Your message dated Sat, 05 Jul 2025 13:15:59 +0000
with message-id <[email protected]>
and subject line unblock djvulibre
has caused the Debian Bug report #1108792,
regarding unblock: djvulibre/3.5.28-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1108792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108792
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], Barak A. Pearlmutter 
<[email protected]>, [email protected]
Control: affects -1 + src:djvulibre
User: [email protected]
Usertags: unblock

Hi release team,

Please unblock package djvulibre

[ Reason ]
djvulibre has an out-of-bounds write vulnerability in the
MMRDecoder::scanruns() function, which may cause memory corruption.
This has CVE id CVE-2025-53367 assigned and tracked in Debian BTS as
#1108729.

[ Impact ]
CVE-2025-53367 remains open in trixie (until a DSA is released).

[ Tests ]
Manual tests with the package.

[ Risks ]
Isolated fix for the issue provided by upstream.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock djvulibre/3.5.28-2.1

Regards,
Salvatore
diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog
--- djvulibre-3.5.28/debian/changelog   2021-05-10 19:56:59.000000000 +0200
+++ djvulibre-3.5.28/debian/changelog   2025-07-04 07:38:58.000000000 +0200
@@ -1,3 +1,11 @@
+djvulibre (3.5.28-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
+    (Closes: #1108729)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 04 Jul 2025 07:38:58 +0200
+
 djvulibre (3.5.28-2) unstable; urgency=high
 
   * bump policy version
diff -Nru 
djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
 
djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
--- 
djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
      2025-07-04 07:38:11.000000000 +0200
@@ -0,0 +1,37 @@
+From: Leon Bottou <[email protected]>
+Date: Wed, 2 Jul 2025 12:49:40 -0400
+Subject: Fix potential buffer overflow in MMRDecoder
+Origin: 
https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
+Bug-Debian: https://bugs.debian.org/1108729
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-53367
+
+---
+ libdjvu/MMRDecoder.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libdjvu/MMRDecoder.cpp b/libdjvu/MMRDecoder.cpp
+index b56fa336d353..bbbaa0c5e2ef 100644
+--- a/libdjvu/MMRDecoder.cpp
++++ b/libdjvu/MMRDecoder.cpp
+@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr)
+   int a0,rle,b1;
+   for(a0=0,rle=0,b1=*pr++;a0 < width;)
+     {
++      // Check for buffer overflow
++      if (xr > lineruns+width+2 || pr > prevruns+width+2)
++      G_THROW(invalid_mmr_data);
+       // Process MMR codes
+       const int c=mrtable->decode(src);
+       switch ( c )
+@@ -714,7 +717,7 @@ MMRDecoder::scanruns(const unsigned short **endptr)
+                         rle++;
+                         a0++;
+                       }
+-                    if (a0 > width)
++                    if (a0 > width || xr > lineruns+width+2)
+                       G_THROW(invalid_mmr_data);
+                   }
+                 // Analyze uncompressed termination code.
+-- 
+2.50.0
+
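Review bot: In the first scanruns() hunk the new guard compares with a strict `>` against lineruns+width+2 and prevruns+width+2 and runs once per loop iteration, so xr or pr sitting exactly at width+2 still passes and the decode and switch body run before the next check. The hunk does not show how large lineruns and prevruns are allocated, so the patch description should state that size and how many entries a single iteration can write or read, which would make it reviewable that width+2 leaves enough headroom; if it does not, use `>=` or check at each write. The second hunk adds the xr bound only beside the existing `a0 > width` test, so a short comment saying the other write sites rely on the top-of-loop guard would help. Style: the G_THROW under the new `if` sits at the same indentation as the `if` and should be indented one level, as the G_THROW in the second hunk is.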
diff -Nru djvulibre-3.5.28/debian/patches/series 
djvulibre-3.5.28/debian/patches/series
--- djvulibre-3.5.28/debian/patches/series      2021-05-10 19:46:09.000000000 
+0200
+++ djvulibre-3.5.28/debian/patches/series      2025-07-04 07:38:17.000000000 
+0200
@@ -5,3 +5,4 @@
 0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch
 0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
 0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
+0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch

--- End Message ---
--- Begin Message ---
Unblocked djvulibre.

--- End Message ---
