Debian Security Advisory
DSA-4006-1 mupdf -- security update
- Date Reported:
- 24 Oct 2017
- Affected Packages:
- mupdf
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 877379, Bug 879055.
In Mitre's CVE dictionary: CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, CVE-2017-15587. - More information:
-
Multiple vulnerabilities have been found in MuPDF, a PDF file viewer, which may result in denial of service or the execution of arbitrary code.
- CVE-2017-14685,
CVE-2017-14686,
and CVE-2017-14687
WangLin discovered that a crafted .xps file can crash MuPDF and potentially execute arbitrary code in several ways, since the application makes unchecked assumptions on the entry format.
- CVE-2017-15587
Terry Chia and Jeremy Heng discovered an integer overflow that can cause arbitrary code execution via a crafted .pdf file.
For the stable distribution (stretch), these problems have been fixed in version 1.9a+ds1-4+deb9u1.
We recommend that you upgrade your mupdf packages.
- CVE-2017-14685,
CVE-2017-14686,
and CVE-2017-14687