djvulibre - Debian Package Tracker

general

source: djvulibre (main)
version: 3.5.28-2
maintainer: Barak A. Pearlmutter (DMD) (LowNMU)
uploaders: Leon Bottou [DMD]
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.5.27.1-7
o-o-sec: 3.5.27.1-7+deb9u2
oldstable: 3.5.27.1-10
stable: 3.5.28-2
testing: 3.5.28-2
unstable: 3.5.28-2

versioned links

3.5.27.1-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.5.27.1-7+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.5.27.1-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.5.28-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

djview (1 bugs: 0, 0, 1, 0)
djview3
djvulibre-bin (9 bugs: 0, 5, 4, 0)
djvulibre-desktop
djvuserve
libdjvulibre-dev
libdjvulibre-text
libdjvulibre21 (2 bugs: 0, 2, 0, 0)

action needed

11 security issues in buster high

There are 11 open security issues in buster.

5 important issues:

CVE-2021-32490: A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences.
CVE-2021-32491: A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences.
CVE-2021-32492: A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences.
CVE-2021-32493: A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences.
CVE-2021-3630: An out-of-bounds write vulnerability was found in DjVuLibre in DJVU::DjVuTXT::decode() in DjVuText.cpp via a crafted djvu file which may lead to crash and segmentation fault. This flaw affects DjVuLibre versions prior to 3.5.28.

6 issues left for the package maintainer to handle:

CVE-2019-15142: (needs triaging) In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU file.
CVE-2019-15143: (needs triaging) In DjVuLibre 3.5.27, the bitmap reader component allows attackers to cause a denial-of-service error (resource exhaustion caused by a GBitmap::read_rle_raw infinite loop) by crafting a corrupted image file, related to libdjvu/DjVmDir.cpp and libdjvu/GBitmap.cpp.
CVE-2019-15144: (needs triaging) In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate<TYPE>::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h.
CVE-2019-15145: (needs triaging) DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.
CVE-2019-18804: (needs triaging) DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU::filter_fv at IW44EncodeCodec.cpp.
CVE-2021-3500: (needs triaging) A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-08-15 00:00

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2021-08-14 Last update: 2021-09-27 11:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.5.28-3, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 8a7c7253ad2a1a8c64f09c81d4b72fd0d8e28024
Author: Barak A. Pearlmutter <barak+git@pearlmutter.net>
Date:   Thu Sep 2 14:17:17 2021 +0100

    bump policy

commit d0b5e196b0417cce836ce606df9dd5691f1fe2d1
Merge: 2bec685 2ad2b70
Author: Barak A. Pearlmutter <barak+git@pearlmutter.net>
Date:   Fri Jul 23 14:14:49 2021 +0100

    Merge remote-tracking branch 'upstream/master' into debian

commit 2ad2b702d864d1974f0c569a7594b27e67c64a40
Author: Leon Bottou <leon@bottou.org>
Date:   Sun Jul 11 09:38:52 2021 -0400

    fixed typo in previous commit

commit 254b3f3f3824960eb1eed5f3d5683c30365ff95c
Author: Leon Bottou <leon@bottou.org>
Date:   Sun Jul 11 08:48:31 2021 -0400

    Tentative fix for bug #302

commit 9d00916b06a54bb8ce2807f2d6faeb4f1a6aa118
Author: Leon Bottou <leon@bottou.org>
Date:   Tue Jun 15 18:38:23 2021 -0400

    tentative fix for incorrect resolution in tiff tags

commit eec7b7228d2c4d8f95d824fc3911f2a5ff57ffa9
Author: Leon Bottou <leon@bottou.org>
Date:   Wed Jun 2 09:50:37 2021 -0400

    DjVuToPS fix for images without foreground.

commit 2bec685223379e3ab590318f0d2600d822f78aca
Author: Barak A. Pearlmutter <barak+git@pearlmutter.net>
Date:   Fri May 28 11:37:56 2021 +0100

    All Hail the Multiarch Hinter Toad!

commit 0a984511acc1e7cbfa34bcee23d9fdd3de07febb
Author: Barak A. Pearlmutter <barak+git@pearlmutter.net>
Date:   Tue May 11 23:13:07 2021 +0100

    remove upstreamed or unnecessary patches

commit 5613eca9d98aa7a2eaf2143f415dd7294db6b646
Merge: 098c818 cd8b5c9
Author: Barak A. Pearlmutter <barak+git@pearlmutter.net>
Date:   Tue May 11 23:08:08 2021 +0100

    Merge remote-tracking branch 'upstream/master' into debian

commit cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
Author: Leon Bottou <leon@bottou.org>
Date:   Tue May 11 14:44:09 2021 -0400

    Reviewed Fedora patches and adopted some of them (or variants thereof)
    
