ArchLinux: 202105-18: djvulibre: arbitrary code execution
Summary
- CVE-2021-3500 (arbitrary code execution)
A security issue was found in djvulibre. A stack overflow in the
function DJVU::DjVuDocument::get_djvu_file() may lead to an application
crash and other consequences via a crafted djvu file.
- CVE-2021-32490 (arbitrary code execution)
A security issue was found in djvulibre. An out of bounds write in the
function DJVU::filter_bv() may lead to an application crash and other
consequences via a crafted djvu file.
- CVE-2021-32491 (arbitrary code execution)
A security issue was found in djvulibre. An integer overflow in the
function render() in tools/ddjvu may lead to an application crash and
other consequences via a crafted djvu file.
- CVE-2021-32492 (arbitrary code execution)
A security issue was found in djvulibre. An out of bounds read in the
function DJVU::DataPool::has_data() may lead to an application crash
and other consequences via a crafted djvu file.
- CVE-2021-32493 (arbitrary code execution)
A security issue was found in djvulibre. A heap buffer overflow in the
function DJVU::GBitmap::decode() may lead to an application crash and
other consequences via a crafted djvu file.
Resolution
Upgrade to 3.5.28-3.
# pacman -Syu "djvulibre>=3.5.28-3"
The problems have been fixed upstream but no release is available yet.
References
https://bugs.archlinux.org/task/70787 https://bugzilla.redhat.com/show_bug.cgi?id=1943685 https://bugzilla.redhat.com/show_bug.cgi?id=1943411 https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-djvuport-stack-overflow.patch https://bugzilla.redhat.com/show_bug.cgi?id=1943693 https://bugzilla.redhat.com/show_bug.cgi?id=1943408 https://bugzilla.redhat.com/attachment.cgi?id=1770184&action=diff https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-check-image-size.patch https://bugzilla.redhat.com/show_bug.cgi?id=1943684 https://bugzilla.redhat.com/show_bug.cgi?id=1943409 https://bugzilla.redhat.com/attachment.cgi?id=1770218&action=diff https://src.fedoraproject.org/rpms/djvulibre/blob/4b8d9b4bcb10c24739ca2dcd68a7fba4abe90860/f/djvulibre-3.5.27-integer-overflow.patch https://bugzilla.redhat.com/show_bug.cgi?id=1943686 https://bugzilla.redhat.com/show_bug.cgi?id=1943410 https://bugzilla.redhat.com/attachment.cgi?id=1770220&action=diff https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-check-input-pool.patch https://bugzilla.redhat.com/show_bug.cgi?id=1943690 https://bugzilla.redhat.com/show_bug.cgi?id=1943424 https://bugzilla.redhat.com/attachment.cgi?id=1774554&action=diff https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-unsigned-short-overflow.patch https://security.archlinux.org/CVE-2021-3500 https://security.archlinux.org/CVE-2021-32490 https://security.archlinux.org/CVE-2021-32491 https://security.archlinux.org/CVE-2021-32492 https://security.archlinux.org/CVE-2021-32493
Workaround
None.