From: Stuart Henderson
Subject: Re: Patch to fix CVE-2025-53367 in graphics/djvulibre
To: Volker Schlecht
Cc: Nick Permyakov , ports@openbsd.org
Date: Sat, 18 Apr 2026 10:43:07 +0100

On 2026/04/17 21:33, Volker Schlecht wrote:
> FWIW: It's CVE-2025-53367
>
> Unbuntu has the best writeup I could find in 2 minutes:
> https://ubuntu.com/security/CVE-2025-53367

"This issue has been patched in version 3.5.29."
I'm not seeing anything that looks particularly worrying in the 3.5.28->3.5.29 diff, and there are some other improvements we don't have in patches, want to give this a spin? I'll set a build running with all the things depending on it.

Index: Makefile
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/Makefile,v
diff -u -p -r1.54 Makefile
--- Makefile 17 Apr 2026 19:58:07 -0000 1.54
+++ Makefile 18 Apr 2026 09:41:25 -0000
@@ -1,8 +1,7 @@
 COMMENT= view, decode and encode DjVu files
-DISTNAME= djvulibre-3.5.28
-REVISION= 5
-SHARED_LIBS= djvulibre 27.0 # 28.0
+DISTNAME= djvulibre-3.5.29
+SHARED_LIBS= djvulibre 27.0 # 29.0
 CATEGORIES= graphics print
 HOMEPAGE= https://djvu.sourceforge.net/
@@ -26,7 +25,7 @@ BUILD_DEPENDS+= x11/gnome/librsvg
 USE_GMAKE= Yes
-AUTOCONF_VERSION= 2.69
+AUTOCONF_VERSION= 2.71
 CONFIGURE_STYLE= autoconf
 CONFIGURE_ARGS= --with-extra-includes=${LOCALBASE}/include \
Index: distinfo
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/distinfo,v
diff -u -p -r1.10 distinfo
--- distinfo 20 Oct 2021 16:31:58 -0000 1.10
+++ distinfo 18 Apr 2026 09:41:25 -0000
@@ -1,2 +1,2 @@
-SHA256 (djvulibre-3.5.28.tar.gz) = /NAJ6nZU/eWoNgDrgHV706dpmOR9E8ZrVMjbhJ+PLtw=
-SIZE (djvulibre-3.5.28.tar.gz) = 3701161
+SHA256 (djvulibre-3.5.29.tar.gz) = 07SwOuK9yoUWo2726ye3d/BSjJ7aJnRdmWKCSj/f7M8=
+SIZE (djvulibre-3.5.29.tar.gz) = 3716911
Index: patches/patch-libdjvu_DataPool_cpp
===================================================================
RCS file: patches/patch-libdjvu_DataPool_cpp
diff -N patches/patch-libdjvu_DataPool_cpp
--- patches/patch-libdjvu_DataPool_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,16 +0,0 @@
-Fix CVE-2021-32492: Out-of-Bounds Read
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: libdjvu/DataPool.cpp
---- libdjvu/DataPool.cpp.orig
-+++ libdjvu/DataPool.cpp
-@@ -791,6 +791,9 @@ DataPool::create(const GP & pool, int start,
- DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
- DEBUG_MAKE_INDENT(3);
-
-+ if (!pool)
-+ G_THROW( ERR_MSG("DataPool.zero_DataPool") );
-+
- DataPool *xpool=new DataPool();
- GP retval=xpool;
- xpool->init();
Index: patches/patch-libdjvu_DjVuFile_cpp
===================================================================
RCS file: patches/patch-libdjvu_DjVuFile_cpp
diff -N patches/patch-libdjvu_DjVuFile_cpp
--- patches/patch-libdjvu_DjVuFile_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: libdjvu/DjVuFile.cpp
---- libdjvu/DjVuFile.cpp.orig
-+++ libdjvu/DjVuFile.cpp
-@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int fil
- GURL incl_url=pcaster->id_to_url(this, incl_str);
- if (incl_url.is_empty()) // Fallback. Should never be used.
- incl_url=GURL::UTF8(incl_str,url.base());
-+ if (incl_url == url) // Infinite loop avoidance
-+ G_THROW( ERR_MSG("DjVuFile.malformed") );
-
- // Now see if there is already a file with this *name* created
- {
Index: patches/patch-libdjvu_DjVuPort_cpp
===================================================================
RCS file: patches/patch-libdjvu_DjVuPort_cpp
diff -N patches/patch-libdjvu_DjVuPort_cpp
--- patches/patch-libdjvu_DjVuPort_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,26 +0,0 @@
-Fix CVE-2021-3500: Stack-Based Buffer Overflow
-https://bugzilla.redhat.com/show_bug.cgi?id=1943411
-
-Index: libdjvu/DjVuPort.cpp
---- libdjvu/DjVuPort.cpp.orig
-+++ libdjvu/DjVuPort.cpp
-@@ -507,10 +507,19 @@ GP
- DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
- {
- GPList list;
-+
-+ if (!!opening_id && opening_id == id)
-+ G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
-+ else
-+ opening_id = id;
-+
- compute_closure(source, list, true);
- GP file;
- for(GPosition pos=list;pos;++pos)
- if ((file=list[pos]->id_to_file(source, id))) break;
-+
-+ opening_id = GUTF8String();
-+
- return file;
- }
-
Index: patches/patch-libdjvu_DjVuPort_h
===================================================================
RCS file: patches/patch-libdjvu_DjVuPort_h
diff -N patches/patch-libdjvu_DjVuPort_h
--- patches/patch-libdjvu_DjVuPort_h 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-Fix CVE-2021-3500: Stack-Based Buffer Overflow
-https://bugzilla.redhat.com/show_bug.cgi?id=1943411
-
-Index: libdjvu/DjVuPort.h
---- libdjvu/DjVuPort.h.orig
-+++ libdjvu/DjVuPort.h
-@@ -484,6 +484,7 @@ class DJVUAPI DjVuPortcaster (private)
