===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2691.2
                           mupdf security update
                             13 November 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mupdf
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15587 CVE-2017-14687 CVE-2017-14686
                   CVE-2017-14685

Original Bulletin:
   http://www.debian.org/security/2017/dsa-4006

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running mupdf check for an updated version of the software for
         their operating system.

Revision History:  November 13 2017: It was discovered that the original
                                     patch applied for CVE-2017-15587 in
                                     DSA-4006-1 was incomplete
                   October 25 2017:  Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4006-2                   security@debian.org
https://www.debian.org/security/
November 10, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2017-15587
Debian Bug     : 879055

It was discovered that the original patch applied for CVE-2017-15587 in
DSA-4006-1 was incomplete. Updated packages are now available to address
this problem. For reference, the relevant part of the original advisory
text follows.

CVE-2017-15587

    Terry Chia and Jeremy Heng discovered an integer overflow that can
    cause arbitrary code execution via a crafted .pdf file.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.5-1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 1.9a+ds1-4+deb9u2.

We recommend that you upgrade your mupdf packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================