Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Fedora 32: FEDORA-2021-fcb25df974 Critical: Djvulibre Stack Overflow Fix

fedora
Calendar Grey May 12, 2021
Dist Fedora Esm H88
New version of djvulibre addresses stack overflow and file corruption issues in Fedora 32, incorporating essential security fixes.
This update fixes several issues in djvulibre

Summary

DjVu is a web-centric format and software platform for distributing documents

and images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for

distributing scanned documents, digital documents, or high-resolution pictures.

DjVu content downloads faster, displays and renders faster, looks nicer on a

screen, and consume less client resources than competing formats. DjVu images

display instantly and can be smoothly zoomed and panned with no lengthy

re-rendering.

DjVuLibre is a free (GPL'ed) implementation of DjVu, including viewers,

decoders, simple encoders, and utilities. The browser plugin is in its own

separate sub-package.

This update fixes several issues in djvulibre. These are mostly related to

opening of corrupted files.

* Tue May 4 2021 Marek Kasik - 3.5.27-25

- Fix exporting of djvu icons with Inkscape

- Related: #1863428

* Mon May 3 2021 Marek Kasik - 3.5.27-24

- Avoid unsigned short overflow in GBitmap when allocating row buffer

- Resolves: #1943424

* Mon May 3 2021 Marek Kasik - 3.5.27-23

- Avoid stack overflow in DjVuPort by remembering which file we are opening

- Resolves: #1943411, #1943685

* Mon May 3 2021 Marek Kasik - 3.5.27-22

- Check input pool for NULL

- Resolves: #1943410

* Mon May 3 2021 Marek Kasik - 3.5.27-21

- Avoid integer overflow when allocating bitmap

- Resolves: #1943409

* Mon May 3 2021 Marek Kasik - 3.5.27-20

- Check image size for 0

- Resolves: #1943408

[ 1 ] Bug #1943685 - CVE-2021-3500 djvulibre: Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file

https://bugzilla.redhat.com/show_bug.cgi?id=1943685

su -c 'dnf upgrade --advisory FEDORA-2021-fcb25df974' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Topics%20covered

Topics Covered

security advisory update critical Fedora stack overflow djvulibre corrupted files

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 32
Version: 3.5.27
Release: 25.fc32
URL:
Summary: DjVu viewers, encoders, and utilities

Topics%20covered

Topics Covered

security advisory update critical Fedora stack overflow djvulibre corrupted files

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here