Version in base suite: 3.5.28-2 Base version: djvulibre_3.5.28-2 Target version: djvulibre_3.5.28-2.1~deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/djvulibre/djvulibre_3.5.28-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/djvulibre/djvulibre_3.5.28-2.1~deb12u1.dsc changelog | 15 ++++ patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch | 37 ++++++++++ patches/series | 1 3 files changed, 53 insertions(+) diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog --- djvulibre-3.5.28/debian/changelog 2021-05-10 17:56:59.000000000 +0000 +++ djvulibre-3.5.28/debian/changelog 2025-07-04 19:33:39.000000000 +0000 @@ -1,3 +1,18 @@ +djvulibre (3.5.28-2.1~deb12u1) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Rebuild for bookworm-security + + -- Salvatore Bonaccorso Fri, 04 Jul 2025 21:33:39 +0200 + +djvulibre (3.5.28-2.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix potential buffer overflow in MMRDecoder (CVE-2025-53367) + (Closes: #1108729) + + -- Salvatore Bonaccorso Fri, 04 Jul 2025 07:38:58 +0200 + djvulibre (3.5.28-2) unstable; urgency=high * bump policy version diff -Nru djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch --- djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch 1970-01-01 00:00:00.000000000 +0000 +++ djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch 2025-07-04 19:33:32.000000000 +0000 @@ -0,0 +1,37 @@ +From: Leon Bottou +Date: Wed, 2 Jul 2025 12:49:40 -0400 +Subject: Fix potential buffer overflow in MMRDecoder +Origin: https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/ +Bug-Debian: https://bugs.debian.org/1108729 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-53367 + +--- + libdjvu/MMRDecoder.cpp | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libdjvu/MMRDecoder.cpp b/libdjvu/MMRDecoder.cpp +index b56fa336d353..bbbaa0c5e2ef 100644 +--- a/libdjvu/MMRDecoder.cpp ++++ b/libdjvu/MMRDecoder.cpp +@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr) + int a0,rle,b1; + for(a0=0,rle=0,b1=*pr++;a0 < width;) + { ++ // Check for buffer overflow ++ if (xr > lineruns+width+2 || pr > prevruns+width+2) ++ G_THROW(invalid_mmr_data); + // Process MMR codes + const int c=mrtable->decode(src); + switch ( c ) +@@ -714,7 +717,7 @@ MMRDecoder::scanruns(const unsigned short **endptr) + rle++; + a0++; + } +- if (a0 > width) ++ if (a0 > width || xr > lineruns+width+2) + G_THROW(invalid_mmr_data); + } + // Analyze uncompressed termination code. +-- +2.50.0 + diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series --- djvulibre-3.5.28/debian/patches/series 2021-05-10 17:46:09.000000000 +0000 +++ djvulibre-3.5.28/debian/patches/series 2025-07-04 19:33:32.000000000 +0000 @@ -5,3 +5,4 @@ 0005-djvulibre-fedora-Patch10-djvulibre-3.5.27-check-inpu.patch 0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch 0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch +0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch