Mailinglist Archive: opensuse-bugs (4284 mails)

[Bug 1039931] New: VUL-0: CVE-2016-8729: mupdf: Artifex MuPDf JBIG2 Parser Code Execution Vulnerability
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 19 May 2017 15:08:45 +0000
  • Message-id: <bug-1039931-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1039931


Bug ID: 1039931
Summary: VUL-0: CVE-2016-8729: mupdf: Artifex MuPDf JBIG2
Parser Code Execution Vulnerability
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: idonmez@xxxxxxxx
Reporter: astieger@xxxxxxxx
QA Contact: qa-bugs@xxxxxxx
CC: abergmann@xxxxxxxx
Found By: Security Response Team
Blocker: ---

CVE-2016-8729 - Artifex MuPDf JBIG2 Parser Code Execution Vulnerability

An exploitable memory corruption vulnerability exists in the JBIG2 parser of
Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be
passed to a memset resulting in memory corruption and potential code execution.
An attacker can specially craft a PDF and send it to the victim to trigger this
vulnerability.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0243

This is in thirdparty/jbig2dec, but mupdf.spec removes these and uses the
system libs:

# do not use the inlined copies of build dependencies except for mujs
rm -rf $(ls -d thirdparty/*/ | grep -v mujs)

--> CVE-2016-8729 does not affect openSUSE.
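
The bug class named in the advisory text above (a signed value that has gone negative being passed as a memset length), as an added C illustration next to a range-checked form. This is not code from jbig2dec, MuPDF or this bug report; the helper names and the 16-byte buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What memset sees when a signed length is negative: the conversion to
 * size_t wraps it around to a huge unsigned byte count. */
static size_t as_memset_len(int32_t n)
{
    return (size_t)n;
}

/* Hypothetical helper: clear bytes [start, end) of buf, whose allocated
 * size is buf_len. Returns 0 on success, -1 if the range is rejected. */
static int checked_clear(uint8_t *buf, size_t buf_len, int32_t start, int32_t end)
{
    if (buf == NULL || start < 0 || end < start)
        return -1;                 /* negative offset or negative length */
    if ((size_t)end > buf_len)
        return -1;                 /* range runs past the allocation */
    memset(buf + start, 0, (size_t)(end - start));
    return 0;
}

/* Constructed input: a 16-byte row filled with 0xFF. Stores the result of
 * checked_clear in *rc and returns how many bytes are still 0xFF. */
static int demo_remaining(int32_t start, int32_t end, int *rc)
{
    uint8_t row[16];
    int i, left = 0;

    memset(row, 0xFF, sizeof row);
    *rc = checked_clear(row, sizeof row, start, end);
    for (i = 0; i < 16; i++)
        left += (row[i] == 0xFF);
    return left;
}

int main(void)
{
    int rc, left;

    printf("(size_t)-1 as a length: %zu bytes\n", as_memset_len(-1));
    left = demo_remaining(4, 12, &rc);   /* valid range */
    printf("clear [4,12):  rc=%d, untouched=%d\n", rc, left);
    left = demo_remaining(12, 4, &rc);   /* end < start: negative length */
    printf("clear [12,4):  rc=%d, untouched=%d\n", rc, left);
    return 0;
}
```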
