Bug 212207 - graphics/mupdf: CVE-2016-6525, CVE-2016-6265
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Mark Felder
Keywords: needs-qa, patch, security
Reported: 2016-08-27 22:44 UTC by Tobias Kortkamp
Modified: 2016-10-12 00:50 UTC
uzsolt: maintainer-feedback+
feld: merge-quarterly+


Attachments
mupdf.diff (5.02 KB, patch)
2016-08-27 22:44 UTC, Tobias Kortkamp
uzsolt: maintainer-approval+

Description Tobias Kortkamp freebsd_committer 2016-08-27 22:44:58 UTC
Created attachment 174138
mupdf.diff

Seen on the OpenBSD Ports mailing list.

These should affect the version in the FreeBSD ports tree too.  This also affects graphics/llpp and graphics/zathura-pdf-mupdf since both statically link with mupdf.

I'm attaching a patch that bumps portrevisions of all 3 ports and includes patches that are supposed to fix these issues.

OpenBSD commit message:
-------------------------
revision 1.65
date: 2016/08/27 20:58:48;  author: jca;  state: Exp;  lines: +2 -2;  commitid: 7TTHy8bFvHVkME08;
SECURITY fixes for CVE-2016-6525 & CVE-2016-6265

CVE-2016-6525 heap overflow in pdf_load_mesh_params()
CVE-2016-6265 use-after-free

Reported by & looks good to stsp@, ok sthen@ (maintainer)
------------------------

More info:
- https://marc.info/?l=oss-security&m=147022667716011&w=2
- https://marc.info/?l=oss-security&m=146911020216511&w=2

I haven't done any test builds in Poudriere yet. Mupdf still builds fine outside of it however.  Doing poudriere builds will take a while.
Comment 1 Zsolt Udvari 2016-08-28 09:57:45 UTC
Builds fine with poudriere. Accept.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-08-28 10:12:46 UTC
@Zsolt please approve patches by setting maintainer-approval to + on attachments for ports you are maintainer of. Attachment -> Details -> maintainer-approval [+]

Maintainer is not committer, assign to ports-secteam accordingly

Thank you for the report and patch Tobias
Comment 3 commit-hook freebsd_committer 2016-10-12 00:11:34 UTC
A commit references this bug:

Author: feld
Date: Wed Oct 12 00:11:08 UTC 2016
New revision: 423807
URL: https://svnweb.freebsd.org/changeset/ports/423807

Log:
  graphics/mupdf: Patch to resolve CVEs

  PR:		212207
  MFH:		2016Q4
  Security:	CVE-2016-6525
  Security:	CVE-2016-6265

Changes:
  head/graphics/llpp/Makefile
  head/graphics/mupdf/Makefile
  head/graphics/mupdf/files/patch-scripts_fontdump.c
  head/graphics/mupdf/files/patch-source__fitz__load-jpx.c
  head/graphics/mupdf/files/patch-source_pdf_pdf-shade.c
  head/graphics/mupdf/files/patch-source_pdf_pdf-xref.c
  head/graphics/zathura-pdf-mupdf/Makefile
Comment 4 commit-hook freebsd_committer 2016-10-12 00:12:36 UTC
A commit references this bug:

Author: feld
Date: Wed Oct 12 00:12:14 UTC 2016
New revision: 423808
URL: https://svnweb.freebsd.org/changeset/ports/423808

Log:
  MFH: r423807

  graphics/mupdf: Patch to resolve CVEs

  PR:		212207
  Security:	CVE-2016-6525
  Security:	CVE-2016-6265

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/graphics/llpp/Makefile
  branches/2016Q4/graphics/mupdf/Makefile
  branches/2016Q4/graphics/mupdf/files/patch-scripts_fontdump.c
  branches/2016Q4/graphics/mupdf/files/patch-source__fitz__load-jpx.c
  branches/2016Q4/graphics/mupdf/files/patch-source_pdf_pdf-shade.c
  branches/2016Q4/graphics/mupdf/files/patch-source_pdf_pdf-xref.c
  branches/2016Q4/graphics/zathura-pdf-mupdf/Makefile
Comment 5 commit-hook freebsd_committer 2016-10-12 00:49:43 UTC
A commit references this bug:

Author: feld
Date: Wed Oct 12 00:49:01 UTC 2016
New revision: 423813
URL: https://svnweb.freebsd.org/changeset/ports/423813

Log:
  Document mupdf vulnerabilities

  PR:		212207
  Security:	CVE-2016-6525
  Security:	CVE-2016-6265

Changes:
  head/security/vuxml/vuln.xml
Comment 6 Mark Felder freebsd_committer 2016-10-12 00:50:18 UTC
Committed, thanks for your submission!