the update is non-trivial, first steps were done with app-text/jmupdf[system-mupdf].
I guess this affects all app-text/mupdf security bugs.
Michael, how would you feel about last-riting this? Upstream is dead, it bundles a vulnerable mupdf, nothing actually depends on it, and if it really doesn't build with Java 8 (as the deps imply) then it's blocking the removal of Java 7.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97bb1cdc9c44c3c242349a286632b554f359de84 commit 97bb1cdc9c44c3c242349a286632b554f359de84 Author: James Le Cuirot <chewi@gentoo.org> AuthorDate: 2017-11-05 13:54:00 +0000 Commit: James Le Cuirot <chewi@gentoo.org> CommitDate: 2017-11-05 13:54:00 +0000 profiles: Mask app-text/jmupdf Upstream dead, bundles a vulnerable mupdf, nothing depends on it, and blocks the removal of Java 7. Removal in 30 days. Bug: https://bugs.gentoo.org/472832 profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+)}
You forgot about jtweakpdf-1.1. Given it is not in the tree yet. But there is https://bugs.gentoo.org/331981 I'm not using it regularly, but it is a nice tool to have...
(In reply to Bodo Graumann from comment #4) > You forgot about jtweakpdf-1.1. Given it is not in the tree yet. But there > is https://bugs.gentoo.org/331981 > I'm not using it regularly, but it is a nice tool to have... Okay but someone who cares enough will need to do something about jmupdf. I can live with a dead upstream but the vulnerabilities are a showstopper. The Java 7 requirement may not be a problem once we get Java 9 because it can build against older releases more easily.
app-text/jmupdf has been last-rited. Sorry folks.
