From: Volker Schlecht
Subject: Re: Patch to fix CVE-2025-53367 in graphics/djvulibre
To: Nick Permyakov, ports@openbsd.org
Date: Fri, 17 Apr 2026 21:33:04 +0200

FWIW: It's CVE-2025-53367
Ubuntu has the best writeup I could find in 2 minutes: https://ubuntu.com/security/CVE-2025-53367

ok volker@ - builds fine, and everyone else has the patch already

On 4/17/26 7:50 PM, Nick Permyakov wrote:
> Ping.
>
> This vulnerability seems to have high severity.
>
> On Fri, Apr 10, 2026 at 6:27 PM Nick Permyakov wrote:
>>
>> Hi,
>>
>> Here's an upstream patch that fixes a potential buffer overflow in graphics/djvulibre.
>>
>> Best regards,
>> Nick Permyakov
>>
>> Index: Makefile >> =================================================================== >> RCS file: /cvs/ports/graphics/djvulibre/Makefile,v >> diff -u -p -u -r1.53 Makefile >> --- Makefile 22 Jul 2025 12:40:55 -0000 1.53 >> +++ Makefile 9 Apr 2026 21:13:52 -0000 >> @@ -1,7 +1,7 @@ >> COMMENT= view, decode and encode DjVu files >> >> DISTNAME= djvulibre-3.5.28 >> -REVISION= 4 >> +REVISION= 5 >> SHARED_LIBS= djvulibre 27.0 # 28.0 >> CATEGORIES= graphics print >> >> Index: patches/patch-libdjvu_MMRDecoder_cpp >> =================================================================== >> RCS file: patches/patch-libdjvu_MMRDecoder_cpp >> diff -N patches/patch-libdjvu_MMRDecoder_cpp >> --- /dev/null 1 Jan 1970 00:00:00 -0000 >> +++ patches/patch-libdjvu_MMRDecoder_cpp 9 Apr 2026 21:13:52 -0000 
>> @@ -0,0 +1,25 @@ >> +Fix CVE-2025-53367: potential buffer overflow in MMRDecoder >> +https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/ >> + >> +Index: libdjvu/MMRDecoder.cpp >> +--- libdjvu/MMRDecoder.cpp.orig >> ++++ libdjvu/MMRDecoder.cpp >> +@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr) >> + int a0,rle,b1; >> + for(a0=0,rle=0,b1=*pr++;a0 < width;) >> + { >> ++ // Check for buffer overflow >> ++ if (xr > lineruns+width+2 || pr > prevruns+width+2) >> ++ G_THROW(invalid_mmr_data); >> + // Process MMR codes >> + const int c=mrtable->decode(src); >> + switch ( c ) >> +@@ -714,7 +717,7 @@ >> + rle++; >> + a0++; >> + } >> +- if (a0 > width) >> ++ if (a0 > width || xr > lineruns+width+2) >> + G_THROW(invalid_mmr_data); >> + } >> + // Analyze uncompressed termination code. >> >> >
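
Review bot: The bound `width+2` in the check added at the top of the `scanruns` loop (MMRDecoder.cpp hunk at line 589) is unexplained, and since the allocation of `lineruns` and `prevruns` is not visible in the diff, a reader cannot confirm that `>` rather than `>=` is the right comparison in `if (xr > lineruns+width+2 || pr > prevruns+width+2)`. A one-line comment tying `width+2` to the allocated length of the two run buffers would make this checkable. The test also runs only once per outer-loop iteration, so it relies on each `switch` case advancing `xr` and `pr` by a bounded amount before the next pass; that is worth confirming against the full function before relying on it as the sole guard.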
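
Review bot: The amended test in the MMRDecoder.cpp hunk at line 714, `if (a0 > width || xr > lineruns+width+2)`, bounds `xr` but not `pr`, unlike the check added at the top of the loop. If `pr` cannot advance in this branch, a short comment saying so would settle the asymmetry; otherwise the matching `pr > prevruns+width+2` term belongs here too. The test also sits after the `rle++; a0++;` loop body shown above it, so it only reports an overrun at that point; whether `xr` is written through inside that loop is not visible in this context and should be checked in the full source.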