Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 798480 (CVE-2021-32490, CVE-2021-32491, CVE-2021-32492, CVE-2021-32493, CVE-2021-3500)

Summary: app-text/djvu: multiple vulnerabilities (CVE-2021-{3500,32490,32491,32492,32493})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: tex
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-06-25 02:25:29 UTC
CVE-2021-32490 (https://bugzilla.redhat.com/show_bug.cgi?id=1943693):

A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1770184

CVE-2021-32491 (https://bugzilla.redhat.com/show_bug.cgi?id=1943684):

A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1770218

CVE-2021-32492 (https://bugzilla.redhat.com/show_bug.cgi?id=1943686):

A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1770220

CVE-2021-32493 (https://bugzilla.redhat.com/show_bug.cgi?id=1943690):

A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1774554

CVE-2021-3500 (https://bugzilla.redhat.com/show_bug.cgi?id=1943685):

A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1770188


So, seems everything has a patch but there are no links to upstream commits or
issues on the RedHat bugs so I'm not sure if anyone ever actually contacted
upstream to fix these.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:19 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:27 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:25 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:30 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:35 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:28 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:50 UTC
Package list is empty or all packages have requested keywords.
Comment 8 Teika kazura 2021-12-31 01:10:30 UTC
Debian released a patched version:
https://www.debian.org/security/2021/dsa-5032

Thanks.