Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 631848 (CVE-2017-14685)

Summary: app-text/mupdf: denial of service in xps_load_links_in_glyphs in xps/xps-link.c
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal CC: xmw
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 631846    
Bug Blocks:    

Description Aleksandr Wagner (Kivak) 2017-09-23 15:43:35 UTC 
CVE-2017-14685 (https://nvd.nist.gov/vuln/detail/CVE-2017-14685):

Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to "Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016aa61" on Windows. This occurs because xps_load_links_in_glyphs in xps/xps-link.c does not verify that an xps font could be loaded.

Referneces:

http://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a
https://bugs.ghostscript.com/show_bug.cgi?id=698539
https://github.com/wlinzi/security_advisories/tree/master/CVE-2017-14685
Comment 1 Aleksandr Wagner (Kivak) 2017-09-23 15:44:58 UTC 
My mistake, this vulnerability is Windows only.