From: Volker Schlecht
Subject: Re: Patch to fix CVE-2025-53367 in graphics/djvulibre
To: ports@openbsd.org, Stuart Henderson
Date: Sat, 18 Apr 2026 14:37:24 +0200

On 4/18/26 2:30 PM, Stuart Henderson wrote:
> On 2026/04/18 14:00, Volker Schlecht wrote:
>> On 4/18/26 11:43 AM, Stuart Henderson wrote:
>>> On 2026/04/17 21:33, Volker Schlecht wrote:
>>>> FWIW: It's CVE-2025-53367
>>>>
>>>> Ubuntu has the best writeup I could find in 2 minutes:
>>>> https://ubuntu.com/security/CVE-2025-53367
>>>
>>> "This issue has been patched in version 3.5.29."
>>>
>>> I'm not seeing anything that looks particularly worrying in the
>>> 3.5.28->3.5.29 diff, and there are some other improvements we don't
>>> have in patches, want to give this a spin?
>>
>> Had that (sans AUTOCONF_VERSION) in my list of diffs for after release :-)
>>
>> Yesterday I shied back from confirming that some of the patches fixing
>> security issues and which still apply, are all covered in 3.5.29
> Everything built ok, btw.
>
> The CVE numbers listed in the comments in old patches are listed as
> being fixed in 3.5.29, though I see the DjVuPort.{cpp,h} changes are
> not present upstream (and still carried in patches in Debian).
>
> However if I try the PoC from https://bugzilla.redhat.com/show_bug.cgi?id=1943411
> with any of (3.5.28 with current patches, 3.5.29 as sent, 3.5.29 with
> DjVuPort patches reinstated) I get the same:
>
> ddjvu: [1-12517] Malformed INCL chunk. Slashes, backslashes, or colons are not allowed.
> ddjvu: Unexpected End Of File.
> ddjvu: Cannot decode document.

It seems they didn't include all the patches verbatim, see comments here:
https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/