CVE-2021-37220: MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted "mutool draw" input. Unreleased patch: https://git.ghostscript.com/?p=mupdf.git;h=f5712c9949d026e4b891b25837edd2edc166151f
Asked upstream about versioning given I don't know if 1.18.1 is a proper release or not. Trying to avoid adding just this patch then ending up stabling something else given it likely has security related fixes in it, in short succession.
Package list is empty or all packages have requested keywords.
Version 1.19.0 is in tree and stable keyworded. There is also 1.18.0-r4 for which I was not able to quickly determine if it contains the fix for this particular CVE or not.
CVE-2021-4216 (https://bugs.ghostscript.com/show_bug.cgi?id=704834): A Floating point exception (division-by-zero) flaw was found in Mupdf for zero width pages in muraster.c. It is fixed in Mupdf-1.20.0-rc1 upstream. Patch, in 1.20.0: https://github.com/ArtifexSoftware/mupdf/commit/22c47acbd52949421f8c7cb46ea1556827d0fcbf
(In reply to Sam James from comment #1) > Asked upstream about versioning given I don't know if 1.18.1 is a proper > release or not. Trying to avoid adding just this patch then ending up > stabling something else given it likely has security related fixes in it, in > short succession. In any case it's definitely in 1.19.0
Ping. Please clean up the vulnerable version 1.19.1. It looks like this also requires app-text/zathura-pdf-mupdf-0.3.8-r2 to be removed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8dc589bb73695e2b430fefd16f80669c42d2d736 commit 8dc589bb73695e2b430fefd16f80669c42d2d736 Author: Joonas Niilola <juippis@gentoo.org> AuthorDate: 2023-10-22 14:49:48 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2023-10-22 14:49:48 +0000 app-text/mupdf: drop 1.19.1 Bug: https://bugs.gentoo.org/803305 Signed-off-by: Joonas Niilola <juippis@gentoo.org> app-text/mupdf/Manifest | 1 - app-text/mupdf/mupdf-1.19.1.ebuild | 153 ------------------------------------- 2 files changed, 154 deletions(-)
