Control: tags 1108729 + patch Control: tags 1108729 + pending
Dear Barak, I've prepared an NMU for djvulibre (versioned as 3.5.28-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. The NMU delay is bit short, so I'm open to as well delay more or cancel it as you like. I plan to do though based on that if it is accepted as well a bookworm-security updae (as -2.1~deb12u1). Regards, Salvatore
diffstat for djvulibre-3.5.28 djvulibre-3.5.28 changelog | 8 ++ patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch | 37 ++++++++++ patches/series | 1 3 files changed, 46 insertions(+) diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog --- djvulibre-3.5.28/debian/changelog 2021-05-10 19:56:59.000000000 +0200 +++ djvulibre-3.5.28/debian/changelog 2025-07-04 07:38:58.000000000 +0200 @@ -1,3 +1,11 @@ +djvulibre (3.5.28-2.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix potential buffer overflow in MMRDecoder (CVE-2025-53367) + (Closes: #1108729) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 04 Jul 2025 07:38:58 +0200 + djvulibre (3.5.28-2) unstable; urgency=high * bump policy version diff -Nru djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch --- djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch 1970-01-01 01:00:00.000000000 +0100 +++ djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch 2025-07-04 07:38:11.000000000 +0200 @@ -0,0 +1,37 @@ +From: Leon Bottou <le...@fb.com> +Date: Wed, 2 Jul 2025 12:49:40 -0400 +Subject: Fix potential buffer overflow in MMRDecoder +Origin: https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/ +Bug-Debian: https://bugs.debian.org/1108729 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-53367 + +--- + libdjvu/MMRDecoder.cpp | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libdjvu/MMRDecoder.cpp b/libdjvu/MMRDecoder.cpp +index b56fa336d353..bbbaa0c5e2ef 100644 +--- a/libdjvu/MMRDecoder.cpp ++++ b/libdjvu/MMRDecoder.cpp +@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr) + int a0,rle,b1; + for(a0=0,rle=0,b1=*pr++;a0 < width;) + { ++ // Check for buffer overflow ++ if (xr > lineruns+width+2 || pr > prevruns+width+2) ++ G_THROW(invalid_mmr_data); + // Process MMR codes + const int c=mrtable->decode(src); + switch ( c ) +@@ -714,7 +717,7 @@ MMRDecoder::scanruns(const unsigned short **endptr) + rle++; + a0++; + } +- if (a0 > width) ++ if (a0 > width || xr > lineruns+width+2) + G_THROW(invalid_mmr_data); + } + // Analyze uncompressed termination code. +-- +2.50.0 + diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series --- djvulibre-3.5.28/debian/patches/series 2021-05-10 19:46:09.000000000 +0200 +++ djvulibre-3.5.28/debian/patches/series 2025-07-04 07:38:17.000000000 +0200 @@ -5,3 +5,4 @@ 0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch 0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch 0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch +0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
