Bug 1452544 (CVE-2016-8728, CVE-2016-8729)

Summary: CVE-2016-8728 CVE-2016-8729 mupdf: Multiple vulnerabilities
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: pzhukov
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-09 16:05:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1452545
Bug Blocks:

Description Andrej Nemec 2017-05-19 07:41:50 UTC
Two vulnerabilities in mupdf were published by Talos.

CVE-2016-8729 - Artifex MuPDF JBIG2 Parser Code Execution Vulnerability

An exploitable memory corruption vulnerability exists in the JBIG2 parser of Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be passed to a memset, resulting in memory corruption and potential code execution. An attacker can specially craft a PDF and send it to the victim to trigger this vulnerability.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0243

CVE-2016-8728 - MuPDF Fitz library font glyph scaling Code Execution Vulnerability

An exploitable heap out-of-bounds write vulnerability exists in the Fitz graphical library, part of the MuPDF renderer. A specially crafted PDF file can cause an out-of-bounds write resulting in heap metadata and sensitive process memory corruption, leading to potential code execution. The victim needs to open the specially crafted file in a vulnerable reader in order to trigger this vulnerability.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0242%20
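
The "negative number passed to a memset" pattern that the CVE-2016-8729 description refers to, shown as an added illustrative C example. This is not MuPDF's code and does not reproduce the actual JBIG2 parser; `struct region_hdr`, `MAX_REGION_BYTES` and every function name are assumptions made for the illustration. The point is the implicit int-to-size_t conversion: a signed product that goes negative becomes a value near SIZE_MAX once it reaches memset's `size_t` parameter, and the hardened variant validates dimensions in unsigned arithmetic before any buffer is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative region header, as a JBIG2-style parser might decode it
 * from the file.  The field names are assumptions, not MuPDF's. */
struct region_hdr {
    int32_t width;   /* pixels, attacker-controlled */
    int32_t height;  /* rows, attacker-controlled */
};

/* Assumed upper bound on a region bitmap; real decoders pick their own. */
#define MAX_REGION_BYTES ((size_t)256 * 1024 * 1024)

/* The size memset() would actually receive in the buggy pattern: signed
 * arithmetic on untrusted dimensions, then an implicit int -> size_t
 * conversion.  Any negative intermediate becomes a value near SIZE_MAX. */
size_t region_size_as_passed(const struct region_hdr *h)
{
    int stride = (h->width + 7) / 8;   /* bytes per row */
    int size = stride * h->height;     /* may go negative */
    return (size_t)size;               /* what memset(buf, 0, size) sees */
}

/* Buggy clearing routine: trusts the signed product.  With a negative
 * height this writes far past the end of buf.  Never call it with
 * untrusted dimensions; it exists only to show the pattern. */
void region_clear_unsafe(unsigned char *buf, const struct region_hdr *h)
{
    int stride = (h->width + 7) / 8;
    memset(buf, 0, stride * h->height);  /* negative int -> huge size_t */
}

/* Hardened sizing: reject non-positive dimensions, do the arithmetic in
 * size_t, check for overflow, and cap the result.  Returns 1 and stores
 * the byte count in *out (when out is non-NULL) on success, 0 on rejection. */
int region_size_checked(const struct region_hdr *h, size_t *out)
{
    if (h->width <= 0 || h->height <= 0)
        return 0;
    size_t w = (size_t)h->width, rows = (size_t)h->height;
    size_t stride = (w + 7) / 8;         /* >= 1 because w > 0 */
    if (rows > SIZE_MAX / stride)
        return 0;                        /* stride * rows would wrap */
    size_t bytes = stride * rows;
    if (bytes > MAX_REGION_BYTES)
        return 0;
    if (out)
        *out = bytes;
    return 1;
}

/* Safe clearing: allocate and zero only a validated size. */
unsigned char *region_alloc_clear(const struct region_hdr *h, size_t *len)
{
    size_t bytes;
    if (!region_size_checked(h, &bytes))
        return NULL;
    unsigned char *buf = calloc(1, bytes);  /* zeroed, bounded */
    if (buf && len)
        *len = bytes;
    return buf;
}

int main(void)
{
    struct region_hdr good = { 64, 32 };  /* constructed: 8-byte stride, 256 bytes */
    struct region_hdr bad  = { 8, -1 };   /* constructed: negative height */
    size_t n = 0;

    printf("good region: memset size %zu\n", region_size_as_passed(&good));
    printf("bad region:  memset size %zu (from int -1)\n", region_size_as_passed(&bad));
    int ok = region_size_checked(&good, &n);
    printf("checked good: %d, bytes %zu\n", ok, n);
    printf("checked bad:  %d\n", region_size_checked(&bad, NULL));

    unsigned char *buf = region_alloc_clear(&good, &n);
    free(buf);
    return 0;
}
```

The same check generalises to any decoder that derives a buffer length from file-supplied dimensions: do the multiplication in the unsigned type the allocator and memset actually take, test for wrap-around before multiplying, and bound the result, so a hostile header is rejected before it can reach a heap write.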

Comment 1 Andrej Nemec 2017-05-19 07:42:14 UTC
Created mupdf tracking bugs for this issue:

Affects: fedora-all [bug 1452545]

Comment 2 Pavel Zhukov 2017-05-19 07:50:06 UTC
(In reply to Andrej Nemec from comment #0)
> Two vulnerabilities in mupdf were published by Talos.
> 
> CVE-2016-8729 - Artifex MuPDF JBIG2 Parser Code Execution Vulnerability
> 
> An exploitable memory corruption vulnerability exists in the JBIG2 parser of
> Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be
> passed to a memset resulting in memory corruption and potential code
> execution. An attacker can specially craft a PDF and send it to the victim to
> trigger this vulnerability.
> 
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0243
Does the security team check whether Fedora's versions are affected at all? This is not related. Mupdf doesn't ship openjpeg but uses the one provided by the openjpeg package.
> 
> CVE-2016-8728 - MuPDF Fitz library font glyph scaling Code Execution
> Vulnerability
> 
> An exploitable heap out of bounds write vulnerability exists in the Fitz
> graphical library part of the MuPDF renderer. A specially crafted PDF file
> can cause an out-of-bounds write resulting in heap metadata and sensitive
> process memory corruption leading to potential code execution. Victim needs
> to open the specially crafted file in a vulnerable reader in order to
> trigger this vulnerability.
> 
> https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0242

404. Can you please provide the correct link?

Comment 3 Andrej Nemec 2017-05-19 08:13:48 UTC
(In reply to Pavel Zhukov from comment #2)
> (In reply to Andrej Nemec from comment #0)
> > Two vulnerabilities in mupdf were published by Talos.
> > 
> > CVE-2016-8729 - Artifex MuPDF JBIG2 Parser Code Execution Vulnerability
> > 
> > An exploitable memory corruption vulnerability exists in the JBIG2 parser of
> > Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be
> > passed to a memset resulting in memory corruption and potential code
> > execution. An attacker can specially craft a PDF and send it to the victim to
> > trigger this vulnerability.
> > 
> > https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0243
> Does the security team check whether Fedora's versions are affected at all?
> This is not related. Mupdf doesn't ship openjpeg but uses the one provided
> by the openjpeg package.
> > 

For Fedora I mostly do a check of koji/manifests. I would rather have a bogus flaw such as this than an uncaught vulnerability. But as far as mupdf goes you are a very good maintainer; that's why I was thinking of not filing this at all. If there is anything I can do to improve the process for you, let me know.

> > CVE-2016-8728 - MuPDF Fitz library font glyph scaling Code Execution
> > Vulnerability
> > 
> > An exploitable heap out of bounds write vulnerability exists in the Fitz
> > graphical library part of the MuPDF renderer. A specially crafted PDF file
> > can cause an out-of-bounds write resulting in heap metadata and sensitive
> > process memory corruption leading to potential code execution. Victim needs
> > to open the specially crafted file in a vulnerable reader in order to
> > trigger this vulnerability.
> > 
> > https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0242
> 
> 404. Can you please provide with correct link?

Sorry, it seems that Talos provided a URL with whitespace at the end.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0242%20