PT-2017-13623 · Artifex · Artifex Mupdf
Wanglin
·
Published
2017-09-22
·
Updated
2017-11-05
·
CVE-2017-14686
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Artifex MuPDF version 1.11
Description
The issue allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file. This is related to a "User Mode Write AV near NULL" error on Windows, specifically at wow64!Wow64NotifyDebugger+0x000000000000001d. The problem arises because the
read zip dir imp function in fitz/unzip.c does not check whether size fields in a ZIP entry are negative numbers.Recommendations
For Artifex MuPDF version 1.11, consider restricting the processing of .xps files until a patch is available. As a temporary workaround, avoid using the
read zip dir imp function in fitz/unzip.c for handling ZIP entries with potentially negative size fields.Exploit
Fix
DoS
Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Artifex Mupdf