Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 Oct 2017 15:33:12 +0800
From: amon <amon@...dynarwhals.org>
To: oss-security@...ts.openwall.com
Subject: MuPDF mutools Out-of-Bounds Write Vulnerability (CVE-2017-15587)

A vulnerability in mutools PDF parsing functionality allows an attacker to
write controlled data to an arbitrary location in memory due to an integer
overflow when performing truncated xref checks.

Fix:
http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8
Writeup: https://nandynarwhals.org/CVE-2017-15587/

Timeline
28 Sept 2017 - Discovery of the vulnerability.
28 Sept 2017 - Disclosure (
https://bugs.ghostscript.com/show_bug.cgi?id=698605) of vulnerability to
the vendor and to Debian Security Team.
16 Oct 2017 - Vendor fixes the issue in git commit (
http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8
).
18 Oct 2017 - CVE-2017-15587 assigned to the issue.
18 Oct 2017 - Publication of the vulnerability details.

This issue was discovered by Terry Chia (Ayrx) and Jeremy Heng (nn_amon).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.