Patch to fix CVE-2025-53367 in graphics/djvulibre
On 2026/04/17 21:33, Volker Schlecht wrote:
> FWIW: It's CVE-2025-53367
>
> Ubuntu has the best writeup I could find in 2 minutes:
> https://ubuntu.com/security/CVE-2025-53367
"This issue has been patched in version 3.5.29."
I'm not seeing anything that looks particularly worrying in the
3.5.28->3.5.29 diff, and there are some other improvements we don't
have in patches, want to give this a spin?
I'll set a build running with all the things depending on it.
Index: Makefile
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/Makefile,v
diff -u -p -r1.54 Makefile
--- Makefile 17 Apr 2026 19:58:07 -0000 1.54
+++ Makefile 18 Apr 2026 09:41:25 -0000
@@ -1,8 +1,7 @@
COMMENT= view, decode and encode DjVu files
-DISTNAME= djvulibre-3.5.28
-REVISION= 5
-SHARED_LIBS= djvulibre 27.0 # 28.0
+DISTNAME= djvulibre-3.5.29
+SHARED_LIBS= djvulibre 27.0 # 29.0
CATEGORIES= graphics print
HOMEPAGE= https://djvu.sourceforge.net/
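Review bot: The deletion of the local security patches further down (CVE-2021-3500, CVE-2021-32490 through CVE-2021-32493, the DjVuFile include-loop check and CVE-2025-53367) rests entirely on the `DISTNAME= djvulibre-3.5.29` bump in this hunk, and the message only quotes upstream confirmation for CVE-2025-53367. Once the patch files are gone, nothing in the build will flag a fix that is missing from the tarball. It is worth confirming in the extracted 3.5.29 source that each guard is present, for example `if (xr > lineruns+width+2 || pr > prevruns+width+2)` in `MMRDecoder::scanruns` and the `opening_id` check in `DjVuPortcaster::id_to_file`, and recording that in the commit message. Separately, `SHARED_LIBS= djvulibre 27.0 # 29.0` keeps the port's library version unchanged while the upstream number in the comment moves on; the message does not say whether the exported symbols were compared between the two releases, so stating the result of that check would help.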
@@ -26,7 +25,7 @@ BUILD_DEPENDS+= x11/gnome/librsvg
USE_GMAKE= Yes
-AUTOCONF_VERSION= 2.69
+AUTOCONF_VERSION= 2.71
CONFIGURE_STYLE= autoconf
CONFIGURE_ARGS= --with-extra-includes=${LOCALBASE}/include \
Index: distinfo
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/distinfo,v
diff -u -p -r1.10 distinfo
--- distinfo 20 Oct 2021 16:31:58 -0000 1.10
+++ distinfo 18 Apr 2026 09:41:25 -0000
@@ -1,2 +1,2 @@
-SHA256 (djvulibre-3.5.28.tar.gz) = /NAJ6nZU/eWoNgDrgHV706dpmOR9E8ZrVMjbhJ+PLtw=
-SIZE (djvulibre-3.5.28.tar.gz) = 3701161
+SHA256 (djvulibre-3.5.29.tar.gz) = 07SwOuK9yoUWo2726ye3d/BSjJ7aJnRdmWKCSj/f7M8=
+SIZE (djvulibre-3.5.29.tar.gz) = 3716911
Index: patches/patch-libdjvu_DataPool_cpp
===================================================================
RCS file: patches/patch-libdjvu_DataPool_cpp
diff -N patches/patch-libdjvu_DataPool_cpp
--- patches/patch-libdjvu_DataPool_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,16 +0,0 @@
-Fix CVE-2021-32492: Out-of-Bounds Read
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: libdjvu/DataPool.cpp
---- libdjvu/DataPool.cpp.orig
-+++ libdjvu/DataPool.cpp
-@@ -791,6 +791,9 @@ DataPool::create(const GP<DataPool> & pool, int start,
- DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
- DEBUG_MAKE_INDENT(3);
-
-+ if (!pool)
-+ G_THROW( ERR_MSG("DataPool.zero_DataPool") );
-+
- DataPool *xpool=new DataPool();
- GP<DataPool> retval=xpool;
- xpool->init();
Index: patches/patch-libdjvu_DjVuFile_cpp
===================================================================
RCS file: patches/patch-libdjvu_DjVuFile_cpp
diff -N patches/patch-libdjvu_DjVuFile_cpp
--- patches/patch-libdjvu_DjVuFile_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: libdjvu/DjVuFile.cpp
---- libdjvu/DjVuFile.cpp.orig
-+++ libdjvu/DjVuFile.cpp
-@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int fil
- GURL incl_url=pcaster->id_to_url(this, incl_str);
- if (incl_url.is_empty()) // Fallback. Should never be used.
- incl_url=GURL::UTF8(incl_str,url.base());
-+ if (incl_url == url) // Infinite loop avoidance
-+ G_THROW( ERR_MSG("DjVuFile.malformed") );
-
- // Now see if there is already a file with this *name* created
- {
Index: patches/patch-libdjvu_DjVuPort_cpp
===================================================================
RCS file: patches/patch-libdjvu_DjVuPort_cpp
diff -N patches/patch-libdjvu_DjVuPort_cpp
--- patches/patch-libdjvu_DjVuPort_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,26 +0,0 @@
-Fix CVE-2021-3500: Stack-Based Buffer Overflow
-https://bugzilla.redhat.com/show_bug.cgi?id=1943411
-
-Index: libdjvu/DjVuPort.cpp
---- libdjvu/DjVuPort.cpp.orig
-+++ libdjvu/DjVuPort.cpp
-@@ -507,10 +507,19 @@ GP<DjVuFile>
- DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
- {
- GPList<DjVuPort> list;
-+
-+ if (!!opening_id && opening_id == id)
-+ G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
-+ else
-+ opening_id = id;
-+
- compute_closure(source, list, true);
- GP<DjVuFile> file;
- for(GPosition pos=list;pos;++pos)
- if ((file=list[pos]->id_to_file(source, id))) break;
-+
-+ opening_id = GUTF8String();
-+
- return file;
- }
-
Index: patches/patch-libdjvu_DjVuPort_h
===================================================================
RCS file: patches/patch-libdjvu_DjVuPort_h
diff -N patches/patch-libdjvu_DjVuPort_h
--- patches/patch-libdjvu_DjVuPort_h 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-Fix CVE-2021-3500: Stack-Based Buffer Overflow
-https://bugzilla.redhat.com/show_bug.cgi?id=1943411
-
-Index: libdjvu/DjVuPort.h
---- libdjvu/DjVuPort.h.orig
-+++ libdjvu/DjVuPort.h
-@@ -484,6 +484,7 @@ class DJVUAPI DjVuPortcaster (private)
- const DjVuPort *dst, int distance);
- void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
- bool sorted=false);
-+ GUTF8String opening_id;
- };
-
-
Index: patches/patch-libdjvu_GBitmap_cpp
===================================================================
RCS file: patches/patch-libdjvu_GBitmap_cpp
diff -N patches/patch-libdjvu_GBitmap_cpp
--- patches/patch-libdjvu_GBitmap_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-Fix CVE-2021-32493: Integer Overflow Leading to Heap Buffer Overflow
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: libdjvu/GBitmap.cpp
---- libdjvu/GBitmap.cpp.orig
-+++ libdjvu/GBitmap.cpp
-@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
- // initialize pixel array
- if (nrows==0 || ncolumns==0)
- G_THROW( ERR_MSG("GBitmap.not_init") );
-+ if (ncolumns + border != (unsigned short)(ncolumns+border))
-+ G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
- bytes_per_row = ncolumns + border;
- if (runs==0)
- G_THROW( ERR_MSG("GBitmap.null_arg") );
Index: patches/patch-libdjvu_IW44Image_cpp
===================================================================
RCS file: patches/patch-libdjvu_IW44Image_cpp
diff -N patches/patch-libdjvu_IW44Image_cpp
--- patches/patch-libdjvu_IW44Image_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,20 +0,0 @@
-Fix CVE-2021-32490: out of bounds write
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: libdjvu/IW44Image.cpp
---- libdjvu/IW44Image.cpp.orig
-+++ libdjvu/IW44Image.cpp
-@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize,
- // Allocate reconstruction buffer
- short *data16;
- size_t sz = bw * bh;
-+ if (sz == 0)
-+ G_THROW("IW44Image: image size is zero (corrupted file?)");
- if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
- G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
- GPBuffer<short> gdata16(data16,sz);
-+ if (data16 == 0)
-+ G_THROW("IW44Image: unable to allocate image buffer");
- // Copy coefficients
- int i;
- short *p = data16;
Index: patches/patch-libdjvu_MMRDecoder_cpp
===================================================================
RCS file: patches/patch-libdjvu_MMRDecoder_cpp
diff -N patches/patch-libdjvu_MMRDecoder_cpp
--- patches/patch-libdjvu_MMRDecoder_cpp 17 Apr 2026 19:58:10 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,25 +0,0 @@
-Fix CVE-2025-53367: potential buffer overflow in MMRDecoder
-https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
-
-Index: libdjvu/MMRDecoder.cpp
---- libdjvu/MMRDecoder.cpp.orig
-+++ libdjvu/MMRDecoder.cpp
-@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr)
- int a0,rle,b1;
- for(a0=0,rle=0,b1=*pr++;a0 < width;)
- {
-+ // Check for buffer overflow
-+ if (xr > lineruns+width+2 || pr > prevruns+width+2)
-+ G_THROW(invalid_mmr_data);
- // Process MMR codes
- const int c=mrtable->decode(src);
- switch ( c )
-@@ -714,7 +717,7 @@
- rle++;
- a0++;
- }
-- if (a0 > width)
-+ if (a0 > width || xr > lineruns+width+2)
- G_THROW(invalid_mmr_data);
- }
- // Analyze uncompressed termination code.
Index: patches/patch-libdjvu_miniexp_cpp
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp,v
diff -u -p -r1.4 patch-libdjvu_miniexp_cpp
--- patches/patch-libdjvu_miniexp_cpp 11 Mar 2022 19:22:14 -0000 1.4
+++ patches/patch-libdjvu_miniexp_cpp 18 Apr 2026 09:41:25 -0000
@@ -1,7 +1,7 @@
Index: libdjvu/miniexp.cpp
--- libdjvu/miniexp.cpp.orig
+++ libdjvu/miniexp.cpp
-@@ -1300,7 +1300,7 @@ static int stdio_fputs(miniexp_io_t *io, const char *s
+@@ -1326,7 +1326,7 @@ static int stdio_fputs(miniexp_io_t *io, const char *s
static int true_stdio_fgetc(miniexp_io_t *io) {
FILE *f = (io->data[0]) ? (FILE*)(io->data[0]) : stdin;
Index: patches/patch-tools_ddjvu_cpp
===================================================================
RCS file: patches/patch-tools_ddjvu_cpp
diff -N patches/patch-tools_ddjvu_cpp
--- patches/patch-tools_ddjvu_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,20 +0,0 @@
-Fix CVE-2021-32491: Integer Overflow Leading to Heap-Based Buffer Overflow
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: tools/ddjvu.cpp
---- tools/ddjvu.cpp.orig
-+++ tools/ddjvu.cpp
-@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
- } else if (style == DDJVU_FORMAT_GREY8)
- rowsize = rrect.w;
- else
-- rowsize = rrect.w * 3;
-- if (! (image = (char*)malloc(rowsize * rrect.h)))
-+ rowsize = rrect.w * 3;
-+ size_t bufsize = (size_t)rowsize * rrect.h;
-+ if (bufsize / rowsize != rrect.h)
-+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
-+ if (! (image = (char*)malloc(bufsize)))
- die(i18n("Cannot allocate image buffer for page %d"), pageno);
-
- /* Render */