Operating System:

[WIN][UNIX/Linux][Debian]

Published:

13 November 2017

Protect yourself against future threats.

//Service

AusCERT Education

Enhance your knowledge with our exceptional one day training offerings for individuals and organisations

Read more
Resources > Security Bulletins > ESB-2017.2691.2 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2691.2
                           mupdf security update
                             13 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mupdf
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15587 CVE-2017-14687 CVE-2017-14686
                   CVE-2017-14685  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4006

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running mupdf check for an updated version of the software for their
         operating system.

Revision History:  November 13 2017: It was discovered that the original patch 
			             applied for CVE-2017-15587 in DSA-4006-1 was 
                                     incomplete
                   October  25 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4006-2                   security@debian.org
https://www.debian.org/security/                                         
November 10, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2017-15587
Debian Bug     : 879055

It was discovered that the original patch applied for CVE-2017-15587
in DSA-4006-1 was incomplete. Updated packages are now available to
address this problem. For reference, the relevant part of the original
advisory text follows.

CVE-2017-15587

    Terry Chia and Jeremy Heng discovered an integer overflow that can
    cause arbitrary code execution via a crafted .pdf file.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.5-1+deb8u3.

For the stable distribution (stretch), this problem have been fixed in
version 1.9a+ds1-4+deb9u2.

We recommend that you upgrade your mupdf packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAloGD7UACgkQbsLe9o/+
N3SHXw//XanAOryOk4TuF8kEFZ3/TPdryr/64h9e9h6JC5Ro0BHX5687agJ+aDwW
D1gBgULOsdwZqppRpnT8bcIJmb9KUQPhfbeeQyhkDA7DzpAZRZunpg+Wlbe+saGA
ifrZss3y5Ys1w1PJOTOJxwKfWdwHDVwa4Z5Tj18zNBGKLM7LI9bbQ7evcKMob3rB
/SsWz0/R+GKZR5M18/0+YKIVllIH0eQI4ZCGu3FkP3oEwbdidtJP1rdc4sZWRmCk
NnJw7cotwNmAKlMUCapzK4BMEqMRmT+3eHi+UcIfh2MxDG3ecGF+Ev4Ok3H12FwG
4c3QJFaOMItMbl8U+Av7T6IwIHFPYJoCHEUekiNFIy0U7pLimE53dpZvcLM2Is9d
lqDN203nqio1znTPemafqFDCD6E+m8DDegkvAkZ/XDPuTikr4Zlp9NXsq3R54V5l
K3LjPhR7HEtu5YbhSHdnZ5Tj1WU765PTXhmu/off4GuKJV/1fRAsZ54fkPtlew0f
0Qj3pabBFNcElB2b81xjVEMHP8WdYyEoUASRUnGdbsZxEmx39ZI0j2Zu6kHJIhTO
hwhSUUmx98qBE6pq+97mXoiD4cBOqE309ycDaRWxWq16bBh7u04bv002ROZLqIrg
WY0zre1W4BQuSj7GzO1BMzNBdyuoXu0GgQ5yslgy8TkIb/BbHuU=
=gE7H
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWgjcQIx+lLeg9Ub1AQiloA/+OJz6JNwY9jA2O6Vt4bJu7Rr/BU2fmjkh
SoU/vEGXY9kdNfy6HmL9REhlPbP13j3Fi0DO9TtkkVKC72cLYkpVgrlj+R9RM2Mb
ew24JbFIuC2PBuzoTUo4kl4qLM0MsDW1dw5kFmm4q8IJtHeMGHA7U6Oja6Ip1LO3
aiLCaJfsz0KqXexiCUjmGFlGYqgIhAaZ5t2PVNLgqXg/npadBKVpTFnccMUEmf4K
cXH3ojBEIP0xy5Rv9vAGOAlvasOUhe0awSLzHX8y4rIQ71PJTCz/LrlzkF6JVcbn
LR3fIpXaGdMEdg3kAwfpggAnGajzZsJeLQoL3ErXCi7RkugDCYbAXeAC9BaqPW7S
2j82sLWPhfwO4FDCfGEIarA5q674II0UPCkpu3llW1lGZ0+J4hBYzXzzSwmuwQof
5SmHTRWgLOUoqUVK/pl7Hj1HpeFiqYd1JD+ZgahneaICPYsH8nSjF1QZPBk6ThEx
Op1/kD5sMNOhj5rJnhMghwP1CAVkDfVHIAPwoF8ZxrG070a4WOC2lFe2DaD8gxN8
AHEI8iRXGygxCkLHDzsz4wNnKZLsHsdEJ9EcKRfNtlrgfOBzOxMcFK4YlYIac+tX
RMkGvnJm9Y58anLnQUX5BQo3ijEA8y5RETeY0YvDdiPrzL5nCyPuLS/UY3nIFXTx
9C/vDAVgCtA=
=AJz0
-----END PGP SIGNATURE-----