#1110482 mupdf: CVE-2025-46206

Package:
src:mupdf
Source:
src:mupdf
Submitter:
Salvatore Bonaccorso
Date:
2025-08-07 00:51:01 UTC
Severity:
normal
Tags:
#1110482#5
Date:
2025-08-06 18:29:15 UTC
From:
To:
Hi,

The following vulnerability was published for mupdf.

CVE-2025-46206[0]:
| An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to
| cause a denial of service via an infinite recursion in the `mutool
| clean` utility. When processing a crafted PDF file containing cyclic
| /Next references in the outline structure, the `strip_outline()`
| function enters infinite recursion


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46206
https://www.cve.org/CVERecord?id=CVE-2025-46206
[1] https://bugs.ghostscript.com/show_bug.cgi?id=708521
[2] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
#1110482#10
Date:
2025-08-06 22:00:11 UTC
From:
To:
Dear Maintainer,

This non-maintainer upload (NMU) provides a backported patch for CVE-2025-46206 in the mupdf package for Debian Trixie.

The vulnerability allows a remote attacker to trigger infinite recursion in `mutool clean` by crafting a PDF with cyclic `/Next` references in the outline structure, causing the process to crash and potentially exhaust system resources.

Upstream has fixed this issue in commit https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac. This patch incorporates that change into version 1.25.1+ds1-7.

Reproduction is straightforward using the upstream PoC from Bug 708521, and testing confirms that with the patch the crash and core dump no longer occur.

Please consider including this fix or let me know if further information or packaging adjustments are required.

Best regards,
Yang Wang
<yang.wang@windriver.com>
#1110482#17
Date:
2025-08-06 23:21:19 UTC
From:
To:
Hi

Thanks for preparing the diff. I will prepare a upload with the patch.

For your future reference, a NMU needs to follow certain version format outlined here
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#non-maintainer-uploads-nmus

Cheers,
Kan-Ru
#1110482#22
Date:
2025-08-06 23:32:42 UTC
From:
To:
Great, thanks.

So the correct version should be 1.25.1+ds1-6.1, correct?

Thanks,
-Yang
#1110482#27
Date:
2025-08-07 00:24:29 UTC
From:
To:
Yes. And you can use the `dch --nmu` command to create a correct entry.

Cheers,
Kan-Ru
#1110482#32
Date:
2025-08-07 00:48:36 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
mupdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1110482@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kan-Ru Chen (陳侃如) <koster@debian.org> (supplier of updated mupdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 07 Aug 2025 08:40:44 +0900
Source: mupdf
Architecture: source
Version: 1.25.1+ds1-7
Distribution: unstable
Urgency: high
Maintainer: Kan-Ru Chen (陳侃如) <koster@debian.org>
Changed-By: Kan-Ru Chen (陳侃如) <koster@debian.org>
Closes: 1110482
Changes:
 mupdf (1.25.1+ds1-7) unstable; urgency=high
 .
   * Fix CVE-2025-46206: Infinite recursion in `mutool clean` when processing
     cyclic /Next references in PDF outlines. (Closes: #1110482)
     + Thanks to Yang Wang for preparing the update.
Checksums-Sha1:
 7215070bae2d2e46d1c19e743a9ea3d8f49aba66 2632 mupdf_1.25.1+ds1-7.dsc
 3a2c7cac9be7936fabdf9d25e4a54021cc066f38 95388 mupdf_1.25.1+ds1-7.debian.tar.xz
 d182582baed9d5e576e18d22f5686b4e500d0e5c 13444 mupdf_1.25.1+ds1-7_source.buildinfo
Checksums-Sha256:
 c3b5db4be9da498f4b6a84a48d1489e33ed79328fe0de2410e8222b33eb1d2f1 2632 mupdf_1.25.1+ds1-7.dsc
 35acd457a7c7fd975e5a4dabdd0002eb9a93441c0a78080ce8fef5fa049f86c8 95388 mupdf_1.25.1+ds1-7.debian.tar.xz
 fa13783a6dd02c79af20558e3446649b77915c8df67cf1b1c649028d8a722978 13444 mupdf_1.25.1+ds1-7_source.buildinfo
Files:
 7eab1a9a74635984b60dca11434efb7d 2632 text optional mupdf_1.25.1+ds1-7.dsc
 4fd33e2d6fe004dcc1c6bf9e3dea8675 95388 text optional mupdf_1.25.1+ds1-7.debian.tar.xz
 0e89e7e4ac9c315c6b415efcd504b812 13444 text optional mupdf_1.25.1+ds1-7_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE2JDTPWFH4vUeM4aHCjk1SrblfeEFAmiT9DUACgkQCjk1Srbl
feF6BQ//eFqHvThyCSJCwGDMxCCK7CulQvSfQDKEzZtwIvp5oVyz3GPyduMgWHfL
eAbYurr0BKK6Y14Jt4BZPL45ZETVwGiFzMK27j0npNng8hkryYrZPG8rN1XJW7qQ
5v/KI4JO824K0cqRAPZ3XdcyTVLhHnqW/IFy8OYsYG5SJdeMCP7GtTSt3rU6QGjw
09uAUM/X1LmqZ8gmUEZv7ri5DpdUUL2/nyq3lGDqhZmHjutEq33SpZbS83jTXMW3
ErzmTPr4jTM/MQBZ09U3WJQNnmfw81m+aVsxUc9RQNMfH7ECQmPzhSiRjhJ08DVO
3sJJrFl3qzqHl7mKVHx7UrKSc/6x6D60sVS1JW2aRn7DFVS2ZzUQlcP+g9rFl/yr
Pqxh+ORtrlLGzkr8S/AmznoOyD+WcQ5ZXORkLQd5R/LRajOxpf2aqm18hIDq6Vba
L/RXTJYbgHhzUtM2rpr5X84NuaDywn9Iw9ooK1Yjv0nx/Q5ELwPYvkqd/Jd1Z6pI
aUqcjnIRIc2EFi0nyBArIIHbUIfq6VTFWjPmzcItzNrSHO74txsoxkNG1JcoMxTK
UJ9mBgvTn30NMjJhmXcMMe760xN4VU11YkR7m/m0MQLUpVw+Xv0ODR7yNeMY5VJh
kUmZWU2HowzmKtaqQ4jwhBi8GAca11Q+W4y8QKTX4+ollrr0CBE=
=IRq7
-----END PGP SIGNATURE-----