Bug 498876 (CVE-2014-2013) - <app-text/mupdf-1.3_p20140118 - buffer overflow with remote code execution for malicious XPS files (CVE-2014-2013)
Status: RESOLVED FIXED
Alias: CVE-2014-2013
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://git.ghostscript.com/?p=mupdf.g...
Whiteboard: B2 [glsa]
Depends on: 472532
Reported: 2014-01-22 03:26 UTC by Hank Leininger
Modified: 2014-12-26 18:39 UTC (History)
Description Hank Leininger 2014-01-22 03:26:27 UTC
A fix for a buffer overflow when opening maliciously crafted XPS files was recently checked into mupdf's git repository.

Vulnerability disclosure with PoC:
http://marc.info/?l=full-disclosure&m=139029499413292&w=2

Fix checked in:
http://git.ghostscript.com/?p=mupdf.git;a=commit;h=60dabde18d7fe12b19da8b509bdfee9cc886aafc

The bug is apparently exploitable and allows executing arbitrary code on Windows. I do not know if it is exploitable on Linux, so I am treating it as if it is.

Folks in Freenode #ghostscript say that a new release of mupdf that includes the fix is not imminent; next release is likely to be March-April.  Also, the project is actively working on bug cleanups, so within a few weeks there may be additional desirable fixes committed.

So, I suggest we bump to a newer git snapshot as was done for mupdf-1.3_pre20130704 and mupdf-1.3_p20130828.  I rolled a simple mupdf-1.3_p20140121.ebuild using commit 01f0a0db15faf4bffaa2556ced74868572dac7f5 (because it does include several more fixes past this one in particular) and it builds and runs fine so far.

Reproducible: Always
Comment 1 Michael Weber (RETIRED) gentoo-dev 2014-01-22 07:16:37 UTC
+*mupdf-1.3_p20140118 (22 Jan 2014)
+
+  22 Jan 2014; Michael Weber <xmw@gentoo.org> +mupdf-1.3_p20140118.ebuild,
+  mupdf-9999.ebuild:
+  Include buffer overflow fix (bug 498876, thanks  Hank Leininger), include
+  mupdf-select-file for .desktop file (bug 482920, thanks Andreas Proteus).
+
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-22 14:10:31 UTC
Ready to stable?
Comment 3 Michael Weber (RETIRED) gentoo-dev 2014-01-22 23:55:54 UTC
(In reply to Chris Reffett from comment #2)
> Ready to stable?
I haven't experienced any oddities; stabilization should be possible (the current one is bug 472532). I'd say yes.
Comment 4 Michael Weber (RETIRED) gentoo-dev 2014-01-23 06:48:31 UTC
+  23 Jan 2014; Michael Weber <xmw@gentoo.org> -mupdf-1.0.ebuild,
+  -mupdf-1.1.ebuild, -mupdf-1.3.ebuild, -mupdf-1.3_p20130828.ebuild,
+  -mupdf-1.3_pre20130704.ebuild:
+  Drop old stable and unstable versions for security issues (bug 498876)

+  23 Jan 2014; Michael Weber <xmw@gentoo.org> -llpp-12.ebuild, -llpp-16.ebuild,
+  -llpp-16_p20130828.ebuild:
+  Drop old stable and unstable versions for security issues (bug 498876)
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-05-31 19:06:14 UTC
CVE-2014-2013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2013):
  Stack-based buffer overflow in the xps_parse_color function in
  xps/xps-common.c in MuPDF 1.3 and earlier allows remote attackers to execute
  arbitrary code via a large number of entries in the ContextColor value of
  the Fill attribute in a Path element.
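The NVD text above gives the shape of the bug: the comma-separated components of a ContextColor Fill value are stored into a fixed-size stack array with no bound on how many the attacker supplies. The following is an added C example, not mupdf's code and not the upstream fix. It models that shape with an assumed MAX_COLORS cap, a `ContextColor <profile-uri> c1,c2,...` grammar simplified from the XPS format, hypothetical function names, and constructed input built by make_context_color(). The unsafe variant stores each entry at samples[n] unconditionally; the hardened variant carries the buffer's capacity and rejects the value before the store that would overflow.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on colour components, standing in for the fixed-size
 * sample array the CVE text describes; not mupdf's own constant. */
#define MAX_COLORS 8

static const char *skip_ws(const char *p)
{
    while (isspace((unsigned char)*p)) p++;
    return p;
}

/* Find the component list in "ContextColor <profile-uri> c1,c2,...".
 * Returns NULL if the value is not a ContextColor or has no components. */
static const char *skip_to_components(const char *p)
{
    static const char kw[] = "ContextColor";
    if (strncmp(p, kw, sizeof kw - 1) != 0) return NULL;
    p += sizeof kw - 1;
    if (!isspace((unsigned char)*p)) return NULL;
    p = skip_ws(p);
    if (*p == '\0') return NULL;
    while (*p && !isspace((unsigned char)*p)) p++;   /* profile URI token */
    p = skip_ws(p);
    return *p ? p : NULL;
}

/* Shared comma-list walker. With max_samples < 0 it behaves like the
 * vulnerable code: every entry is stored at samples[n] with no check
 * against the buffer's capacity. With max_samples >= 0 it is the
 * hardened form and rejects the value before the store that would
 * run past the end of the buffer. */
static int parse_components(const char *p, float *samples, int max_samples)
{
    int n = 0;
    while (*p) {
        char *end;
        if (max_samples >= 0 && n >= max_samples) return -1;  /* the bound check */
        samples[n] = (float)strtod(p, &end);
        if (end == p) return -1;            /* not a number */
        n++;
        p = skip_ws(end);
        if (*p == ',') p = skip_ws(p + 1);
        else if (*p != '\0') return -1;     /* junk after a component */
    }
    return n;
}

/* Vulnerable shape (kept for contrast only; never give it untrusted input):
 * samples[] is assumed large enough, so more than MAX_COLORS entries
 * overwrite whatever follows the caller's stack buffer. */
int parse_context_color_unsafe(const char *value, float *samples)
{
    const char *p = skip_to_components(value);
    return p ? parse_components(p, samples, -1) : -1;
}

/* Hardened form: the capacity travels with the buffer. */
int parse_context_color_safe(const char *value, float *samples, int max_samples)
{
    const char *p = skip_to_components(value);
    return (p && max_samples > 0) ? parse_components(p, samples, max_samples) : -1;
}

/* Constructed input: a Fill value with `entries` components, the shape
 * of the malicious attribute the CVE text describes. Caller frees. */
char *make_context_color(int entries)
{
    static const char head[] = "ContextColor /Resources/profile.icc ";
    char *s = malloc(sizeof head + (size_t)entries * 4), *q;
    if (!s) return NULL;
    memcpy(s, head, sizeof head - 1);
    q = s + sizeof head - 1;
    for (int i = 0; i < entries; i++) {
        memcpy(q, "1.0", 3);
        q += 3;
        if (i + 1 < entries) *q++ = ',';
    }
    *q = '\0';
    return s;
}

/* Parse one value into a MAX_COLORS stack buffer through the hardened
 * parser: the component count on success, -1 when the value is rejected. */
int demo_parse(const char *value)
{
    float samples[MAX_COLORS];
    return parse_context_color_safe(value, samples, MAX_COLORS);
}

/* Same, for a constructed value with `entries` components. */
int demo_safe_parse(int entries)
{
    char *s = make_context_color(entries);
    int n = s ? demo_parse(s) : -1;
    free(s);
    return n;
}

int main(void)
{
    const int sizes[] = { 4, MAX_COLORS, MAX_COLORS + 1, 1000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%4d entries -> %d\n", sizes[i], demo_safe_parse(sizes[i]));
    return 0;
}
```

The point to check when reviewing a fix of this kind is that the comparison happens before the store, and that the attacker-controlled count is compared against the real capacity of the buffer being written rather than against some separately maintained counter.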
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 18:39:21 UTC
This issue was resolved and addressed in
 GLSA 201412-43 at http://security.gentoo.org/glsa/glsa-201412-43.xml
by GLSA coordinator Yury German (BlueKnight).