Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 798480 (CVE-2021-32490, CVE-2021-32491, CVE-2021-32492, CVE-2021-32493, CVE-2021-3500) - app-text/djvu: multiple vulnerabilities (CVE-2021-{3500,32490,32491,32492,32493})
Summary: app-text/djvu: multiple vulnerabilities (CVE-2021-{3500,32490,32491,32492,324...
Status: CONFIRMED
Alias: CVE-2021-32490, CVE-2021-32491, CVE-2021-32492, CVE-2021-32493, CVE-2021-3500
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-25 02:25 UTC by John Helmert III
Modified: 2021-12-31 01:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-25 02:25:29 UTC
CVE-2021-32490 (https://bugzilla.redhat.com/show_bug.cgi?id=1943693):

A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1770184

CVE-2021-32491 (https://bugzilla.redhat.com/show_bug.cgi?id=1943684):

A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1770218

CVE-2021-32492 (https://bugzilla.redhat.com/show_bug.cgi?id=1943686):

A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1770220

CVE-2021-32493 (https://bugzilla.redhat.com/show_bug.cgi?id=1943690):

A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1774554

CVE-2021-3500 (https://bugzilla.redhat.com/show_bug.cgi?id=1943685):

A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences.

RedHat's patch: https://bugzilla.redhat.com/attachment.cgi?id=1770188


So, seems everything has a patch but there are no links to upstream commits or
issues on the RedHat bugs so I'm not sure if anyone ever actually contacted
upstream to fix these.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:19 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:27 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:25 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:30 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:35 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:28 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:50 UTC
Package list is empty or all packages have requested keywords.
Comment 8 Teika kazura 2021-12-31 01:10:30 UTC
Debian released a patched version:
https://www.debian.org/security/2021/dsa-5032

Thanks.