CVE-2021-37220

Name
CVE-2021-37220
Description
MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted "mutool draw" input.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugs.ghostscript.com/show_bug.cgi?id=703791
MISC http://git.ghostscript.com/?p=mupdf.git;h=f5712c9949d026e4b891b25837edd2edc166151f
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TKRMREIYUBGG2GV73CU7BJNW2Q34IP23/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:* mupdf >= None <= 1.18.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
mupdf edge-community 1.18.0-r2 Daniel Sabogal <dsabogalcc@gmail.com> possibly vulnerable
mupdf edge-community 1.18.0-r1 Daniel Sabogal <dsabogalcc@gmail.com> possibly vulnerable
mupdf edge-community 1.17.0-r3 None possibly vulnerable
mupdf edge-community 1.13-r0 None possibly vulnerable
mupdf edge-community 1.11-r1 None possibly vulnerable
mupdf edge-community 1.10a-r2 None possibly vulnerable
mupdf edge-community 1.10a-r1 None possibly vulnerable
mupdf 3.22-community 1.18.0-r1 None possibly vulnerable
mupdf 3.22-community 1.17.0-r3 None possibly vulnerable
mupdf 3.22-community 1.13-r0 None possibly vulnerable
mupdf 3.22-community 1.11-r1 None possibly vulnerable
mupdf 3.22-community 1.10a-r2 None possibly vulnerable
mupdf 3.22-community 1.10a-r1 None possibly vulnerable
mupdf 3.11-main 1.16.1-r1 Daniel Sabogal <dsabogalcc@gmail.com> possibly vulnerable