Mailinglist Archive: opensuse-updates (121 mails)

openSUSE-SU-2017:0373-1: Security update for mupdf
openSUSE Security Update: Security update for mupdf
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:0373-1
Rating: low
References: #1019877
Cross-References: CVE-2016-10132 CVE-2016-10133 CVE-2016-10141

Affected Products:
openSUSE Leap 42.1
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for mupdf to version 1.10a fixes the following issues:

These security issues were fixed:

- CVE-2016-10132: Null pointer dereference in regexp because of a missing
  check after allocating memory allowing for DoS (bsc#1019877).
- CVE-2016-10133: Heap buffer overflow write in js_stackoverflow allowing
  for DoS or possible code execution (bsc#1019877).
- CVE-2016-10141: An integer overflow vulnerability triggered by a regular
  expression with nested repetition. A successful exploitation of this
  issue can lead to code execution or a denial of service (buffer
  overflow) condition (bsc#1019877).

These non-security issues were fixed:

- A bug with mutool and saving PDF files using the 'ascii' option has been
  fixed.
- Stop defining OPJ_STATIC
- FictionBook (FB2) e-book support.
- Simple SVG parser (a small subset of SVG only).
- mutool convert: a new document conversion tool and interface.
- Multi-threaded rendering in mudraw.
- Updated base 14 fonts from URW.
- New CJK font with language specific variants.
- Hyperlink support in EPUB.
- Alpha channel is now optional in pixmaps.
- More aggressive purging of cached objects.
- Partial image decoding for lower memory use when banding.
- Reduced default set of built-in CMap tables to the minimum required.
- FZ_ENABLE_PDF, _XPS, _JS, to disable features at compile time.
- Function level linking.
- Dropped pdf object generation numbers from public interfaces.
- Simplified PDF page, xobject, and annotation internals.
- Closing and freeing devices and writers are now separate steps.
- Improved PDF annotation editing interface (still a work in progress).
- Document writer interface.
- Banded image writer interface.
- Bidirectional layout for Arabic and Hebrew scripts.
- Shaping complex scripts for EPUB text layout.
- Noto fallback fonts for EPUB layout.
- mutool create:
  + Create new PDF files from scratch.
  + Read an annotated content stream in a text file and write a PDF file,
    automatically embedding font and image resources.
- mutool run:
  + Run JavaScript scripts with MuPDF bindings.
  + The interface is similar to the new Java interface.
- mutool draw:
  + Optional multi-threaded operation (Windows and pthreads).
  + Optional low memory mode (primarily for testing).
- Set to best anti-alias mode (8) by default.
- Ship mupdf-x11-curl as default mupdf. Drop non-curl version.
- New URW fonts with Greek and Cyrillic.
- 64-bit file support.
- Updated FreeType to version 2.6.1.
- Various font substitution bug fixes.
- EPUB improvements: User style sheets, GIF images, Table of Contents, CJK
  text, Page margins and many bug fixes.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.1:

zypper in -t patch openSUSE-2017-197=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.1 (i586 x86_64):

mupdf-1.10a-10.1
mupdf-devel-static-1.10a-10.1


References:

https://www.suse.com/security/cve/CVE-2016-10132.html
https://www.suse.com/security/cve/CVE-2016-10133.html
https://www.suse.com/security/cve/CVE-2016-10141.html
https://bugzilla.suse.com/1019877

