ESB-2018.3446 - [Win][Linux][Debian][Apple iOS][Android] mupdf: Multiple vulnerabilities 2018-11-05

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3446
                           mupdf security update
                              5 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mupdf
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Linux variants
                   Windows
                   Apple iOS
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000040 CVE-2018-1000037 CVE-2018-6192
                   CVE-2018-6187 CVE-2018-5686 CVE-2017-17866

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4334

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running mupdf check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4334-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 04, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2017-17866 CVE-2018-5686 CVE-2018-6187 CVE-2018-6192 
                 CVE-2018-1000037 CVE-2018-1000040

Multiple vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book
viewer which could result in denial of service or the execution of
arbitrary code if malformed documents are opened.
	
For the stable distribution (stretch), these problems have been fixed in
version 1.9a+ds1-4+deb9u4.

We recommend that you upgrade your mupdf packages.

For the detailed security status of mupdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mupdf

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----