631846 – (CVE-2017-14686) app-text/mupdf: execute arbitrary code in read_zip_dir_imp in fitz/unzip.c

Bug 631846 (CVE-2017-14686) - app-text/mupdf: execute arbitrary code in read_zip_dir_imp in fitz/unzip.c

Summary: app-text/mupdf: execute arbitrary code in read_zip_dir_imp in fitz/unzip.c

Status:	RESOLVED INVALID

Alias:	CVE-2017-14686

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	CVE-2017-14685
	Show dependency tree

Reported:	2017-09-23 15:43 UTC by Aleksandr Wagner (Kivak)
Modified:	2017-09-23 15:45 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aleksandr Wagner (Kivak) 2017-09-23 15:43:32 UTC

CVE-2017-14686 (https://nvd.nist.gov/vuln/detail/CVE-2017-14686):

Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a "User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d" on Windows. This occurs because read_zip_dir_imp in fitz/unzip.c does not check whether size fields in a ZIP entry are negative numbers.

References:

http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
https://bugs.ghostscript.com/show_bug.cgi?id=698540
https://github.com/wlinzi/security_advisories/tree/master/CVE-2017-14686

Comment 1 Aleksandr Wagner (Kivak) 2017-09-23 15:45:02 UTC

My mistake, this vulnerability is Windows only.