CVE-2021-3407: A flaw was found in mupdf 1.18.0. Double free of object during linearization may lead to memory corruption and other potential consequences. Please bump.
We need to apply the patch right?
(In reply to Sam James from comment #1) > We need to apply the patch right? Yes, sorry! No upstream tag with that patch as far as I can tell.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f8610d53861f805bf4c4b6e1366935ad660b141 commit 6f8610d53861f805bf4c4b6e1366935ad660b141 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-02-24 16:09:26 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-02-24 16:21:44 +0000 app-text/mupdf: patch CVE-2021-3407 Bug: https://bugs.gentoo.org/772311 Package-Manager: Portage-3.0.14, Repoman-3.0.2 Signed-off-by: Sam James <sam@gentoo.org> .../mupdf/files/mupdf-1.18.0-CVE-2021-3407.patch | 51 ++++++++ app-text/mupdf/mupdf-1.18.0-r3.ebuild | 145 +++++++++++++++++++++ 2 files changed, 196 insertions(+)
Unable to check for sanity: > no match for package: app-text/mudfp-1.18.0-r3
ppc done
ppc64 done
arm done
arm64 done
x86 done
amd64 done all arches done
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f75f343ca56b52d513a15df9c8a30082073acebe commit f75f343ca56b52d513a15df9c8a30082073acebe Author: Sam James <sam@gentoo.org> AuthorDate: 2021-03-04 04:55:38 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-03-04 04:55:50 +0000 app-text/mupdf: remove 1.18.0 (security cleanup) Bug: https://bugs.gentoo.org/772311 Signed-off-by: Sam James <sam@gentoo.org> app-text/mupdf/mupdf-1.18.0-r2.ebuild | 144 ---------------------------------- 1 file changed, 144 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-30 at https://security.gentoo.org/glsa/202105-30 by GLSA coordinator Thomas Deutschmann (whissi).