There are several security bugs in the used mupdf version.
http://bugs.ghostscript.com/show_bug.cgi?id=696941
http://bugs.ghostscript.com/show_bug.cgi?id=696954
I tried to fix this issue by applying the patches referenced by the debian bugtracker.
However there are major differences between the current version of mupdf and the version used by sumatrapdf. It will probably be easier to update the complete mupdf version for sumatrapdf.
Since this will require quite some testing I have not yet tried that approach.
Please note that the referenced bugs are critical and are referenced by CVE-2016-6265 and CVE-2016-6525
SumatraPDF is also vulnerable against the recently disclosed CVE-2017-15587 and others, which can result in arbitrary code execution. Is it really using a version of MuPDF that has not been updated in years as it can be seen in this repository? If so, this is really irresponsible because there are several known critical vulnerabilities. If there are any custom MuPDF modifications that prevent you from upgrading, it might be worth sending those modifications upstream so that in the future a vanilla version of the library could be used.
Proof-of-concept PDF file: https://nandynarwhals.org/CVE-2017-15587/
SumatraPDF is still vulnerable. These CVEs are pretty serious.
Is this issue still relevant? I'm just thinking of using SumatraPDF but there are still some other CVE's from 2017 that are serious. Is the current version of mupdf in SumatraPDF this outdated?
on a 32bit windows (supposedly the more vulnerable) I ran the proof of concept and it will crash MuPdfGLv1.1 (based heavily on mutools 1.1 which was the subject of CVE-2017-15587)
MuPDF standard 1.1 reported the file as not possible to open i.e. did NOT crash
SumatraPDF uses MuPDF lib (NOT equal tools) and has a significantly different error handling for an invalid file and this case simply reports error loading file and does not crash
That is not to say such a file could be crafted in the future, just that SumatraPDF was same as many other unqualified reports NOT likely to be affected by this CVE
the start of thread reported 2 bugs which were the same (a non malicious file that had been MANGLED IT was given a CVE in mid 2016 simply because in that state it could potentially have been corrupted by a virus
the badly corrupted file as with all others is handled gracefully by current version 3.1.2 and pre-release as "Error Loading" exactly the same as CVE 2017
I am not wasting any of my valuable time trying to prove all historic versions were immune to these two files or any others not specifically highlighting SumatraPDF as at fault, Just for the record before you raise CVE-2016-8332 which was mentioned in the forum and raised as issue 629 that was closed in 2017 so if you think you are likely to be browsing malware sites you may want to use most recent pre-release until 3,2 is released
@kjk I suggest this ISSUE is NOT an issue and be closed
Would it help to define all dependencies in such a way that they show up in the dependency graph?
https://github.com/sumatrapdfreader/sumatrapdf/network/dependencies
And possibly can be scanned by Dependabot?
https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/
Well if Sumatra uses its own customized version mupdf it's not going to help really, because it's not an external dependency. The proof of concept linked above still crashes current preview builds of SumatraPDF. This means that this CVE can most likely still be used to target exploits at SumatraPDF.
@sagamusix SumatraPDF in my tests did not crash with that CVE file nor does it nor likely will do since it is not using mutools as such it IS the fact that its NOT the same that hardens it against similar issues

I always add I can be wrong and that the above is not to say some other exploit couldn't have an effect.
@GitHubRulesOK I would not be claiming that SumatraPDF crashes on this file if it didn't do that for me. The fact that it doesn't crash for you doesn't mean that it's not vulnerable.
Did you actually base64-decode the proof of concept? If you try to load the base64-encoded file, naturally it will not crash.
Yes it is decoded again fresh yesterday to confirm the above on a Win 10 x 64 bit machine perhaps your using a different OS please confirm which range of versions you experience the crash with and on which platform(S) since I don't want to test thousands of permutations again.
It crashes both on Windows 7 x64 and Windows 10 x64, it crashed at
whatever pre-release version was current when I added my first comment
to this issue and it still crashes on the current pre-release version
(11133 64-bit). It's 100% reproducable for me on all setups I tried.
Just for confirmation, the SHA256 of the decoded file that causes the
crash is 7DD74DDB6B86FDD6CE11923FC99C6749866A0A231572FD65EA19668A7C92DA83
There's no need to "waste your valuable time" (as you put it) to try to
prove that there are some configurations on which the crash does not
happen: The fact that there are at least some (in my case: all)
configurations on which this proof-of-concept crashes SumatraPDF is
enough to know for a developer that the application is vulnerable and
should be fixed, no matter how likely or unlikely it is to find an
exploit for this vulnerability in the wild.
Confirmed I am testing with 7DD74DDB6B86FDD6CE11923FC99C6749866A0A231572FD65EA19668A7C92DA83 so we know that is correct file and using recent pre-release 11133 x 64 it does crash for me too, point taken @kjk ?
ping @kjk
you may have noted two sequential crashes for version 3.1.2-x64 and pre-release 3.2.11133-x64
I was testing above POC
however you may not know that the above file does not crash latest build 3.2.11275-x64 thus proving it is more resilient against such exploit
We now use the latest mupdf so those are fixed in https://www.sumatrapdfreader.org/dailybuilds.html
Hi, will there be a release with this issues fixed anytime soon? fyi the issue is mentioned in the German IT news portal heise.de.
You can already use pre-release builds https://www.sumatrapdfreader.org/prerelease.html
While advanced users are probably well-aware of this option, it still leaves all less savvy users who are stuck on the latest stable without protection. Is there anything in particular preventing a new official release with these bugfixes?
Most helpful comment
SumatraPDF is still vulnerable. These CVEs are pretty serious.