Bug 1187869 (CVE-2021-3630) - VUL-0: CVE-2021-3630: djvulibre: out-of-bounds write in DJVU:DjVuTXT:decode() in DjVuText.cpp
Status: RESOLVED FIXED
Alias: CVE-2021-3630
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/303207/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3630:7.3:(AV:L...
Reported: 2021-06-30 13:43 UTC by Gianluca Gabrielli
Modified: 2024-07-23 09:00 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2021-06-30 13:43:49 UTC
An out-of-bounds write vulnerability was found in DjVuLibre in DJVU::DjVuTXT::decode() in DjVuText.cpp via a crafted djvu file, which may lead to a crash and segmentation fault. This flaw affects DjVuLibre versions prior to 3.5.28.

Reference:
https://sourceforge.net/p/djvu/bugs/302/

Upstream patch:
https://sourceforge.net/p/djvu/djvulibre-git/ci/7b0ef20690e08f1fe124aebbf42f6310e2f40f81/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1977427
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3630
Comment 1 Gianluca Gabrielli 2021-06-30 13:44:55 UTC
Affected packages:
 - SUSE:SLE-11:Update/djvulibre     3.5.21
 - SUSE:SLE-12:Update/djvulibre     3.5.25.3
 - SUSE:SLE-15-SP2:Update/djvulibre 3.5.27
 - SUSE:SLE-15:Update/djvulibre     3.5.27

Already patched:
 - openSUSE:Factory/djvulibre       3.5.28

Upstream patch [0].

[0] https://sourceforge.net/p/djvu/djvulibre-git/ci/7b0ef20690e08f1fe124aebbf42f6310e2f40f81/
Comment 2 Petr Gajdos 2021-07-01 11:01:18 UTC
Submitted for 15sp2,15,12,11/djvulibre.
Comment 4 Swamp Workflow Management 2021-07-02 19:19:23 UTC
SUSE-SU-2021:14761-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187869
CVE References: CVE-2021-3630
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    djvulibre-3.5.21-3.15.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    djvulibre-3.5.21-3.15.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    djvulibre-3.5.21-3.15.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    djvulibre-3.5.21-3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Liu Shukui 2021-07-05 10:22:55 UTC
(In reply to Gianluca Gabrielli from comment #0)
> An out-of-bounds write vulnerability was found in DjVuLibre in
> DJVU::DjVuTXT::decode() in DjVuText.cpp via a crafted djvu file which may
> lead to crash and segmentation fault. This flaw affects DjVuLibre versions
> prior to 3.5.28.
> 
> Reference:
> https://sourceforge.net/p/djvu/bugs/302/
> 
> Upstream patch:
> https://sourceforge.net/p/djvu/djvulibre-git/ci/
> 7b0ef20690e08f1fe124aebbf42f6310e2f40f81/
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=1977427
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3630

It seems the bug is not fixed on sle15sp2 and sle15sp3:

s15sp3:~ # type djvutxt
djvutxt is hashed (/usr/bin/djvutxt)

s15sp3:~ # rpm -qf  /usr/bin/djvutxt 
djvulibre-3.5.27-11.9.1.x86_64

s15sp3:~ # djvutxt  DJVU\ DjVuTXT\ decode@DjVuText.cpp\ 348-20___SEGV_UNKNOW.cpp\ 348-20___SEGV_UNKNOW 
Segmentation fault (core dumped)
Comment 6 Liu Shukui 2021-07-05 10:23:54 UTC
> 
> it seems the bug is not fixed on sle15sp2 and sle15sp3:
> 
> s15sp3:~ # type djvutxt
> djvutxt is hashed (/usr/bin/djvutxt)
> 
> s15sp3:~ # rpm -qf  /usr/bin/djvutxt 
> djvulibre-3.5.27-11.9.1.x86_64
> 
> s15sp3:~ # djvutxt  DJVU\ DjVuTXT\ decode@DjVuText.cpp\
> 348-20___SEGV_UNKNOW.cpp\ 348-20___SEGV_UNKNOW 
> Segmentation fault (core dumped)

reproducer:
https://sourceforge.net/p/djvu/bugs/302/#ec3d
Comment 7 Liu Shukui 2021-07-08 11:47:01 UTC
(In reply to Liu Shukui from comment #5)
> (In reply to Gianluca Gabrielli from comment #0)
> > An out-of-bounds write vulnerability was found in DjVuLibre in
> > DJVU::DjVuTXT::decode() in DjVuText.cpp via a crafted djvu file which may
> > lead to crash and segmentation fault. This flaw affects DjVuLibre versions
> > prior to 3.5.28.
> > 
> > Reference:
> > https://sourceforge.net/p/djvu/bugs/302/
> > 
> > Upstream patch:
> > https://sourceforge.net/p/djvu/djvulibre-git/ci/
> > 7b0ef20690e08f1fe124aebbf42f6310e2f40f81/
> > 
> > References:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1977427
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3630
> 
> it seems the bug is not fixed on sle15sp2 and sle15sp3:
> 
> s15sp3:~ # type djvutxt
> djvutxt is hashed (/usr/bin/djvutxt)
> 
> s15sp3:~ # rpm -qf  /usr/bin/djvutxt 
> djvulibre-3.5.27-11.9.1.x86_64
> 
> s15sp3:~ # djvutxt  DJVU\ DjVuTXT\ decode@DjVuText.cpp\
> 348-20___SEGV_UNKNOW.cpp\ 348-20___SEGV_UNKNOW 
> Segmentation fault (core dumped)

Is there any progress?
Comment 9 Robert Frohl 2021-07-12 10:12:16 UTC
@Petr: could you have a look please?
Comment 10 Liu Shukui 2021-07-23 11:51:42 UTC
Is there any progress?
Comment 12 Petr Gajdos 2021-07-30 14:23:07 UTC
(In reply to Gianluca Gabrielli from comment #11)
> @Petr could you please share an update about the progress of this submission?
> We need to ship the patched package.

Sure, now that I am back after vacation, I can look at the issue.
Comment 13 Petr Gajdos 2021-07-30 15:15:51 UTC
P. S. you do not need to set needinfo on me when the bug is assigned to me.
Comment 14 Petr Gajdos 2021-07-30 16:46:22 UTC
Tumbleweed/djvulibre (3.5.28, plus several CVE fixes)

$ gdb --args djvutxt poc
[..]

(gdb) bt
#0  0x00007ffff7ef34cc in DJVU::DjVuTXT::decode (this=0x5555555fd340, gbs=...)
    at /usr/src/debug/djvulibre-3.5.28-0.x86_64/libdjvu/DjVuText.cpp:348
#1  0x00007ffff7ef3782 in DJVU::DjVuText::decode (this=0x5555555a62b0, gbs=...)
    at /usr/src/debug/djvulibre-3.5.28-0.x86_64/libdjvu/GSmartPointer.h:436
#2  0x00007ffff7f644df in ddjvu_document_get_pagetext (document=0x55555556e4c0, pageno=-6784, maxdetail=0x555555556049 "page")
    at /usr/src/debug/djvulibre-3.5.28-0.x86_64/libdjvu/GSmartPointer.h:436
#3  0x0000555555555ac2 in dopage (pageno=9) at /usr/src/debug/djvulibre-3.5.28-0.x86_64/tools/djvutxt.cpp:147
#4  0x0000555555555534 in parse_pagespec (dopage=0x555555555a70 <dopage(int)>, max_page=10, s=0x5555555560a4 "1-$")
    at /usr/src/debug/djvulibre-3.5.28-0.x86_64/tools/djvutxt.cpp:245
#5  main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/djvulibre-3.5.28-0.x86_64/tools/djvutxt.cpp:359
(gdb)


15sp2/djvulibre (3.5.27, plus several CVE fixes, without CVE-2021-3630 fix)

$ gdb --args djvutxt poc
[...]
(gdb) bt
#0  DJVU::DjVuTXT::decode (this=0x5555556a97b0, gbs=...) at DjVuText.cpp:348
#1  0x00007ffff7afbb7e in DJVU::DjVuText::decode (this=0x5555556ac5f0, gbs=...) at DjVuText.cpp:705
#2  0x00007ffff7b7ba06 in ddjvu_document_get_pagetext (document=0x55555561d110, pageno=pageno@entry=8, 
    maxdetail=maxdetail@entry=0x555555401e23 "page") at ddjvuapi.cpp:3623
#3  0x0000555555401732 in dopage (pageno=9) at djvutxt.cpp:147
#4  0x0000555555401c69 in parse_pagespec (s=0x555555401eab "1-$", max_page=10, dopage=dopage@entry=0x5555554016d0 <dopage(int)>)
    at djvutxt.cpp:245
#5  0x000055555540137a in main (argc=<optimized out>, argv=0x7fffffffe7e8) at djvutxt.cpp:359
(gdb) bt
#0  DJVU::DjVuTXT::decode (this=0x5555556a97b0, gbs=...) at DjVuText.cpp:348
#1  0x00007ffff7afbb7e in DJVU::DjVuText::decode (this=0x5555556ac5f0, gbs=...) at DjVuText.cpp:705
#2  0x00007ffff7b7ba06 in ddjvu_document_get_pagetext (document=0x55555561d110, pageno=pageno@entry=8, 
    maxdetail=maxdetail@entry=0x555555401e23 "page") at ddjvuapi.cpp:3623
#3  0x0000555555401732 in dopage (pageno=9) at djvutxt.cpp:147
#4  0x0000555555401c69 in parse_pagespec (s=0x555555401eab "1-$", max_page=10, dopage=dopage@entry=0x5555554016d0 <dopage(int)>)
    at djvutxt.cpp:245
#5  0x000055555540137a in main (argc=<optimized out>, argv=0x7fffffffe7e8) at djvutxt.cpp:359
(gdb)


15sp2/djvulibre (3.5.27, plus several CVE fixes, with CVE-2021-3630 fix)

(gdb) bt
#0  DJVU::DjVuTXT::decode (this=0x5555556c5a70, gbs=...) at DjVuText.cpp:348
#1  0x00007ffff7afbb7e in DJVU::DjVuText::decode (this=0x5555556ad090, gbs=...) at DjVuText.cpp:705
#2  0x00007ffff7b7ba16 in ddjvu_document_get_pagetext (document=0x55555561fdb0, pageno=pageno@entry=8, 
    maxdetail=maxdetail@entry=0x555555401e23 "page") at ddjvuapi.cpp:3623
#3  0x0000555555401732 in dopage (pageno=9) at djvutxt.cpp:147
#4  0x0000555555401c69 in parse_pagespec (s=0x555555401eab "1-$", max_page=10, dopage=dopage@entry=0x5555554016d0 <dopage(int)>)
    at djvutxt.cpp:245
#5  0x000055555540137a in main (argc=<optimized out>, argv=0x7fffffffe7c8) at djvutxt.cpp:359
(gdb)

This looks similar to 3.5.28.

Adding 254b3f3f3824960eb1eed5f3d5683c30365ff95c and 2ad2b702d864d1974f0c569a7594b27e67c64a40, then:

beth:/187869 # djvutxt poc 
1/11/2019 
file:///home/fish/Desktop/cjoocjle/domato/pdf/fuzz-347.html 1/10 


1/11/2019 
file:///home/fish/Desktop/cjoocjle/domato/pdf/fuzz-347.html 2/10 


1/11/2019 
file:///home/fish/Desktop/google/domato/pdf/fuzz-347.html 3/10 


1/11/2019 
file:///home/fish/Desktop/google/domato/pdf/fuzz-347.html 4/10 


1/11/2019 
file:///home/fish/Desktop/google/domato/pdf/fuzz-347.html 5/10 


1/11/2019 
file:///home/fish/Desktop/google/domato/pdf/fuzz-347.html 6/10 


1/11/2019 
file:///home/fish/Desktop/google/domato/pdf/fuzz-347.html 7/10 


1/11/2019 
file:///home/fish/Desktop/google/domato/pdf/fuzz-347.html 8/10 


1/11/2019 
J 11YG9 
file:///home/fish/Desktop/google/domato/pdf/fuzz-347.html 10/10 


beth:/187869 #
Comment 15 Petr Gajdos 2021-07-30 16:56:23 UTC
Submitted again for 15sp2,15,12,11/djvulibre.
Comment 17 Swamp Workflow Management 2021-08-04 16:25:16 UTC
SUSE-SU-2021:14773-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187869
CVE References: CVE-2021-3630
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    djvulibre-3.5.21-3.18.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    djvulibre-3.5.21-3.18.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    djvulibre-3.5.21-3.18.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    djvulibre-3.5.21-3.18.1

Comment 18 Swamp Workflow Management 2021-08-05 13:45:11 UTC
SUSE-SU-2021:2621-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187869
CVE References: CVE-2021-3630
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    djvulibre-3.5.25.3-5.19.2
SUSE OpenStack Cloud Crowbar 8 (src):    djvulibre-3.5.25.3-5.19.2
SUSE OpenStack Cloud 9 (src):    djvulibre-3.5.25.3-5.19.2
SUSE OpenStack Cloud 8 (src):    djvulibre-3.5.25.3-5.19.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    djvulibre-3.5.25.3-5.19.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    djvulibre-3.5.25.3-5.19.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    djvulibre-3.5.25.3-5.19.2
SUSE Linux Enterprise Server 12-SP5 (src):    djvulibre-3.5.25.3-5.19.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    djvulibre-3.5.25.3-5.19.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    djvulibre-3.5.25.3-5.19.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    djvulibre-3.5.25.3-5.19.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    djvulibre-3.5.25.3-5.19.2
HPE Helion Openstack 8 (src):    djvulibre-3.5.25.3-5.19.2

Comment 19 Swamp Workflow Management 2021-08-05 13:56:28 UTC
openSUSE-SU-2021:2619-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187869
CVE References: CVE-2021-3630
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    djvulibre-3.5.27-11.11.1
Comment 20 Swamp Workflow Management 2021-08-05 13:59:22 UTC
SUSE-SU-2021:2619-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187869
CVE References: CVE-2021-3630
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    djvulibre-3.5.27-11.11.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    djvulibre-3.5.27-11.11.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    djvulibre-3.5.27-11.11.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    djvulibre-3.5.27-11.11.1

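The thread shows why the upstream rule "affected prior to 3.5.28" is the wrong check on SUSE: comment 5 reproduces the crash on djvulibre-3.5.27-11.9.1, while the notices above ship the fix as 3.5.27-11.11.1 and 3.5.27-3.19.1, so only the package release distinguishes patched from unpatched. The helper below (added here, not part of the bug or of djvulibre; its simplified rpmvercmp is an assumption that covers the dotted numeric releases on this page) compares an installed NVR against an advisory NVR the way a patch-verification script should:

```python
import re

# Constructed samples taken from this bug: the vulnerable build from comment 5
# and two fixed builds from the SUSE-SU-2021:2619-1 / 2796-1 notices.
INSTALLED_VULNERABLE = "djvulibre-3.5.27-11.9.1.x86_64"
FIXED_BY_PRODUCT = {
    "SUSE Linux Enterprise Module for Desktop Applications 15-SP3": "djvulibre-3.5.27-11.11.1",
    "SUSE Linux Enterprise Server 15-SP1-LTSS": "djvulibre-3.5.27-3.19.1",
}

def split_nvr(nvr):
    """'djvulibre-3.5.27-11.9.1.x86_64' -> ('djvulibre', '3.5.27', '11.9.1')."""
    nvr = re.sub(r"\.(x86_64|i586|aarch64|ppc64le|s390x|noarch)$", "", nvr)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpmvercmp (assumption): walk alternating numeric/alpha
    segments; numeric segments compare as integers and sort after alpha."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def upstream_version_check(installed):
    """The advisory's 'prior to 3.5.28' rule: misreports distro backports."""
    _, version, _ = split_nvr(installed)
    return rpmvercmp(version, "3.5.28") >= 0

def is_patched(installed, fixed):
    """True when installed NVR is at or above the fixed NVR (version, then release)."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError("comparing different packages: %s vs %s" % (n1, n2))
    order = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return order >= 0

if __name__ == "__main__":
    fixed = FIXED_BY_PRODUCT["SUSE Linux Enterprise Module for Desktop Applications 15-SP3"]
    for nvr in (INSTALLED_VULNERABLE, "djvulibre-3.5.27-11.11.1.x86_64"):
        print(nvr, "upstream-rule:", upstream_version_check(nvr), "release-rule:", is_patched(nvr, fixed))
```

On a SUSE host the installed NVR comes from `rpm -q djvulibre` as in comment 5, and the fixed NVR from the notice for that product line.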
Comment 21 Swamp Workflow Management 2021-08-10 04:16:35 UTC
openSUSE-SU-2021:1112-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187869
CVE References: CVE-2021-3630
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    djvulibre-3.5.27-lp152.7.9.1
Comment 22 Swamp Workflow Management 2021-08-20 13:40:41 UTC
SUSE-SU-2021:2796-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187869
CVE References: CVE-2021-3630
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    djvulibre-3.5.27-3.19.1
SUSE Manager Retail Branch Server 4.0 (src):    djvulibre-3.5.27-3.19.1
SUSE Manager Proxy 4.0 (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise Server for SAP 15 (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise Server 15-LTSS (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    djvulibre-3.5.27-3.19.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    djvulibre-3.5.27-3.19.1
SUSE Enterprise Storage 6 (src):    djvulibre-3.5.27-3.19.1
SUSE CaaS Platform 4.0 (src):    djvulibre-3.5.27-3.19.1

Comment 23 OBSbugzilla Bot 2023-05-19 10:35:04 UTC
This is an autogenerated message for OBS integration:
This bug (1187869) was mentioned in
https://build.opensuse.org/request/show/1087909 Factory / djvulibre