CVE-2019-13290: Buffer Overflow
First published: Thu Jul 04 2019(Updated: )
Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing remote attackers to execute arbitrary code via a crafted PDF file. This occurs with a large BDC property name that overflows the allocated size of a display list node.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/mupdf | 1.14.0+ds1-4+deb10u3 1.14.0+ds1-4+deb10u2 1.17.0+ds1-2 1.17.0+ds1-1.3~deb11u1 1.21.1+ds2-1 1.22.2+ds1-2 | |
| Artifex Mupdf | =1.15.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.ghostscript.com/show_bug.cgi?id=701118
- https://security-tracker.debian.org/tracker/CVE-2019-13290
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13290
- http://git.ghostscript.com/?p=mupdf.git;h=aaf794439e40a2ef544f15b50c20e657414dec7a
- http://git.ghostscript.com/?p=mupdf.git;h=ed19bc806809ad10c4ddce515d375581b86ede85
- https://security-tracker.debian.org/tracker/CVE-2018-19777
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931475
- https://git.ghostscript.com/?p=mupdf.git;h=aaf794439e40a2ef544f15b50c20e657414dec7a
- https://git.ghostscript.com/?p=mupdf.git;h=ed19bc806809ad10c4ddce515d375581b86ede85
- https://git.ghostscript.com/?p=mupdf.git;a=commit;f=source/fitz/list-device.c;h=e9411aba2b71b67b8521f55917ab26585c464b88
- https://archive.today/oi6bm
- https://lists.debian.org/debian-lts-announce/2020/07/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUXKCY35PKC32IFHN4RBUCZ75OWEYVJH/
- https://www.debian.org/security/2020/dsa-4753
Frequently Asked Questions
What is CVE-2019-13290?
CVE-2019-13290 is a vulnerability in Artifex MuPDF 1.15.0 that allows remote attackers to execute arbitrary code via a crafted PDF file.
How does CVE-2019-13290 occur?
CVE-2019-13290 occurs due to a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c.
What is the severity of CVE-2019-13290?
The severity of CVE-2019-13290 is high with a severity score of 7.8.
Which software versions are affected by CVE-2019-13290?
Artifex MuPDF 1.15.0 is affected by CVE-2019-13290.
How can I protect myself from CVE-2019-13290?
To protect yourself from CVE-2019-13290, update to a version of Artifex MuPDF that includes the fix.
- collector/debian-bugs
- alias/CVE-2019-13290
- collector/security-tracker-debian
- collector/nvd-index
- agent/weakness
- agent/type
- agent/description
- package-manager/debian
- vendor/artifex
- canonical/artifex mupdf
- version/artifex mupdf/1.15.0