Bug 737034 - app-text/mupdf: bundles vulnerable dev-lang/mujs
Summary: app-text/mupdf: bundles vulnerable dev-lang/mujs
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Depends on: CVE-2019-11411, CVE-2019-11412, CVE-2019-11413, CVE-2020-24343
Reported: 2020-08-14 04:06 UTC by Sam James
Modified: 2020-10-07 19:09 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-14 04:06:26 UTC
Bundled copy of dev-lang/mujs likely vulnerable to bug 737020 and bug 719248.
Comment 1 Larry the Git Cow gentoo-dev 2020-08-14 04:21:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0985c4811a165c289d7cde5a81ea960077d7a235

commit 0985c4811a165c289d7cde5a81ea960077d7a235
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-14 04:09:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-14 04:21:22 +0000

    app-text/mupdf: security bump to 1.17.0
    
    * Debundle dev-lang/mujs again for the
      security bug (bundled copy is probably OK
      in terms of release mujs, but not a new bug
      (CVE-2020-24343).
    
    * Document bundled libs with references
      to check when bumping. Useful for both
      security@ and the maintainer.
    
    * Include extra Debian patches for improved
      cross-compilation support (mostly pkg-config).
    
    * Fix existing patch to respect libdir in pkgconfig
      file.
    
    * Fix missing || dies.
    
    Bug: https://bugs.gentoo.org/737034
    Bug: https://bugs.gentoo.org/737020
    Closes: https://bugs.gentoo.org/725672
    Closes: https://bugs.gentoo.org/734898
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/mupdf/Manifest                            |   1 +
 .../mupdf/files/mupdf-1.17.0-cross-fixes.patch     | 103 ++++++++++++++
 app-text/mupdf/mupdf-1.17.0.ebuild                 | 153 +++++++++++++++++++++
 3 files changed, 257 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-07 19:09:22 UTC
This ended up being a non-issue but something to keep in mind.