Bug 25730 - djvulibre new security issues CVE-2019-1514[2-5] and CVE-2019-18804
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
 
Reported: 2019-11-23 17:25 CET by David Walser
Modified: 2019-11-30 14:07 CET

Source RPM: djvulibre-3.5.27-5.mga7.src.rpm

Description David Walser 2019-11-23 17:25:33 CET
Ubuntu has issued an advisory on November 21:
https://usn.ubuntu.com/4198-1/

Mageia 7 is also affected.
David Walser 2019-11-23 17:25:40 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-11-23 21:07:48 CET
This package now has no maintainer, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2019-11-25 10:15:15 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file. (CVE-2019-15142)

In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp. (CVE-2019-15143)

In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h. (CVE-2019-15144)

DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h. (CVE-2019-15145)

DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU::filter_fv at IW44EncodeCodec.cpp. (CVE-2019-18804)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18804
https://usn.ubuntu.com/4198-1/
========================

Updated packages in core/updates_testing:
========================
djvulibre-3.5.27-5.1.mga7
lib(64)djvulibre21-3.5.27-5.1.mga7
lib(64)djvulibre-devel-3.5.27-5.1.mga7

from SRPMS:
djvulibre-3.5.27-5.1.mga7.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 PC LX 2019-11-26 12:35:51 CET
Installed and tested without issues.

Tested using okular, djview4 and the various djvulibre tools.
Tested with various djvu documents, ps documents and pdf documents.
ps and pdf documents were converted to djvu documents using the djvulibre tools and viewed using both okular and djview4. Text was extracted from the djvu documents and compared.
No issues noticed.

djvu documents can be found at:
http://www.djvu.org/resources/


$ uname -a
Linux marte 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 21:10:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep djvu | sort
djvulibre-3.5.27-5.1.mga7
lib64djvulibre21-3.5.27-5.1.mga7
$ rpm -q okular djview4
okular-19.04.0-1.mga7
djview4-4.10.6-2.mga7

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
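
Added example (not part of this bug report or of Mageia's tooling): a check that reads `rpm -qa` output and lists djvulibre packages older than the fixed build 3.5.27-5.1.mga7 named in Comment 2. The comparison is a simplified version of rpm's segment ordering (no '~' or '^' handling); the function names and the BEFORE sample are assumptions made for this example.

```python
import re

# Fixed build, from "Updated packages in core/updates_testing" in Comment 2.
FIXED = ("3.5.27", "5.1.mga7")
# Package names from Comment 2; "lib(64)" is expanded to both spellings.
PACKAGES = {"djvulibre", "libdjvulibre21", "lib64djvulibre21",
            "libdjvulibre-devel", "lib64djvulibre-devel"}

def segments(s):
    """Split into runs of digits or letters; separators are dropped."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm ordering: returns -1, 0 or 1."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric run is newer than letters
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outdated(rpm_qa_lines):
    """Return installed djvulibre packages older than the fixed build."""
    stale = []
    for line in rpm_qa_lines:
        line = line.strip()
        if line.count("-") < 2:
            continue                           # not a name-version-release line
        name, version, release = line.rsplit("-", 2)
        if name not in PACKAGES:
            continue
        order = rpmvercmp(version, FIXED[0]) or rpmvercmp(release, FIXED[1])
        if order < 0:
            stale.append(line)
    return stale

# Constructed input: pre-update release taken from the bug's "Source RPM" field.
BEFORE = ["djvulibre-3.5.27-5.mga7", "lib64djvulibre21-3.5.27-5.mga7", "okular-19.04.0-1.mga7"]
# The djvulibre lines of the rpm -qa output quoted in Comment 3.
AFTER = ["djvulibre-3.5.27-5.1.mga7", "lib64djvulibre21-3.5.27-5.1.mga7"]

if __name__ == "__main__":
    print("before update:", outdated(BEFORE))
    print("after update: ", outdated(AFTER))
```

The release `5.1.mga7` sorts after `5.mga7` because the second segment is numeric in one and alphabetic in the other, and rpm treats the numeric segment as newer.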

Comment 4 Thomas Andrews 2019-11-29 01:29:59 CET
Looks good to me. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-30 12:31:40 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2019-11-30 14:07:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0346.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

