Date: Sat, 27 Aug 2016 22:44:58 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 212207] graphics/mupdf: CVE-2016-6525, CVE-2016-6265
Message-ID: <bug-212207-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212207

            Bug ID: 212207
           Summary: graphics/mupdf: CVE-2016-6525, CVE-2016-6265
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: needs-qa, patch, security
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: t@tobik.me
                CC: udvzsolt@gmail.com
 Attachment #174138 Flags: maintainer-approval?(udvzsolt@gmail.com)
                CC: udvzsolt@gmail.com
             Flags: maintainer-feedback?(udvzsolt@gmail.com), merge-quarterly?

Created attachment 174138
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=174138&action=edit
mupdf.diff

Seen on the OpenBSD Ports mailing list. These should affect the version in
the FreeBSD ports tree too.

This also affects graphics/llpp and graphics/zathura-pdf-mupdf since both
statically link with mupdf.

I'm attaching a patch that bumps portrevisions of all 3 ports and includes
patches that are supposed to fix these issues.

OpenBSD commit message:
-------------------------
revision 1.65
date: 2016/08/27 20:58:48;  author: jca;  state: Exp;  lines: +2 -2;  commitid: 7TTHy8bFvHVkME08;
SECURITY fixes for CVE-2016-6525 & CVE-2016-6265

CVE-2016-6525 heap overflow in pdf_load_mesh_params()
CVE-2016-6265 use-after-free

Reported by & looks good to stsp@, ok sthen@ (maintainer)
------------------------

More info:
- https://marc.info/?l=oss-security&m=147022667716011&w=2
- https://marc.info/?l=oss-security&m=146911020216511&w=2

I haven't done any test builds in Poudriere yet. Mupdf still builds fine
outside of it however. Doing poudriere builds will take a while.

-- 
You are receiving this mail because:
You are the assignee for the bug.