A fix for a buffer overflow when opening maliciously crafted XPS files was recently checked into mupdf's git repository.

Vulnerability disclosure with PoC: http://marc.info/?l=full-disclosure&m=139029499413292&w=2
Fix checked in: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=60dabde18d7fe12b19da8b509bdfee9cc886aafc

The bug is apparently exploitable and allows executing arbitrary code on Windows. I do not know if it is exploitable on Linux, so I am treating it as if it is.

Folks in Freenode #ghostscript say that a new release of mupdf that includes the fix is not imminent; the next release is likely to be March-April. Also, the project is actively working on bug cleanups, so within a few weeks there may be additional desirable fixes committed.

So, I suggest we bump to a newer git snapshot as was done for mupdf-1.3_pre20130704 and mupdf-1.3_p20130828. I rolled a simple mupdf-1.3_p20140121.ebuild using commit 01f0a0db15faf4bffaa2556ced74868572dac7f5 (because it includes several more fixes past this one in particular) and it builds and runs fine so far.

Reproducible: Always
+*mupdf-1.3_p20140118 (22 Jan 2014) + + 22 Jan 2014; Michael Weber <xmw@gentoo.org> +mupdf-1.3_p20140118.ebuild, + mupdf-9999.ebuild: + Include buffer overflow fix (bug 498876, thanks Hank Leininger), include + mupdf-select-file for .desktop file (bug 482920, thanks Andreas Proteus). +
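Review bot: The entry names the snapshot as mupdf-1.3_p20140118 but not the upstream commit it was cut from, so a reader cannot confirm from the ChangeLog alone that it contains fix commit 60dabde18d7fe12b19da8b509bdfee9cc886aafc; the report above proposes a 20140121 snapshot at 01f0a0db15faf4bffaa2556ced74868572dac7f5 precisely because it carries later fixes. Consider stating the hash in the entry, e.g. `Include buffer overflow fix (upstream commit 60dabde18d7fe12b19da8b509bdfee9cc886aafc, bug 498876, thanks Hank Leininger)`.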
Ready to stable?
(In reply to Chris Reffett from comment #2)
> Ready to stable?

I haven't experienced any oddities; stabilization should be possible. The current one is bug 472532. I'd say yes.
+ 23 Jan 2014; Michael Weber <xmw@gentoo.org> -mupdf-1.0.ebuild, + -mupdf-1.1.ebuild, -mupdf-1.3.ebuild, -mupdf-1.3_p20130828.ebuild, + -mupdf-1.3_pre20130704.ebuild: + Drop old stable and unstable versions for security issues (bug 498876) + 23 Jan 2014; Michael Weber <xmw@gentoo.org> -llpp-12.ebuild, -llpp-16.ebuild, + -llpp-16_p20130828.ebuild: + Drop old stable and unstable versions for security issues (bug 498876)
CVE-2014-2013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2013): Stack-based buffer overflow in the xps_parse_color function in xps/xps-common.c in MuPDF 1.3 and earlier allows remote attackers to execute arbitrary code via a large number of entries in the ContextColor value of the Fill attribute in a Path element.
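The CVE text describes the defect class: a colour parser that copies every entry of a ContextColor value into a fixed-size stack array without bounding the count. The following is an added illustration written for this page, not MuPDF's xps_parse_color or any other code from the project; the value layout (`ContextColor <profile-uri> v0,v1,...`), the channel limit `MAX_CHANNELS`, and the function names are assumptions. It shows the shape of the missing check: the count is tested before each write, and over-long input is rejected instead of spilling past the array.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration (not MuPDF's code). An XPS ContextColor value is
 * assumed here to be "ContextColor <profile-uri> v0,v1,v2,...": a profile
 * reference followed by comma-separated numeric channel entries. Writing an
 * unbounded number of entries into a fixed stack buffer is the bug class that
 * CVE-2014-2013 describes; this parser bounds the count instead. */

#define MAX_CHANNELS 8   /* assumed upper bound on entries we will store */

typedef struct {
    int   count;
    float channels[MAX_CHANNELS];
} parsed_color;

/* Returns 0 on success, -1 on malformed input or on more than MAX_CHANNELS
 * entries. On failure the contents of *out are unspecified. */
int parse_context_color(const char *value, parsed_color *out)
{
    const char *prefix = "ContextColor ";
    size_t plen = strlen(prefix);
    const char *p, *space;

    if (strncmp(value, prefix, plen) != 0)
        return -1;                        /* not a ContextColor value */
    p = value + plen;

    /* Skip the profile URI: everything up to the next space. */
    space = strchr(p, ' ');
    if (space == NULL)
        return -1;
    p = space + 1;

    out->count = 0;
    while (*p != '\0') {
        char *end;
        float v;

        errno = 0;
        v = strtof(p, &end);
        if (end == p || errno == ERANGE)
            return -1;                    /* entry is not a number */

        /* The bound check: refuse further entries once the array is full,
         * rather than continuing to write past channels[MAX_CHANNELS - 1]. */
        if (out->count >= MAX_CHANNELS)
            return -1;
        out->channels[out->count++] = v;

        p = end;
        if (*p == ',')
            p++;                          /* separator before the next entry */
        else if (*p != '\0')
            return -1;                    /* junk after a number */
    }
    return out->count > 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed value and one with more
     * entries than the array holds. */
    const char *ok  = "ContextColor /Resources/sRGB.icc 1.0,0.5,0.25,0.125";
    const char *bad = "ContextColor /p.icc 1,1,1,1,1,1,1,1,1";
    parsed_color c;

    if (parse_context_color(ok, &c) == 0)
        printf("accepted %d entries\n", c.count);
    if (parse_context_color(bad, &c) != 0)
        printf("rejected over-long value\n");
    return 0;
}
```

The only thing separating this from the vulnerable pattern is the `out->count >= MAX_CHANNELS` test before the store; a parser that trusts the entry count from the document has no such line. Rejecting the value outright is the simplest safe policy; silently truncating would also avoid the overflow but hides malformed input.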
This issue was resolved and addressed in GLSA 201412-43 at http://security.gentoo.org/glsa/glsa-201412-43.xml by GLSA coordinator Yury German (BlueKnight).