Hi

On Wed, Aug 06, 2025 at 10:00:11PM +0000, Yang Wang wrote:
> Package: mupdf
> Version: 1.25.1+ds1-6
> Tags: patch security
> Justification: remote DoS via infinite recursion
> Followup-For: Bug #1110482
> Usertags: cve-2025-46206
> Control: tags -1 patch
>
> Dear Maintainer,
>
> This non-maintainer upload (NMU) provides a backported patch for
> CVE-2025-46206 in the mupdf package for Debian Trixie.
>
> The vulnerability allows a remote attacker to trigger infinite recursion in
> `mutool clean` by crafting a PDF with cyclic `/Next` references in the
> outline structure, causing the process to crash and potentially exhaust
> system resources.
>
> Upstream has fixed this issue in commit
> https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac.
> This patch incorporates that change into version 1.25.1+ds1-7.
>
> Reproduction is straightforward using the upstream PoC from Bug 708521, and
> testing confirms that with the patch the crash and core dump no longer occur.
>
> Please consider including this fix or let me know if further information or
> packaging adjustments are required.
Thanks for preparing the diff. I will prepare an upload with the patch.

For your future reference, an NMU needs to follow a certain version format, outlined here:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#non-maintainer-uploads-nmus

Cheers,
Kan-Ru
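One way a parser can guard an outline walk against the cyclic `/Next` references described in the report, as an added illustration that is not mupdf's code or the upstream fix: the `outline_item` struct and the `walk`/`count_outline_items` functions are hypothetical stand-ins, and the sample outlines are constructed.

```c
#include <stddef.h>

/* Hypothetical stand-in (not mupdf's pdf_obj) holding just the two links the walk follows. */
typedef struct outline_item {
    struct outline_item *next, *first;   /* /Next sibling and /First child */
} outline_item;

/* Follow /Next (recursing into /First) but refuse to revisit an item. Returns the number
 * of distinct items, or -1 once a link points back at one already seen. A real parser
 * would key the visited set on the indirect object number rather than pointer identity. */
static int walk(outline_item *head, outline_item **seen, int *nseen, int cap)
{
    int count = 0;
    for (outline_item *it = head; it != NULL; it = it->next) {
        for (int i = 0; i < *nseen; i++)
            if (seen[i] == it)
                return -1;               /* cycle: item was already walked */
        if (*nseen >= cap)
            return -1;                   /* absurdly long chain: treat as malformed */
        seen[(*nseen)++] = it;
        count++;
        if (it->first) {                 /* children share the same visited set */
            int sub = walk(it->first, seen, nseen, cap);
            if (sub < 0)
                return -1;
            count += sub;
        }
    }
    return count;
}

/* -1 means "cyclic or oversized outline": reject it rather than recurse forever. */
int count_outline_items(outline_item *root)
{
    enum { CAP = 4096 };                 /* also bounds recursion depth via /First */
    outline_item *seen[CAP];
    int nseen = 0;
    return walk(root, seen, &nseen, CAP);
}

/* Constructed samples: A -> B -> C -> A (cyclic) and A(child) -> B (clean). */
int cyclic_sample(void)
{
    outline_item a = {0}, b = {0}, c = {0};
    a.next = &b; b.next = &c; c.next = &a;
    return count_outline_items(&a);      /* -1 */
}
int acyclic_sample(void)
{
    outline_item child = {0}, a = {0}, b = {0};
    a.first = &child; a.next = &b;
    return count_outline_items(&a);      /* 3 */
}
```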

