From ${URL} : The count_entries function in pdf-layer.c in Artifex Software, Inc. MuPDF allows attackers to cause a denial of service (stack consumption and application crash) via a crafted PDF document. Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=697400 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Let's wait for some reaction from upstream. 1.11-rc1 was tagged a week ago.
The version bump includes the upstream patch mentioned on upstream's bug tracker.

commit 7e51c0aae90d1611ff7674963a0e3989e6124e5d
Author: Michael Weber <xmw@gentoo.org>
Date: Fri Apr 28 11:33:04 2017 +0200

    app-text/mupdf: Version bump (bug 616652), make mupdf-gl default if available (bug 616654), thanks Massimo Burcheri.

    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 app-text/mupdf/Manifest
 app-text/mupdf/files/mupdf-1.11-CFLAGS.patch
 app-text/mupdf/files/mupdf-1.11-openssl-curl-x11.patch
 app-text/mupdf/files/mupdf-1.11-system-glfw.patch
 app-text/mupdf/mupdf-1.11.ebuild
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Let's figure out bug 616826, first.
With the dependency closed are we ready for stabilization?
(In reply to Yury German from comment #5)
> With the dependency closed are we ready for stabilization?

Yes, please!
An automated check of this bug failed - repoman reported dependency errors (43 lines truncated):

> dependency.bad app-text/mupdf/mupdf-1.11.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=media-libs/glfw-3.2']
> dependency.bad app-text/mupdf/mupdf-1.11.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=media-libs/glfw-3.2']
> dependency.bad app-text/mupdf/mupdf-1.11.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=media-libs/glfw-3.2']
Stable for HPPA.
An automated check of this bug succeeded - the previous repoman errors are now resolved.
amd64 stable
x86 stable
New stabilization request in 614044, remove remaining arches.
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 201706-08 at https://security.gentoo.org/glsa/201706-08 by GLSA coordinator Thomas Deutschmann (whissi).