Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 34 FEDORA-2021-d781fa9f44 Critical: DjVulibre Stack Overflow

fedora
Calendar Grey May 6, 2021
Dist Fedora Esm H88
The recent upgrade to Djvulibre focuses on enhancing support for damaged files within Fedora 34. Explore the advancements that have been introduced.
This update fixes several issues in djvulibre

Summary

DjVu is a web-centric format and software platform for distributing documents

and images. DjVu can advantageously replace PDF, PS, TIFF, JPEG, and GIF for

distributing scanned documents, digital documents, or high-resolution pictures.

DjVu content downloads faster, displays and renders faster, looks nicer on a

screen, and consume less client resources than competing formats. DjVu images

display instantly and can be smoothly zoomed and panned with no lengthy

re-rendering.

DjVuLibre is a free (GPL'ed) implementation of DjVu, including viewers,

decoders, simple encoders, and utilities. The browser plugin is in its own

separate sub-package.

This update fixes several issues in djvulibre. These are mostly related to

opening of corrupted files.

* Mon May 3 2021 Marek Kasik - 3.5.27-28

- Avoid unsigned short overflow in GBitmap when allocating row buffer

- Resolves: #1943424

* Mon May 3 2021 Marek Kasik - 3.5.27-27

- Avoid stack overflow in DjVuPort by remembering which file we are opening

- Resolves: #1943411, #1943685

* Mon May 3 2021 Marek Kasik - 3.5.27-26

- Check input pool for NULL

- Resolves: #1943410

* Mon May 3 2021 Marek Kasik - 3.5.27-25

- Avoid integer overflow when allocating bitmap

- Resolves: #1943409

* Mon May 3 2021 Marek Kasik - 3.5.27-24

- Check image size for 0

- Resolves: #1943408

[ 1 ] Bug #1943685 - CVE-2021-3500 djvulibre: Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file

https://bugzilla.redhat.com/show_bug.cgi?id=1943685

su -c 'dnf upgrade --advisory FEDORA-2021-d781fa9f44' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Topics%20covered

Topics Covered

security advisory fedora critical software update software stack overflow file issue djvulibre corrupted files

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 34
Version: 3.5.27
Release: 28.fc34
URL:
Summary: DjVu viewers, encoders, and utilities

Topics%20covered

Topics Covered

security advisory fedora critical software update software stack overflow file issue djvulibre corrupted files

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here