Debian-LTS and Ubuntu have issued advisories on May 26 and May 17:
Apparently these issues were fixed in downstream Fedora patches. I'm not sure if they were included upstream in 3.5.28.
Mageia 7 and Mageia 8 are also affected.
MGA8TOO, MGA7TOO
Status comment:
Patches available from Fedora, Debian, and Ubuntu
A homeless SRPM, assigning this bug globally. NicolasS is already CC'd (has seen it before).
Fedora has issued an advisory for CVE-2021-3500 on May 7:
openSUSE has issued an advisory for this on May 22:
The updated packages fix security vulnerabilities:
Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file. (CVE-2021-3500)
Out of bounds write in function DJVU::filter_bv() via crafted djvu file. (CVE-2021-32490)
Integer overflow in function render() in tools/ddjvu via crafted djvu file. (CVE-2021-32491)
Out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file. (CVE-2021-32492)
Heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file. (CVE-2021-32493)
Updated packages in 7/core/updates_testing:
Updated packages in 8/core/updates_testing:
MGA8TOO, MGA7TOO =>
Patches available from Fedora, Debian, and Ubuntu =>
Installed and tested with one issue.
- viewing djvu files;
- dumping djvu files;
- convert djvu files to images;
- converting to djvu using any2djvu did NOT work.
The any2djvu command uses an internet server to convert files (e.g. pdf) to djvu but it is not working.
Looked around in djvuzone.org to see if I could find the URL to the converter but didn't find it.
Since there are other online sites that can do the conversion I'm inclined to give this update an OK but will leave that decision to others.
$ uname -a
Linux marte 5.10.41-desktop-1.mga7 #1 SMP Fri May 28 14:28:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep djvu
$ any2djvu -a test.ps test.djvu
/-- Started sáb jun 5 10:26:24 UTC 2021: pclx@marte, pid 6871: /usr/bin/any2djvu (cwd /tmp)
sáb jun 5 10:26:24 UTC 2021 Processing /tmp/test.ps
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 4494k 100 233 0 0 445 0 --:--:-- --:--:-- --:--:-- 445
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>301 Moved Permanently</title>
<p>The document has moved <a href="https://www.djvuzone.org/">here</a>.</p>
error: something got wrong. check log file
(In reply to PC LX from comment #5)
> Installed and tested with one issue.
Was this with the pre-testing version or the testing version?
I've confirmed that none of the examples in the documentation are working in
the pre-testing version, so this is not a regression.
After copying /usr/share/cups/data/secret.pdf to the current directory ...
$ any2djvu -u http://any2djvu.djvu.org/ secret.pdf
resulted in ...
2021-06-10 16:21:07 (34.7 MB/s) - ‘secret.djvu’ saved [579/579]
$ djvutxt secret.djvu
Installed the update with ...
# urpmi --media 'Core Updates Testing' lib64djvulibre21 djvulibre
Repeated the any2djvu and djvutxt commands above (after removing the previously
created secret.djvu file), and same output.
Oking and validating the update.
The default url of http://any2djvu.djvuzone.org/ should be changed to
Will open a new bug report for that change.
Oops. Forgot to add the MGA7-64-OK tag and will test on mga8 before validating.
Testing ok on m8. Validating the update.
MGA7TOO MGA7-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords:
bug 29104 opened for the default server url change.
An update for this issue has been pushed to the Mageia Updates repository.