Null pointer dereference in mupdf (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-5991 |
| CWE-ID | CWE-476 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
mupdf (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Null pointer dereference
EUVDB-ID: #VU6921
Risk: Low
CVSSv4.0: N/A
CVE-ID: CVE-2017-5991
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: Yes
DescriptionAn issue was discovered in Artifex Software, Inc. MuPDF before 1912de5f08e90af1d9d0a9791f58ba3afdb9d465. The pdf_run_xobject function in pdf-op-run.c encounters a NULL pointer dereference during a Fitz fz_paint_pixmap_with_mask painting operation.
MitigationInstall update from vendor's website.
Vulnerable software versionsmupdf (Alpine package): 1.10a-r0 - 1.10a-r1-r0
CPE2.3- cpe:2.3:a:alpine:mupdf_alpine_package:1.10a-r0:*:*:*:*:alpine_linux:*:3.4
- cpe:2.3:a:alpine:mupdf_alpine_package:1.10a-r1:*:*:*:*:alpine_linux:*:3.4
- cpe:2.3:a:alpine:mupdf_alpine_package:1.10a-r1-r0:*:*:*:*:alpine_linux:*:3.5
https://git.alpinelinux.org/aports/commit/?id=d9c3c9c209f455ed747c905497cfdbfd57baa2c8
https://git.alpinelinux.org/aports/commit/?id=a37e8e2452f86c5f3f46ddade5026a55b924f8a3
https://git.alpinelinux.org/aports/commit/?id=44aebd4a522b8f5af47f212181d7fdc9a0003025
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
