Source: mupdf
Version: 1.27.0+ds1-2
Severity: important
Tags: security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=709029
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.23.6+ds1-1
Control: found -1 1.25.1+ds1-6

Hi,

The following vulnerability was published for mupdf.

CVE-2026-25556[0]:
| MuPDF versions 1.23.0 through 1.27.0 contain a double-free
| vulnerability in fz_fill_pixmap_from_display_list() when an
| exception occurs during display list rendering. The function accepts
| a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in
| its error handling path before rethrowing the exception. Callers
| (including the barcode decoding path in
| fz_decode_barcode_from_display_list) also drop the same pixmap in
| cleanup, resulting in a double-free that can corrupt the heap and
| crash the process. This issue affects applications that enable and
| use MuPDF barcode decoding and can be triggered by processing
| crafted input that causes a rendering-time error while decoding
| barcodes.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25556
    https://www.cve.org/CVERecord?id=CVE-2026-25556
[1] https://bugs.ghostscript.com/show_bug.cgi?id=709029
[2] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1

Regards,
Salvatore
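
The ownership mistake described in the CVE text, as an added example that is not part of the original report and is not MuPDF code. All names (pix_model, fill_buggy, fill_fixed, caller_over_drops) are hypothetical, error propagation is modelled with return codes rather than MuPDF's exception macros, and an over-drop is counted instead of freeing memory twice so the model is safe to run.

```c
#include <stdio.h>

/* Simplified stand-in (assumption) for a refcounted object such as a pixmap.
   drop() never calls free(); it counts drops made after the count reached
   zero, which in real code would be the double free. */
typedef struct { int refs; int over_drops; } pix_model;

static void drop(pix_model *p)
{
    if (p->refs > 0)
        p->refs--;          /* real code would free the object at zero */
    else
        p->over_drops++;    /* object already released: double free */
}

/* Callee pattern from the advisory: the pointer is borrowed from the caller,
   yet the error path drops it before propagating the error. */
static int fill_buggy(pix_model *p, int render_fails)
{
    if (render_fails) { drop(p); return -1; }
    return 0;
}

/* Corrected pattern under the stated ownership rule: a borrowed pointer is
   never dropped by the callee, on any path. */
static int fill_fixed(pix_model *p, int render_fails)
{
    (void)p;
    return render_fails ? -1 : 0;
}

/* The caller owns the single reference and always drops it in cleanup,
   as the advisory says the barcode decoding path does. */
static int caller_over_drops(int (*fill)(pix_model *, int), int render_fails)
{
    pix_model p = { 1, 0 };
    (void)fill(&p, render_fails);   /* error is handled, then cleanup runs */
    drop(&p);
    return p.over_drops;
}

int main(void)
{
    printf("buggy callee, render error: %d over-drop(s)\n", caller_over_drops(fill_buggy, 1));
    printf("buggy callee, no error:     %d over-drop(s)\n", caller_over_drops(fill_buggy, 0));
    printf("fixed callee, render error: %d over-drop(s)\n", caller_over_drops(fill_fixed, 1));
    return 0;
}
```

The over-drop appears only when rendering fails, which is why the bug stays hidden on well-formed input and surfaces on input that raises an error mid-render.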

