Arch Linux 811 Published by

A djvulibre security update has been released for Arch Linux.



ASA-202105-18: djvulibre: arbitrary code execution


Arch Linux Security Advisory ASA-202105-18
=========================================
Severity: Medium
Date : 2021-05-25
CVE-ID : CVE-2021-3500 CVE-2021-32490 CVE-2021-32491 CVE-2021-32492
CVE-2021-32493
Package : djvulibre
Type : arbitrary code execution
Remote : No
Link :   https://security.archlinux.org/AVG-1899

Summary
======
The package djvulibre before version 3.5.28-3 is vulnerable to
arbitrary code execution.

Resolution
=========
Upgrade to 3.5.28-3.

# pacman -Syu "djvulibre>=3.5.28-3"

The problems have been fixed upstream but no release is available yet.

Workaround
=========
None.

Description
==========
- CVE-2021-3500 (arbitrary code execution)

A security issue was found in djvulibre. A stack overflow in the
function DJVU::DjVuDocument::get_djvu_file() may lead to an application
crash and other consequences via a crafted djvu file.

- CVE-2021-32490 (arbitrary code execution)

A security issue was found in djvulibre. An out of bounds write in the
function DJVU::filter_bv() may lead to an application crash and other
consequences via a crafted djvu file.

- CVE-2021-32491 (arbitrary code execution)

A security issue was found in djvulibre. An integer overflow in the
function render() in tools/ddjvu may lead to an application crash and
other consequences via a crafted djvu file.

- CVE-2021-32492 (arbitrary code execution)

A security issue was found in djvulibre. An out of bounds read in the
function DJVU::DataPool::has_data() may lead to an application crash
and other consequences via a crafted djvu file.

- CVE-2021-32493 (arbitrary code execution)

A security issue was found in djvulibre. A heap buffer overflow in the
function DJVU::GBitmap::decode() may lead to an application crash and
other consequences via a crafted djvu file.

Impact
=====
An attacker could cause a crash, or possible execute arbitrary code,
using a crafted djvu file.

References
=========
  https://bugs.archlinux.org/task/70787
  https://bugzilla.redhat.com/show_bug.cgi?id43685
  https://bugzilla.redhat.com/show_bug.cgi?id43411
  https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-djvuport-stack-overflow.patch
  https://bugzilla.redhat.com/show_bug.cgi?id43693
  https://bugzilla.redhat.com/show_bug.cgi?id43408
  https://bugzilla.redhat.com/attachment.cgi?id70184&action=diff
  https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-check-image-size.patch
  https://bugzilla.redhat.com/show_bug.cgi?id43684
  https://bugzilla.redhat.com/show_bug.cgi?id43409
  https://bugzilla.redhat.com/attachment.cgi?id70218&action=diff
  https://src.fedoraproject.org/rpms/djvulibre/blob/4b8d9b4bcb10c24739ca2dcd68a7fba4abe90860/f/djvulibre-3.5.27-integer-overflow.patch
  https://bugzilla.redhat.com/show_bug.cgi?id43686
  https://bugzilla.redhat.com/show_bug.cgi?id43410
  https://bugzilla.redhat.com/attachment.cgi?id70220&action=diff
  https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-check-input-pool.patch
  https://bugzilla.redhat.com/show_bug.cgi?id43690
  https://bugzilla.redhat.com/show_bug.cgi?id43424
  https://bugzilla.redhat.com/attachment.cgi?id74554&action=diff
  https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-unsigned-short-overflow.patch
  https://security.archlinux.org/CVE-2021-3500
  https://security.archlinux.org/CVE-2021-32490
  https://security.archlinux.org/CVE-2021-32491
  https://security.archlinux.org/CVE-2021-32492
  https://security.archlinux.org/CVE-2021-32493