mupdf: CVE-2018-1000036: memory leaks in the PDF parser

Related Vulnerabilities: CVE-2018-1000036  

Debian Bug report logs - #900129


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 26 May 2018 14:12:02 UTC

Severity: normal

Tags: security, upstream

Found in version mupdf/1.12.0+ds1-1

Fixed in version mupdf/1.14.0+ds1-1

Done: Kan-Ru Chen (陳侃如) <koster@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>:
Bug#900129; Package src:mupdf. (Sat, 26 May 2018 14:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Kan-Ru Chen (陳侃如) <koster@debian.org>. (Sat, 26 May 2018 14:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mupdf: CVE-2018-1000036: memory leaks in the PDF parser
Date: Sat, 26 May 2018 16:08:00 +0200
Source: mupdf
Version: 1.12.0+ds1-1
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for mupdf.

CVE-2018-1000036[0]:
| In MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser
| allow an attacker to cause a denial of service (memory leak) via a
| crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000036
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000036
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5502
[2] https://bugzilla.novell.com/show_bug.cgi?id=1094634

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Kan-Ru Chen (陳侃如) <koster@debian.org>:
You have taken responsibility. (Sun, 28 Oct 2018 09:03:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Oct 2018 09:03:03 GMT)


Message #10 received at 900129-close@bugs.debian.org:

From: Kan-Ru Chen (陳侃如) <koster@debian.org>
To: 900129-close@bugs.debian.org
Subject: Bug#900129: fixed in mupdf 1.14.0+ds1-1
Date: Sun, 28 Oct 2018 09:01:20 +0000
Source: mupdf
Source-Version: 1.14.0+ds1-1

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kan-Ru Chen (陳侃如) <koster@debian.org> (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Oct 2018 14:48:12 +0900
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.14.0+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Kan-Ru Chen (陳侃如) <koster@debian.org>
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf      - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Closes: 900129 903319
Changes:
 mupdf (1.14.0+ds1-1) unstable; urgency=medium
 .
   * New upstream version 1.14.0+ds1
     - Fixes CVE-2018-1000036 (Closes: #900129, upstream bug 699695)
   * d/patches: fresh patches
   * d/rules: adjust to work with updated upstream Makefile
   * d/rules: Set CC_FOR_BUILD (Closes: #903319)
Checksums-Sha1:
 bc617733e88e235aea20966f07483cf7b0ebce4c 2156 mupdf_1.14.0+ds1-1.dsc
 2321618e56a908cfa3444f019f805d688d9fa127 24348296 mupdf_1.14.0+ds1.orig.tar.xz
 ca80a55e7f2a96a016c05e224987c1f785980547 26532 mupdf_1.14.0+ds1-1.debian.tar.xz
 9884c035c8198eb3e6a126c6a106bec77ccfd472 22556068 libmupdf-dev_1.14.0+ds1-1_amd64.deb
 18ba651146aed3d0aa3e768ee4b5081b824eda87 2972192 mupdf-dbgsym_1.14.0+ds1-1_amd64.deb
 612958bfa45f9a920f78362408ed2adc3d49b4b7 3263740 mupdf-tools-dbgsym_1.14.0+ds1-1_amd64.deb
 0ba8094d37f828c13143060b9707d0be3e7d57ad 20089468 mupdf-tools_1.14.0+ds1-1_amd64.deb
 2dfb85fea5fe63c6f99c935ef4ed31b6cc88c875 11181 mupdf_1.14.0+ds1-1_amd64.buildinfo
 185f95eba9b1bd33c36e4f21eae788e1a7e25c9a 19993828 mupdf_1.14.0+ds1-1_amd64.deb
Checksums-Sha256:
 5081694299959c4fa49bda4ab5035e414b6f989baf74ab67c45b05e4668b7fc7 2156 mupdf_1.14.0+ds1-1.dsc
 289b4f5cb4ffa2f4c9ca67fda5a48deb9615f2ca51f276b5fd9318b62329cc93 24348296 mupdf_1.14.0+ds1.orig.tar.xz
 7f427383072f345a52266e2ac95df2a46329b1c5189f9a209917b72b543d8d2f 26532 mupdf_1.14.0+ds1-1.debian.tar.xz
 cdfaaf6513cf480daae23907cc252621e53e36b6b9fe51411f80de2573862641 22556068 libmupdf-dev_1.14.0+ds1-1_amd64.deb
 cc452c30cf413f1d4e52820b186b58f57cbc05fd9a9ec84bb667e6b92c8fafd7 2972192 mupdf-dbgsym_1.14.0+ds1-1_amd64.deb
 f809a532b1c7be8a1c914365176dd72205e5f3403a529067052774eb8b3b388c 3263740 mupdf-tools-dbgsym_1.14.0+ds1-1_amd64.deb
 aa8db8ad436620b491617494d74fb4d22e65dac1fb334b3c32dbcd15b66bf0d2 20089468 mupdf-tools_1.14.0+ds1-1_amd64.deb
 c71b6254af70d60c9c716030320298245302a2c6899ebb3326ff605266e87bd1 11181 mupdf_1.14.0+ds1-1_amd64.buildinfo
 0873adce00699e1e5a0dd7fcf25d8e5597bb1c156435b61dcea4d01672ac2c44 19993828 mupdf_1.14.0+ds1-1_amd64.deb
Files:
 9dfd0e9e512cb57a291d023021efea15 2156 text optional mupdf_1.14.0+ds1-1.dsc
 10b771cd3389a4e0b8a0deceb5254e96 24348296 text optional mupdf_1.14.0+ds1.orig.tar.xz
 50cea91caeaa2cc203bb08110b334220 26532 text optional mupdf_1.14.0+ds1-1.debian.tar.xz
 e106dfa86411c6a16c62c68b266cc407 22556068 libdevel optional libmupdf-dev_1.14.0+ds1-1_amd64.deb
 e68ff402da664e21bafa5505d678f8cd 2972192 debug optional mupdf-dbgsym_1.14.0+ds1-1_amd64.deb
 951bf06266fe040581d7f6741f74c92d 3263740 debug optional mupdf-tools-dbgsym_1.14.0+ds1-1_amd64.deb
 1319c1a0dd6e4965b015a4dba87603f0 20089468 text optional mupdf-tools_1.14.0+ds1-1_amd64.deb
 148326951be91da4ac8a3f20497837dc 11181 text optional mupdf_1.14.0+ds1-1_amd64.buildinfo
 5b92226bab473a63ddba03ad127d5c8f 19993828 text optional mupdf_1.14.0+ds1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Dec 2018 07:27:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:38:38 2019; Machine Name: buxtehude
