This update for mupdf to version 1.12.0 fixes several issues.
These security issues were fixed:
- CVE-2018-5686: Prevent infinite loop in pdf_parse_array function because EOF
is not considered. Remote attackers could leverage this vulnerability to cause
a denial of service via a crafted pdf file (bsc#1075936).
- CVE-2017-15369: The build_filter_chain function in pdf/pdf-stream.c
mishandled a case where a variable may reside in a register, which allowed
remote attackers to cause a denial of service (Fitz fz_drop_imp use-after-free
and application crash) or possibly have unspecified other impact via a crafted
PDF document (bsc#1063413).
- CVE-2017-15587: Prevent integer overflow in pdf_read_new_xref_section that
allowed for DoS (bsc#1064027).
- CVE-2017-17866: Fixed mishandling of length changes when a repair operation
occured during a clean operation, which allowed remote attackers to cause a
denial of service (buffer overflow and application crash) or possibly have
unspecified other impact via a crafted PDF document (bsc#1074116).
- CVE-2017-17858: Fixed a heap-based buffer overflow in the ensure_solid_xref
function which allowed a remote attacker to potentially execute arbitrary
code via a crafted PDF file, because xref subsection object numbers were
unrestricted (bsc#1077161).
For non-security changes please refer to the changelog.
- Submitted by Karol Babioch (kbabioch)