the update is non-trivial,
first steps were done with app-text/jmupdf[system-mupdf].
I guess this affects all app-text/mupdf security bugs.
Michael, how would you feel about last-riting this? Upstream is dead, it bundles a vulnerable mupdf, nothing actually depends on it, and if it really doesn't build with Java 8 (as the deps imply) then it's blocking the removal of Java 7.
The bug has been referenced in the following commit(s):
Author: James Le Cuirot <email@example.com>
AuthorDate: 2017-11-05 13:54:00 +0000
Commit: James Le Cuirot <firstname.lastname@example.org>
CommitDate: 2017-11-05 13:54:00 +0000
profiles: Mask app-text/jmupdf
Upstream dead, bundles a vulnerable mupdf, nothing depends on it, and
blocks the removal of Java 7. Removal in 30 days.
profiles/package.mask | 5 +++++
1 file changed, 5 insertions(+)}
You forgot about jtweakpdf-1.1. Given it is not in the tree yet. But there is https://bugs.gentoo.org/331981
I'm not using it regularly, but it is a nice tool to have...
(In reply to Bodo Graumann from comment #4)
> You forgot about jtweakpdf-1.1. Given it is not in the tree yet. But there
> is https://bugs.gentoo.org/331981
> I'm not using it regularly, but it is a nice tool to have...
Okay but someone who cares enough will need to do something about jmupdf. I can live with a dead upstream but the vulnerabilities are a showstopper. The Java 7 requirement may not be a problem once we get Java 9 because it can build against older releases more easily.
app-text/jmupdf has been last-rited. Sorry folks.