Main Vulnerability Database SB2017060616

SB2017060616 - Gentoo update for MuPDF

Published: June 6, 2017 Updated: June 8, 2017

Security Bulletin ID SB2017060616

Severity

Low

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Stack overflow (CVE-ID: CVE-2016-10221)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the count_entries() function in pdf-layer.c in MuPDF 1.10a. A remote attacker can create a specially crafted PDF file, trick the victim into opening it and crash, trigger stack overflow and crash the application.

2) Null pointer dereference (CVE-ID: CVE-2017-5991)

An issue was discovered in Artifex Software, Inc. MuPDF before 1912de5f08e90af1d9d0a9791f58ba3afdb9d465. The pdf_run_xobject function in pdf-op-run.c encounters a NULL pointer dereference during a Fitz fz_paint_pixmap_with_mask painting operation.

3) Stack-based buffer overflow (CVE-ID: CVE-2017-6060)

Stack-based buffer overflow in jstest_main.c in mujstest in Artifex Software, Inc. MuPDF 1.10a allows remote attackers to have unspecified impact via a crafted image.

Remediation

Install update from vendor's website.

References

https://security.gentoo.org/glsa/201706-08