Bug 863975 - (CVE-2014-2013) VUL-0: CVE-2014-2013: mupdf: stack-based buffer overflow in xps_parse_color()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2014-02-14 10:01 UTC by Alexander Bergmann
Modified: 2014-03-03 20:26 UTC

Found By: Security Response Team

Description Alexander Bergmann 2014-02-14 10:01:17 UTC
Via OSS:12131

A stack-based buffer overflow was found inside the xps_parse_color() function of mupdf.

This affects only openSUSE:13.1 and Factory.

References:
http://bugs.ghostscript.com/show_bug.cgi?id=694957
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=60dabde18d7fe12b19da8b509bdfee9cc886aafc
https://bugzilla.redhat.com/show_bug.cgi?id=1056699
http://comments.gmane.org/gmane.comp.security.oss.general/12131
Comment 1 Dr. Werner Fink 2014-02-14 10:17:39 UTC
Who has set me as maintainer of mupdf? I've no time to handle this and I've never ever touched the source code of mupdf.
Comment 4 Guido Berhoerster 2014-02-14 10:26:08 UTC
(In reply to comment #1)
> Who has set me as maintainer of mupdf? I've no time to handle this and I've
> never ever touched the source code of mupdf.

I think you're the project maintainer of Publishing. You can hand over maintainership to me, I've just submitted a fix and apparently I'm the only one caring about it and de-facto maintainer anyway.
Comment 5 Adrian Schröter 2014-02-14 10:29:25 UTC
Guido, great, just set yourself as bugowner in that package.

 osc bugowner -s $your_account Publishing mupdf

thanks a lot!
Comment 6 Guido Berhoerster 2014-02-14 10:40:32 UTC
(In reply to comment #5)
> Guido, great, just set yourself as bugowner in that package.

I don't have the necessary permissions, you'll have to do that for me.
Comment 7 Adrian Schröter 2014-02-14 10:48:26 UTC
Werner, can you grant Guido maintainer rights there?

The command would work anyway though, since it just creates a set_bugowner request when you have no maintainer rights ...
Comment 8 Swamp Workflow Management 2014-02-14 23:00:20 UTC
bugbot adjusting priority
Comment 9 Bernhard Wiedemann 2014-02-15 11:01:10 UTC
This is an autogenerated message for OBS integration:
This bug (863975) was mentioned in
https://build.opensuse.org/request/show/222432 13.1 / mupdf
Comment 10 Bernhard Wiedemann 2014-02-18 04:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (863975) was mentioned in
https://build.opensuse.org/request/show/222656 Factory / mupdf
Comment 11 Guido Berhoerster 2014-02-19 21:49:03 UTC
This is CVE-2014-2013 now.
Comment 12 Bernhard Wiedemann 2014-02-19 22:00:52 UTC
This is an autogenerated message for OBS integration:
This bug (863975) was mentioned in
https://build.opensuse.org/request/show/223162 13.1 / mupdf
Comment 13 Marcus Meissner 2014-02-28 10:05:00 UTC
released
Comment 14 Swamp Workflow Management 2014-02-28 10:05:10 UTC
openSUSE-SU-2014:0309-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 863975
CVE References: CVE-2014-2013
Sources used:
openSUSE 13.1 (src):    mupdf-1.2-5.4.1