Bug 600674 - <app-text/mupdf-1.10a: multiple vulnerabilities
Summary: <app-text/mupdf-1.10a: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-24 15:46 UTC by Agostino Sarubbo
Modified: 2017-02-05 22:42 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-11-24 15:46:19 UTC
mupdf 1.10 is out. It fixes some crashes I reported plus bug 589826.

Please bump.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 01:57:39 UTC
(In reply to Agostino Sarubbo from comment #0)
> mupdf 1.10 is out. It fixes some crashes I reported plus bug 589826.
> 
> Please bump.

So what is the point of this bug?  All of the vulnerabilities have opened bugs already. If not, please note the appropriate vulnerabilities within the bug as you usually do.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-11-29 23:50:05 UTC
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Aaron Bauman from comment #1)
> > So what is the point of this bug?  All of the vulnerabilities have opened
> > bugs already. If not, please note the appropriate vulnerabilities within the
> > bug as you usually do.
> 
> https://blogs.gentoo.org/ago/2016/09/22/mupdf-mutool-infinite-loop-in-gatherresourceinfo-pdfinfo-c/
> https://blogs.gentoo.org/ago/2016/09/22/mupdf-use-after-free-in-pdf_to_num-pdf-object-c/
> https://blogs.gentoo.org/ago/2016/09/24/mupdf-mujstest-global-buffer-overflow-in-my_getline-jstest_main-c/
> https://blogs.gentoo.org/ago/2016/09/24/mupdf-mujstest-global-buffer-overflow-in-main-jstest_main-c/
> https://blogs.gentoo.org/ago/2016/09/25/mupdf-mujstest-strcpy-param-overlap-in-main-jstest_main-c/
> 
> The latest about mujstest still needs a cve assignment.

Ok, so the patches are present in 1.10 and just awaiting CVE assignment?
Comment 4 charles17 2016-11-30 09:22:46 UTC
(In reply to Aaron Bauman from comment #3)
> [...]
> Ok, so the patches are present in 1.10 and just awaiting CVE assignment?

<http://mupdf.com/news>: MuPDF 1.10a (2016-11-28)
Comment 5 charles17 2016-12-19 13:05:24 UTC
See https://github.com/gentoo/gentoo/pull/3108/
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-01-23 00:32:31 UTC
1.10a is in tree now.

commit 290927105365ff1f2374f383d7135ecf17f41cb1
Author: Michael Weber <xmw@gentoo.org>
Date:   Mon Jan 23 01:31:02 2017 +0100

    app-text/mupdf: Version bump (https://github.com/gentoo/gentoo/pull/3108, thanks charIes17).
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-23 12:41:55 UTC
Stabilization in progress in bug 589826
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-02-05 17:26:46 UTC
commit 2af6b2174d988ef90e8178a6c13839d33af70f35
Author: Michael Weber <xmw@gentoo.org>
Date:   Sun Feb 5 18:24:55 2017 +0100

    app-text/mupdf: Remove old versions (bug 600674, 590480, 589826).
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-02-05 22:42:06 UTC
Tree is clean.

GLSA Vote: No