
oss-sec mailing list archives
MuPDF mutools Out-of-Bounds Write Vulnerability (CVE-2017-15587)
From: amon <amon () nandynarwhals org>
Date: Wed, 18 Oct 2017 15:33:12 +0800
A vulnerability in mutools PDF parsing functionality allows an attacker to write controlled data to an arbitrary location in memory due to an integer overflow when performing truncated xref checks.

Fix: http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8
Writeup: https://nandynarwhals.org/CVE-2017-15587/

Timeline

28 Sept 2017 - Discovery of the vulnerability.
28 Sept 2017 - Disclosure (https://bugs.ghostscript.com/show_bug.cgi?id=698605) of vulnerability to the vendor and to Debian Security Team.
16 Oct 2017 - Vendor fixes the issue in git commit (http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8).
18 Oct 2017 - CVE-2017-15587 assigned to the issue.
18 Oct 2017 - Publication of the vulnerability details.

This issue was discovered by Terry Chia (Ayrx) and Jeremy Heng (nn_amon).
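
An illustration of the bug class the advisory names, added here and not part of the original post or of MuPDF's code: a range check whose sum wraps in 32 bits, next to a form that cannot wrap. The function names, the unsigned 32-bit types and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this models the bug class only,
 * not the MuPDF source. */

/* Weak check: start + count is computed in 32 bits and can wrap past zero,
 * so a huge start with a small count yields a small "end" that passes. */
static int range_ok_weak(uint32_t start, uint32_t count, uint32_t table_len)
{
    uint32_t end = start + count;   /* wraps modulo 2^32 */
    return end <= table_len;
}

/* Hardened check: compares without adding, so nothing can wrap.
 * table_len - count is only evaluated once count <= table_len holds. */
static int range_ok_safe(uint32_t start, uint32_t count, uint32_t table_len)
{
    return count <= table_len && start <= table_len - count;
}

int main(void)
{
    /* Constructed sample values, not taken from any real PDF. */
    const uint32_t table_len = 1024;
    const struct { uint32_t start, count; } cases[] = {
        { 10u, 20u },            /* in range */
        { 1000u, 100u },         /* runs past the end of the table */
        { 0xFFFFFFF0u, 0x20u },  /* sum wraps to 0x10 */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("start=%#x count=%#x weak=%d safe=%d\n",
               (unsigned)cases[i].start, (unsigned)cases[i].count,
               range_ok_weak(cases[i].start, cases[i].count, table_len),
               range_ok_safe(cases[i].start, cases[i].count, table_len));
    }
    return 0;
}
```

Only the third case separates the two checks: the weak form accepts a range that lies far outside the table, which is the condition under which a later indexed write lands out of bounds.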