Fedora has issued an advisory on May 16: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APFAWR7QE27GXQMRKR6XKNZWWUJ5YMH/ Mageia 9 is also affected.
Source RPM: (none) => djvulibre-3.5.28-5.mga9.src.rpmCVE: (none) => CVE-2021-46310, CVE-2021-46312Status comment: (none) => Patches available from FedoraWhiteboard: (none) => MGA9TOO
These look like the patches: 46312 https://sourceforge.net/p/djvu/bugs/344/ 46310 https://sourceforge.net/p/djvu/bugs/345/ Another homeless pkg, assigning this globally.
Assignee: bugsquad => pkg-bugs
Fixed for Cauldron!
Whiteboard: MGA9TOO => (none)Version: Cauldron => 9CC: (none) => geiger.david68210
Assigning to QA, Packages in 9/Core/Updates_testing: ====================== djvulibre-3.5.28-5.1.mga9 libdjvulibre-devel-3.5.28-5.1.mga9 libdjvulibre21-3.5.28-5.1.mga9 lib64djvulibre-devel-3.5.28-5.1.mga9 lib64djvulibre21-3.5.28-5.1.mga9 From SRPMS: djvulibre-3.5.28-5.1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => advisory
RH mageia 9 x86_64 LC_ALL=C urpmi --auto --auto-update medium "QA Testing (32-bit)" is up-to-date medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date medium "Core Updates (distrib3)" is up-to-date medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date medium "Core 32bit Updates (distrib32)" is up-to-date medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing lib64djvulibre21-3.5.28-5.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/1: lib64djvulibre21 ################################################################################################## 1/1: removing lib64djvulibre21-3.5.28-5.mga9.x86_64 ################################################################################################## For test I urpmi pdf2djvu that also install djvulibre Convert a pdf to djv pdf2djvu file.pdf > file.djv Open file.djv with okular and djview4, it loads well, and the content is equal to file.pdf Similar test was made in bug#25730 comment#3 soo looks good
Whiteboard: (none) => MGA9-64-OKCC: (none) => andrewsfarm
Late to the party again. Checked out the CVEs and found a couple of PoC. CVE-2021-46310 An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero. POC downloaded from https://sourceforge.net/p/djvu/bugs/345/ $ djvups POC %!PS-Adobe-3.0 %%Title: DjVu PostScript document [...] Floating point exception (core dumped) CVE-2021-46312 https://sourceforge.net/p/djvu/bugs/344/ An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero. $ c44 poc Floating point exception (core dumped) After updating: $ djvups POC [...] djvups: IW44Image: zero size image (corrupted file?) $ c44 poc *** IWBitmap: zero size image (corrupted file?) *** (IW44EncodeCodec.cpp:1429) *** 'void DJVU::IWBitmap::Encode::init(const DJVU::GBitmap&, DJVU::GP<DJVU::GBitmap>)' So, the issues are definitely fixed.
CC: (none) => tarazed25
Never hurts to have extra tests. Validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0183.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED