481c5a6f7bdbc4d757fde2b964f844 2181 text optional mupdf_1.9a+ds1-4+deb9u1.dsc
62e41e176d501171476cf4f6a03d8306 13325139 text optional mupdf_1.9a+ds1.orig.tar.gz
c16c035920950af2c6b3ca0d90e51744 29900 text optional mupdf_1.9a+ds1-4+deb9u1.debian.tar.xz
b9f4ebbbb329f56ef186fc7509fe70a4 7301598 libdevel optional libmupdf-dev_1.9a+ds1-4+deb9u1_amd64.deb
786cd6cc8f984451cc1bcc27cddfafac 2114944 debug extra mupdf-dbgsym_1.9a+ds1-4+deb9u1_amd64.deb
cf140eca75dfc6a4abfba5b52b77de8f 2387358 debug extra mupdf-tools-dbgsym_1.9a+ds1-4+deb9u1_amd64.deb
e47e08f3a455d0032d8fea7cd7b37dad 6910056 text optional mupdf-tools_1.9a+ds1-4+deb9u1_amd64.deb
14773d1a821606f6e72e6d5714f5056d 8529 text optional mupdf_1.9a+ds1-4+deb9u1_amd64.buildinfo
0a99e9c166c70082f20466c936195251 6855630 text optional mupdf_1.9a+ds1-4+deb9u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlnulNAACgkQbsLe9o/+
N3T86Q/7B3/ICbu6GhZ3O5ulh/jHlX8OagrbRGzH3qCI9BDWkxMbvBIk7WRCPcd9
I5/iMA/1rPJeAhzWoPD3hwUzBZq++W8H6qMKrrTM2AYKzr6F9N/19NQJq4wFp7Re
CV3IQN7iOeWWVvd4lMeNX2QdJ1PHCwwCSqOoEKVKt2KCeUQ8hPiVrI4Jc7MFQT3I
vi4bbXERm7Q0n6C6GPhwOsIRV17aXDeKDM2xB0WvkCK6/qiqbXJNzjujE0jSN3/w
eUUP9WdsU/ISC9J7GQZDRSFGFEjF/K6fS1mcvzMbJPtoMDOTAnTV6nytQr4cC/fl
wibXzVmTbUt4I1U8g360NdolNJb8avkUWbgSafvGphTdNDjlTq9/dQWgK6RUm3PQ
hz9BjSuxf9Kd4MQXMJNGAjw11s5Tbe8iw7Q+mJW84/+sgZ8C8kRNpAM8mHF+6E5e
qhfHic1Gs7fJLCEPnT7Rt6xS/xjgCr1SK9W8VieLUMmAUvgHgUHeUf9uxcpQHp2o
nRMM4QQvLsUP7nVMt5PxpyqEnHeFIRc6ltXWpBPRWwNbrOb55WtnTwQ6IClnYmdR
Fj7USVVIY8vJfgPjaR+fvuXK0bvBawWSpifnI/JFfId9DeKeLsCTIpOv6grM95GN
wCxdljgxUBDV1iXiAy+2u+UuemCbg08wvZ03eGRjrCDSzPYlk3o=
=HRBT
-----END PGP SIGNATURE-----
Reply sent
to Luciano Bello <luciano@debian.org>:
You have taken responsibility.
(Sat, 18 Nov 2017 22:24:12 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 18 Nov 2017 22:24:12 GMT) (full text, mbox, link).
