Your message dated Tue, 08 Jul 2025 07:17:51 +0000
with message-id <e1uz2an-0064je...@fasolo.debian.org>
and subject line Bug#1108729: fixed in djvulibre 3.5.28-2.1~deb12u1
has caused the Debian Bug report #1108729,
regarding djvulibre: CVE-2025-53367
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1108729: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108729
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: djvulibre
Version: 3.5.28-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for djvulibre.
CVE-2025-53367[0]:
| DjVuLibre is a GPL implementation of DjVu, a web-centric format for
| distributing documents and images. Prior to version 3.5.29, the
| MMRDecoder::scanruns method is affected by an OOB-write
| vulnerability, because it does not check that the xr pointer stays
| within the bounds of the allocated buffer. This can lead to writes
| beyond the allocated memory, resulting in a heap corruption
| condition. An out-of-bounds read with pr is also possible for the
| same reason. This issue has been patched in version 3.5.29.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53367
https://www.cve.org/CVERecord?id=CVE-2025-53367
[1] https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
[2] https://www.openwall.com/lists/oss-security/2025/07/03/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
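The CVE text above describes the bug class, a write pointer (xr) that advances once per decoded run and is never compared against the end of the transition buffer, plus a matching unchecked read through pr. The following is an added, constructed illustration of that class and of the check that closes it; it is not DjVuLibre's MMRDecoder::scanruns and not from the bug report or the upstream commit. The scanline width, the WIDTH + 2 buffer sizing, the byte-per-run input format and every function name here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class in CVE-2025-53367, not DjVuLibre's
 * MMRDecoder code. Assumptions: a scanline of WIDTH pixels, a transition buffer
 * sized WIDTH + 2 (hypothetical sizing), and an input that is simply a list of
 * run lengths (one byte each) rather than real T.6/MMR codes. */
#define WIDTH 8
#define RUNBUF_CAP (WIDTH + 2)

/* Vulnerable shape: `xr` advances once per decoded run and is never compared
 * against the end of the buffer. A stream of zero-length runs never reaches
 * WIDTH, so the loop keeps storing past runbuf[RUNBUF_CAP - 1] (memory
 * corruption). Never called with such input in this file. */
static int scanruns_unchecked(const uint8_t *runs, size_t nruns, unsigned short *runbuf)
{
    unsigned short *xr = runbuf;
    int x = 0;
    for (size_t i = 0; i < nruns && x < WIDTH; i++) {
        x += runs[i];
        *xr++ = (unsigned short)x;      /* no check that xr < runbuf + RUNBUF_CAP */
    }
    return (int)(xr - runbuf);          /* number of transitions stored */
}

/* Hardened shape: keep a one-past-the-end pointer and refuse both a write past
 * it and a run that extends beyond the line. Returns -1 for a rejected line. */
static int scanruns_checked(const uint8_t *runs, size_t nruns, unsigned short *runbuf)
{
    unsigned short *xr = runbuf;
    const unsigned short *xr_end = runbuf + RUNBUF_CAP;
    int x = 0;
    for (size_t i = 0; i < nruns && x < WIDTH; i++) {
        if (xr >= xr_end)
            return -1;                  /* would write out of bounds */
        x += runs[i];
        if (x > WIDTH)
            return -1;                  /* run overshoots the scanline */
        *xr++ = (unsigned short)x;
    }
    return (int)(xr - runbuf);
}

/* Read side of the same class (the `pr` pointer): find the first transition of
 * the previous line strictly greater than a0. Without an end pointer the walk
 * runs off the array when no such transition exists; here it stops at nprev. */
static int next_transition_checked(const unsigned short *prev, int nprev, int a0)
{
    const unsigned short *pr = prev;
    const unsigned short *pr_end = prev + nprev;
    while (pr < pr_end && *pr <= a0)
        pr++;
    return pr < pr_end ? *pr : -1;
}

/* Constructed inputs, wrapped so results can be checked by return value. */
static int demo_wellformed(int checked)
{
    static const uint8_t runs[] = {3, 2, 3};        /* 3 + 2 + 3 == WIDTH */
    unsigned short buf[RUNBUF_CAP];
    return checked ? scanruns_checked(runs, 3, buf) : scanruns_unchecked(runs, 3, buf);
}

static int demo_zero_runs_checked(size_t nzeros)
{
    uint8_t runs[64] = {0};                          /* all zero-length runs */
    unsigned short buf[RUNBUF_CAP];
    return scanruns_checked(runs, nzeros > 64 ? 64 : nzeros, buf);
}

static int demo_overlong_run_checked(void)
{
    static const uint8_t runs[] = {WIDTH + 1};       /* single run longer than the line */
    unsigned short buf[RUNBUF_CAP];
    return scanruns_checked(runs, 1, buf);
}

static int demo_prev_lookup(int a0)
{
    static const unsigned short prev[] = {3, 5, 8};  /* transitions of a previous line */
    return next_transition_checked(prev, 3, a0);
}

int main(void)
{
    printf("well-formed, unchecked: %d transitions\n", demo_wellformed(0));
    printf("well-formed, checked:   %d transitions\n", demo_wellformed(1));
    printf("20 zero-length runs, checked: %d (rejected)\n", demo_zero_runs_checked(20));
    printf("run longer than line, checked: %d (rejected)\n", demo_overlong_run_checked());
    printf("next transition after a0=4: %d, after a0=8: %d\n",
           demo_prev_lookup(4), demo_prev_lookup(8));
    return 0;
}
```

The point of the hardened variant is that the loop's termination condition (x reaching the line width) is controlled by the input, so it cannot double as the bounds check; the write pointer needs its own comparison against the end of the buffer, and the read pointer into the previous line needs the same. When reviewing a fix for this kind of report, look for exactly that pair of end-pointer comparisons rather than for a larger buffer.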
--- Begin Message ---
Source: djvulibre
Source-Version: 3.5.28-2.1~deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
djvulibre, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated djvulibre package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 04 Jul 2025 21:33:39 +0200
Source: djvulibre
Architecture: source
Version: 3.5.28-2.1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Barak A. Pearlmutter <b...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1108729
Changes:
djvulibre (3.5.28-2.1~deb12u1) bookworm-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Rebuild for bookworm-security
.
djvulibre (3.5.28-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
(Closes: #1108729)
Checksums-Sha1:
8378c99a29014003a8b2c4f3644600455dc71b9e 2562 djvulibre_3.5.28-2.1~deb12u1.dsc
1846a9e3d84e0174ecda6c4bf2dfe11fb86ea487 2959024 djvulibre_3.5.28.orig.tar.xz
21ebdd5487da3c0d995a25272fd8db094044d4a7 18000 djvulibre_3.5.28-2.1~deb12u1.debian.tar.xz
94a8eef2459838852c18eec41e4a3eb0143563c2 6020 djvulibre_3.5.28-2.1~deb12u1_source.buildinfo
Checksums-Sha256:
11ef087eb1bbffd6414967cb432e9fb8ab919bfb0bfb95247d6c84dbae0de263 2562 djvulibre_3.5.28-2.1~deb12u1.dsc
1223b7bf7c8dfe2e290882f3bfb88ba2468b30495a1bf8dfd54dc7e810987887 2959024 djvulibre_3.5.28.orig.tar.xz
fd426066bd9bee9d6fd903a351b83cb55311d7109d4d39f7cb7b4a5b59933db2 18000 djvulibre_3.5.28-2.1~deb12u1.debian.tar.xz
7fb23dcb27d0679b4c14a1a29e30da00776912ad9e296ee44005aa42502f32b7 6020 djvulibre_3.5.28-2.1~deb12u1_source.buildinfo
Files:
018d58fbb28e4992293e920642448413 2562 libs optional djvulibre_3.5.28-2.1~deb12u1.dsc
2f72e25ecf571449aecc468fcfe4fb60 2959024 libs optional djvulibre_3.5.28.orig.tar.xz
9a9048aaffdae23a06abfada004d74be 18000 libs optional djvulibre_3.5.28-2.1~deb12u1.debian.tar.xz
aeda31b456bdb37b244b731066998b2b 6020 libs optional djvulibre_3.5.28-2.1~deb12u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---