611444 – (CVE-2017-5991) <app-text/mupdf-1.10a-r2: NULL pointer dereference

Bug 611444 (CVE-2017-5991) - <app-text/mupdf-1.10a-r2: NULL pointer dereference

Summary: <app-text/mupdf-1.10a-r2: NULL pointer dereference

Status:	RESOLVED FIXED

Alias:	CVE-2017-5991

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://git.ghostscript.com/?p=mupdf.g...
Whiteboard:	B3 [glsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-03-03 00:38 UTC by Ian Zimmerman
Modified:	2017-06-06 08:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	=app-text/mupdf-1.10a-r2
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ian Zimmerman 2017-03-03 00:38:45 UTC

Upstream commit message says:

Bug 697500: Fix NULL ptr access.

Cope better with errors during rendering - avoid letting the
gstate stack get out of sync.

This avoids us ever getting into the situation of popping
a clip when we should be popping a mask or a group. This was
causing an unexpected case in the painting.

This is CVE-2017-5991, and DSA (Debian advisory) DSA-3797.


Reproducible: Always

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2017-03-06 19:46:36 UTC

CVE-2017-5991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5991):
  An issue was discovered in Artifex Software, Inc. MuPDF before
  1912de5f08e90af1d9d0a9791f58ba3afdb9d465. The pdf_run_xobject function in
  pdf-op-run.c encounters a NULL pointer dereference during a Fitz
  fz_paint_pixmap_with_mask painting operation.

Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-03-06 19:55:01 UTC

I don't see this one handled along with bug 608702 or bug 608712 nor immediately recognize patch in files, so setting [upstream/ebuild] for now

Comment 3 Michael Weber (RETIRED) gentoo-dev

2017-03-06 22:14:25 UTC

commit 8231bc27f9ef5caa6f21b3601047797c432adb7c
Author: Michael Weber <xmw@gentoo.org>
Date:   Mon Mar 6 23:12:21 2017 +0100

    app-text/mupdf: Revbump with patch for CVE-2017-5991.
    
    Package-Manager: Portage-2.3.4, Repoman-2.3.2

app-text/mupdf/files/mupdf-1.10a-null-pointer-2.patch
app-text/mupdf/mupdf-1.10a-r2.ebuild

Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-03-06 22:49:31 UTC

(In reply to Michael Weber from comment #3)
> commit 8231bc27f9ef5caa6f21b3601047797c432adb7c
> Author: Michael Weber <xmw@gentoo.org>
> Date:   Mon Mar 6 23:12:21 2017 +0100
> 
>     app-text/mupdf: Revbump with patch for CVE-2017-5991.
>     
>     Package-Manager: Portage-2.3.4, Repoman-2.3.2
> 
> app-text/mupdf/files/mupdf-1.10a-null-pointer-2.patch
> app-text/mupdf/mupdf-1.10a-r2.ebuild

Thank you for bumping :)

Please call for stabilization once comfortable with its stability

Comment 5 Michael Weber (RETIRED) gentoo-dev

2017-03-06 23:35:47 UTC

@arches: go ahead please.

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2017-03-08 05:30:28 UTC

Stable for HPPA.

Comment 7 Agostino Sarubbo gentoo-dev

2017-03-10 09:10:48 UTC

amd64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2017-03-10 11:01:11 UTC

x86 stable

Comment 9 Michael Weber (RETIRED) gentoo-dev

2017-03-10 12:37:09 UTC

Tree is clean.

commit 4f904b100300943c22586e4844d65e813c79e95e
Author: Michael Weber <xmw@gentoo.org>
Date:   Fri Mar 10 13:29:34 2017 +0100

    app-text/mupdf: Remove old version (bug 611444).
    
    Package-Manager: Portage-2.3.4, Repoman-2.3.2

app-text/mupdf/mupdf-1.10a-r1.ebuild

commit 393c97a056216f7a4be689dccaeb1939a26bda25
Author: Michael Weber <xmw@gentoo.org>
Date:   Fri Mar 10 13:28:40 2017 +0100

    app-text/mupdf: arm ppc ppc64 stable (bug 611444).
    
    Package-Manager: Portage-2.3.4, Repoman-2.3.2

app-text/mupdf/mupdf-1.10a-r2.ebuild

Comment 10 Yury German Gentoo Infrastructure

2017-03-24 05:20:29 UTC

GLSA Vote: No

Thank you all for you work. 
Closing as [noglsa].

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-03 23:53:59 UTC

Because we have to do one GLSA for bug 614044 I'll add this one to the same advisory.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2017-06-06 08:58:23 UTC

This issue was resolved and addressed in
 GLSA 201706-08 at https://security.gentoo.org/glsa/201706-08
by GLSA coordinator Thomas Deutschmann (whissi).