MuPDF ANSI Injection Vulnerability via Unsanitized Metadata in mutool

Vulnerability

A vulnerability exists in MuPDF's command-line tool, mutool, which fails to properly sanitize PDF metadata before it is output to the terminal. This oversight allows attackers to inject arbitrary ANSI escape sequences through manipulated PDF metadata. When the 'mutool info' command is executed, these malicious ANSI codes are transmitted unsanitized to the terminal. This could enable attackers to clear the terminal screen and display misleading text, potentially for social engineering purposes, such as creating fake prompts or impersonating commands.

Impact

Exploitation of this vulnerability could lead to unauthorized ANSI injection, allowing for manipulation of the terminal display. This could be used to conduct social engineering attacks by presenting deceptive prompts or spoofed commands.

Remediation

Users are advised to update to the latest version of MuPDF, where this vulnerability has been addressed. The patch is available in the official MuPDF repository.
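The class of fix for this bug is to neutralise control bytes in untrusted metadata before they reach the terminal. The following C sketch is an added example, not MuPDF's actual patch or code from its repository; the function name `term_escape` and the sample Title value are hypothetical, and the output is assumed to be UTF-8.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MuPDF code): copy `in` to `out`, rewriting bytes a
 * terminal could act on into visible \xNN text. Returns the number of control
 * characters rewritten, or -1 if `out` is too small. */
int term_escape(const char *in, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t o = 0;
    int rewritten = 0;

    if (outsz == 0) return -1;
    while (*p) {
        unsigned char c = *p;
        /* C0 controls (ESC is 0x1B) and DEL. Newlines are rewritten too, so a
         * single field cannot fake extra output lines. Tab is kept. */
        int c0 = (c < 0x20 && c != '\t') || c == 0x7F;
        /* C1 controls U+0080..U+009F are 0xC2 0x80..0x9F in UTF-8 (U+009B is CSI). */
        int c1 = (c == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F);

        if (c0 || c1) {
            size_t n = c1 ? 2 : 1;
            if (o + 4 * n + 1 > outsz) return -1;
            for (size_t i = 0; i < n; i++)
                o += (size_t)snprintf(out + o, outsz - o, "\\x%02X", p[i]);
            p += n;
            rewritten++;
        } else {
            if (o + 2 > outsz) return -1;
            out[o++] = (char)c;
            p++;
        }
    }
    out[o] = '\0';
    return rewritten;
}

int main(void)
{
    /* Constructed sample: a Title carrying clear-screen and colour sequences. */
    const char *title = "Report\x1b[2J\x1b[H\x1b[31mfake prompt\x1b[0m";
    char safe[256];
    int n = term_escape(title, safe, sizeof safe);
    printf("Title: %s (%d control characters neutralised)\n", safe, n);
    return 0;
}
```

On an installation that has not yet been updated, piping `mutool info` output through `cat -v` has a similar effect, since it prints control bytes in visible caret notation.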

Added: Apr 16, 2026, 2:21 AM
Updated: Apr 16, 2026, 2:21 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.2
exploitability: 4.9
remediation: 0.0
relevance: 6.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.