Bug#879055: marked as done (mupdf: CVE-2017-15587)

2017-11-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Nov 2017 22:20:55 +
with message-id 
and subject line Bug#879055: fixed in mupdf 1.5-1+deb8u3
has caused the Debian Bug report #879055,
regarding mupdf: CVE-2017-15587
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879055
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mupdf
Version: 1.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698605

Hi,

the following vulnerability was published for mupdf.

CVE-2017-15587[0]:
| An integer overflow was discovered in pdf_read_new_xref_section in
| pdf/pdf-xref.c in Artifex MuPDF 1.11.

base64 encoded reproducer for verifying:

JVBERi0wMDAwMDAgMCBvYmo8PC9bXS9JbmRleFsyMTQ3NDgzNjQ3IDFdLyAwIDAgUi8gMC9TaXpl
IDAvV1tdPj5zdHJlYW0Nc3RhcnR4cmVmMTAK

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698605
[2] http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8
[3] https://nandynarwhals.org/CVE-2017-15587/

Regards,
Salvatore
--- End Message ---
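
The base64 reproducer in the report above decodes to a cross-reference stream whose /Index array is [2147483647 1], a (first object number, entry count) pair whose sum exceeds INT_MAX. The following is an added example, not part of the original message and not MuPDF source: it shows the overflow-safe range check such a pair needs before use, with hypothetical names (`check_xref_range`, `wrapped_end`, `max_objects`) and an assumed caller-chosen cap.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not MuPDF source. */
enum xref_status { XREF_OK, XREF_NEGATIVE, XREF_OVERFLOW, XREF_TOO_LARGE };

/* Result of an unchecked `start + count` on a 32-bit int. Done in unsigned
 * arithmetic because signed overflow is undefined behaviour in C; the
 * conversion back wraps on mainstream compilers (GCC, Clang, MSVC). */
static int wrapped_end(int start, int count)
{
    return (int)((unsigned)start + (unsigned)count);
}

/* Validate one /Index pair (first object number, entry count) before it is
 * used as a loop bound or table size. max_objects is a caller-chosen cap
 * (assumption), e.g. derived from the file size. */
static enum xref_status
check_xref_range(int start, int count, int max_objects, int *end_out)
{
    if (start < 0 || count < 0)
        return XREF_NEGATIVE;
    if (start > INT_MAX - count)        /* start + count would overflow */
        return XREF_OVERFLOW;
    if (start + count > max_objects)    /* safe: the sum is known to fit */
        return XREF_TOO_LARGE;
    *end_out = start + count;
    return XREF_OK;
}

int main(void)
{
    /* Constructed inputs; the second pair is the one in the reproducer. */
    static const int pairs[][2] = { {0, 10}, {2147483647, 1}, {-1, 5}, {990, 20} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        int end = 0;
        enum xref_status st = check_xref_range(pairs[i][0], pairs[i][1], 1000, &end);
        printf("/Index [%d %d]: unchecked end=%d, status=%d\n",
               pairs[i][0], pairs[i][1],
               wrapped_end(pairs[i][0], pairs[i][1]), (int)st);
    }
    return 0;
}
```

The comparison `start > INT_MAX - count` is evaluated only after both values are known to be non-negative, so the subtraction itself cannot overflow.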
--- Begin Message ---
Source: mupdf
Source-Version: 1.5-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello  (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 10 Nov 2017 12:20:25 -0500
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.5-1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) 
Changed-By: Luciano Bello 
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf  - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Closes: 879055
Changes:
 mupdf (1.5-1+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-15587: Integer overflow was discovered in
 pdf_read_new_xref_section (Closes: #879055)

Bug#879055: marked as done (mupdf: CVE-2017-15587)

2017-11-12 Thread Debian Bug Tracking System
Your message dated Sun, 12 Nov 2017 15:33:22 +
with message-id 
and subject line Bug#879055: fixed in mupdf 1.9a+ds1-4+deb9u1
has caused the Debian Bug report #879055,
regarding mupdf: CVE-2017-15587
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879055
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mupdf
Source-Version: 1.9a+ds1-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello  (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 22 Oct 2017 20:10:29 -0400
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.9a+ds1-4+deb9u1
Distribution: stable-security
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) 
Changed-By: Luciano Bello 
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf  - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Closes: 877379 879055
Changes:
 mupdf (1.9a+ds1-4+deb9u1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, and CVE-2017-15587
 (Closes: #877379, #879055)

Bug#879055: marked as done (mupdf: CVE-2017-15587)

2017-10-26 Thread Debian Bug Tracking System
Your message dated Thu, 26 Oct 2017 15:37:10 +
with message-id 
and subject line Bug#879055: fixed in mupdf 1.11+ds1-2
has caused the Debian Bug report #879055,
regarding mupdf: CVE-2017-15587
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879055
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mupdf
Source-Version: 1.11+ds1-2

We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kan-Ru Chen (陳侃如)  (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 26 Oct 2017 22:28:43 +0800
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 1.11+ds1-2
Distribution: unstable
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) 
Changed-By: Kan-Ru Chen (陳侃如) 
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf  - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Closes: 879055
Changes:
 mupdf (1.11+ds1-2) unstable; urgency=high
 .
   * Acknowledge NMU. Thanks, Salvatore.
   * Renumber patches
   * Fixes CVE-2017-15587 (Closes: 879055)
   * Sort files in static library to make the build reproducible.
   * Bump Standards-Version to 4.1.1. No changes needed.