Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 803305 (CVE-2021-37220, CVE-2021-4216)

Summary: <app-text/mupdf-1.20.0: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: proxy-maint, rndxelement, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.ghostscript.com/show_bug.cgi?id=703791
Whiteboard: B2 [glsa? cleanup]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-22 01:51:31 UTC 
CVE-2021-37220:

MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted "mutool draw" input.

Unreleased patch: https://git.ghostscript.com/?p=mupdf.git;h=f5712c9949d026e4b891b25837edd2edc166151f
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-22 06:15:09 UTC 
Asked upstream about versioning given I don't know if 1.18.1 is a proper release or not. Trying to avoid adding just this patch then ending up stabling something else given it likely has security related fixes in it, in short succession.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:20:39 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:28:44 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:36:41 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:44:44 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:52:48 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:56:43 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:00:43 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:09:00 UTC 
Package list is empty or all packages have requested keywords.
Comment 10 Niklāvs Koļesņikovs 2022-02-27 16:13:18 UTC 
Version 1.19.0 is in tree and stable keyworded. There is also 1.18.0-r4 for which I was not able to quickly determine if it contains the fix for this particular CVE or not.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 19:24:51 UTC 
CVE-2021-4216 (https://bugs.ghostscript.com/show_bug.cgi?id=704834):

A Floating point exception (division-by-zero) flaw was found in Mupdf for zero width pages in muraster.c. It is fixed in Mupdf-1.20.0-rc1 upstream.

Patch, in 1.20.0: https://github.com/ArtifexSoftware/mupdf/commit/22c47acbd52949421f8c7cb46ea1556827d0fcbf
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-26 19:27:03 UTC 
(In reply to Sam James from comment #1)
> Asked upstream about versioning given I don't know if 1.18.1 is a proper
> release or not. Trying to avoid adding just this patch then ending up
> stabling something else given it likely has security related fixes in it, in
> short succession.

In any case it's definitely in 1.19.0