Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658618 - <app-text/mupdf-1.13.0: Multiple vulnerabilities
Summary: <app-text/mupdf-1.13.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: 631970
Blocks: CVE-2017-15587 645974 CVE-2017-17858, CVE-2018-5686, CVE-2018-6187, CVE-2018-6192 CVE-2018-1000051, CVE-2018-6544
  Show dependency tree
 
Reported: 2018-06-20 23:25 UTC by GLSAMaker/CVETool Bot
Modified: 2018-11-26 18:35 UTC (History)
2 users (show)

See Also:
Package list:
app-text/mupdf-1.13.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-06-20 23:25:53 UTC
CVE-2018-1000040 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000040):
  In MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the
  PDF parser could allow an attacker to cause a denial of service (crash) or
  influence program flow via a crafted file.

CVE-2018-1000039 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000039):
  In MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF
  parser could allow an attacker to execute arbitrary code, read memory, or
  cause a denial of service via a crafted file.

CVE-2018-1000038 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000038):
  In MuPDF 1.12.0 and earlier, a stack buffer overflow in function
  pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute
  arbitrary code via a crafted file.

CVE-2018-1000037 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000037):
  In MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser
  allow an attacker to cause a denial of service (assert crash) via a crafted
  file.

CVE-2018-1000036 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000036):
  In MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow
  an attacker to cause a denial of service (memory leak) via a crafted file.
Comment 1 Larry the Git Cow gentoo-dev 2018-07-25 01:33:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=856a6ad1fd3dfe1ab67a2976edc3f5dedd694fa3

commit 856a6ad1fd3dfe1ab67a2976edc3f5dedd694fa3
Author:     Jouni Kosonen <jouni.kosonen@tukesoft.com>
AuthorDate: 2018-06-27 07:03:42 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-25 01:31:14 +0000

    app-text/mupdf: version bump to 1.13.0
    
    Bug: https://bugs.gentoo.org/646010
    Bug: https://bugs.gentoo.org/651828
    Bug: https://bugs.gentoo.org/658618

 app-text/mupdf/Manifest                            |   1 +
 .../mupdf/files/mupdf-1.13-openssl-curl-x11.patch  |  39 +++++
 app-text/mupdf/mupdf-1.13.0.ebuild                 | 166 +++++++++++++++++++++
 3 files changed, 206 insertions(+)
Comment 2 Virgil Dupras gentoo-dev 2018-07-25 01:51:05 UTC
app-text/mupdf-1.13.0 has just been pushed to the tree.

alpha, amd64, arm, ia64, x86, sparc, please stabilize:

app-text/mupdf-1.13.0

Thanks.
Comment 3 Agostino Sarubbo gentoo-dev 2018-07-25 08:25:16 UTC
amd64 stable
Comment 4 Larry the Git Cow gentoo-dev 2018-07-27 06:35:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1b0bc97b3f16d5d1799ff4d9ab2479fa89ef02c

commit f1b0bc97b3f16d5d1799ff4d9ab2479fa89ef02c
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-27 06:34:42 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-27 06:35:06 +0000

    app-text/mupdf: stable 1.13.0 for ia64, bug #658618
    
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.43, Repoman-2.3.10
    RepoMan-Options: --include-arches="ia64"

 app-text/mupdf/mupdf-1.13.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-07-28 13:45:35 UTC
x86 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-07-31 00:00:47 UTC
arm stable
Comment 7 Virgil Dupras gentoo-dev 2018-08-11 23:26:02 UTC
alpha, sparc, status? This bug has a security rating of "B2", which means that our target delay is 10 days, which is long passed, even if we only count stabilization time.

Without stabilization soon, I'll be forced to drop old versions even if it means dropping stable for alpha and sparc.
Comment 8 Virgil Dupras gentoo-dev 2018-08-13 15:03:08 UTC
I forgot to CC ppc and ppc64 in my stabilization request. Adding them now.
Comment 9 Virgil Dupras gentoo-dev 2018-08-13 15:09:04 UTC
Apparently blocked on sparc because of bug 631970. Unless we can fix this quickly, we will have to un-stabilize mupdf and revdeps on sparc so that we can cleanup vulnerable versions.
Comment 10 Larry the Git Cow gentoo-dev 2018-08-18 18:07:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=279967b75abd12869ea529f6bd860829bb59f329

commit 279967b75abd12869ea529f6bd860829bb59f329
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 18:07:01 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 18:07:01 +0000

    app-text/zathura-pdf-mupdf: remove old and vulnerable
    
    depends on vulnerable version of mupdf.
    
