Debian Package Tracker

general

source: mupdf (main)
version: 1.14.0+ds1-4
maintainer: Kan-Ru Chen (陳侃如) [DMD]
uploaders: Quoc-Viet Nguyen [DMD]
arch: any
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.5-1+deb8u4
old-sec: 1.5-1+deb8u4
stable: 1.9a+ds1-4+deb9u4
stable-sec: 1.9a+ds1-4+deb9u4
testing: 1.14.0+ds1-3
unstable: 1.14.0+ds1-4

versioned links

1.5-1+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9a+ds1-4+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.14.0+ds1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.14.0+ds1-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libmupdf-dev
mupdf
mupdf-tools

action needed

Marked for autoremoval on 23 April: #924351 high

Version 1.14.0+ds1-3 of mupdf is marked for autoremoval from testing on Tue 23 Apr 2019. It is affected by #924351. The removal of mupdf will also cause the removal of (transitive) reverse dependencies: img2pdf, impressive, impressive-display, ocrmypdf. You should try to prevent the removal by fixing these RC bugs.

Created: 2019-03-19 Last update: 2019-03-24 14:03

A new upstream version is available: 1.14.0-rc1 high

A new upstream version 1.14.0-rc1 is available, you should consider packaging it.

Created: 2018-09-27 Last update: 2019-03-24 12:00

2 security issues in buster high

There are 2 open security issues in buster.

2 important issues:

CVE-2018-16648: In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file. This is caused by a pdf/pdf-device.c pdf_dev_alpha array-index underflow.
CVE-2018-16647: In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.

Please fix them.

Created: 2018-09-07 Last update: 2019-03-16 09:06

7 security issues in stretch high

There are 7 open security issues in stretch.

5 important issues:

CVE-2018-16648: In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file. This is caused by a pdf/pdf-device.c pdf_dev_alpha array-index underflow.
CVE-2018-1000039: In MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could allow an attacker to execute arbitrary code, read memory, or cause a denial of service via a crafted file.
CVE-2018-18662: There is an out-of-bounds read in fz_run_t3_glyph in fitz/font.c in Artifex MuPDF 1.14.0, as demonstrated by mutool.
CVE-2018-16647: In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.
CVE-2018-1000038: In MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute arbitrary code via a crafted file.

2 issues skipped by the security teams:

CVE-2019-6130: Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool. This is related to page-number mishandling in cbz/mucbz.c, cbz/muimg.c, and svg/svg-doc.c.
CVE-2019-6131: svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as demonstrated by mutool.

Please fix them.

Created: 2017-12-24 Last update: 2019-03-16 09:06

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2018-10-01 Last update: 2019-03-24 13:36

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2018-04-11 Last update: 2019-03-12 04:43

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2019-03-16 Last update: 2019-03-16 16:55

8 ignored security issues in jessie low

There are 8 open security issues in jessie.

8 issues skipped by the security teams:

CVE-2019-6130: Artifex MuPDF 1.14.0 has a SEGV in the function fz_load_page of the fitz/document.c file, as demonstrated by mutool. This is related to page-number mishandling in cbz/mucbz.c, cbz/muimg.c, and svg/svg-doc.c.
CVE-2018-16648: In Artifex MuPDF 1.13.0, the fz_append_byte function in fitz/buffer.c allows remote attackers to cause a denial of service (segmentation fault) via a crafted pdf file. This is caused by a pdf/pdf-device.c pdf_dev_alpha array-index underflow.
CVE-2017-14687: Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to "Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016cb4f" on Windows. This occurs because of mishandling of XML tag name comparisons.
CVE-2018-6187: In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow vulnerability in the do_pdf_save_document function in the pdf/pdf-write.c file. Remote attackers could leverage the vulnerability to cause a denial of service via a crafted pdf file.
CVE-2018-6192: In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation violation and application crash) via a crafted pdf file.
CVE-2018-16647: In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation fault in fz_write_data in fitz/output.c) via a crafted pdf file.
CVE-2017-17866: pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain length changes when a repair operation occurs during a clean operation, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted PDF document.
CVE-2018-5686: In MuPDF 1.12.0, there is an infinite loop vulnerability and application hang in the pdf_parse_array function (pdf/pdf-parse.c) because EOF is not considered. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted pdf file.

