openSUSE 16 Security Update : mupdf (openSUSE-SU-2026:21180-1)

medium Nessus Plugin ID 324889

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21180-1 advisory.

Changes in mupdf:

- Build and ship MuPDF as a shared library (make shared=yes) instead of static-only:
* New subpackage libmupdf27_2 carries libmupdf.so.27.2 (the SONAME tracks the upstream minor.patch version).
* Replaced the static-only mupdf-devel-static with mupdf-devel, which ships the .so symlink and a generated mupdf.pc (upstream provides no pkg-config file).
* mupdf-devel obsoletes the dropped mupdf-devel-static so it is cleanly replaced on upgrade (resolves the /usr/include/mupdf header file conflict flagged in staging).
- Consumers that statically embedded libmupdf.a (e.g. zathura's pdf-mupdf plugin) failed to load with "undefined symbol: jpeg_resync_to_restart" because openSUSE builds MuPDF against system codec libraries and the static archive does not pull them in; linking against the shared library (which carries those codecs in its own NEEDED) fixes this (boo#1165273).

- Update to 1.27.2:
* Add ImageMask operation in image rewriter.
* SText vector merging, and 'fuzzy-vectors' option.
* SText corruption fixes.
* SText Depth First Search iterator fixes.

- Update to 1.27.1:
* Several optimizations, tweaks, and fixes to the structured text device text extraction.
* Improve table-hunting code in structured text device.
* Import image-rafting code from layout project to the structured text device.
* Fix bug causing FitR link destination rectangles to remain untransformed.
* Fix bug causing xps rendering to enter eternal loop.
- CVE-2025-55780: null pointer dereference occurs in the function break_word_for_overflow_wrap() (bsc#1250443)
- CVE-2026-25556: double-free in fz_fill_pixmap_from_display_list() (bsc#1257944)

- Update to version 1.26.3:
* Cope with /AS being an indirection in annotations.
* PDF redaction should honour RO entries.
* Recompress lossy (JPEG, J2K, JXR, etc) as JPEG when writing to SVG.
* Improve speed of roll in postscript functions.
* Be more accepting of EmbeddedFiles FileSpecs.
* Extend rectangles to improve strikeout detection.
* Fix strikeout detection failure caused by FP inaccuracy.
* Make mutool trace and mutool draw -Ftrace output identical.
* Re-order mutool sub-commands, highlight the most useful commands at the top.
* Use fz_strstrcase for case insensitive file dialog filters in mupdf-gl.
- Use system brotli, tesseract for builds
- More specific directory globs for files section.

- Update to 1.25.6:
* Avoid crash when noto fonts have zero size.
* Fix bug in q/Q count balancing.
* Improve clip/layer nesting to handle more than 1000 nested levels.
* Fix bug where all redaction annotations were applied instead of just one.

- Update to 1.25.5:
* Allow pdf_lookup_page_number_slow on deleted pages.
* Fix issue in Fax decoder.
* Tweak antidropout code in the non-AA rasterizer.
* Fix bug ignoring last entry in UAX 14 line-breaking table.
* Let Windows handle unhandled ALT-key combinations.
* Cope with undersized cross-reference streams.
* Use ULL rather than Ui64 in Windows-specific time funcs.
* Fix redaction problem with form transforms.
* Fix Makefiles to test/alter CFLAGS, not XCFLAGS.
* Avoid double drop of fz_html_tree upon exception in xml_to_boxes().
* Free unopened pages instead of waiting for document to reap them.
* Do not create bad write options if encrypt option was set to unknown value.
* PDF saving: Perform a pre-pass to load objects before saving.
* Change capitalization in mutool usage to be consistent.
* Ensure that cfb archive entry names are null-terminated.
* Allocate xml root node in pool.
* Fix typo in LZW compressed inline image dictionary.
* Report error in audit tool, otherwise it counts as unhandled.
* Handle PDF objects numbered outside xref range.
* Check whether opts is NULL when cleaning a PDF file.
* Check whether the argument list is NULL, when arguments are said to exist.
* Consistently use uint32_t for color in stext device.
* Sync open page numbers after undo has swapped the xrefs, not before.
* Clear the in-doc flag when removing a page from the opened page list.
* Add support archive script to create commercial tarballs.

- Update to 1.25.4:
* Add common Noto font name lookup function.
* Improve font Ascent/Descent handling.
* Allow fz_store_size to be customised in Java.
* Add fz_atoz() convenience function to parse size_t.
* Add and use convenience function for loading user CSS.
* Fix valgrind error seen with saving pdfs with garbage collection.
* Process both widgets and annotations when rewriting images.
* Adjust vector handling in page segmentation.
* Only include latest object versions when gathering object streams.
* Add AFRelationship property.
* Minimise size of softmasks before rendering.
* Fix bug where mutool clean produced object 0 with invalid gen num.
* Fix bbox calculation in segmentation.
* Improve exception messages from tesseract.
* When deleting widget fields, compare the objects, not their pointers.
* Fix for JBIG2 data not having the correct filter attached.
* Fix concerning renumbered PDF encryption dictionaries.

- Update to 1.25.3:
* Fix bug where structure trees were always kept.
* Add option to drop/keep structure trees when rearranging or subsetting pages.

- Update to 1.25.2:
* Add support to spot invisible text in structured text.
* Fix sanitisation of clipping paths.
* Fix leak in C++ wrappers.

- Update to 1.25.1:
* Fix bug in structured text to html conversion concerning color.

- For changes in 1.25.0 and older see https://mupdf.com/releases/history

- Update to 1.24.10:
* Several fixes to python scripts for bindings.
* Fix bug relating to redactions on pages with shared content streams.
* Fix bug when both color keying and softmasking is used.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected libmupdf27_2, mupdf and / or mupdf-devel packages.

See Also

https://bugzilla.suse.com/1165273

https://bugzilla.suse.com/1250443

https://bugzilla.suse.com/1257944

https://www.suse.com/security/cve/CVE-2025-55780

https://www.suse.com/security/cve/CVE-2026-25556

Plugin Details

Severity: Medium

ID: 324889

File Name: openSUSE-2026-21180-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/2/2026

Updated: 7/2/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.15

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-25556

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.9

Threat Score: 5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:mupdf, p-cpe:/a:novell:opensuse:libmupdf27_2, p-cpe:/a:novell:opensuse:mupdf-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/30/2026

Vulnerability Publication Date: 9/23/2025

Reference Information

CVE: CVE-2025-55780, CVE-2026-25556