Hi,

On Sun, Oct 16, 2016 at 02:51:06PM +0200, Salvatore Bonaccorso wrote:
> Source: mupdf
> Version: 1.5-1
> Severity: grave
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for mupdf.
>
> CVE-2016-8674[0]:
> heap-use-after-free
>
> The issue is reproducible with src:mupdf compiled with ASAN, and two
> reproducers are available on the two referenced bugs below.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8674
> [1] https://marc.info/?l=oss-security&m=147658659118554&w=2
> [2] https://blogs.gentoo.org/ago/2016/09/22/mupdf-use-after-free-in-pdf_to_num-pdf-object-c/
> [3] http://bugs.ghostscript.com/show_bug.cgi?id=697015
> [4] http://bugs.ghostscript.com/show_bug.cgi?id=697019
> [5] http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec

Any progress on this issue for unstable? Currently src:mupdf is at risk of not being included in stretch and autoremoved on 14th of November.

Regards,
Salvatore