Date: Wed, 18 Oct 2017 15:33:12 +0800 From: amon <amon@...dynarwhals.org> To: oss-security@...ts.openwall.com Subject: MuPDF mutools Out-of-Bounds Write Vulnerability (CVE-2017-15587) A vulnerability in mutools PDF parsing functionality allows an attacker to write controlled data to an arbitrary location in memory due to an integer overflow when performing truncated xref checks. Fix: http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8 Writeup: https://nandynarwhals.org/CVE-2017-15587/ Timeline 28 Sept 2017 - Discovery of the vulnerability. 28 Sept 2017 - Disclosure ( https://bugs.ghostscript.com/show_bug.cgi?id=698605) of vulnerability to the vendor and to Debian Security Team. 16 Oct 2017 - Vendor fixes the issue in git commit ( http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8 ). 18 Oct 2017 - CVE-2017-15587 assigned to the issue. 18 Oct 2017 - Publication of the vulnerability details. This issue was discovered by Terry Chia (Ayrx) and Jeremy Heng (nn_amon).
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.