Version in base suite: 1.21.1+ds2-1
Base version: mupdf_1.21.1+ds2-1
Target version: mupdf_1.21.1+ds2-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mupdf/mupdf_1.21.1+ds2-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mupdf/mupdf_1.21.1+ds2-1+deb12u1.dsc
changelog | 8 ++
patches/0009-Bug-708990-Avoid-overflow-src_stride-calculation-in-.patch | 28 ++++++++++
patches/series | 1
3 files changed, 37 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp1qg1jemf/mupdf_1.21.1+ds2-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp1qg1jemf/mupdf_1.21.1+ds2-1+deb12u1.dsc: no acceptable signature found
diff -Nru mupdf-1.21.1+ds2/debian/changelog mupdf-1.21.1+ds2/debian/changelog
--- mupdf-1.21.1+ds2/debian/changelog 2023-01-25 00:38:44.000000000 +0000
+++ mupdf-1.21.1+ds2/debian/changelog 2026-04-17 14:03:43.000000000 +0000
@@ -1,3 +1,11 @@
+mupdf (1.21.1+ds2-1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Avoid overflow src_stride calculation in unpack_stream (CVE-2026-3308)
+ (Closes: #1133189)
+
+ -- Salvatore Bonaccorso Fri, 17 Apr 2026 16:03:43 +0200
+
 mupdf (1.21.1+ds2-1) unstable; urgency=medium
 
 * Replace the embedded fonts with system fonts (Closes: #1029087)
diff -Nru mupdf-1.21.1+ds2/debian/patches/0009-Bug-708990-Avoid-overflow-src_stride-calculation-in-.patch mupdf-1.21.1+ds2/debian/patches/0009-Bug-708990-Avoid-overflow-src_stride-calculation-in-.patch
--- mupdf-1.21.1+ds2/debian/patches/0009-Bug-708990-Avoid-overflow-src_stride-calculation-in-.patch 1970-01-01 00:00:00.000000000 +0000
+++ mupdf-1.21.1+ds2/debian/patches/0009-Bug-708990-Avoid-overflow-src_stride-calculation-in-.patch 2026-04-17 14:02:32.000000000 +0000
@@ -0,0 +1,28 @@
+From: Tor Andersson
+Date: Mon, 5 Jan 2026 17:54:15 +0100
+Subject: Bug 708990: Avoid overflow src_stride calculation in unpack_stream.
+Origin: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=a26f0142e7d390d4a82c6e5ae0e312e07cc4ec85
+Bug-Debian: https://bugs.debian.org/1133189
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-3308
+
+By using 64-bit math!
+---
+ source/fitz/draw-unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/fitz/draw-unpack.c b/source/fitz/draw-unpack.c
+index 048abbf3531b..8c99337dbff2 100644
+--- a/source/fitz/draw-unpack.c
++++ b/source/fitz/draw-unpack.c
+@@ -437,7 +437,7 @@ unpack_drop(fz_context *ctx, void *state)
+ fz_stream *
+ fz_unpack_stream(fz_context *ctx, fz_stream *src, int depth, int w, int h, int n, int indexed, int pad, int skip)
+ {
+- int src_stride = (w*depth*n+7)>>3;
++ int src_stride = ((int64_t)w*depth*n+7)>>3; // avoid overflow by bumping to 64-bit math
+ int dst_stride;
+ unpack_state *state;
+ fz_unpack_line_fn unpack_line = NULL;
+--
+2.53.0
+
diff -Nru mupdf-1.21.1+ds2/debian/patches/series mupdf-1.21.1+ds2/debian/patches/series
--- mupdf-1.21.1+ds2/debian/patches/series 2023-01-25 00:38:44.000000000 +0000
+++ mupdf-1.21.1+ds2/debian/patches/series 2026-04-17 14:02:53.000000000 +0000
@@ -7,3 +7,4 @@
 0006-Allow-disabling-objcopy.patch
 0007-mupdf-x11-does-not-need-to-link-to-libcrypto.patch
 0008-Add-fallback-for-missing-SA_NOCLDWAIT.patch
+0009-Bug-708990-Avoid-overflow-src_stride-calculation-in-.patch
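Review bot: In the draw-unpack.c hunk carried by patch 0009, the widened product is assigned straight back to `int src_stride`, so a result that no longer overflows in 64-bit arithmetic can still be truncated when narrowed to `int` instead of being rejected. Nothing visible in the hunk bounds `w`, `depth` or `n`, so unless the callers already do, consider holding the value in a 64-bit local and failing early, e.g. `int64_t stride64 = ((int64_t)w*depth*n+7)>>3;` followed by `if (stride64 > INT_MAX) fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions too large");`. `dst_stride` is declared on the next line and computed outside the hunk, so it is worth confirming that it does not repeat the 32-bit multiplication. Since this is a backport of the upstream commit named in `Origin:`, such hardening is probably best raised upstream rather than diverging in the security upload; the body of `fz_unpack_stream` continues outside the hunk.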