-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3203
                           mupdf security update
                             24 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mupdf
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote with User Interaction
                   Reduced Security  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-19609 CVE-2018-1000036 CVE-2018-10289
                   CVE-2017-6060 CVE-2016-10247 CVE-2016-10246

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2021/09/msg00013.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running mupdf check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2765-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
September 23, 2021                            https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : mupdf
Version        : 1.14.0+ds1-4+deb9u1
CVE ID         : CVE-2016-10246 CVE-2016-10247 CVE-2017-6060 CVE-2018-10289
                 CVE-2018-1000036 CVE-2020-19609

Multiple issues have been discovered in mupdf.

CVE-2016-10246

    Buffer overflow in the main function in jstest_main.c allows remote
    attackers to cause a denial of service (out-of-bounds write) via a
    crafted file.

CVE-2016-10247

    Buffer overflow in the my_getline function in jstest_main.c allows
    remote attackers to cause a denial of service (out-of-bounds write)
    via a crafted file.

CVE-2017-6060

    Stack-based buffer overflow in jstest_main.c allows remote attackers
    to have unspecified impact via a crafted image.

CVE-2018-10289

    An infinite loop in the fz_skip_space function of the pdf/pdf-xref.c
    file. A remote adversary could leverage this vulnerability to cause a
    denial of service via a crafted pdf file.

CVE-2018-1000036

    Multiple memory leaks in the PDF parser allow an attacker to cause a
    denial of service (memory leak) via a crafted file.

CVE-2020-19609

    A heap-based buffer over-write in the tiff_expand_colormap() function
    when parsing TIFF files allows attackers to cause a denial of service.

For Debian 9 stretch, these problems have been fixed in version
1.14.0+ds1-4+deb9u1.

We recommend that you upgrade your mupdf packages.

For the detailed security status of mupdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mupdf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmFM5qcACgkQ0+Fzg8+n
/wZ+2w/+KMtJDPzaGgHYzhaeax75+IXBf9zfbS+AO/trnFuj8Jh7bNql5REN+7Bf
sT6R/8U74AMKmZrTrurq1Exp5KpNxxlPCOJvl8RgrSzC+0hmzIy/+MeIi+Q/TaiW
j1b6HpqILbWz2NmzM0cYcDXYFRt9voOwKDwehmz2Vr/Zm9elX+VPzlm77mcGJy0H
f0eC81vizuI1s+DPa1Psd0USzBjfcLgUaIN+e4/aGOSMUX6EwYzvX8DjIYGO1PeV
L8ye3XybwL734IUmgU7MSKdZi/qJ9pYeIuyq48mvNNlEZXu0pEmiJBepwKnIvtLi
eKMimFLs6Hth2+jKoSJn3evk/Wd6JT8/HK8aMlsEsad2NVrw/ovy07I09DfXIW8F
iphBKPJHQezLmDzCsrzutjDVmOrEs06IygD1wglsCxKDCXrT0lPQzbyiuHhDbbCv
+KStwXAmp+Q2sgsWqYU+/N4/60mGrgNNtFiLBFqtrb1mQzY+P867Vofg1KNjJ39L
egQhyJjnTE09PNXYA8S+Ev3CbgvWBaPX5n8uROpMaFhXR2g9t5Q6+sVEt+5oJ13f
DpLqPDWDUNlrqe3+MVyDUMkZ+Xoonl40Yxn3c+x3WuCiiiSJ2liJY4T/QLlpUqg3
MLQoQn+1C1tvc+peLGNh5Bgemr1qoz9wT0fI0CtUmJcmUAZQhMI=
=4y6v
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYU0DKONLKJtyKPYoAQgqJw/9H/4X/YfgtLX9bXHi40elzpoM2GtP83fo
SFElA51Qth0Bb8DuDUJuMsAHZYE+9IS+9EBH1p8S8z6PD1UxK6QbliHsdHsP7C37
W+Uiqa3DwEmwz39eEVFqmI+pwJpMZ4JR+jvVMAvv25jDUHxAso0NdIfvfJFPWK30
k2B/ySLVySaMIuYqFfFlgikOgB/u5gAcdWknID6QyAFkWzRwz9dLOcHx2xdt8yDG
9W5KqcJymlhkupgT5LfbOW25y//G22r91U/Y60en9jGtR5MfO6Ru21JorZqXaVAR
1ghinWR33FtbTbvv7r122T/KYTKrYqf2jngfKu5cCSbNdPlEvH222On5z6vpcS6f
CIzleH+eR3PiC2fSfy9mSL2Em1PG8yEut7GMk/hByNZWxpWJuO4WltBcbbGqSbXf
8UZSm/DDyJJ71FsDoP9ZtNaj+5tk+/Abiwin0LE47OJjE1Y7xUHjqtgoiU7Am6HA
sK6yO30c2B5iRiRaonbYf/86dPQ0R9SyJxLOBC6yugdjVv0Btd5ZZ48ZXojYWeQV
/Ey+xRh9jpnAz0rldRS4A3MFWl7ZR/a+DusnfvWGD9/G89t8vh/gROeq7b1/YwIJ
w9jy3GShii0jKbKBgRF2lN6xEZg4zHBMzLHjmt2CytVaUMPf0ERJ6iDolVKCDoYq
LgnazgOwJkY=
=RkWZ
-----END PGP SIGNATURE-----
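The advisory's only remediation is the upgrade to 1.14.0+ds1-4+deb9u1 on Debian 9, and the summary asks administrators to confirm they are on a fixed build. The script below is an added example, not part of the AusCERT bulletin or the Debian advisory: it implements the Debian version ordering from deb-version(5) (the rule `dpkg --compare-versions` applies, including the "~ sorts before everything" convention used for backports and pre-releases) so that package inventories collected from several hosts can be graded offline against the fixed version. The inventory lines, host names and the `assess_inventory` helper are constructed for the example; the fixed version is the one the advisory names, and it applies to Debian 9 only, so other releases or distributions need their own fixed version.

```python
"""Grade installed mupdf versions against the Debian 9 fix named in DLA-2765-1.

Constructed example: the inventory below imitates lines of the form
'<host> <package> <version>' as you would collect from
`dpkg-query -W -f='${Package} ${Version}\n'` on each host.
"""

PACKAGE = "mupdf"
FIXED_VERSION = "1.14.0+ds1-4+deb9u1"   # fixed version for Debian 9 "stretch" per the advisory

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = """\
web01   mupdf 1.14.0+ds1-4
web02   mupdf 1.14.0+ds1-4+deb9u1
build03 mupdf 1.14.0+ds1-4+deb9u1~bpo9+1
dev04   mupdf 1.17.0+ds1-1
"""


def _order(ch: str) -> int:
    """Sort weight of one character per deb-version(5): '~' sorts before
    anything (even end of string), letters before non-letters, digits and
    end-of-string are neutral because digit runs are compared numerically."""
    if ch == "" or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings; <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit prefix: compared character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                     # no Debian revision present
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Debian ordering: epoch first, then upstream, then revision."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is the fixed one or newer."""
    return compare_versions(installed, fixed) >= 0


def assess_inventory(inventory: str, package: str = PACKAGE,
                     fixed: str = FIXED_VERSION) -> dict:
    """Map host -> 'patched' / 'vulnerable' for every line naming `package`."""
    status = {}
    for line in inventory.strip().splitlines():
        host, pkg, version = line.split()
        if pkg == package:
            status[host] = "patched" if is_patched(version, fixed) else "vulnerable"
    return status


if __name__ == "__main__":
    for host, state in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:8s} {state}")
```

Note that build03 is graded vulnerable even though its version string contains the fix's revision: the `~bpo9+1` suffix sorts below `4+deb9u1`, which is exactly how dpkg would order it, so a naive substring match would have reported it as fixed. The version check establishes only that the packaged fix is installed; a locally rebuilt or pinned package keeps its version string, so treat this as an inventory filter, not as proof.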