Your message dated Fri, 04 Jul 2025 15:04:23 +0000
with message-id <e1uxhxf-006dxa...@fasolo.debian.org>
and subject line Bug#1108729: fixed in djvulibre 3.5.28-2.1
has caused the Debian Bug report #1108729,
regarding djvulibre: CVE-2025-53367
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1108729: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108729
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: djvulibre
Version: 3.5.28-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for djvulibre.

CVE-2025-53367[0]:
| DjVuLibre is a GPL implementation of DjVu, a web-centric format for
| distributing documents and images. Prior to version 3.5.29, the
| MMRDecoder::scanruns method is affected by an OOB-write
| vulnerability, because it does not check that the xr pointer stays
| within the bounds of the allocated buffer. This can lead to writes
| beyond the allocated memory, resulting in a heap corruption
| condition. An out-of-bounds read with pr is also possible for the
| same reason. This issue has been patched in version 3.5.29.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53367
    https://www.cve.org/CVERecord?id=CVE-2025-53367
[1] https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
[2] https://www.openwall.com/lists/oss-security/2025/07/03/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
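The defect the CVE text describes is a write through the `xr` pointer with no comparison against the end of the allocated run buffer. The following is an added, constructed illustration of that check (it is not DjVuLibre's MMRDecoder code; the `run_writer` type, `push_transition` and `scan_runs_checked` are hypothetical names chosen here), modelling a scanruns-style routine that turns decoded run lengths into transition positions and refuses to write once `xr` reaches the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not DjVuLibre code: a simplified "scanruns"
 * style routine. It converts a sequence of run lengths (alternating
 * white/black runs of one scanline, as an MMR/G4 decoder produces them)
 * into an array of transition positions, written through a pointer xr.
 * The vulnerable pattern is "*xr++ = pos" with no comparison against
 * the end of the buffer; the fix is to carry xr_end and check it
 * before every write. */

typedef struct {
    uint16_t *xr;       /* next write position */
    uint16_t *xr_end;   /* one past the last valid slot */
    int width;          /* scanline width; a transition may not exceed it */
} run_writer;

/* Returns 1 on success, 0 if the next write would leave the buffer
 * or the transition would fall outside the scanline. */
static int push_transition(run_writer *w, int pos)
{
    if (w->xr >= w->xr_end)        /* the bounds check the CVE is about */
        return 0;
    if (pos < 0 || pos > w->width)
        return 0;
    *w->xr++ = (uint16_t)pos;
    return 1;
}

/* Fill out[] with cumulative transition positions for the given runs.
 * Returns the number of transitions written, or -1 on malformed input
 * (too many runs for out[], or runs summing past the scanline width),
 * which an unchecked version would turn into a write past out[out_len-1]. */
int scan_runs_checked(const int *runs, size_t nruns, int width,
                      uint16_t *out, size_t out_len)
{
    run_writer w = { out, out + out_len, width };
    int pos = 0;
    for (size_t i = 0; i < nruns; i++) {
        if (runs[i] < 0)
            return -1;
        pos += runs[i];
        if (!push_transition(&w, pos))
            return -1;
    }
    return (int)(w.xr - out);
}
```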
--- Begin Message ---
Source: djvulibre
Source-Version: 3.5.28-2.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
djvulibre, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated djvulibre package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Jul 2025 07:38:58 +0200
Source: djvulibre
Architecture: source
Version: 3.5.28-2.1
Distribution: unstable
Urgency: high
Maintainer: Barak A. Pearlmutter <b...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1108729
Changes:
 djvulibre (3.5.28-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
     (Closes: #1108729)




--- End Message ---
