#VU36243 Input validation error in MuPDF - CVE-2019-6130

Cybersecurity Help s.r.o.

Published: 2019-01-11 | Updated: 2020-08-08

Vulnerability identifier: #VU36243

Vulnerability risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-6130

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MuPDF
Client/Desktop applications / Multimedia software

Vendor: Artifex Software, Inc.

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool. This is related to page-number mishandling in cbz/mucbz.c, cbz/muimg.c, and svg/svg-doc.c.

Mitigation
Install update from vendor's website.

Vulnerable software versions

MuPDF: 1.14.0

External links
https://www.securityfocus.com/bid/106558
https://bugs.ghostscript.com/show_bug.cgi?id=700446
https://lists.debian.org/debian-lts-announce/2019/06/msg00027.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00019.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNJNEX5EW6YH5OARXXSSXW4HHC5PIBSY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SEK2EHVNREJ7XZMFF2MXRWKIF4IBHPNE/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in MuPDF