Please fix them.

Created: 2017-10-01 Last update: 2019-03-16 09:06

testing migrations

excuses:
- Too young, only 8 of 10 days old
- Updating mupdf fixes old bugs: #924351
- Piuparts tested OK - https://piuparts.debian.org/sid/source/m/mupdf.html
- Ignoring block request by freeze, due to unblock request by nthykier
- Not considered

news

[rss feed]

[2019-03-16] Accepted mupdf 1.14.0+ds1-4 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2019-01-21] mupdf 1.14.0+ds1-3 MIGRATED to testing (Debian testing watch)
[2019-01-19] Accepted mupdf 1.14.0+ds1-3 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-11-10] Accepted mupdf 1.9a+ds1-4+deb9u4 (source amd64) into proposed-updates->stable-new, proposed-updates (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-11-09] mupdf 1.14.0+ds1-2 MIGRATED to testing (Debian testing watch)
[2018-11-04] Accepted mupdf 1.9a+ds1-4+deb9u4 (source amd64) into stable->embargoed, stable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-11-04] Accepted mupdf 1.14.0+ds1-2 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-10-28] Accepted mupdf 1.14.0+ds1-1 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-09-08] mupdf 1.13.0+ds1-3 MIGRATED to testing (Debian testing watch)
[2018-09-03] Accepted mupdf 1.13.0+ds1-3 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-07-13] mupdf 1.13.0+ds1-2 MIGRATED to testing (Debian testing watch)
[2018-07-08] Accepted mupdf 1.13.0+ds1-2 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-05-05] mupdf 1.13.0+ds1-1 MIGRATED to testing (Debian testing watch)
[2018-04-30] Accepted mupdf 1.13.0+ds1-1 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2018-03-30] Accepted mupdf 1.5-1+deb8u4 (source amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Thorsten Alteholz)
[2018-03-30] Accepted mupdf 1.9a+ds1-4+deb9u3 (source amd64) into proposed-updates->stable-new, proposed-updates (Thorsten Alteholz)
[2018-03-27] Accepted mupdf 1.9a+ds1-4+deb9u3 (source amd64) into stable->embargoed, stable (Thorsten Alteholz)
[2018-03-27] Accepted mupdf 1.5-1+deb8u4 (source amd64) into oldstable->embargoed, oldstable (Thorsten Alteholz)
[2018-03-16] mupdf 1.12.0+ds1-1 MIGRATED to testing (Debian testing watch)
[2018-03-14] Accepted mupdf 1.12.0+ds1-1 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2017-11-18] Accepted mupdf 1.5-1+deb8u3 (source amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Luciano Bello)
[2017-11-12] Accepted mupdf 1.9a+ds1-4+deb9u2 (source amd64) into proposed-updates->stable-new, proposed-updates (Luciano Bello)
[2017-11-12] Accepted mupdf 1.9a+ds1-4+deb9u1 (source amd64) into proposed-updates->stable-new, proposed-updates (Luciano Bello)
[2017-11-07] Accepted mupdf 0.9-2+deb7u4 (source amd64) into oldoldstable (Markus Koschany)
[2017-10-29] mupdf 1.11+ds1-2 MIGRATED to testing (Debian testing watch)
[2017-10-26] Accepted mupdf 1.11+ds1-2 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)
[2017-10-21] mupdf 1.11+ds1-1.1 MIGRATED to testing (Debian testing watch)
[2017-10-15] Accepted mupdf 1.11+ds1-1.1 (source) into unstable (Salvatore Bonaccorso)
[2017-09-29] mupdf 1.11+ds1-1 MIGRATED to testing (Debian testing watch)
[2017-09-24] Accepted mupdf 1.11+ds1-1 (source amd64) into unstable (Kan-Ru Chen (陳侃如)) (signed by: Kan-Ru Chen)

bugs [bug history graph]

all: 28
RC: 0
I&N: 20
M&W: 8
F&P: 0
patch: 2

links

homepage
lintian (0, 1)
buildd: logs, checks, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.14.0+ds1-4
5 bugs