Vulnerabilities > CVE-2016-6265 - Use After Free vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of service (crash) via a crafted PDF file.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-926.NASL description This update for mupdf fixes the following issues : Security issues fixed : - CVE-2016-6265: Fixed a use-after-free issue (boo#990195). last seen 2020-06-05 modified 2016-08-04 plugin id 92715 published 2016-08-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92715 title openSUSE Security Update : mupdf (openSUSE-2016-926) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2016-926. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(92715); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-6265"); script_name(english:"openSUSE Security Update : mupdf (openSUSE-2016-926)"); script_summary(english:"Check for the openSUSE-2016-926 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for mupdf fixes the following issues : Security issues fixed : - CVE-2016-6265: Fixed a use-after-free issue (boo#990195)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=990195" ); script_set_attribute( attribute:"solution", value:"Update the affected mupdf packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mupdf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mupdf-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mupdf-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mupdf-devel-static"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.2|SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2 / 42.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.2", reference:"mupdf-1.5-2.3.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mupdf-debuginfo-1.5-2.3.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mupdf-debugsource-1.5-2.3.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mupdf-devel-static-1.5-2.3.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mupdf-1.7a-7.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mupdf-debuginfo-1.7a-7.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mupdf-debugsource-1.7a-7.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mupdf-devel-static-1.7a-7.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mupdf / mupdf-debuginfo / mupdf-debugsource / mupdf-devel-static"); }NASL family Fedora Local Security Checks NASL id FEDORA_2017-6FE982684D.NASL description New release (1.10a). Security fix for CVE-2016-6265 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-03-01 plugin id 97453 published 2017-03-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97453 title Fedora 25 : mupdf (2017-6fe982684d) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-6fe982684d. # include("compat.inc"); if (description) { script_id(97453); script_version("3.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-6265"); script_xref(name:"FEDORA", value:"2017-6fe982684d"); script_name(english:"Fedora 25 : mupdf (2017-6fe982684d)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "New release (1.10a). Security fix for CVE-2016-6265 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-6fe982684d" ); script_set_attribute(attribute:"solution", value:"Update the affected mupdf package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mupdf"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/22"); script_set_attribute(attribute:"patch_publication_date", value:"2017/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC25", reference:"mupdf-1.10a-1.fc25")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mupdf"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201702-12.NASL description The remote host is affected by the vulnerability described in GLSA-201702-12 (MuPDF: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MuPDF. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted PDF document using MuPDF possibly resulting in the execution of arbitrary code, with the privileges of the process, or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 97255 published 2017-02-21 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/97255 title GLSA-201702-12 : MuPDF: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3655.NASL description Two vulnerabilities were discovered in MuPDF, a lightweight PDF viewer. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2016-6265 Marco Grassi discovered a use-after-free vulnerability in MuPDF. An attacker can take advantage of this flaw to cause an application crash (denial-of-service), or potentially to execute arbitrary code with the privileges of the user running MuPDF, if a specially crafted PDF file is processed. - CVE-2016-6525 Yu Hong and Zheng Jihong discovered a heap overflow vulnerability within the pdf_load_mesh_params function, allowing an attacker to cause an application crash (denial-of-service), or potentially to execute arbitrary code with the privileges of the user running MuPDF, if a specially crafted PDF file is processed. last seen 2020-06-01 modified 2020-06-02 plugin id 93134 published 2016-08-29 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93134 title Debian DSA-3655-1 : mupdf - security update NASL family Fedora Local Security Checks NASL id FEDORA_2017-844445F2AA.NASL description Security fix for CVE-2016-6265 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-03-02 plugin id 97482 published 2017-03-02 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97482 title Fedora 24 : mupdf (2017-844445f2aa) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_47157C14901311E6A59014DAE9D210B8.NASL description Tobias Kortkamp reports : Heap-based buffer overflow in the pdf_load_mesh_params function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a large decode array. Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of service (crash) via a crafted PDF file. last seen 2020-06-01 modified 2020-06-02 plugin id 93985 published 2016-10-12 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93985 title FreeBSD : mupdf -- multiple vulnerabilities (47157c14-9013-11e6-a590-14dae9d210b8)
References
- http://www.openwall.com/lists/oss-security/2016/07/21/7
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00007.html
- http://bugs.ghostscript.com/show_bug.cgi?id=696941
- http://www.securityfocus.com/bid/92071
- https://security.gentoo.org/glsa/201702-12
- http://www.debian.org/security/2016/dsa-3655
- http://git.ghostscript.com/?p=mupdf.git%3Bh=fa1936405b6a84e5c9bb440912c23d532772f958