     - Patch0: djvulibre-3.5.22-cdefs.patch                  (forward ported)
    Does not make imuch sense. GSmartPointer.h already includes "stddef.h"
     - Patch6: djvulibre-3.5.27-export-file.patch              (forward ported)
    Incorrect: inkscape command is --export-png, not --export-filename.
     - Patch8: djvulibre-3.5.27-check-image-size.patch         (forward ported)
    Correct: adopted a variant of this
     - Patch9: djvulibre-3.5.27-integer-overflow.patch         (forward ported)
    Correct: adopted a variant of this
     - Patch10: djvulibre-3.5.27-check-input-pool.patch        (forward ported)
    Adopted: input validation never hurts
     - Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported)
    Dubious: Instead I changed djvufile to prevent a file from including itself
    which is the only way I can imagine to create an file creation loop.
     - Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported)
    Adopted: but without including limits.h

Created: 2021-05-28 Last update: 2021-09-26 22:05

lintian reports 11 warnings normal

Lintian reports 11 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-01-27 Last update: 2021-05-27 22:03

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

djvulibre-desktop could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2021-09-27 06:37

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-11-03 Last update: 2018-11-03 08:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.5.1).

Created: 2021-08-18 Last update: 2021-08-18 14:02

news

[rss feed]

[2021-07-03] Accepted djvulibre 3.5.27.1-7+deb9u2 (source) into oldstable (Utkarsh Gupta)
[2021-05-26] Accepted djvulibre 3.5.27.1-7+deb9u1 (source) into oldstable (Sylvain Beucler)
[2021-05-16] djvulibre 3.5.28-2 MIGRATED to testing (Debian testing watch)
[2021-05-10] Accepted djvulibre 3.5.28-2 (source) into unstable (Barak A. Pearlmutter)
[2020-11-28] djvulibre 3.5.28-1 MIGRATED to testing (Debian testing watch)
[2020-11-23] Accepted djvulibre 3.5.28-1 (source) into unstable (Barak A. Pearlmutter)
[2020-07-28] djvulibre 3.5.27.1-15 MIGRATED to testing (Debian testing watch)
[2020-07-22] Accepted djvulibre 3.5.27.1-15 (source) into unstable (Barak A. Pearlmutter)
[2019-11-27] djvulibre 3.5.27.1-14 MIGRATED to testing (Debian testing watch)
[2019-11-21] Accepted djvulibre 3.5.27.1-14 (source) into unstable (Barak A. Pearlmutter)
[2019-11-08] Accepted djvulibre 3.5.25.4-4+deb8u2 (source amd64 all) into oldoldstable (Chris Lamb)
[2019-09-16] djvulibre 3.5.27.1-13 MIGRATED to testing (Debian testing watch)
[2019-09-11] Accepted djvulibre 3.5.27.1-13 (source) into unstable (Barak A. Pearlmutter)
[2019-08-29] Accepted djvulibre 3.5.25.4-4+deb8u1 (source amd64 all) into oldoldstable (Thorsten Alteholz)
[2019-08-15] djvulibre 3.5.27.1-12 MIGRATED to testing (Debian testing watch)
[2019-08-10] Accepted djvulibre 3.5.27.1-12 (source) into unstable (Barak A. Pearlmutter)
[2019-06-06] Accepted djvulibre 3.5.27.1-11 (source all amd64) into unstable (Barak A. Pearlmutter)
[2018-11-08] djvulibre 3.5.27.1-10 MIGRATED to testing (Debian testing watch)
[2018-11-02] Accepted djvulibre 3.5.27.1-10 (source all amd64) into unstable (Barak A. Pearlmutter)
[2018-05-06] djvulibre 3.5.27.1-9 MIGRATED to testing (Debian testing watch)
[2018-04-30] Accepted djvulibre 3.5.27.1-9 (source all amd64) into unstable (Barak A. Pearlmutter)
[2017-10-14] djvulibre 3.5.27.1-8 MIGRATED to testing (Debian testing watch)
[2017-10-09] Accepted djvulibre 3.5.27.1-8 (source all amd64) into unstable (Barak A. Pearlmutter)
[2016-11-09] djvulibre 3.5.27.1-7 MIGRATED to testing (Debian testing watch)
[2016-11-03] Accepted djvulibre 3.5.27.1-7 (source all amd64) into unstable (Barak A. Pearlmutter)
[2016-08-24] djvulibre 3.5.27.1-6 MIGRATED to testing (Debian testing watch)
[2016-08-18] Accepted djvulibre 3.5.27.1-6 (source all amd64) into unstable (Barak A. Pearlmutter)
[2015-11-30] djvulibre 3.5.27.1-5 MIGRATED to testing (Britney)
[2015-11-24] Accepted djvulibre 3.5.27.1-5 (source amd64 all) into unstable (Barak A. Pearlmutter)
[2015-11-03] djvulibre 3.5.27.1-4 MIGRATED to testing (Britney)

bugs [bug history graph]

all: 15
RC: 0
I&N: 8
M&W: 7
F&P: 0
patch: 2

links

homepage
lintian (0, 11)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.5.28-2
6 bugs