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/zathura-pdf-mupdf/Manifest                |  1 -
 .../zathura-pdf-mupdf-0.3.1.ebuild                 | 54 ----------------------
 2 files changed, 55 deletions(-)
Comment 11 Larry the Git Cow gentoo-dev 2018-08-18 18:16:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cebe033037940c160c42dd00fb574b7a1ba9c9a5

commit cebe033037940c160c42dd00fb574b7a1ba9c9a5
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 18:15:53 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 18:15:53 +0000

    app-text/llpp: remove old and vulnerable
    
    Was forced to drop ppc stable keyword due to slow stabilization.
    
    Bug: https://bugs.gentoo.org/645974
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/llpp/Manifest        |  1 -
 app-text/llpp/llpp-26b.ebuild | 87 -------------------------------------------
 2 files changed, 88 deletions(-)
Comment 12 Larry the Git Cow gentoo-dev 2018-08-18 21:01:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f5d484ee208b2c918e0778c6d259bd97ee77475

commit 0f5d484ee208b2c918e0778c6d259bd97ee77475
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 20:57:03 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 20:59:59 +0000

    app-text/mupdf: drop old and vulnerable
    
    We have to drop alpha, ppc, ppc64 and sparc due to slow stabilization.
    We've already missed our target delay for resolving the security bug by
    a lot.
    
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/mupdf/Manifest                            |   2 -
 app-text/mupdf/files/mupdf-1.11-CFLAGS.patch       |  10 --
 .../mupdf/files/mupdf-1.11-CVE-2017-6060.patch     |  15 --
 .../files/mupdf-1.11-openssl-curl-x11-r1.patch     |  37 -----
 .../mupdf/files/mupdf-1.11-openssl-curl-x11.patch  |  37 -----
 app-text/mupdf/files/mupdf-1.11-system-glfw.patch  |  11 --
 app-text/mupdf/mupdf-1.11-r1.ebuild                | 152 -------------------
 app-text/mupdf/mupdf-1.11-r2.ebuild                | 152 -------------------
 app-text/mupdf/mupdf-1.12.0-r2.ebuild              | 166 ---------------------
 app-text/mupdf/mupdf-1.12.0.ebuild                 | 160 --------------------
 10 files changed, 742 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e79b4ee9ebed12640653fe7483ab723117e9aef

commit 3e79b4ee9ebed12640653fe7483ab723117e9aef
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 20:45:11 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 20:59:59 +0000

    profiles: mask pdf stable flag on 4 arches for net-print/cups-filters
    
    Mark pdf USE flag on alpha, ppc, ppc64 and spark which didn't stabilize
    fast enough in bug 658618.
    
    Vulnerable versions of app-text/mupdf are being deleted now, before
    stabilization could occur.
    
    Bug: https://bugs.gentoo.org/658618

 profiles/arch/alpha/package.use.stable.mask   | 4 ++++
 profiles/arch/powerpc/package.use.stable.mask | 4 ++++
 profiles/arch/sparc/package.use.stable.mask   | 4 ++++
 3 files changed, 12 insertions(+)
Comment 13 Virgil Dupras gentoo-dev 2018-08-18 21:06:21 UTC
Cleanup is over. I had to drop stable for alpha, ppc, ppc64 and sparc so that we can, 2 months later, close a security bug of a "B2" category that has a target delay of 10 days.
Comment 14 Larry the Git Cow gentoo-dev 2018-10-07 19:41:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9b740ffc467f21ad543a5e96a608ba4e040b93f

commit f9b740ffc467f21ad543a5e96a608ba4e040b93f
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-07 19:38:37 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-07 19:40:29 +0000

    profiles: remove obsolete app-text/mupdf masks
    
    Closes: https://bugs.gentoo.org/626732
    Bug: https://bugs.gentoo.org/658618
    
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 profiles/arch/alpha/package.use.mask          | 4 ----
 profiles/arch/arm/package.use.mask            | 4 ----
 profiles/arch/ia64/package.use.mask           | 4 ----
 profiles/arch/powerpc/package.use.mask        | 4 ----
 profiles/arch/powerpc/package.use.stable.mask | 4 ----
 profiles/arch/powerpc/ppc32/package.use.mask  | 4 ----
 profiles/arch/powerpc/ppc64/package.use.mask  | 4 ----
 profiles/arch/sparc/package.use.mask          | 4 ----
 8 files changed, 32 deletions(-)
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-24 21:56:30 UTC
GLSA filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-11-26 18:35:17 UTC
This issue was resolved and addressed in
 GLSA 201811-15 at https://security.gentoo.org/glsa/201811-15
by GLSA coordinator Aaron Bauman (b-man).