Vulnerability roundup 104: djvulibre-3.5.28: 5 advisories [7.8]

[ckauhaus]

search, files

• CVE-2021-3500 CVSSv3=7.8 (nixos-21.05, nixos-unstable)
• CVE-2021-32490 CVSSv3=7.8 (nixos-21.05, nixos-unstable)
• CVE-2021-32491 CVSSv3=7.8 (nixos-21.05, nixos-unstable)
• CVE-2021-32492 CVSSv3=7.8 (nixos-21.05, nixos-unstable)
• CVE-2021-32493 CVSSv3=7.8 (nixos-21.05, nixos-unstable)

CVE details

CVE-2021-3500

A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences.

CVE-2021-32490

A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences.

CVE-2021-32491

A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences.

CVE-2021-32492

A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences.

CVE-2021-32493

A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences.

---

Scanned versions: nixos-21.05: 2262d78; nixos-unstable: 1905f5f.

Cc @Anton-Latukha

[Anton-Latukha]

Checked.

@ckauhaus

None of the listed CVEs are closed/have patches.

But they at least assigned.

Also delighted to see that upstream is still pretty much active.

Upstream already fixed this, but so far not made a release.

Some CVEs seems to be already closed in Fedora, but CVE monitors do not provide links to them.

So would look further.

[ckauhaus]

We should probably wait for an upstream release fixing all or some of the listed CVEs.

[henrirosten]

I realize this is an old issue, but since this isn't closed I'll leave an update here.

This issue is apparently fixed with Fedora patches: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988215#12 that have been merged upstream: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6.

However, there has not been an upstream release that would include those fixes. Other distributions (e.g. Debian, Fedora) apparently use a patched version of djvulibre.

Should we include those fix patches in nixpkgs too?

[patka-123]

Hello @ckauhaus 👋

I looks like all the CVE's have been patched in #246773. If this fixes everything, would you be able to close this issue?

(I'm going through older issues to see what can be triaged. If this issue is still a problem then don't mind me)