Ubuntu alert USN-7825-1 (mupdf)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-7825-1] MuPDF vulnerabilities
Date: Fri, 17 Oct 2025 01:01:49 +0000
Message-ID: <E1v9Yqr-0007v0-Gu@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-7825-1
October 16, 2025

mupdf vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in MuPDF.

Software Description:
- mupdf: A lightweight open source software framework for viewing and
  converting PDF, XPS, and E-book documents

Details:

It was discovered that MuPDF incorrectly managed memory, resulting in a
memory leak. An attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-1000036)

It was discovered that MuPDF could enter an infinite loop when parsing
certain PDF files. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 18.04 LTS.
(CVE-2018-10289)

It was discovered that MuPDF incorrectly managed memory, possibly leading
to a segmentation fault. An attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 18.04 LTS.
(CVE-2018-16647, CVE-2018-16648)

It was discovered that MuPDF contained a use-after-free vulnerability. An
attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-21896)

It was discovered that MuPDF incorrectly managed memory, resulting in a
memory leak. An attacker could possibly use this issue to cause a denial
of service or obtain sensitive information. This issue only affected
Ubuntu 20.04 LTS. (CVE-2020-26683)

Maxim Mishechkin, Vitalii Akolzin, Shamil Kurmangaleev, Denis Straghkov,
Fedor Nis'kov and Ivan Gulakov discovered that MuPDF incorrectly managed
memory under certain circumstances, leading to a double-free. An attacker
could possibly use this to cause a denial of service. This issue only
affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-3407)

Xuwei Liu discovered that MuPDF may perform an out-of-bounds write under
certain circumstances. An attacker could possibly use this issue to cause
a denial of service. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-37220)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  libmupdf-dev                    1.16.1+ds1-1ubuntu1+esm1
                                  Available with Ubuntu Pro
  mupdf                           1.16.1+ds1-1ubuntu1+esm1
                                  Available with Ubuntu Pro
  mupdf-tools                     1.16.1+ds1-1ubuntu1+esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libmupdf-dev                    1.12.0+ds1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  mupdf                           1.12.0+ds1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  mupdf-tools                     1.12.0+ds1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libmupdf-dev                    1.7a-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  mupdf                           1.7a-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  mupdf-tools                     1.7a-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7825-1
  CVE-2018-1000036, CVE-2018-10289, CVE-2018-16647, CVE-2018-16648,
  CVE-2020-21896, CVE-2020-26683, CVE-2021-3407, CVE-2021-37220

Attachment: signature.asc (type=application/pgp-signature)
