FS#70054 - [mupdf] [Security] arbitrary code execution (CVE-2021-3407)

Attached to Project: Community Packages
Opened by Jonas Witschel (diabonas) - Thursday, 18 March 2021, 11:17 GMT
Last edited by Jonas Witschel (diabonas) - Thursday, 18 March 2021, 14:27 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Christian Hesse (eworm)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Summary
=======

The package mupdf is vulnerable to arbitrary code execution via CVE-2021-3407.

Guidance
========

Applying commit cee7cefc610d42fd383b3c80c12cbc675443176a referenced below fixes the issue.

References
==========

https://security.archlinux.org/AVG-1602
https://bugzilla.redhat.com/show_bug.cgi?id=1931964
https://bugs.ghostscript.com/show_bug.cgi?id=703366
https://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=cee7cefc610d42fd383b3c80c12cbc675443176a
This task depends upon

Closed by  Jonas Witschel (diabonas)
Thursday, 18 March 2021, 14:27 GMT
Reason for closing:  Fixed
Additional comments about closing:  mupdf 1.18.0-2, llpp 33-2, zathura-pdf-mupdf 0.3.6-5
Comment by Christian Hesse (eworm) - Thursday, 18 March 2021, 12:14 GMT
Do we have to care about those package linking statically?
Comment by Christian Hesse (eworm) - Thursday, 18 March 2021, 12:16 GMT
Fixed in mupdf 1.18.0-2.
Comment by Jonas Witschel (diabonas) - Thursday, 18 March 2021, 12:19 GMT
Cheers for the quick fix :) Do you know off-hand which packages might be linking to mupdf statically, or how we could find these?
Comment by Christian Hesse (eworm) - Thursday, 18 March 2021, 13:18 GMT
Those having a build dependency on libmupdf:

llpp
zathura-pdf-mupdf
Comment by Jonas Witschel (diabonas) - Thursday, 18 March 2021, 13:26 GMT
Ah cool :) So rebuilding these two with libmupdf 1.18.0-2 should be enough to fix the issue, correct?
Comment by Christian Hesse (eworm) - Thursday, 18 March 2021, 13:32 GMT
Yes, guess so.
Comment by Jonas Witschel (diabonas) - Thursday, 18 March 2021, 13:34 GMT
OK, thanks! I'll rebuild the two packages, add them to the security tracker, and close this issue afterwards.

Loading...