Debian-LTS and Ubuntu have issued advisories on May 26 and May 17: https://www.debian.org/lts/security/2021/dla-2667 https://ubuntu.com/security/notices/USN-4957-1 Apparently these issues were fixed in downstream Fedora patches. I'm not sure if they were included upstream in 3.5.28. Mageia 7 and Mageia 8 are also affected.
CC: (none) => nicolas.salgueroWhiteboard: (none) => MGA8TOO, MGA7TOOStatus comment: (none) => Patches available from Fedora, Debian, and Ubuntu
A homeless SRPM, assigning this bug glbally. NicolasS is already CC'd (has seen it before).
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for CVE-2021-3500 on May 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AFBA3B7ZE5WL3W3IC3SJOZLTIMZPKXES/
openSUSE has issued an advisory for this on May 22: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VWUVFLJ5WIUYL2E7ZRZKXICPKCTWQHHD/
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file. (CVE-2021-3500) Out of bounds write in function DJVU::filter_bv() via crafted djvu file. (CVE-2021-32490) Integer overflow in function render() in tools/ddjvu via crafted djvu file. (CVE-2021-32491) Out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file. (CVE-2021-32492) Heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file. (CVE-2021-32493) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3500 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32490 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32491 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32492 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32493 https://www.debian.org/lts/security/2021/dla-2667 https://ubuntu.com/security/notices/USN-4957-1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AFBA3B7ZE5WL3W3IC3SJOZLTIMZPKXES/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VWUVFLJ5WIUYL2E7ZRZKXICPKCTWQHHD/ ======================== Updated packages in 7/core/updates_testing: ======================== djvulibre-3.5.27-5.2.mga7 lib(64)djvulibre21-3.5.27-5.2.mga7 lib(64)djvulibre-devel-3.5.27-5.2.mga7 from SRPM: djvulibre-3.5.27-5.2.mga7.src.rpm Updated packages in 8/core/updates_testing: ======================== djvulibre-3.5.28-1.1.mga8 lib(64)djvulibre21-3.5.28-1.1.mga8 lib(64)djvulibre-devel-3.5.28-1.1.mga8 from SRPM: djvulibre-3.5.28-1.1.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOOStatus: NEW => ASSIGNEDStatus comment: Patches available from Fedora, Debian, and Ubuntu => (none)Assignee: pkg-bugs => qa-bugsVersion: Cauldron => 8
Installed and tested with one issue. Tested: - viewing djvu files; - dumping djvu files; - convert djvu files to images; - converting to djvu using any2djvu did NOT work. The any2djvu command uses a internet server to convert files (e.g. pdf) to djvu but it is not working. Looked around in djvuzone.org to see if I could find the URL to the converter but didn't find it. Since there are other online sites that can do the conversion I'm inclined to give this update an OK but will leave that decision to others. $ uname -a Linux marte 5.10.41-desktop-1.mga7 #1 SMP Fri May 28 14:28:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep djvu lib64djvulibre21-3.5.27-5.2.mga7 djvulibre-3.5.27-5.2.mga7 $ any2djvu -a test.ps test.djvu /-- Started sáb jun 5 10:26:24 UTC 2021: pclx@marte, pid 6871: /usr/bin/any2djvu (cwd /tmp) sáb jun 5 10:26:24 UTC 2021 Processing /tmp/test.ps % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 4494k 100 233 0 0 445 0 --:--:-- --:--:-- --:--:-- 445 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://www.djvuzone.org/">here</a>.</p> </body></html> error: something got wrong. check log file
CC: (none) => mageia
(In reply to PC LX from comment #5) > Installed and tested with one issue. Was this with the pre-testing version or the testing version? I've confirmed that none of the examples in the documentation are working in the pre-testing version, so this is not a regression. After copying /usr/share/cups/data/secret.pdf to the current directory ... $ any2djvu -u http://any2djvu.djvu.org/ secret.pdf resulted in ... 2021-06-10 16:21:07 (34.7 MB/s) - ‘secret.djvu’ saved [579/579] $ djvutxt secret.djvu Secret Installed the update with ... # urpmi --media 'Core Updates Testing' lib64djvulibre21 djvulibre Repeated the any2djvu and djvutxt commands above (after removing the previously created secret.djvu file), and same output. Oking and validating the update. The default url of http://any2djvu.djvuzone.org/ should be changed to http://any2djvu.djvu.org/ Will open a new bug report for that change.
CC: (none) => davidwhodgins
Oops. Forget to add the MGA7-64-OK tag and will test on mga8 before validating.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Testing ok on m8. Validating the update.
CC: (none) => sysadmin-bugsWhiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OKKeywords: (none) => validated_update
bug 29104 opened for the default server url change.
Keywords: (none) => advisoryCVE: (none) => CVE-2021-3500, CVE-2021-3249[0-3]CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0247.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED