--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: djvulibre@packages.debian.org, Barak A. Pearlmutter <bap@debian.org>, carnil@debian.org
Control: affects -1 + src:djvulibre
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi release team,
Please unblock package djvulibre
[ Reason ]
djvulibre has a out-of-bounds write vulnerability in the
MMRDecoder::scanruns() function, which may cause memory corruption.
This has CVE id CVE-2025-53367 assigned and tracked in Debian BTS as
#1108729.
[ Impact ]
CVE-2025-53367 remains open in trixie (until a DSA is released).
[ Tests ]
Manual tests with the package.
[ Risks ]
Isolated fix for the issue provided by upstream.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
(Anything else the release team should know.)
unblock djvulibre/3.5.28-2.1
Regards,
Salvatore
diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog
--- djvulibre-3.5.28/debian/changelog 2021-05-10 19:56:59.000000000 +0200
+++ djvulibre-3.5.28/debian/changelog 2025-07-04 07:38:58.000000000 +0200
@@ -1,3 +1,11 @@
+djvulibre (3.5.28-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
+ (Closes: #1108729)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 04 Jul 2025 07:38:58 +0200
+
djvulibre (3.5.28-2) unstable; urgency=high
* bump policy version
diff -Nru djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
--- djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch 1970-01-01 01:00:00.000000000 +0100
+++ djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch 2025-07-04 07:38:11.000000000 +0200
@@ -0,0 +1,37 @@
+From: Leon Bottou <leonb@fb.com>
+Date: Wed, 2 Jul 2025 12:49:40 -0400
+Subject: Fix potential buffer overflow in MMRDecoder
+Origin: https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
+Bug-Debian: https://bugs.debian.org/1108729
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-53367
+
+---
+ libdjvu/MMRDecoder.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libdjvu/MMRDecoder.cpp b/libdjvu/MMRDecoder.cpp
+index b56fa336d353..bbbaa0c5e2ef 100644
+--- a/libdjvu/MMRDecoder.cpp
++++ b/libdjvu/MMRDecoder.cpp
+@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr)
+ int a0,rle,b1;
+ for(a0=0,rle=0,b1=*pr++;a0 < width;)
+ {
++ // Check for buffer overflow
++ if (xr > lineruns+width+2 || pr > prevruns+width+2)
++ G_THROW(invalid_mmr_data);
+ // Process MMR codes
+ const int c=mrtable->decode(src);
+ switch ( c )
+@@ -714,7 +717,7 @@ MMRDecoder::scanruns(const unsigned short **endptr)
+ rle++;
+ a0++;
+ }
+- if (a0 > width)
++ if (a0 > width || xr > lineruns+width+2)
+ G_THROW(invalid_mmr_data);
+ }
+ // Analyze uncompressed termination code.
+--
+2.50.0
+
diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series
--- djvulibre-3.5.28/debian/patches/series 2021-05-10 19:46:09.000000000 +0200
+++ djvulibre-3.5.28/debian/patches/series 2025-07-04 07:38:17.000000000 +0200
@@ -5,3 +5,4 @@
0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch
0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
+0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
--- End Message ---