On 2026/04/18 14:00, Volker Schlecht wrote:
> On 4/18/26 11:43 AM, Stuart Henderson wrote:
> > On 2026/04/17 21:33, Volker Schlecht wrote:
> > > FWIW: It's CVE-2025-53367
> > > 
> > > Unbuntu has the best writeup I could find in 2 minutes:
> > > https://ubuntu.com/security/CVE-2025-53367
> > 
> > "This issue has been patched in version 3.5.29."
> > 
> > I'm not seeing anything that looks particularly worrying in the
> > 3.5.28->3.5.29 diff, and there are some other improvements we don't
> > have in patches, want to give this a spin?
> 
> Had that (sans AUTOCONF_VERSION) in my list of diffs for after release :-)
> 
> Yesterday I shied back from confirming that some of the patches fixing
> security issues and which still apply, are all covered in 3.5.29
> 

Everything built ok, btw.

The CVE numbers listed in the comments in old patches are listed as
being fixed in 3.5.29, though I see the DjVuPort.{cpp,h} changes are
not present upstream (and still carried in patches in Debian).

However if I try the PoC from https://bugzilla.redhat.com/show_bug.cgi?id=1943411
with any of (3.5.28 with current patches, 3.5.29 as sent, 3.5.29 with
DjVuPort patches reinstated) I get the same:

ddjvu: [1-12517] Malformed INCL chunk. Slashes, backslashes, or colons are not allowed.
ddjvu: Unexpected End Of File.
ddjvu: Cannot decode document.