1Vanchen

**Name of the Vulnerable Software and Affected Versions** Artifex Software MuPDF version 1.17.0 **Description** A memory leak issue in the `/pdf/pdf-font-add.c` file allows attackers to obtain sensitive information. **Recommendations** For Artifex Software MuPDF version 1.17.0, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2 **Description** The issue is related to an Integer Overflow vulnerability in the qsvghandler.cpp component of Qt qtsvg, allowing local attackers to cause a denial of service (DoS). This vulnerability can be exploited by attackers to disrupt service. **Recommendations** For Qt qtsvg version 5.15.1, update to a version that fixes the Integer Overflow vulnerability in qsvghandler.cpp. For Qt qtsvg version 6.0.0, update to a version that fixes the Integer Overflow vulnerability in qsvghandler.cpp. For Qt qtsvg version 6.0.2, update to a version that fixes the Integer Overflow vulnerability in qsvghandler.cpp. For Qt qtsvg version 6.2, update to a version that fixes the Integer Overflow vulnerability in qsvghandler.cpp. As a temporary workaround, consider restricting access to the qsvghandler.cpp component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** DjVuLibre versions 3.5.28 and earlier **Description** A flaw was found in the function `DJVU::GBitmap::decode()` that handles crafted djvu files, leading to a heap buffer overflow. This may cause an application crash and potentially allow a remote attacker to execute arbitrary code on the target system using a specially crafted djvu file. **Recommendations** For DjVuLibre versions 3.5.28 and earlier, as a temporary workaround, consider disabling the `DJVU::GBitmap::decode()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DjVuLibre versions 3.5.28 and earlier **Description** The issue is related to an integer overflow in the `render()` function in the tools/ddjvu component of DjVuLibre. This can be exploited by a remote attacker using a crafted djvu file, potentially leading to an application crash and other consequences. **Recommendations** For DjVuLibre versions 3.5.28 and earlier, consider disabling the `render()` function in tools/ddjvu as a temporary workaround until a patch is available. Restrict the use of crafted djvu files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** djvulibre versions 3.5.28 and earlier **Description** A flaw in the DJVU::filter bv() function allows for an out of bounds write via a crafted djvu file, potentially leading to an application crash. The vulnerability may also enable a remote attacker to execute arbitrary code on the target system using a specially crafted djvu file. **Recommendations** For versions 3.5.28 and earlier, consider disabling the DJVU::filter bv() function as a temporary workaround until a patch is available. Restrict access to djvu files from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** djvulibre versions 3.5.28 and earlier **Description** A flaw was found in the function `DJVU::DjVuDocument::get djvu file()` that can cause a stack overflow via a crafted djvu file, potentially leading to an application crash and other consequences. The vulnerability may allow a remote attacker to execute arbitrary code. **Recommendations** For versions 3.5.28 and earlier, consider disabling the `DJVU::DjVuDocument::get djvu file()` function as a temporary workaround until a patch is available. Restrict access to crafted djvu files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FFmpeg version 4.3.2 **Description** The issue is related to an integer overflow vulnerability in the `av timecode make string` function of the `libavutil/timecode.c` component in FFmpeg. This vulnerability allows local attackers to cause a denial of service (DoS) via a crafted .mov file. **Recommendations** For FFmpeg version 4.3.2, consider updating to a newer version to mitigate the risk, as the current version is affected by the integer overflow vulnerability in the `av timecode make string` function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.