CVE-2018-1000038

NameCVE-2018-1000038
DescriptionIn MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute arbitrary code via a crafted file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mupdf (PTS)jessie (security), jessie1.5-1+deb8u4fixed
stretch1.9a+ds1-4+deb9u3vulnerable
stretch (security)1.9a+ds1-4+deb9u4vulnerable
buster, sid1.14.0+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mupdfsource(unstable)1.13.0+ds1-1medium
mupdfsourcejessie(not affected)
mupdfsourcewheezy(not affected)

Notes

[jessie] - mupdf <not-affected> (vulnerable code not present)
[wheezy] - mupdf <not-affected> (vulnerable code not present)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5494
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=71ceebcf56e682504da22c4035b39a2d451e8ffd;hp=7f82c01523505052615492f8e220f4348ba46995
http://git.ghostscript.com/?p=mupdf.git;a=commitdiff;h=f597300439e62f5e921f0d7b1e880b5c1a1f1607;hp=093fc3b098dc5fadef5d8ad4b225db9fb124758b

Search for package or bug name: Reporting problems