- Package: src:djvulibre
- Source: src:djvulibre
- Submitter: Salvatore Bonaccorso
- Date: 2025-07-08 07:19:01 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for djvulibre.

CVE-2025-53367[0]:
| DjVuLibre is a GPL implementation of DjVu, a web-centric format for
| distributing documents and images. Prior to version 3.5.29, the
| MMRDecoder::scanruns method is affected by an OOB-write
| vulnerability, because it does not check that the xr pointer stays
| within the bounds of the allocated buffer. This can lead to writes
| beyond the allocated memory, resulting in a heap corruption
| condition. An out-of-bounds read with pr is also possible for the
| same reason. This issue has been patched in version 3.5.29.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53367
    https://www.cve.org/CVERecord?id=CVE-2025-53367
[1] https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
[2] https://www.openwall.com/lists/oss-security/2025/07/03/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
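The advisory text above describes the defect class only in words: a scanline decoder records colour transitions through an output pointer (xr) into a buffer sized from the image width, and nothing stops that pointer from walking past the end of the buffer. The following is an added example, not DjVuLibre's code and not a reproduction of MMRDecoder::scanruns: a toy run-length decoder with a constructed byte encoding, shown once without the bounds check and once with it. The function names (decode_runs_unchecked, decode_runs_checked, decode_line), the status codes and the "one byte per run length" encoding are all assumptions made for this illustration.

```c
/*
 * Added example (not DjVuLibre's code): a toy "changing element" decoder
 * in the spirit of an MMR/T.6 scanline decoder, shown without and with a
 * bounds check on the output pointer. The names decode_runs_unchecked,
 * decode_runs_checked and decode_line, the status codes and the byte
 * encoding are all constructed for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes of the checked decoder (constructed). */
enum { DECODE_OK = 0, DECODE_TOO_MANY_RUNS = -1, DECODE_RUN_PAST_WIDTH = -2,
       DECODE_NO_MEMORY = -3 };

/*
 * Toy encoding: each input byte is the length of the next run, with runs
 * alternating colour starting with white. Zero-length runs are legal (that
 * is how a T.4/T.6-style line starts with black), so "at most one
 * transition per pixel" is not a safe sizing assumption: a stream of
 * zero-length runs yields unbounded transitions while never advancing
 * past the line width.
 */

/* Unchecked form: every transition is written through xr and nothing stops
 * xr from walking past the end of the caller's buffer. The loop's
 * pos < width test does not help, because pos never moves for a
 * zero-length run. Only ever called on well-formed input below. */
static size_t decode_runs_unchecked(const unsigned char *code, size_t code_len,
                                    unsigned short *xr, int width)
{
    unsigned short *start = xr;
    int pos = 0;
    for (size_t i = 0; i < code_len && pos < width; i++) {
        pos += code[i];
        *xr++ = (unsigned short)pos;     /* no check against the buffer end */
    }
    return (size_t)(xr - start);
}

/* Checked form: the caller passes the end of the buffer, and each write is
 * preceded by a test that there is still room. A run that would extend
 * past the line width is rejected as well. */
static int decode_runs_checked(const unsigned char *code, size_t code_len,
                               unsigned short *xr, unsigned short *xr_end,
                               int width, size_t *n_out)
{
    unsigned short *start = xr;
    int pos = 0;
    for (size_t i = 0; i < code_len && pos < width; i++) {
        if (xr >= xr_end)               /* the check the unchecked form lacks */
            return DECODE_TOO_MANY_RUNS;
        pos += code[i];
        if (pos > width)                /* run would leave the scanline */
            return DECODE_RUN_PAST_WIDTH;
        *xr++ = (unsigned short)pos;
    }
    *n_out = (size_t)(xr - start);
    return DECODE_OK;
}

/* Decode one scanline into a heap buffer sized from the image width (the
 * way a real decoder sizes its transition table) and copy the result out.
 * out must have room for width + 2 entries. */
static int decode_line(const unsigned char *code, size_t code_len, int width,
                       unsigned short *out, size_t *n_out)
{
    size_t cap = (size_t)width + 2;
    unsigned short *xr = malloc(cap * sizeof *xr);
    if (!xr)
        return DECODE_NO_MEMORY;
    int rc = decode_runs_checked(code, code_len, xr, xr + cap, width, n_out);
    if (rc == DECODE_OK)
        memcpy(out, xr, *n_out * sizeof *xr);
    free(xr);
    return rc;
}

int main(void)
{
    /* Constructed inputs for an 8-pixel line. */
    const unsigned char good[] = {3, 2, 3};      /* 3 white, 2 black, 3 white */
    static const unsigned char zeros[64] = {0};  /* 64 zero-length runs */
    const unsigned char past[] = {3, 9};         /* second run overshoots */
    unsigned short out[16], tmp[16];
    size_t n = 0;

    decode_line(good, sizeof good, 8, out, &n);
    printf("good: %zu transitions at", n);
    for (size_t i = 0; i < n; i++)
        printf(" %d", out[i]);
    printf("\n");
    printf("zeros: rc=%d\n", decode_line(zeros, sizeof zeros, 8, out, &n));
    printf("past: rc=%d\n", decode_line(past, sizeof past, 8, out, &n));
    /* The unchecked decoder agrees on well-formed input; fed the zeros
     * input it would write 64 entries into a 10-slot heap buffer. */
    printf("unchecked good: %zu\n", decode_runs_unchecked(good, sizeof good, tmp, 8));
    return 0;
}
```

The point of the checked form is that the limit is the buffer end itself (xr_end), not a property of the input such as the number of runs or the pixel width: malformed input can always describe more transitions than pixels, so the decoder has to refuse to write rather than trust the count. Feeding the zero-run input to the checked decoder returns DECODE_TOO_MANY_RUNS after filling the 10 available slots, where the unchecked form would keep writing.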
Dear Barak, I've prepared an NMU for djvulibre (versioned as 3.5.28-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. The NMU delay is a bit short, so I'm open to delaying it more or cancelling it as you like. Based on that, if it is accepted, I plan to do a bookworm-security update as well (as -2.1~deb12u1). Regards, Salvatore
Hi Barak, Actually, I might cancel it to see whether there are other CVE fixes which are now applicable. Regards, Salvatore
Hi Barak, So it looks good. CVE-2021-46310 was already covered (and I updated the metadata), and CVE-2021-46312 is as yet unfixed. Regards, Salvatore
If you're doing it feel free to do zero delay.
Hi Barak, Thanks a lot, will reschedule it. Regards, Salvatore
You're also welcome to push the commit and tag to the packaging repo. If you don't I will just download it from debsnap and do that myself.
Hi, Done. The idea is not to cause you hassle but to help if possible. I did not initially, as the debian branch was already ahead. But I have now pushed the changes, and then merged the debian/3.5.28-2.1 tag into debian, resolving the merge conflict (it would still be good if you can double-check). Regards, Salvatore
We believe that the bug you reported is fixed in the latest version of
djvulibre, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1108729@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated djvulibre package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 04 Jul 2025 07:38:58 +0200
Source: djvulibre
Architecture: source
Version: 3.5.28-2.1
Distribution: unstable
Urgency: high
Maintainer: Barak A. Pearlmutter <bap@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1108729
Changes:
djvulibre (3.5.28-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
(Closes: #1108729)
Checksums-Sha1:
9c3bfc769e80dcc1cb5ad2a7f75f8900250fff09 2530 djvulibre_3.5.28-2.1.dsc
8b8da7e16ac66a5ad68b935679ad7550fd5a9377 17928 djvulibre_3.5.28-2.1.debian.tar.xz
eccd71a7bc3ece381542b4a0fbab73c2a849e3ca 5988 djvulibre_3.5.28-2.1_source.buildinfo
Checksums-Sha256:
89d5473060fe512e91b36a6879d1cc488bd8546623b1c44df9d06eef2bc05224 2530 djvulibre_3.5.28-2.1.dsc
4b0d84a3a45a399a40aed344169ae1ea5edea41c2c1971b4279aec1413d4f5ea 17928 djvulibre_3.5.28-2.1.debian.tar.xz
9ac8d3a64646b791e36cf76b8b8a14290b725d3609311de6e3c967f3ee783b35 5988 djvulibre_3.5.28-2.1_source.buildinfo
Files:
e9a91410d5708efeebbc18979409c9c1 2530 libs optional djvulibre_3.5.28-2.1.dsc
49cd57d8ea11b8ca116c39b2b10ba720 17928 libs optional djvulibre_3.5.28-2.1.debian.tar.xz
930cdbd43b158dd1592847e7798538e5 5988 libs optional djvulibre_3.5.28-2.1_source.buildinfo
I welcome your help! Thanks. With any of my packages, it makes me happy when someone fixes things. Less work for me, higher quality for Debian.
We believe that the bug you reported is fixed in the latest version of
djvulibre, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1108729@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated djvulibre package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 04 Jul 2025 21:33:39 +0200
Source: djvulibre
Architecture: source
Version: 3.5.28-2.1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Barak A. Pearlmutter <bap@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1108729
Changes:
djvulibre (3.5.28-2.1~deb12u1) bookworm-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Rebuild for bookworm-security
.
djvulibre (3.5.28-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
(Closes: #1108729)
Checksums-Sha1:
8378c99a29014003a8b2c4f3644600455dc71b9e 2562 djvulibre_3.5.28-2.1~deb12u1.dsc
1846a9e3d84e0174ecda6c4bf2dfe11fb86ea487 2959024 djvulibre_3.5.28.orig.tar.xz
21ebdd5487da3c0d995a25272fd8db094044d4a7 18000 djvulibre_3.5.28-2.1~deb12u1.debian.tar.xz
94a8eef2459838852c18eec41e4a3eb0143563c2 6020 djvulibre_3.5.28-2.1~deb12u1_source.buildinfo
Checksums-Sha256:
11ef087eb1bbffd6414967cb432e9fb8ab919bfb0bfb95247d6c84dbae0de263 2562 djvulibre_3.5.28-2.1~deb12u1.dsc
1223b7bf7c8dfe2e290882f3bfb88ba2468b30495a1bf8dfd54dc7e810987887 2959024 djvulibre_3.5.28.orig.tar.xz
fd426066bd9bee9d6fd903a351b83cb55311d7109d4d39f7cb7b4a5b59933db2 18000 djvulibre_3.5.28-2.1~deb12u1.debian.tar.xz
7fb23dcb27d0679b4c14a1a29e30da00776912ad9e296ee44005aa42502f32b7 6020 djvulibre_3.5.28-2.1~deb12u1_source.buildinfo
Files:
018d58fbb28e4992293e920642448413 2562 libs optional djvulibre_3.5.28-2.1~deb12u1.dsc
2f72e25ecf571449aecc468fcfe4fb60 2959024 libs optional djvulibre_3.5.28.orig.tar.xz
9a9048aaffdae23a06abfada004d74be 18000 libs optional djvulibre_3.5.28-2.1~deb12u1.debian.tar.xz
aeda31b456bdb37b244b731066998b2b 6020 libs optional djvulibre_3.5.28-2.1~deb12u1_source.buildinfo