   openSUSE Security Update: Security update for mupdf
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:0373-1
Rating:             low
References:         #1019877
Cross-References:   CVE-2016-10132 CVE-2016-10133 CVE-2016-10141
Affected Products:
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for mupdf to version 1.10a fixes the following issues:

   These security issues were fixed:

   - CVE-2016-10132: Null pointer dereference in regexp because of a missing
     check after allocating memory allowing for DoS (bsc#1019877).
   - CVE-2016-10133: Heap buffer overflow write in js_stackoverflow allowing
     for DoS or possible code execution (bsc#1019877).
   - CVE-2016-10141: An integer overflow vulnerability triggered by a regular
     expression with nested repetition. A successful exploitation of this
     issue can lead to code execution or a denial of service (buffer
     overflow) condition (bsc#1019877).

   These non-security issues were fixed:

   - A bug with mutool and saving PDF files using the 'ascii' option has been
     fixed.
   - Stop defining OPJ_STATIC
   - FictionBook (FB2) e-book support.
   - Simple SVG parser (a small subset of SVG only).
   - mutool convert: a new document conversion tool and interface.
   - Multi-threaded rendering in mudraw.
   - Updated base 14 fonts from URW.
   - New CJK font with language specific variants.
   - Hyperlink support in EPUB.
   - Alpha channel is now optional in pixmaps.
   - More aggressive purging of cached objects.
   - Partial image decoding for lower memory use when banding.
   - Reduced default set of built-in CMap tables to the minimum required.
   - FZ_ENABLE_PDF, _XPS, _JS, to disable features at compile time.
   - Function level linking.
   - Dropped pdf object generation numbers from public interfaces.
   - Simplified PDF page, xobject, and annotation internals.
   - Closing and freeing devices and writers are now separate steps.
   - Improved PDF annotation editing interface (still a work in progress).
   - Document writer interface.
   - Banded image writer interface.
   - Bidirectional layout for Arabic and Hebrew scripts.
   - Shaping complex scripts for EPUB text layout.
   - Noto fallback fonts for EPUB layout.
   - mutool create:
     - Create new PDF files from scratch.
     - Read an annotated content stream in a text file and write a PDF file,
       automatically embedding font and image resources.
   - mutool run:
     + Run javascript scripts with MuPDF bindings.
     + The interface is similar to the new Java interface.
   - mutool draw:
     + Optional multi-threaded operation (Windows and pthreads).
     + Optional low memory mode (primarily for testing).
   - Set to best anti-alias mode (8) by default.
   - Ship mupdf-x11-curl as default mupdf. Drop non-curl version.
   - New URW fonts with greek and cyrillic.
   - 64-bit file support.
   - Updated FreeType to version 2.6.1.
   - Various font substitution bug fixes.
   - EPUB improvements: User style sheets, GIF images, Table of Contents, CJK
     text, Page margins and many bug fixes.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2017-197=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.1 (i586 x86_64):

      mupdf-1.10a-10.1
      mupdf-devel-static-1.10a-10.1

References:

   https://www.suse.com/security/cve/CVE-2016-10132.html
   https://www.suse.com/security/cve/CVE-2016-10133.html
   https://www.suse.com/security/cve/CVE-2016-10141.html
   https://bugzilla.suse.com/1019877