- const DjVuPort *dst, int distance);
- void compute_closure(const DjVuPort *src, GPList &list,
- bool sorted=false);
-+ GUTF8String opening_id;
- };
-
-
Index: patches/patch-libdjvu_GBitmap_cpp
===================================================================
RCS file: patches/patch-libdjvu_GBitmap_cpp
diff -N patches/patch-libdjvu_GBitmap_cpp
--- patches/patch-libdjvu_GBitmap_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-Fix CVE-2021-32493: Integer Overflow Leading to Heap Buffer Overflow
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: libdjvu/GBitmap.cpp
---- libdjvu/GBitmap.cpp.orig
-+++ libdjvu/GBitmap.cpp
-@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
- // initialize pixel array
- if (nrows==0 || ncolumns==0)
- G_THROW( ERR_MSG("GBitmap.not_init") );
-+ if (ncolumns + border != (unsigned short)(ncolumns+border))
-+ G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
- bytes_per_row = ncolumns + border;
- if (runs==0)
- G_THROW( ERR_MSG("GBitmap.null_arg") );
Index: patches/patch-libdjvu_IW44Image_cpp
===================================================================
RCS file: patches/patch-libdjvu_IW44Image_cpp
diff -N patches/patch-libdjvu_IW44Image_cpp
--- patches/patch-libdjvu_IW44Image_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,20 +0,0 @@
-Fix CVE-2021-32490: out of bounds write
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: libdjvu/IW44Image.cpp
---- libdjvu/IW44Image.cpp.orig
-+++ libdjvu/IW44Image.cpp
-@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize,
- // Allocate reconstruction buffer
- short *data16;
- size_t sz = bw * bh;
-+ if (sz == 0)
-+ G_THROW("IW44Image: image size is zero (corrupted file?)");
- if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
- G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
- GPBuffer gdata16(data16,sz);
-+ if (data16 == 0)
-+ G_THROW("IW44Image: unable to allocate image buffer");
- // Copy coefficients
- int i;
- short *p = data16;
Index: patches/patch-libdjvu_MMRDecoder_cpp
===================================================================
RCS file: patches/patch-libdjvu_MMRDecoder_cpp
diff -N patches/patch-libdjvu_MMRDecoder_cpp
--- patches/patch-libdjvu_MMRDecoder_cpp 17 Apr 2026 19:58:10 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,25 +0,0 @@
-Fix CVE-2025-53367: potential buffer overflow in MMRDecoder
-https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
-
-Index: libdjvu/MMRDecoder.cpp
---- libdjvu/MMRDecoder.cpp.orig
-+++ libdjvu/MMRDecoder.cpp
-@@ -589,6 +589,9 @@ MMRDecoder::scanruns(const unsigned short **endptr)
- int a0,rle,b1;
- for(a0=0,rle=0,b1=*pr++;a0 < width;)
- {
-+ // Check for buffer overflow
-+ if (xr > lineruns+width+2 || pr > prevruns+width+2)
-+ G_THROW(invalid_mmr_data);
- // Process MMR codes
- const int c=mrtable->decode(src);
- switch ( c )
-@@ -714,7 +717,7 @@
- rle++;
- a0++;
- }
-- if (a0 > width)
-+ if (a0 > width || xr > lineruns+width+2)
- G_THROW(invalid_mmr_data);
- }
- // Analyze uncompressed termination code.
Index: patches/patch-libdjvu_miniexp_cpp
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp,v
diff -u -p -r1.4 patch-libdjvu_miniexp_cpp
--- patches/patch-libdjvu_miniexp_cpp 11 Mar 2022 19:22:14 -0000 1.4
+++ patches/patch-libdjvu_miniexp_cpp 18 Apr 2026 09:41:25 -0000
@@ -1,7 +1,7 @@
 Index: libdjvu/miniexp.cpp
 --- libdjvu/miniexp.cpp.orig
 +++ libdjvu/miniexp.cpp
-@@ -1300,7 +1300,7 @@ static int stdio_fputs(miniexp_io_t *io, const char *s
+@@ -1326,7 +1326,7 @@ static int stdio_fputs(miniexp_io_t *io, const char *s
 static int true_stdio_fgetc(miniexp_io_t *io)
 {
 FILE *f = (io->data[0]) ? (FILE*)(io->data[0]) : stdin;
Index: patches/patch-tools_ddjvu_cpp
===================================================================
RCS file: patches/patch-tools_ddjvu_cpp
diff -N patches/patch-tools_ddjvu_cpp
--- patches/patch-tools_ddjvu_cpp 11 Mar 2022 19:22:14 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,20 +0,0 @@
-Fix CVE-2021-32491: Integer Overflow Leading to Heap-Based Buffer Overflow
-https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
-
-Index: tools/ddjvu.cpp
---- tools/ddjvu.cpp.orig
-+++ tools/ddjvu.cpp
-@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
- } else if (style == DDJVU_FORMAT_GREY8)
- rowsize = rrect.w;
- else
-- rowsize = rrect.w * 3;
-- if (! (image = (char*)malloc(rowsize * rrect.h)))
-+ rowsize = rrect.w * 3;
-+ size_t bufsize = (size_t)rowsize * rrect.h;
-+ if (bufsize / rowsize != rrect.h)
-+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
-+ if (! (image = (char*)malloc(bufsize)))
- die(i18n("Cannot allocate image buffer for page %d"), pageno);
-
- /* Render */