Bug#1108729: djvulibre: diff for NMU version 3.5.28-2.1

2025-07-04 Thread Barak A. Pearlmutter 
I welcome your help! Thanks. With any of my packages, it makes me happy
when someone fixes things. Less work for me, higher quality for Debian.

Bug#1108729: djvulibre: diff for NMU version 3.5.28-2.1

2025-07-04 Thread Salvatore Bonaccorso 
Hi,

On Fri, Jul 04, 2025 at 03:32:03PM +0100, Barak A. Pearlmutter wrote:
> You're also welcome to push the commit and tag to the packaging repo.
> If you don't I will just download it from debsnap and do that myself.

Done, the idea is not to cause you hassle but help if possible. I did
not initially as the debian branch was already ahead. But I have now
pushed the changes, and then merged the debian/3.5.28-2.1 tag into
debian resolving the merge conflict (would still be good if you can
double-check).

Regards,
Salvatore

Bug#1108729: djvulibre: diff for NMU version 3.5.28-2.1

2025-07-04 Thread Barak A. Pearlmutter 
You're also welcome to push the commit and tag to the packaging repo.
If you don't I will just download it from debsnap and do that myself.

Bug#1108729: djvulibre: diff for NMU version 3.5.28-2.1

2025-07-04 Thread Salvatore Bonaccorso 
Hi Barak,

On Fri, Jul 04, 2025 at 08:03:38AM +0100, Barak A. Pearlmutter wrote:
> If you're doing it feel free to do zero delay.

Thanks a lot, will reschedule it.

Regards,
Salvatore

Bug#1108729: djvulibre: diff for NMU version 3.5.28-2.1

2025-07-04 Thread Barak A. Pearlmutter 
If you're doing it feel free to do zero delay.

Bug#1108729: djvulibre: diff for NMU version 3.5.28-2.1

2025-07-03 Thread Salvatore Bonaccorso 
Hi Barak,

On Fri, Jul 04, 2025 at 08:24:05AM +0200, Salvatore Bonaccorso wrote:
> Hi Barak,
> 
> Actually I might cancel it to see if there are the other CVE fixes
> which are now applicable.

So looks good. CVE-2021-46310 was already covered (and updated
metadata), and CVE-2021-46312 is yet unfixed.

Regards,
Salvatore

Bug#1108729: djvulibre: diff for NMU version 3.5.28-2.1

2025-07-03 Thread Salvatore Bonaccorso 
Hi Barak,

Actually I might cancel it to see if there are the other CVE fixes
which are now applicable.

Regards,
Salvatore

Bug#1108729: djvulibre: diff for NMU version 3.5.28-2.1

2025-07-03 Thread Salvatore Bonaccorso 
Control: tags 1108729 + patch
Control: tags 1108729 + pending


Dear Barak,

I've prepared an NMU for djvulibre (versioned as 3.5.28-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.

The NMU delay is bit short, so I'm open to as well delay more or
cancel it as you like. I plan to do though based on that if it is
accepted as well a bookworm-security updae (as -2.1~deb12u1).

Regards,
Salvatore
diffstat for djvulibre-3.5.28 djvulibre-3.5.28

 changelog  |8 ++
 patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch |   37 ++
 patches/series |1 
 3 files changed, 46 insertions(+)

diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog
--- djvulibre-3.5.28/debian/changelog	2021-05-10 19:56:59.0 +0200
+++ djvulibre-3.5.28/debian/changelog	2025-07-04 07:38:58.0 +0200
@@ -1,3 +1,11 @@
+djvulibre (3.5.28-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
+(Closes: #1108729)
+
+ -- Salvatore Bonaccorso   Fri, 04 Jul 2025 07:38:58 +0200
+
 djvulibre (3.5.28-2) unstable; urgency=high
 
   * bump policy version
diff -Nru djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
--- djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch	1970-01-01 01:00:00.0 +0100
+++ djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch	2025-07-04 07:38:11.0 +0200
@@ -0,0 +1,37 @@
+From: Leon Bottou 
+Date: Wed, 2 Jul 2025 12:49:40 -0400
+Subject: Fix potential buffer overflow in MMRDecoder
+Origin: https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
+Bug-Debian: https://bugs.debian.org/1108729
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-53367
+
+---
+ libdjvu/MMRDecoder.cpp | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libdjvu/MMRDecoder.cpp b/libdjvu/MMRDecoder.cpp
+index b56fa336d353..bbbaa0c5e2ef 100644
+--- a/libdjvu/MMRDecoder.cpp
 b/libdjvu/MMRDecoder.cpp
+@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr)
+   int a0,rle,b1;
+   for(a0=0,rle=0,b1=*pr++;a0 < width;)
+ {
++  // Check for buffer overflow
++  if (xr > lineruns+width+2 || pr > prevruns+width+2)
++	G_THROW(invalid_mmr_data);
+   // Process MMR codes
+   const int c=mrtable->decode(src);
+   switch ( c )
+@@ -714,7 +717,7 @@ MMRDecoder::scanruns(const unsigned short **endptr)
+ rle++;
+ a0++;
+   }
+-if (a0 > width)
++if (a0 > width || xr > lineruns+width+2)
+   G_THROW(invalid_mmr_data);
+   }
+ // Analyze uncompressed termination code.
+-- 
+2.50.0
+
diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series
--- djvulibre-3.5.28/debian/patches/series	2021-05-10 19:46:09.0 +0200
+++ djvulibre-3.5.28/debian/patches/series	2025-07-04 07:38:17.0 +0200
@@ -5,3 +5,4 @@
 0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch
 0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
 0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
+0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch