Lucene search

K
archlinuxArchLinuxASA-201801-27
HistoryJan 30, 2018 - 12:00 a.m.

[ASA-201801-27] mupdf: arbitrary code execution

2018-01-3000:00:00
security.archlinux.org
12

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.024 Low

EPSS

Percentile

89.9%

Arch Linux Security Advisory ASA-201801-27

Severity: High
Date : 2018-01-30
CVE-ID : CVE-2017-17858
Package : mupdf
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-599

Summary

The package mupdf before version 1.12.0-2 is vulnerable to arbitrary
code execution.

Resolution

Upgrade to 1.12.0-2.

pacman -Syu “mupdf>=1.12.0-2”

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

Heap-based buffer overflow in the ensure_solid_xref function in
pdf/pdf-xref.c in Artifex MuPDF 1.12.0 allows an attacker to
potentially execute arbitrary code via a crafted PDF file, because xref
subsection object numbers are unrestricted.

Impact

An attacker is able to execute arbitrary code on the affected host by
tricking the user to open or process a maliciously crafted PDF
document.

References

https://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731
https://bugs.ghostscript.com/show_bug.cgi?id=698819
https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md
https://security.archlinux.org/CVE-2017-17858

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanymupdf< 1.12.0-2UNKNOWN

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.024 Low

EPSS

Percentile

89.9%