Bug 34423 - djvulibre new security issue CVE-2025-53367
Summary: djvulibre new security issue CVE-2025-53367
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-07-04 09:24 CEST by Nicolas Salguero
Modified: 2025-07-19 19:56 CEST

See Also:
Source RPM: djvulibre-3.5.28-5.1.mga9
CVE: CVE-2025-53367
Status comment: Fixed upstream in 3.5.29 and patch available from upstream


Nicolas Salguero 2025-07-04 09:25:50 CEST

Status comment: (none) => Fixed upstream in 3.5.29 and patch available from upstream
Source RPM: (none) => djvulibre-3.5.28-7.mga10.src.rpm, djvulibre-3.5.28-5.1.mga9.src.rpm
CVE: (none) => CVE-2025-53367
Whiteboard: (none) => MGA9TOO

Comment 1 Marja Van Waes 2025-07-05 20:07:06 CEST
No registered maintainer, assigning to all.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-07-11 10:11:53 CEST
Ubuntu has issued an advisory on July 9:
https://ubuntu.com/security/notices/USN-7631-1

katnatek 2025-07-16 19:09:01 CEST

Assignee: pkg-bugs => j.alberto.vc

Comment 3 katnatek 2025-07-16 19:16:39 CEST
David fixed this in Cauldron

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: djvulibre-3.5.28-7.mga10.src.rpm, djvulibre-3.5.28-5.1.mga9.src.rpm => djvulibre-3.5.28-5.1.mga9.src.rpm

Comment 4 katnatek 2025-07-16 19:31:30 CEST
RPMS:

djvulibre-3.5.29-1.mga9
lib(64)djvulibre-devel-3.5.29-1.mga9
lib(64)djvulibre21-3.5.29-1.mga9

SRPM:
djvulibre-3.5.29-1.mga9

Assignee: j.alberto.vc => qa-bugs

katnatek 2025-07-16 19:31:41 CEST

Source RPM: djvulibre-3.5.28-5.1.mga9.src.rpm => djvulibre-3.5.28-5.1.mga9

Comment 5 katnatek 2025-07-16 20:23:20 CEST
RH x86_64

installing djvulibre-3.5.29-1.mga9.x86_64.rpm lib64djvulibre21-3.5.29-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64djvulibre21      ##################################################################################################
      2/2: djvulibre             ##################################################################################################
      1/2: removing djvulibre-3.5.28-5.1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64djvulibre21-3.5.28-5.1.mga9.x86_64
                                 ##################################################################################################

strace qpdfview, once I open a .djv file shows

openat(AT_FDCWD, "/lib64/libdjvulibre.so.21", O_RDONLY|O_CLOEXEC) = 17

Works OK

strace okular file.djv , shows

openat(AT_FDCWD, "/lib64/libdjvulibre.so.21", O_RDONLY|O_CLOEXEC) = 21

Works OK

Comment 6 Herman Viaene 2025-07-17 11:52:24 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 33221 for testing, installed pdf2djvu and ran:
$ pdf2djvu handleidingVM.pdf > testfjvu.djv
The pdf is a 12 page document with lots of screenshots in it.
The resulting djv file opens OK in okular, contents are OK.
Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

katnatek 2025-07-18 04:30:59 CEST

Keywords: (none) => advisory

Comment 7 Thomas Andrews 2025-07-19 05:36:09 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2025-07-19 19:56:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0209.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
