CVE-2019-15145 (https://nvd.nist.gov/vuln/detail/CVE-2019-15145):
DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.

----

Bug: https://sourceforge.net/p/djvu/bugs/298/
Debian: https://security-tracker.debian.org/tracker/CVE-2019-15145

Looks like there may be more from the Debian link.
CVE-2019-15144 (https://nvd.nist.gov/vuln/detail/CVE-2019-15144):
In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h.

CVE-2019-15143 (https://nvd.nist.gov/vuln/detail/CVE-2019-15143):
In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp.

CVE-2019-15142 (https://nvd.nist.gov/vuln/detail/CVE-2019-15142):
In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file.
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-15145 (https://nvd.nist.gov/vuln/detail/CVE-2019-15145):
> DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack
> (application crash via an out-of-bounds read) by crafting a corrupted JB2
> image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in
> libdjvu/JB2Image.h because of a missing zero-bytes check in
> libdjvu/GBitmap.h.
>
> Bug: https://sourceforge.net/p/djvu/bugs/298/

Patch: https://sourceforge.net/p/djvu/djvulibre-git/ci/9658b01431cd7ff6344d7787f855179e73fe81a7/

(In reply to GLSAMaker/CVETool Bot from comment #1)
> CVE-2019-15144 (https://nvd.nist.gov/vuln/detail/CVE-2019-15144):
> In DjVuLibre 3.5.27, the sorting functionality (aka
> GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service
> (application crash due to an Uncontrolled Recursion) by crafting a PBM
> image file that is mishandled in libdjvu/GContainer.h.

Bug: https://sourceforge.net/p/djvu/bugs/299/
Patch: https://sourceforge.net/p/djvu/djvulibre-git/ci/e15d51510048927f172f1bf1f27ede65907d940d/

> CVE-2019-15143 (https://nvd.nist.gov/vuln/detail/CVE-2019-15143):
> In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause
> a denial-of-service error (resource exhaustion caused by a
> GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file,
> related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp.

Bug: https://sourceforge.net/p/djvu/bugs/297/
Patch: https://sourceforge.net/p/djvu/djvulibre-git/ci/b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f/

> CVE-2019-15142 (https://nvd.nist.gov/vuln/detail/CVE-2019-15142):
> In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows
> attackers to cause a denial-of-service (application crash in
> GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer
> over-read) by crafting a DJVU file.

Bug: https://sourceforge.net/p/djvu/bugs/296/
Patch: https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=703e79f63d52413d37f850ca62c1cabcc1606d70

commit 703e79f63d52413d37f850ca62c1cabcc1606d70
Author: John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-13 06:56:45 +0000
Commit: Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2020-06-13 09:35:02 +0000

    app-text/djvu: Security bump

    Bump to upstream tag debian/3.5.27.1-14, which includes fixes for
    numerous security issues.

    Bug: https://bugs.gentoo.org/536720
    Bug: https://bugs.gentoo.org/718552
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16210
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 app-text/djvu/Manifest | 1 +
 app-text/djvu/djvu-3.5.27-r2.ebuild | 73 +++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a13ebb61d94c615ab2c68de08ab95746c1996c5

commit 3a13ebb61d94c615ab2c68de08ab95746c1996c5
Author: John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-25 22:53:18 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-28 20:54:14 +0000

    app-text/djvu: Security cleanup

    Bug: https://bugs.gentoo.org/536720
    Bug: https://bugs.gentoo.org/718552
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16423
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-text/djvu/Manifest | 1 -
 app-text/djvu/djvu-3.5.27-r1.ebuild | 68 -------------------------------------
 2 files changed, 69 deletions(-)
glsa opened.
This issue was resolved and addressed in GLSA 202007-36 at https://security.gentoo.org/glsa/202007-36 by GLSA coordinator Sam James (sam_c).