From ${URL} : there is a heap overflow in fz_subsample_pixmap. The bug was discovered by Kamil Frankowicz, who says he tested it against the current git head. The same testcase does not crash the current stable 1.10a, but I can confirm (with a round of fuzzing on 1.10a) that stable is affected. No fix atm. Details: https://bugs.ghostscript.com/show_bug.cgi?id=697515 Reproducer for 1.10a: https://github.com/asarubbo/poc/blob/master/00148-mupdf-heapoverflow-fz_subsample_pixmap @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
commit 54f3dbbee64dfa9de3193a16daa5ff254d4963b2 Author: Michael Weber <xmw@gentoo.org> Date: Thu Feb 9 22:10:20 2017 +0100 app-text/mupdf: Revbump to fix null pointer dereference (bug 608702) and heap overflow (bug 608712). Package-Manager: Portage-2.3.3, Repoman-2.3.1
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ppc64 stable
arm stable. Maintainer(s), please clean up. Security, please vote.
commit f7f45315f7279b0a380dcb6728d5ffb033bd2c4e Author: Michael Weber <xmw@gentoo.org> Date: Mon Feb 13 18:04:53 2017 +0100 app-text/mupdf: Remove old version (bug 608712, bug 608702). Package-Manager: Portage-2.3.3, Repoman-2.3.1 app-text/mupdf/mupdf-1.10a.ebuild
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201702-12 at https://security.gentoo.org/glsa/201702-12 by GLSA coordinator Thomas Deutschmann (whissi).