From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: mupdf vulnerable to CVE-2021-3407
From: Léo Le Bouter
To: guix-devel@gnu.org
Date: Wed, 03 Mar 2021 21:53:11 +0100
List-Id: "Development of GNU Guix and the GNU System distribution."

CVE-2021-3407 24.02.21 00:15
A flaw was found in mupdf 1.18.0. Double free of object during
linearization may lead to memory corruption and other potential
consequences.

mupdf has made no release yet, so you need to cherry-pick the commit:
https://git.ghostscript.com/?p=mupdf.git;a=log;h=cee7cefc610d42fd383b3c80c12cbc675443176a