• Bug#1108792: unblock: djvulibre/3.5.28-2.1

    From Salvatore Bonaccorso@21:1/5 to All on Sat Jul 5 10:40:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected], Barak A. Pearlmutter <[email protected]>, [email protected]
    Control: affects -1 + src:djvulibre
    User: [email protected]
    Usertags: unblock

    Hi release team,

    Please unblock package djvulibre

    [ Reason ]
    djvulibre has an out-of-bounds write vulnerability in the
    MMRDecoder::scanruns() function, which may cause memory corruption.
    This has CVE id CVE-2025-53367 assigned and tracked in Debian BTS as
    #1108729.

    [ Impact ]
    CVE-2025-53367 remains open in trixie (until a DSA is released).

    [ Tests ]
    Manual tests with the package.

    [ Risks ]
    Isolated fix for the issue provided by upstream.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    [ Other info ]
    (Anything else the release team should know.)

    unblock djvulibre/3.5.28-2.1

    Regards,
    Salvatore

    diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog --- djvulibre-3.5.28/debian/changelog 2021-05-10 19:56:59.000000000 +0200
    +++ djvulibre-3.5.28/debian/changelog 2025-07-04 07:38:58.000000000 +0200
    @@ -1,3 +1,11 @@
    +djvulibre (3.5.28-2.1) unstable; urgency=high
    +
    + * Non-maintainer upload.
    + * Fix potential buffer overflow in MMRDecoder (CVE-2025-53367)
    + (Closes: #1108729)
    +
    + -- Salvatore Bonaccorso <[email protected]> Fri, 04 Jul 2025 07:38:58 +0200 +
    djvulibre (3.5.28-2) unstable; urgency=high

    * bump policy version
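    Review bot: the signature line of the new changelog entry ends in "+0200 +", i.e. the blank "+" separator line that should follow the maintainer trailer has been run onto it; in the actual debdiff that line must be a separate empty line or dpkg-parsechangelog will reject the entry. Apart from that the entry is in order for a security NMU: urgency=high, the CVE id in the summary and "(Closes: #1108729)" matching the BTS number given in the request. It would help reviewers if the summary also named the affected function (MMRDecoder::scanruns) as the request body does.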
    diff -Nru djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
    --- djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch 1970-01-01 01:00:00.000000000 +0100
    +++ djvulibre-3.5.28/debian/patches/0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch 2025-07-04 07:38:11.000000000 +0200
    @@ -0,0 +1,37 @@
    +From: Leon Bottou <[email protected]>
    +Date: Wed, 2 Jul 2025 12:49:4
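    Review bot: the hunk header announces 37 added lines, but only the From: and a truncated Date: header of the new patch file are visible here, so the scanruns() bounds fix itself cannot be reviewed from this excerpt. Since the request describes the change as an isolated upstream fix, the DEP-3 header of 0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch should carry Origin: (the upstream commit) and Bug-Debian: (#1108729) fields so that the provenance of the backport can be verified against upstream.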