FS#70787 - [djvulibre] [Security] arbitrary code execution (CVE-2021-3500)
Attached to Project:
Arch Linux
Opened by Jonas Witschel (diabonas) - Monday, 10 May 2021, 20:26 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 15 May 2021, 11:21 GMT
Details
Summary
=======
The package djvulibre is vulnerable to arbitrary code execution via CVE-2021-3500.

Guidance
========
Applying the Fedora patch referenced below fixes the issue. The patch doesn't appear to have been upstreamed, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1943685#c4

References
==========
https://security.archlinux.org/AVG-1899
https://bugzilla.redhat.com/show_bug.cgi?id=1943685
https://bugzilla.redhat.com/show_bug.cgi?id=1943411
https://src.fedoraproject.org/rpms/djvulibre/c/fc359410f7131e4ea0a892ef78e6da72f29afeee.patch
Closed by Antonio Rojas (arojas)
Saturday, 15 May 2021, 11:21 GMT
Reason for closing: Fixed
Additional comments about closing: djvulibre 3.5.28-3
https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-check-image-size.patch # CVE-2021-32490
https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-integer-overflow.patch # CVE-2021-32491
https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-check-input-pool.patch # CVE-2021-32492
https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-djvuport-stack-overflow.patch # CVE-2021-3500
https://src.fedoraproject.org/rpms/djvulibre/blob/rawhide/f/djvulibre-3.5.27-unsigned-short-overflow.patch # CVE-2021-32493