
Bug#1108792: marked as done (unblock: djvulibre/3.5.28-2.1)



Your message dated Sat, 05 Jul 2025 13:15:59 +0000
with message-id <E1uY2kJ-008Jae-33@respighi.debian.org>
and subject line unblock djvulibre
has caused the Debian Bug report #1108792,
regarding unblock: djvulibre/3.5.28-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108792
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: djvulibre@packages.debian.org, Barak A. Pearlmutter <bap@debian.org>, carnil@debian.org
Control: affects -1 + src:djvulibre
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi release team,

Please unblock package djvulibre

[ Reason ]
djvulibre has an out-of-bounds write vulnerability in the
MMRDecoder::scanruns() function, which may cause memory corruption.
This has CVE id CVE-2025-53367 assigned and tracked in Debian BTS as
#1108729.

[ Impact ]
CVE-2025-53367 remains open in trixie (until a DSA is released).

[ Tests ]
Manual tests with the package.

[ Risks ]
Isolated fix for the issue provided by upstream.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock djvulibre/3.5.28-2.1

Regards,
Salvatore
diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog
--- djvulibre-3.5.28/debian/changelog	2021-05-10 19:56:59.000000000 +0200
+++ djvulibre-3.5.28/debian/changelog	2025-07-04 07:38:58.000000000 +0200
@@ -1,3 +1,11 @@
+djvulibre (3.5.28-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
+    (Closes: #1108729)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 04 Jul 2025 07:38:58 +0200
+
 djvulibre (3.5.28-2) unstable; urgency=high
 
   * bump policy version
diff -Nru djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
--- djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch	1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch	2025-07-04 07:38:11.000000000 +0200
@@ -0,0 +1,37 @@
+From: Leon Bottou <leonb@fb.com>
+Date: Wed, 2 Jul 2025 12:49:40 -0400
+Subject: Fix potential buffer overflow in MMRDecoder
+Origin: https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
+Bug-Debian: https://bugs.debian.org/1108729
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-53367
+
+---
+ libdjvu/MMRDecoder.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libdjvu/MMRDecoder.cpp b/libdjvu/MMRDecoder.cpp
+index b56fa336d353..bbbaa0c5e2ef 100644
+--- a/libdjvu/MMRDecoder.cpp
++++ b/libdjvu/MMRDecoder.cpp
+@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr)
+   int a0,rle,b1;
+   for(a0=0,rle=0,b1=*pr++;a0 < width;)
+     {
++      // Check for buffer overflow
++      if (xr > lineruns+width+2 || pr > prevruns+width+2)
++	G_THROW(invalid_mmr_data);
+       // Process MMR codes
+       const int c=mrtable->decode(src);
+       switch ( c )
+@@ -714,7 +717,7 @@ MMRDecoder::scanruns(const unsigned short **endptr)
+                         rle++;
+                         a0++;
+                       }
+-                    if (a0 > width)
++                    if (a0 > width || xr > lineruns+width+2)
+                       G_THROW(invalid_mmr_data);
+                   }
+                 // Analyze uncompressed termination code.
+-- 
+2.50.0
+
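Review bot: The guard added at the top of the `for(a0=0,rle=0,b1=*pr++;a0 < width;)` loop in MMRDecoder::scanruns() tests `xr` and `pr` only once per decoded code, and nothing in the patch explains the bound `width+2`. The visible lines do not show how large `lineruns` and `prevruns` are allocated, or how far a single `switch` case can advance either pointer before the next check. Please extend the `// Check for buffer overflow` comment to state the allocation size and the maximum advance per iteration, so a reader can confirm that `>` rather than `>=` is the right comparison. The second change extends `if (a0 > width)` with `xr > lineruns+width+2` but adds no matching `pr` test; if `pr` is not advanced on that path, the comment should say so. The new `G_THROW(invalid_mmr_data);` line is indented with a tab while the neighbouring lines use spaces. The request lists only manual tests, so a regression test that feeds a malformed MMR stream and expects `invalid_mmr_data` would make the fix verifiable in later uploads.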
diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series
--- djvulibre-3.5.28/debian/patches/series	2021-05-10 19:46:09.000000000 +0200
+++ djvulibre-3.5.28/debian/patches/series	2025-07-04 07:38:17.000000000 +0200
@@ -5,3 +5,4 @@
 0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch
 0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
 0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
+0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch

--- End Message ---
--- Begin Message ---
Unblocked djvulibre.

--- End Message ---
