
From:
Stuart Henderson <stu@spacehopper.org>
Subject:
Re: Patch to fix CVE-2025-53367 in graphics/djvulibre
To:
Volker Schlecht <openbsd-ports@schlecht.dev>
Cc:
ports@openbsd.org
Date:
Sat, 18 Apr 2026 13:50:32 +0100

On 2026/04/18 14:37, Volker Schlecht wrote:
> On 4/18/26 2:30 PM, Stuart Henderson wrote:
> > On 2026/04/18 14:00, Volker Schlecht wrote:
> > > On 4/18/26 11:43 AM, Stuart Henderson wrote:
> > > > On 2026/04/17 21:33, Volker Schlecht wrote:
> > > > > FWIW: It's CVE-2025-53367
> > > > > 
> > > > > Ubuntu has the best writeup I could find in 2 minutes:
> > > > > https://ubuntu.com/security/CVE-2025-53367
> > > > 
> > > > "This issue has been patched in version 3.5.29."
> > > > 
> > > > I'm not seeing anything that looks particularly worrying in the
> > > > 3.5.28->3.5.29 diff, and there are some other improvements we don't
> > > > have in patches, want to give this a spin?
> > > 
> > > Had that (sans AUTOCONF_VERSION) in my list of diffs for after release :-)
> > > 
> > > Yesterday I shied away from confirming that the patches fixing
> > > security issues which still apply are all covered in 3.5.29
> 
> > Everything built ok, btw.
> > 
> > The CVE numbers listed in the comments in old patches are listed as
> > being fixed in 3.5.29, though I see the DjVuPort.{cpp,h} changes are
> > not present upstream (and still carried in patches in Debian).
> > 
> > However if I try the PoC from https://bugzilla.redhat.com/show_bug.cgi?id=1943411
> > with any of (3.5.28 with current patches, 3.5.29 as sent, 3.5.29 with
> > DjVuPort patches reinstated) I get the same:
> > 
> > ddjvu: [1-12517] Malformed INCL chunk. Slashes, backslashes, or colons are not allowed.
> > ddjvu: Unexpected End Of File.
> > ddjvu: Cannot decode document.
> 
> It seems they didn't include all the patches verbatim, see comments here:
> 
> https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/

patches/patch-libdjvu_DjVuPalette_cpp is also useless, they already
have a #define for this, so it can be safely dropped

leaving patch-configure_ac (-O3 / -mtune etc.), which we want, and
patch-libdjvu_miniexp_cpp, which I have no clue about: there's nothing
in the patch comment or commit log. (Other OSes don't seem to have it, though.)
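The check the thread is doing by hand (which carried port patches still apply to 3.5.29, which upstream merged, and which it took in a different form) can be mechanised. The following is an added example written for this page, not code from the thread, from djvulibre or from the OpenBSD ports tree: it parses single-file unified diffs in the layout of a ports patches/ file (comment header, Index: line, ---/+++ lines, hunks), pulls CVE identifiers out of the header, and classifies each hunk against the new tree as still applying, merged verbatim, or conflicting. The upstream file contents, the path src/chunk.c and every hunk are constructed; the CVE-2025-53367 string appears in one sample header only to exercise the extractor, and the hunk next to it is not the real fix.

```python
"""Classify carried port patches against a new upstream tree (added example, hypothetical checker)."""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")

def parse_patch(text):
    """Ports-style single-file diff -> (header_text, target_path, hunks); a hunk is [(tag, line)]."""
    header, target, hunks, in_hunks = [], None, [], False
    for raw in text.splitlines():
        if HUNK_RE.match(raw):
            hunks.append([])
            in_hunks = True
        elif in_hunks:
            if raw[:1] in (" ", "-", "+"):
                hunks[-1].append((raw[0], raw[1:]))
            elif raw == "":                    # empty context line with the space stripped
                hunks[-1].append((" ", ""))
        elif raw.startswith("+++ "):
            target = raw[4:].split("\t")[0].strip()
        elif not raw.startswith(("--- ", "Index:")):
            header.append(raw)
    return "\n".join(header), target, hunks

def _find(needle, hay):
    """0-based offset where needle occurs as a contiguous run of lines in hay, else -1."""
    n = len(needle)
    return next((i for i in range(len(hay) - n + 1) if hay[i:i + n] == needle), -1)

def classify_hunk(hunk, file_lines):
    """applies: pre-image still there; merged: post-image there verbatim; conflict: neither."""
    if _find([l for t, l in hunk if t in " -"], file_lines) >= 0:
        return "applies"
    if _find([l for t, l in hunk if t in " +"], file_lines) >= 0:
        return "merged"
    return "conflict"

def check_patch(patch_text, upstream):
    """upstream: {path: text} of the new release. The verdict says what to do with the patch."""
    header, target, hunks = parse_patch(patch_text)
    report = {"target": target, "cves": sorted(set(CVE_RE.findall(header))), "hunks": []}
    if target not in upstream:
        report["verdict"] = "missing-file"
        return report
    report["hunks"] = [classify_hunk(h, upstream[target].splitlines()) for h in hunks]
    kinds = set(report["hunks"])
    if kinds == {"merged"}:
        report["verdict"] = "merged"       # drop the patch
    elif kinds == {"applies"}:
        report["verdict"] = "applies"      # keep carrying it
    elif "conflict" in kinds or not kinds:
        report["verdict"] = "conflict"     # read upstream's diff by hand
    else:
        report["verdict"] = "partial"      # some hunks merged, some still needed
    return report

# Constructed stand-in for the new release tree; not real djvulibre source.
UPSTREAM = {
    "src/chunk.c": 'int f(const char *n)\n{\n  if (strpbrk(n, "/\\\\:"))\n    return -1;\n  return 0;\n}',
    "configure.ac": 'AC_INIT\nCXXFLAGS="$CXXFLAGS -O3"\nAC_OUTPUT',
}
# Constructed patches. The CVE id in the first header is the thread's, reused only as sample
# text for the extractor; none of these hunks is the real fix or a real ports patch.
PATCH_MERGED = r"""Reject slashes, backslashes and colons in chunk names. Fixes CVE-2025-53367.
Index: src/chunk.c
--- src/chunk.c.orig
+++ src/chunk.c
@@ -1,4 +1,6 @@
 int f(const char *n)
 {
+  if (strpbrk(n, "/\\:"))
+    return -1;
   return 0;
 }
"""
PATCH_REWRITTEN = r"""Same hardening, written differently from what upstream merged.
Index: src/chunk.c
--- src/chunk.c.orig
+++ src/chunk.c
@@ -1,4 +1,6 @@
 int f(const char *n)
 {
+  if (strchr(n, '/'))
+    return -1;
   return 0;
 }
"""
PATCH_CONFIGURE = r"""Let the ports framework, not upstream, choose optimisation flags.
Index: configure.ac
--- configure.ac.orig
+++ configure.ac
@@ -1,3 +1,3 @@
 AC_INIT
-CXXFLAGS="$CXXFLAGS -O3"
+CXXFLAGS="$CXXFLAGS"
 AC_OUTPUT
"""

if __name__ == "__main__":
    for p in (PATCH_MERGED, PATCH_REWRITTEN, PATCH_CONFIGURE):
        print(check_patch(p, UPSTREAM))
```

Run against a real tree you would load UPSTREAM from the extracted tarball and the patch texts from patches/. The "conflict" verdict is the one worth reading: it is what you get when upstream took a fix but not verbatim, which is the situation the thread ran into with the DjVuPort changes, and it means the CVE list in the release notes is not enough on its own; the upstream diff has to be read by hand, or the PoC run, before the carried patch is dropped.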