Your message dated Sun, 12 Nov 2017 15:33:22 +0000
with message-id <e1eduga-000fdw...@fasolo.debian.org>
and subject line Bug#879055: fixed in mupdf 1.9a+ds1-4+deb9u1
has caused the Debian Bug report #879055,
regarding mupdf: CVE-2017-15587
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879055
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mupdf
Version: 1.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698605

Hi,

the following vulnerability was published for mupdf.

CVE-2017-15587[0]:
| An integer overflow was discovered in pdf_read_new_xref_section in
| pdf/pdf-xref.c in Artifex MuPDF 1.11.

base64 encoded reproducer for verifying:

JVBERi0wMDAwMDAgMCBvYmo8PC9bXS9JbmRleFsyMTQ3NDgzNjQ3IDFdLyAwIDAgUi8gMC9TaXpl
IDAvV1tdPj5zdHJlYW0Nc3RhcnR4cmVmMTAK

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15587
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698605
[2] http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8
[3] https://nandynarwhals.org/CVE-2017-15587/

Regards,
Salvatore

--- End Message ---
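
The base64 reproducer in the report above decodes to a minimal PDF whose cross-reference stream carries `/Index[2147483647 1]`, a subsection that starts at INT_MAX. The following is an added illustration, not MuPDF's code and not the upstream patch: it shows how a bounds check that adds start and count in 32-bit arithmetic accepts that pair, next to an overflow-safe form that rejects it. The function names and the table length of 16 are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of start + count in 32-bit two's-complement arithmetic.
   Computed through unsigned math so the demo has no undefined behaviour. */
static int32_t wrapped_end(int32_t start, int32_t count)
{
    uint32_t u = (uint32_t)start + (uint32_t)count;
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return (int32_t)((int64_t)u - 4294967296LL);
}

/* Naive check: accept the subsection if its (possibly wrapped) end
   lies inside a table of table_len entries. */
static int naive_accepts(int32_t start, int32_t count, int32_t table_len)
{
    return start >= 0 && count >= 0 && wrapped_end(start, count) <= table_len;
}

/* Hardened check: refuse any pair whose sum cannot be represented,
   before the addition is performed. */
static int checked_accepts(int32_t start, int32_t count, int32_t table_len)
{
    if (start < 0 || count < 0)
        return 0;
    if (start > INT32_MAX - count)   /* start + count would overflow */
        return 0;
    return start + count <= table_len;
}

int main(void)
{
    /* start/count are the /Index values from the reproducer on this page;
       table_len is a constructed value for the demo. */
    int32_t start = 2147483647, count = 1, table_len = 16;

    printf("wrapped end      : %d\n", (int)wrapped_end(start, count));
    printf("naive accepts    : %d\n", naive_accepts(start, count, table_len));
    printf("checked accepts  : %d\n", checked_accepts(start, count, table_len));
    printf("checked, [0 8]   : %d\n", checked_accepts(0, 8, table_len));
    return 0;
}
```
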
--- Begin Message ---
Source: mupdf
Source-Version: 1.9a+ds1-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luci...@debian.org> (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 22 Oct 2017 20:10:29 -0400
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.9a+ds1-4+deb9u1
Distribution: stable-security
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) <kos...@debian.org>
Changed-By: Luciano Bello <luci...@debian.org>
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf      - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Closes: 877379 879055
Changes:
 mupdf (1.9a+ds1-4+deb9u1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, and CVE-2017-15587
     (Closes: #877379, #879055)

--- End Message ---