Message #20 received at 879055-close@bugs.debian.org (full text, mbox, reply):
Source: mupdf
Source-Version: 1.5-1+deb8u3
We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 879055@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated mupdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 10 Nov 2017 12:20:25 -0500
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.5-1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
libmupdf-dev - development files for the MuPDF viewer
mupdf - lightweight PDF viewer
mupdf-tools - commmand line tools for the MuPDF viewer
Closes: 879055
Changes:
mupdf (1.5-1+deb8u3) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2017-15587: Integer overflow was discovered in
pdf_read_new_xref_section (Closes: #879055)
Checksums-Sha1:
6478d5012dfbacad1a26c7c8ebb55ca77dfcc062 2126 mupdf_1.5-1+deb8u3.dsc
9945ebc124497fbbe684246f1ffabc067a677338 28200 mupdf_1.5-1+deb8u3.debian.tar.xz
31a8179e4396aa3153619861b29fc1159da4f4be 3465410 libmupdf-dev_1.5-1+deb8u3_amd64.deb
7bf5917d850f38e644ca4f2d2b9551cc63959ba8 3415534 mupdf_1.5-1+deb8u3_amd64.deb
61b7eef1d31a360ed3860ae012768f8816a92472 3578254 mupdf-tools_1.5-1+deb8u3_amd64.deb
Checksums-Sha256:
6cdf0d7798aecbac0482f83911a705c181b81de32596fbf417cc82070002017e 2126 mupdf_1.5-1+deb8u3.dsc
0a449a0fb49dd015673ff4a03b44e7d29a53f1753ca2adbf10057cc477689ec5 28200 mupdf_1.5-1+deb8u3.debian.tar.xz
ed710d3080b1ac2c6497ab79b9979df163cbb39220adc5cfb459cef06b069a23 3465410 libmupdf-dev_1.5-1+deb8u3_amd64.deb
1ce9c5d3072bb8a3b1a1a5efed4c8df42222a0d0472c5ddfc6f92e2af2d0c40d 3415534 mupdf_1.5-1+deb8u3_amd64.deb
a844db1161ac8bb35d274f9e6f2c7d7bd57cd769df43c3ef00c36a16d08c177a 3578254 mupdf-tools_1.5-1+deb8u3_amd64.deb
Files:
8f74c9c6b94c6f84fbf8142fd0f6f0d7 2126 text optional mupdf_1.5-1+deb8u3.dsc
4dc931340e6e243a113ca40d15ead2da 28200 text optional mupdf_1.5-1+deb8u3.debian.tar.xz
3ec733666419112ee3d0274416130081 3465410 libdevel optional libmupdf-dev_1.5-1+deb8u3_amd64.deb
8b828d1a312bce82aaa634ecc766fc06 3415534 text optional mupdf_1.5-1+deb8u3_amd64.deb
2fa3122bc3a1f52b7829a232ebf2142f 3578254 text optional mupdf-tools_1.5-1+deb8u3_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAloGB5wACgkQbsLe9o/+
N3Q2Kg/+M5IxteD3gOGyl15p02HImYuDSHm2touj0Z1j84WKZuQtvp/zvDoS5t36
4zFwpiY8Qh4wF6wIqNrta2WsuHDJEtnJe673Pyf/b6G981B++iWLzNUUsgv6EMKo
Q7bfg5XSEv4f9KRGWQZdLIRSlOuTIpltTAkGlOTFoHJ5vKZa9ROixzwRj4AcsbPu
a+3964mqT2FUa+mD/bHMfnXLH32K6XC/WcsjHtWh4hvQupNZbCrFJA9WvLyseGDw
z3BjKXbViYlZ7sFaQ6O4C13N/WCCxEDoCXqPyCv50ABUi8W0opk9Zcbe6KrQ3nND
xsvaRRqstjgw9ehbzeY2iN8WRxV4FNJ9D6Ey/ca98vWMeiR3N2/6857VUOuSsU3g
nQtx2klqmDEvR6JrtNsag1/vCMOIwSIM+251BueKVojoUbyY+XrDYUhqJF9w6E2Q
zu3uNdKDCOlzZLcZrT3X2wxur1WweDCCHOhKtRVBCc0PZ5xoqmW3LOTqEwkLRzMp
4dp9J/oOi7gBtX7uHPQBzo3vDlklYhiVVZdy4vpVXq78Ridg4mNao3omMpX56vhf
r3jm09S4zEcXSSbt3Y46vZuhCiZhMsw1eMn9UH8+22CltSokMlz5LfrPtEnQTGpr
LdL8zk8vSSoGqkIoe7pmtI8FhMcwNIGfOAlSkUkuTDmosME+Kv8=
=vk6y
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 17 Dec 2017 07:29:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:08:36 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon