Bug 658618 - <app-text/mupdf-1.13.0: Multiple vulnerabilities
Summary: <app-text/mupdf-1.13.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: 631970
Blocks: CVE-2017-15587 645974 CVE-2017-17858, CVE-2018-5686, CVE-2018-6187, CVE-2018-6192 CVE-2018-1000051, CVE-2018-6544
Reported: 2018-06-20 23:25 UTC by GLSAMaker/CVETool Bot
Modified: 2018-11-26 18:35 UTC

See Also:
Package list:
app-text/mupdf-1.13.0
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-06-20 23:25:53 UTC
CVE-2018-1000040 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000040):
  In MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the
  PDF parser could allow an attacker to cause a denial of service (crash) or
  influence program flow via a crafted file.

CVE-2018-1000039 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000039):
  In MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF
  parser could allow an attacker to execute arbitrary code, read memory, or
  cause a denial of service via a crafted file.

CVE-2018-1000038 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000038):
  In MuPDF 1.12.0 and earlier, a stack buffer overflow in function
  pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute
  arbitrary code via a crafted file.

CVE-2018-1000037 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000037):
  In MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser
  allow an attacker to cause a denial of service (assert crash) via a crafted
  file.

CVE-2018-1000036 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000036):
  In MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow
  an attacker to cause a denial of service (memory leak) via a crafted file.
Comment 1 Larry the Git Cow gentoo-dev 2018-07-25 01:33:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=856a6ad1fd3dfe1ab67a2976edc3f5dedd694fa3

commit 856a6ad1fd3dfe1ab67a2976edc3f5dedd694fa3
Author:     Jouni Kosonen <jouni.kosonen@tukesoft.com>
AuthorDate: 2018-06-27 07:03:42 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-25 01:31:14 +0000

    app-text/mupdf: version bump to 1.13.0
    
    Bug: https://bugs.gentoo.org/646010
    Bug: https://bugs.gentoo.org/651828
    Bug: https://bugs.gentoo.org/658618

 app-text/mupdf/Manifest                            |   1 +
 .../mupdf/files/mupdf-1.13-openssl-curl-x11.patch  |  39 +++++
 app-text/mupdf/mupdf-1.13.0.ebuild                 | 166 +++++++++++++++++++++
 3 files changed, 206 insertions(+)
Comment 2 Virgil Dupras (RETIRED) gentoo-dev 2018-07-25 01:51:05 UTC
app-text/mupdf-1.13.0 has just been pushed to the tree.

alpha, amd64, arm, ia64, x86, sparc, please stabilize:

app-text/mupdf-1.13.0

Thanks.
Comment 3 Agostino Sarubbo gentoo-dev 2018-07-25 08:25:16 UTC
amd64 stable
Comment 4 Larry the Git Cow gentoo-dev 2018-07-27 06:35:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1b0bc97b3f16d5d1799ff4d9ab2479fa89ef02c

commit f1b0bc97b3f16d5d1799ff4d9ab2479fa89ef02c
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-07-27 06:34:42 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-27 06:35:06 +0000

    app-text/mupdf: stable 1.13.0 for ia64, bug #658618
    
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.43, Repoman-2.3.10
    RepoMan-Options: --include-arches="ia64"

 app-text/mupdf/mupdf-1.13.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-28 13:45:35 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-31 00:00:47 UTC
arm stable
Comment 7 Virgil Dupras (RETIRED) gentoo-dev 2018-08-11 23:26:02 UTC
alpha, sparc, status? This bug has a security rating of "B2", which means that our target delay is 10 days, which is long past, even if we only count stabilization time.

Without stabilization soon, I'll be forced to drop old versions even if it means dropping stable for alpha and sparc.
Comment 8 Virgil Dupras (RETIRED) gentoo-dev 2018-08-13 15:03:08 UTC
I forgot to CC ppc and ppc64 in my stabilization request. Adding them now.
Comment 9 Virgil Dupras (RETIRED) gentoo-dev 2018-08-13 15:09:04 UTC
Apparently blocked on sparc because of bug 631970. Unless we can fix this quickly, we will have to un-stabilize mupdf and revdeps on sparc so that we can clean up vulnerable versions.
Comment 10 Larry the Git Cow gentoo-dev 2018-08-18 18:07:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=279967b75abd12869ea529f6bd860829bb59f329

commit 279967b75abd12869ea529f6bd860829bb59f329
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 18:07:01 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 18:07:01 +0000

    app-text/zathura-pdf-mupdf: remove old and vulnerable
    
    depends on vulnerable version of mupdf.
    
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/zathura-pdf-mupdf/Manifest                |  1 -
 .../zathura-pdf-mupdf-0.3.1.ebuild                 | 54 ----------------------
 2 files changed, 55 deletions(-)
Comment 11 Larry the Git Cow gentoo-dev 2018-08-18 18:16:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cebe033037940c160c42dd00fb574b7a1ba9c9a5

commit cebe033037940c160c42dd00fb574b7a1ba9c9a5
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 18:15:53 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 18:15:53 +0000

    app-text/llpp: remove old and vulnerable
    
    Was forced to drop ppc stable keyword due to slow stabilization.
    
    Bug: https://bugs.gentoo.org/645974
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/llpp/Manifest        |  1 -
 app-text/llpp/llpp-26b.ebuild | 87 -------------------------------------------
 2 files changed, 88 deletions(-)
Comment 12 Larry the Git Cow gentoo-dev 2018-08-18 21:01:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f5d484ee208b2c918e0778c6d259bd97ee77475

commit 0f5d484ee208b2c918e0778c6d259bd97ee77475
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 20:57:03 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 20:59:59 +0000

    app-text/mupdf: drop old and vulnerable
    
    We have to drop alpha, ppc, ppc64 and sparc due to slow stabilization.
    We've already missed our target delay for resolving the security bug by
    a lot.
    
    Bug: https://bugs.gentoo.org/658618
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 app-text/mupdf/Manifest                            |   2 -
 app-text/mupdf/files/mupdf-1.11-CFLAGS.patch       |  10 --
 .../mupdf/files/mupdf-1.11-CVE-2017-6060.patch     |  15 --
 .../files/mupdf-1.11-openssl-curl-x11-r1.patch     |  37 -----
 .../mupdf/files/mupdf-1.11-openssl-curl-x11.patch  |  37 -----
 app-text/mupdf/files/mupdf-1.11-system-glfw.patch  |  11 --
 app-text/mupdf/mupdf-1.11-r1.ebuild                | 152 -------------------
 app-text/mupdf/mupdf-1.11-r2.ebuild                | 152 -------------------
 app-text/mupdf/mupdf-1.12.0-r2.ebuild              | 166 ---------------------
 app-text/mupdf/mupdf-1.12.0.ebuild                 | 160 --------------------
 10 files changed, 742 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e79b4ee9ebed12640653fe7483ab723117e9aef

commit 3e79b4ee9ebed12640653fe7483ab723117e9aef
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-18 20:45:11 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-18 20:59:59 +0000

    profiles: mask pdf stable flag on 4 arches for net-print/cups-filters
    
    Mark pdf USE flag on alpha, ppc, ppc64 and sparc which didn't stabilize
    fast enough in bug 658618.
    
    Vulnerable versions of app-text/mupdf are being deleted now, before
    stabilization could occur.
    
    Bug: https://bugs.gentoo.org/658618

 profiles/arch/alpha/package.use.stable.mask   | 4 ++++
 profiles/arch/powerpc/package.use.stable.mask | 4 ++++
 profiles/arch/sparc/package.use.stable.mask   | 4 ++++
 3 files changed, 12 insertions(+)
Comment 13 Virgil Dupras (RETIRED) gentoo-dev 2018-08-18 21:06:21 UTC
Cleanup is over. I had to drop stable for alpha, ppc, ppc64 and sparc so that we can, 2 months later, close a security bug of a "B2" category that has a target delay of 10 days.
Comment 14 Larry the Git Cow gentoo-dev 2018-10-07 19:41:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9b740ffc467f21ad543a5e96a608ba4e040b93f

commit f9b740ffc467f21ad543a5e96a608ba4e040b93f
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-07 19:38:37 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-07 19:40:29 +0000

    profiles: remove obsolete app-text/mupdf masks
    
    Closes: https://bugs.gentoo.org/626732
    Bug: https://bugs.gentoo.org/658618
    
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 profiles/arch/alpha/package.use.mask          | 4 ----
 profiles/arch/arm/package.use.mask            | 4 ----
 profiles/arch/ia64/package.use.mask           | 4 ----
 profiles/arch/powerpc/package.use.mask        | 4 ----
 profiles/arch/powerpc/package.use.stable.mask | 4 ----
 profiles/arch/powerpc/ppc32/package.use.mask  | 4 ----
 profiles/arch/powerpc/ppc64/package.use.mask  | 4 ----
 profiles/arch/sparc/package.use.mask          | 4 ----
 8 files changed, 32 deletions(-)
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-11-24 21:56:30 UTC
GLSA filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-11-26 18:35:17 UTC
This issue was resolved and addressed in
 GLSA 201811-15 at https://security.gentoo.org/glsa/201811-15
by GLSA coordinator Aaron Bauman (b-man).