Bug 33221

These look like the patches:
46312 https://sourceforge.net/p/djvu/bugs/344/
46310 https://sourceforge.net/p/djvu/bugs/345/

Another homeless pkg, assigning this globally.

Assignee: bugsquad => pkg-bugs

Fixed for Cauldron!

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
CC: (none) => geiger.david68210

Assigning to QA,


Packages in 9/Core/Updates_testing:
======================
djvulibre-3.5.28-5.1.mga9
libdjvulibre-devel-3.5.28-5.1.mga9
libdjvulibre21-3.5.28-5.1.mga9
lib64djvulibre-devel-3.5.28-5.1.mga9
lib64djvulibre21-3.5.28-5.1.mga9

From SRPMS:
djvulibre-3.5.28-5.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs

RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing lib64djvulibre21-3.5.28-5.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64djvulibre21      ##################################################################################################
      1/1: removing lib64djvulibre21-3.5.28-5.mga9.x86_64
                                 ##################################################################################################

For test I urpmi pdf2djvu that also install djvulibre

Convert a pdf to djv pdf2djvu file.pdf > file.djv

Open file.djv with okular and djview4, it loads well, and the content is equal to file.pdf

Similar test was made in bug#25730 comment#3 soo looks good

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Late to the party again.
Checked out the CVEs and found a couple of PoC.

CVE-2021-46310
An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.
POC downloaded from https://sourceforge.net/p/djvu/bugs/345/
$ djvups POC
%!PS-Adobe-3.0
%%Title: DjVu PostScript document
[...]
Floating point exception (core dumped)

CVE-2021-46312
https://sourceforge.net/p/djvu/bugs/344/
An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.
$ c44 poc
Floating point exception (core dumped)

After updating:
$ djvups POC
[...]
djvups: IW44Image: zero size image (corrupted file?)
$ c44 poc
*** IWBitmap: zero size image (corrupted file?)
*** (IW44EncodeCodec.cpp:1429)
*** 'void DJVU::IWBitmap::Encode::init(const DJVU::GBitmap&, DJVU::GP<DJVU::GBitmap>)'

So, the issues are definitely fixed.

CC: (none) => tarazed25

Never hurts to have extra tests.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0183.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED