Debian Package Tracker

general

source: mupdf (main)
version: 1.15.0+ds1-1
maintainer: Kan-Ru Chen (陳侃如) (DMD)
uploaders: Quoc-Viet Nguyen [DMD]
arch: any
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.5-1+deb8u4
o-o-sec: 1.5-1+deb8u6
oldstable: 1.9a+ds1-4+deb9u4
old-sec: 1.9a+ds1-4+deb9u4
stable: 1.14.0+ds1-4
testing: 1.15.0+ds1-1
unstable: 1.15.0+ds1-1

versioned links

1.5-1+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.5-1+deb8u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9a+ds1-4+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.14.0+ds1-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.15.0+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libmupdf-dev
mupdf (22 bugs: 0, 14, 8, 0)
mupdf-tools (6 bugs: 0, 6, 0, 0)

action needed

A new upstream version is available: 1.16.1 high

A new upstream version 1.16.1 is available, you should consider packaging it.

Created: 2019-07-31 Last update: 2019-12-12 13:35

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2019-13290: Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing remote attackers to execute arbitrary code via a crafted PDF file. This occurs with a large BDC property name that overflows the allocated size of a display list node.

Please fix it.

Created: 2019-07-05 Last update: 2019-10-21 00:30

8 security issues in stretch high

There are 8 open security issues in stretch.

6 important issues:

CVE-2018-16648: In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file. This is caused by a pdf/pdf-device.c pdf_dev_alpha array-index underflow.
CVE-2018-16647: In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.
CVE-2018-18662: There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in Artifex MuPDF 1.14.0, as demonstrated by mutool.
CVE-2018-1000038: In MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute arbitrary code via a crafted file.
CVE-2018-1000039: In MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could allow an attacker to execute arbitrary code, read memory, or cause a denial of service via a crafted file.
CVE-2019-13290: Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing remote attackers to execute arbitrary code via a crafted PDF file. This occurs with a large BDC property name that overflows the allocated size of a display list node.

2 issues skipped by the security teams:

CVE-2019-6131: svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as demonstrated by mutool.
CVE-2019-6130: Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool. This is related to page-number mishandling in cbz/mucbz.c, cbz/muimg.c, and svg/svg-doc.c.

Please fix them.

Created: 2017-12-24 Last update: 2019-10-21 00:30

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-12-12 14:33

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit f2e79181d84176e7c8b1b1155e823588c3854e08
Author: Kan-Ru Chen <koster@debian.org>
Date:   Sun Jul 7 23:34:45 2019 +0900

    Bump debhelper compat to 12

Created: 2019-07-07 Last update: 2019-12-08 02:39

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-08-24 Last update: 2019-08-24 02:16

5 ignored security issues in jessie low

There are 5 open security issues in jessie.

5 issues skipped by the security teams:

CVE-2018-6187: In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow vulnerability in the do_pdf_save_document function in the pdf/pdf-write.c file. Remote attackers could leverage the vulnerability to cause a denial of service via a crafted pdf file.
CVE-2018-16648: In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file. This is caused by a pdf/pdf-device.c pdf_dev_alpha array-index underflow.
CVE-2018-16647: In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.
CVE-2017-14687: Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to "Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016cb4f" on Windows. This occurs because of mishandling of XML tag name comparisons.
CVE-2017-17866: pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain length changes when a repair operation occurs during a clean operation, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted PDF document.

Please fix them.

Created: 2017-10-01 Last update: 2019-10-21 00:30

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2019-03-16 Last update: 2019-03-16 16:55

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 4.3.0).

Created: 2019-07-08 Last update: 2019-09-29 23:41

news

[rss feed]

[2019-08-20] mupdf 1.15.0+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-08-20] mupdf 1.15.0+ds1-1 MIGRATED to testing (Debian testing watch)
[2019-07-07] Accepted mupdf 1.15.0+ds1-1 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2019-06-28] Accepted mupdf 1.5-1+deb8u6 (source amd64) into oldstable (Mike Gabriel)
[2019-06-28] Accepted mupdf 1.5-1+deb8u5 (source amd64) into oldstable (Mike Gabriel)
[2019-03-26] mupdf 1.14.0+ds1-4 MIGRATED to testing (Debian testing watch)
[2019-03-16] Accepted mupdf 1.14.0+ds1-4 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2019-01-21] mupdf 1.14.0+ds1-3 MIGRATED to testing (Debian testing watch)
[2019-01-19] Accepted mupdf 1.14.0+ds1-3 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-11-10] Accepted mupdf 1.9a+ds1-4+deb9u4 (source amd64) into proposed-updates->stable-new, proposed-updates (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-11-09] mupdf 1.14.0+ds1-2 MIGRATED to testing (Debian testing watch)
[2018-11-04] Accepted mupdf 1.9a+ds1-4+deb9u4 (source amd64) into stable->embargoed, stable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-11-04] Accepted mupdf 1.14.0+ds1-2 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-10-28] Accepted mupdf 1.14.0+ds1-1 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-09-08] mupdf 1.13.0+ds1-3 MIGRATED to testing (Debian testing watch)
[2018-09-03] Accepted mupdf 1.13.0+ds1-3 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-07-13] mupdf 1.13.0+ds1-2 MIGRATED to testing (Debian testing watch)
[2018-07-08] Accepted mupdf 1.13.0+ds1-2 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-05-05] mupdf 1.13.0+ds1-1 MIGRATED to testing (Debian testing watch)
[2018-04-30] Accepted mupdf 1.13.0+ds1-1 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-03-30] Accepted mupdf 1.5-1+deb8u4 (source amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Thorsten Alteholz)
[2018-03-30] Accepted mupdf 1.9a+ds1-4+deb9u3 (source amd64) into proposed-updates->stable-new, proposed-updates (Thorsten Alteholz)
[2018-03-27] Accepted mupdf 1.9a+ds1-4+deb9u3 (source amd64) into stable->embargoed, stable (Thorsten Alteholz)
[2018-03-27] Accepted mupdf 1.5-1+deb8u4 (source amd64) into oldstable->embargoed, oldstable (Thorsten Alteholz)
[2018-03-16] mupdf 1.12.0+ds1-1 MIGRATED to testing (Debian testing watch)
[2018-03-14] Accepted mupdf 1.12.0+ds1-1 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2017-11-18] Accepted mupdf 1.5-1+deb8u3 (source amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Luciano Bello)
[2017-11-12] Accepted mupdf 1.9a+ds1-4+deb9u2 (source amd64) into proposed-updates->stable-new, proposed-updates (Luciano Bello)
[2017-11-12] Accepted mupdf 1.9a+ds1-4+deb9u1 (source amd64) into proposed-updates->stable-new, proposed-updates (Luciano Bello)
[2017-11-07] Accepted mupdf 0.9-2+deb7u4 (source amd64) into oldoldstable (Markus Koschany)

bugs [bug history graph]

all: 29
RC: 0
I&N: 21
M&W: 8
F&P: 0
patch: 2

links

homepage
lintian (0, 2)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.15.0+ds1-1
6 bugs