[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1109943: bookworm-pu: package djvulibre/3.5.28-2.2~deb12u1

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: djvulibre@packages.debian.org, security@debian.org
Control: affects -1 + src:djvulibre
User: release.debian.org@packages.debian.org
Usertags: pu

  * CVE-2021-46310: Divide by zero in IW44Image::Map::image()
    (Closes: #1052668)
  * CVE-2021-46312: Divide by zero in IWBitmap::Encode::init()
    (Closes: #1052669)

The debdiff is against the DSA-5960-1 version currently in pu.

diffstat for djvulibre-3.5.28 djvulibre-3.5.28

 changelog                    |   18 ++++++++++++++----
 patches/CVE-2021-46310.patch |   20 ++++++++++++++++++++
 patches/CVE-2021-46312.patch |   20 ++++++++++++++++++++
 patches/series               |    2 ++
 4 files changed, 56 insertions(+), 4 deletions(-)

diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog
--- djvulibre-3.5.28/debian/changelog	2025-07-04 22:33:39.000000000 +0300
+++ djvulibre-3.5.28/debian/changelog	2025-07-21 13:42:26.000000000 +0300
@@ -1,9 +1,19 @@
-djvulibre (3.5.28-2.1~deb12u1) bookworm-security; urgency=high
+djvulibre (3.5.28-2.2~deb12u1) bookworm; urgency=medium
 
-  * Non-maintainer upload by the Security Team.
-  * Rebuild for bookworm-security
+  * Non-maintainer upload.
+  * Rebuild for bookworm.
 
- -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 04 Jul 2025 21:33:39 +0200
+ -- Adrian Bunk <bunk@debian.org>  Mon, 21 Jul 2025 13:42:26 +0300
+
+djvulibre (3.5.28-2.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2021-46310: Divide by zero in IW44Image::Map::image()
+    (Closes: #1052668)
+  * CVE-2021-46312: Divide by zero in IWBitmap::Encode::init()
+    (Closes: #1052669)
+
+ -- Adrian Bunk <bunk@debian.org>  Fri, 18 Jul 2025 20:57:51 +0300
 
 djvulibre (3.5.28-2.1) unstable; urgency=high
 
diff -Nru djvulibre-3.5.28/debian/patches/CVE-2021-46310.patch djvulibre-3.5.28/debian/patches/CVE-2021-46310.patch
--- djvulibre-3.5.28/debian/patches/CVE-2021-46310.patch	1970-01-01 02:00:00.000000000 +0200
+++ djvulibre-3.5.28/debian/patches/CVE-2021-46310.patch	2025-07-18 20:57:51.000000000 +0300
@@ -0,0 +1,20 @@
+Description: CVE-2021-46310: Divide by zero in IW44Image::Map::image()
+Bug-Debian: https://bugs.debian.org/1052668
+Origin: upstream
+Bug: https://sourceforge.net/p/djvu/bugs/345/
+
+--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp
++++ djvulibre-3.5.28/libdjvu/IW44Image.cpp
+@@ -676,10 +676,10 @@ IW44Image::Map::image(signed char *img8,
+   // Allocate reconstruction buffer
+   short *data16;
+   size_t sz = bw * bh;
+-  if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+-    G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+   if (sz == 0)
+     G_THROW("IW44Image: zero size image (corrupted file?)");
++  if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
++    G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+   GPBuffer<short> gdata16(data16,sz);
+   if (data16 == NULL)
+     G_THROW("IW44Image: unable to allocate image data");
diff -Nru djvulibre-3.5.28/debian/patches/CVE-2021-46312.patch djvulibre-3.5.28/debian/patches/CVE-2021-46312.patch
--- djvulibre-3.5.28/debian/patches/CVE-2021-46312.patch	1970-01-01 02:00:00.000000000 +0200
+++ djvulibre-3.5.28/debian/patches/CVE-2021-46312.patch	2025-07-18 20:57:51.000000000 +0300
@@ -0,0 +1,20 @@
+Description: CVE-2021-46312: Divide by zero in IWBitmap::Encode::init()
+Bug-Debian: https://bugs.debian.org/1052669
+Bug: https://sourceforge.net/p/djvu/bugs/344/
+
+--- djvulibre-3.5.28.orig/libdjvu/IW44EncodeCodec.cpp
++++ djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+@@ -1424,7 +1424,12 @@ IWBitmap::Encode::init(const GBitmap &bm
+   int h = bm.rows();
+   int g = bm.get_grays()-1;
+   signed char *buffer;
+-  GPBuffer<signed char> gbuffer(buffer,w*h);
++  size_t sz = w * h;
++  if (sz == 0 || g <= 0) // w or h is zero or g is not positive
++    G_THROW("IWBitmap: zero size image (corrupted file?)");
++  if (sz / (size_t)w != (size_t)h) // multiplication overflow
++    G_THROW("IWBitmap: image size exceeds maximum (corrupted file?)");
++  GPBuffer<signed char> gbuffer(buffer,sz);
+   // Prepare gray level conversion table
+   signed char  bconv[256];
+   for (i=0; i<256; i++)
diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series
--- djvulibre-3.5.28/debian/patches/series	2025-07-04 22:33:32.000000000 +0300
+++ djvulibre-3.5.28/debian/patches/series	2025-07-18 20:57:51.000000000 +0300
@@ -6,3 +6,5 @@
 0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
 0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
 0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
+CVE-2021-46310.patch
+CVE-2021-46312.patch
Reply to: