Summary: | <app-text/mupdf-1.13.0: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | vdupras, xmw |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/gentoo/gentoo/pull/8984 https://github.com/gentoo/gentoo/pull/9042 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: | app-text/mupdf-1.13.0 | ||
Runtime testing required: | --- |
Bug Depends on: | 631970 | ||
Bug Blocks: | 634678, 645974, 646010, 651828 |
Description
GLSAMaker/CVETool Bot
2018-06-20 23:25:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=856a6ad1fd3dfe1ab67a2976edc3f5dedd694fa3

commit 856a6ad1fd3dfe1ab67a2976edc3f5dedd694fa3
Author: Jouni Kosonen <jouni.kosonen@tukesoft.com>
AuthorDate: 2018-06-27 07:03:42 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-25 01:31:14 +0000

    app-text/mupdf: version bump to 1.13.0

    Bug: https://bugs.gentoo.org/646010
    Bug: https://bugs.gentoo.org/651828
    Bug: https://bugs.gentoo.org/658618

 app-text/mupdf/Manifest | 1 +
 .../mupdf/files/mupdf-1.13-openssl-curl-x11.patch | 39 +++++
 app-text/mupdf/mupdf-1.13.0.ebuild | 166 +++++++++++++++++++++
 3 files changed, 206 insertions(+)

app-text/mupdf-1.13.0 has just been pushed to the tree.

alpha, amd64, arm, ia64, x86, sparc, please stabilize: app-text/mupdf-1.13.0

Thanks.

amd64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1b0bc97b3f16d5d1799ff4d9ab2479fa89ef02c

commit f1b0bc97b3f16d5d1799ff4d9ab2479fa89ef02c
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-27 06:34:42 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-27 06:35:06 +0000

    app-text/mupdf: stable 1.13.0 for ia64, bug #658618

    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.43, Repoman-2.3.10
    RepoMan-Options: --include-arches="ia64"

 app-text/mupdf/mupdf-1.13.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

x86 stable

arm stable

alpha, sparc, status? This bug has a security rating of "B2", which means that our target delay is 10 days, which is long past, even if we only count stabilization time. Without stabilization soon, I'll be forced to drop old versions even if it means dropping stable for alpha and sparc.

I forgot to CC ppc and ppc64 in my stabilization request. Adding them now.

Apparently blocked on sparc because of bug 631970. Unless we can fix this quickly, we will have to un-stabilize mupdf and revdeps on sparc so that we can clean up vulnerable versions.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=279967b75abd12869ea529f6bd860829bb59f329

commit 279967b75abd12869ea529f6bd860829bb59f329
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 18:07:01 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 18:07:01 +0000

    app-text/zathura-pdf-mupdf: remove old and vulnerable

    depends on vulnerable version of mupdf.

    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/zathura-pdf-mupdf/Manifest | 1 -
 .../zathura-pdf-mupdf-0.3.1.ebuild | 54 ----------------------
 2 files changed, 55 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cebe033037940c160c42dd00fb574b7a1ba9c9a5

commit cebe033037940c160c42dd00fb574b7a1ba9c9a5
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 18:15:53 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 18:15:53 +0000

    app-text/llpp: remove old and vulnerable

    Was forced to drop ppc stable keyword due to slow stabilization.

    Bug: https://bugs.gentoo.org/645974
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/llpp/Manifest | 1 -
 app-text/llpp/llpp-26b.ebuild | 87 -------------------------------------------
 2 files changed, 88 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f5d484ee208b2c918e0778c6d259bd97ee77475

commit 0f5d484ee208b2c918e0778c6d259bd97ee77475
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 20:57:03 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 20:59:59 +0000

    app-text/mupdf: drop old and vulnerable

    We have to drop alpha, ppc, ppc64 and sparc due to slow stabilization.
    We've already missed our target delay for resolving the security bug by
    a lot.

    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/mupdf/Manifest | 2 -
 app-text/mupdf/files/mupdf-1.11-CFLAGS.patch | 10 --
 .../mupdf/files/mupdf-1.11-CVE-2017-6060.patch | 15 --
 .../files/mupdf-1.11-openssl-curl-x11-r1.patch | 37 -----
 .../mupdf/files/mupdf-1.11-openssl-curl-x11.patch | 37 -----
 app-text/mupdf/files/mupdf-1.11-system-glfw.patch | 11 --
 app-text/mupdf/mupdf-1.11-r1.ebuild | 152 -------------------
 app-text/mupdf/mupdf-1.11-r2.ebuild | 152 -------------------
 app-text/mupdf/mupdf-1.12.0-r2.ebuild | 166 ---------------------
 app-text/mupdf/mupdf-1.12.0.ebuild | 160 --------------------
 10 files changed, 742 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e79b4ee9ebed12640653fe7483ab723117e9aef

commit 3e79b4ee9ebed12640653fe7483ab723117e9aef
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 20:45:11 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 20:59:59 +0000

    profiles: mask pdf stable flag on 4 arches for net-print/cups-filters

    Mark pdf USE flag on alpha, ppc, ppc64 and sparc which didn't stabilize
    fast enough in bug 658618. Vulnerable versions of app-text/mupdf are
    being deleted now, before stabilization could occur.

    Bug: https://bugs.gentoo.org/658618

 profiles/arch/alpha/package.use.stable.mask | 4 ++++
 profiles/arch/powerpc/package.use.stable.mask | 4 ++++
 profiles/arch/sparc/package.use.stable.mask | 4 ++++
 3 files changed, 12 insertions(+)

Cleanup is over. I had to drop stable for alpha, ppc, ppc64 and sparc so that we can, 2 months later, close a security bug of a "B2" category that has a target delay of 10 days.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9b740ffc467f21ad543a5e96a608ba4e040b93f

commit f9b740ffc467f21ad543a5e96a608ba4e040b93f
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-07 19:38:37 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-07 19:40:29 +0000

    profiles: remove obsolete app-text/mupdf masks

    Closes: https://bugs.gentoo.org/626732
    Bug: https://bugs.gentoo.org/658618
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 profiles/arch/alpha/package.use.mask | 4 ----
 profiles/arch/arm/package.use.mask | 4 ----
 profiles/arch/ia64/package.use.mask | 4 ----
 profiles/arch/powerpc/package.use.mask | 4 ----
 profiles/arch/powerpc/package.use.stable.mask | 4 ----
 profiles/arch/powerpc/ppc32/package.use.mask | 4 ----
 profiles/arch/powerpc/ppc64/package.use.mask | 4 ----
 profiles/arch/sparc/package.use.mask | 4 ----
 8 files changed, 32 deletions(-)

GLSA filed.

This issue was resolved and addressed in GLSA 201811-15 at https://security.gentoo.org/glsa/201811-15 by GLSA coordinator Aaron Bauman (b-man).