Ubuntu has issued an advisory on November 21: https://usn.ubuntu.com/4198-1/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
This package now has no maintainer, so assigning the bug globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file. (CVE-2019-15142)

In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp. (CVE-2019-15143)

In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h. (CVE-2019-15144)

DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h. (CVE-2019-15145)

DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU::filter_fv at IW44EncodeCodec.cpp. (CVE-2019-18804)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18804
https://usn.ubuntu.com/4198-1/
========================

Updated packages in core/updates_testing:
========================
djvulibre-3.5.27-5.1.mga7
lib(64)djvulibre21-3.5.27-5.1.mga7
lib(64)djvulibre-devel-3.5.27-5.1.mga7

from SRPMS:
djvulibre-3.5.27-5.1.mga7.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
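Two of the CVEs in the advisory above describe the same class of defect in a run-length bitmap reader: a loop that never makes progress on a zero-length run (CVE-2019-15143) and a read past the end of a buffer for want of a zero-bytes check (CVE-2019-15145). The following is an added illustration, not DjVuLibre's code and not a reconstruction of GBitmap::read_rle_raw: a generic RLE row decoder for a simple constructed (count, value) pair encoding that rejects zero-length runs, truncated input and runs that would overflow the destination row, so a corrupted file yields an error code instead of a hang or an out-of-bounds access. The encoding, function names and sample inputs are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of decoding one row of run-length data. */
typedef enum {
    RLE_OK = 0,
    RLE_ERR_TRUNCATED, /* input ended before the row was complete      */
    RLE_ERR_ZERO_RUN,  /* a run of length 0 makes no progress            */
    RLE_ERR_OVERFLOW   /* a run would write past the end of the row      */
} rle_status;

/*
 * Decode (count, value) byte pairs from in[0..in_len) into a row of
 * exactly out_len bytes.  Every loop iteration either consumes a run of
 * at least one output byte or returns, so the loop always terminates,
 * and every read and write is checked against its buffer first.
 * The pair format is a constructed one for this example.
 */
rle_status rle_decode(const uint8_t *in, size_t in_len,
                      uint8_t *out, size_t out_len, size_t *produced)
{
    size_t ip = 0, op = 0;

    while (op < out_len) {
        if (in_len - ip < 2)              /* bounded read of the input stream */
            return RLE_ERR_TRUNCATED;

        uint8_t count = in[ip];
        uint8_t value = in[ip + 1];
        ip += 2;

        if (count == 0)                   /* zero run: the loop would never advance */
            return RLE_ERR_ZERO_RUN;
        if (count > out_len - op)         /* run would exceed the destination row */
            return RLE_ERR_OVERFLOW;

        memset(out + op, value, count);
        op += count;
    }

    if (produced)
        *produced = op;
    return RLE_OK;
}

/* Constructed sample inputs for a row of 8 pixels. */
static const uint8_t SAMPLE_GOOD[]      = { 3, 0xAA, 5, 0x55 }; /* 3 + 5 = 8 bytes */
static const uint8_t SAMPLE_ZERO_RUN[]  = { 0, 0xAA, 8, 0x55 }; /* first run is empty */
static const uint8_t SAMPLE_OVERFLOW[]  = { 9, 0xAA };          /* 9 bytes into an 8-byte row */
static const uint8_t SAMPLE_TRUNCATED[] = { 3, 0xAA };          /* stream ends early */

static const char *status_name(rle_status s)
{
    switch (s) {
    case RLE_OK:            return "ok";
    case RLE_ERR_TRUNCATED: return "truncated input";
    case RLE_ERR_ZERO_RUN:  return "zero-length run rejected";
    case RLE_ERR_OVERFLOW:  return "run exceeds row";
    }
    return "unknown";
}

int main(void)
{
    uint8_t row[8];
    size_t n = 0;

    printf("good:      %s\n", status_name(rle_decode(SAMPLE_GOOD, sizeof SAMPLE_GOOD, row, sizeof row, &n)));
    printf("zero run:  %s\n", status_name(rle_decode(SAMPLE_ZERO_RUN, sizeof SAMPLE_ZERO_RUN, row, sizeof row, &n)));
    printf("overflow:  %s\n", status_name(rle_decode(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW, row, sizeof row, &n)));
    printf("truncated: %s\n", status_name(rle_decode(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, row, sizeof row, &n)));
    return 0;
}
```

The point of the three checks is that each is tied to a distinct failure mode named in the advisory text: the zero-run check guarantees forward progress, the row-capacity check prevents the out-of-bounds write, and the input-length check prevents the out-of-bounds read. A decoder that only checks the output bound still hangs on a zero run, and one that only checks for progress still reads past a truncated stream.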
Installed and tested without issues.

Tested using okular, djview4 and the various djvulibre tools. Tested with various djvu documents, ps documents and pdf documents. ps and pdf documents were converted to djvu documents using the djvulibre tools and viewed using both okular and djview4. Text was extracted from the djvu documents and compared. No issues noticed.

djvu documents can be found at: http://www.djvu.org/resources/

$ uname -a
Linux marte 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 21:10:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep djvu | sort
djvulibre-3.5.27-5.1.mga7
lib64djvulibre21-3.5.27-5.1.mga7

$ rpm -q okular djview4
okular-19.04.0-1.mga7
djview4-4.10.6-2.mga7

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
Looks good to me. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0346.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED