
[ASA-201711-1] mupdf-gl: arbitrary code execution

2017-11-01 00:00:00
security.archlinux.org

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low
Percentile: 68.8%

Arch Linux Security Advisory ASA-201711-1

Severity: High
Date : 2017-11-01
CVE-ID : CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15587
Package : mupdf-gl
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-458

Summary

The package mupdf-gl before version 1.11-5 is vulnerable to arbitrary
code execution.

Resolution

Upgrade to 1.11-5.

pacman -Syu "mupdf-gl>=1.11-5"

The problems have been fixed upstream but no release is available yet.

Workaround

None.

Description

  • CVE-2017-14685 (arbitrary code execution)

Artifex MuPDF 1.11 allows attackers to cause a denial of service or
possibly have unspecified other impact via a crafted .xps file. This
occurs because xps_load_links_in_glyphs in xps/xps-link.c does not
verify that an xps font could be loaded.

  • CVE-2017-14686 (arbitrary code execution)

Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause
a denial of service via a crafted .xps file. This occurs because
read_zip_dir_imp in fitz/unzip.c does not check whether size fields in
a ZIP entry are negative numbers.

  • CVE-2017-14687 (arbitrary code execution)

Artifex MuPDF 1.11 allows attackers to cause a denial of service or
possibly have unspecified other impact via a crafted .xps file. This
occurs because of mishandling of XML tag name comparisons.

  • CVE-2017-15587 (arbitrary code execution)

An integer overflow leading to an out-of-bounds write has been found in
mupdf <= 1.11. The parsing of a crafted PDF might allow an attacker to
write controlled data to an arbitrary location in memory when
performing truncated xref checks.
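
The CVE-2017-14686 description above concerns ZIP size fields that become negative when read as signed integers; an .xps file is a ZIP container. The following Python triage script is an added example, not part of the advisory and not MuPDF's fix: it walks the central directory of a file and reports every size or length field whose top bit is set. The advisory does not say which fields MuPDF mishandled, so checking all five is an assumption, and the names suspicious_zip_fields and constructed_sample are hypothetical.

```python
import io
import struct
import sys
import zipfile

EOCD = struct.Struct("<4s4H2IH")    # end-of-central-directory record (22 bytes)
CDH = struct.Struct("<4s6H3I5H2I")  # central directory file header (46 bytes)


def suspicious_zip_fields(data):
    """Return (entry name, field, raw value) for each size/length field with its
    top bit set, i.e. negative if a parser reads it as a signed integer.
    Assumption: all five fields are checked; the advisory names none of them."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0 or pos + EOCD.size > len(data):
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, count, _, off, _ = EOCD.unpack_from(data, pos)
    findings = []
    for _ in range(count):
        if off + CDH.size > len(data) or data[off:off + 4] != b"PK\x01\x02":
            findings.append(("<central directory>", "bad_or_truncated_header", off))
            break
        f = CDH.unpack_from(data, off)
        csize, usize, nlen, xlen, clen = f[8:13]
        name = data[off + CDH.size:off + CDH.size + nlen].decode("utf-8", "replace")
        for field, value, bits in (("compressed_size", csize, 32),
                                   ("uncompressed_size", usize, 32),
                                   ("name_length", nlen, 16),
                                   ("extra_length", xlen, 16),
                                   ("comment_length", clen, 16)):
            if value >> (bits - 1):  # top bit set: negative as int32/int16
                findings.append((name, field, value))
        off += CDH.size + nlen + xlen + clen
    return findings


def constructed_sample():
    """Constructed, benign one-entry archive used as a self-check input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Documents/1/Pages/1.fpage", "<FixedPage/>")
    return buf.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for entry, field, value in suspicious_zip_fields(fh.read()):
                print(f"{path}: {entry!r}: {field}=0x{value:x}")
```

Legitimate archives with members of 2 GiB or more, and ZIP64 sentinel values (0xFFFFFFFF), are reported as well and need manual review.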

Impact

An attacker is able to execute arbitrary code on the affected host by
providing a maliciously-crafted .xps or .pdf file.

References

http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=ab1a420613dec93c686acbee2c165274e922f82a
https://bugs.ghostscript.com/show_bug.cgi?id=698539
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
https://bugs.ghostscript.com/show_bug.cgi?id=698540
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
https://bugs.ghostscript.com/show_bug.cgi?id=698558
https://nandynarwhals.org/CVE-2017-15587/
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8
https://security.archlinux.org/CVE-2017-14685
https://security.archlinux.org/CVE-2017-14686
https://security.archlinux.org/CVE-2017-14687
https://security.archlinux.org/CVE-2017-15587

OS | OS Version | Architecture | Package | Package Version | Filename
ArchLinux | any | any | mupdf-gl | < 1.11-5 | UNKNOWN
