=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN422
_____________________________________________________________________

DATE                : 08/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running DjVuLibre versions
                     prior to 3.5.29.

=====================================================================
https://securitylab.github.com/advisories/GHSL-2025-055_DjVuLibre/
_____________________________________________________________________

GHSL-2025-055: OOB Write in MMRDecoder::scanruns() in DjVuLibre -
CVE-2025-53367

Coordinated Disclosure Timeline

    2025-07-01: Reported via email to the authors: Léon Bottou, Bill Riemers, Yann LeCun.
    2025-07-01: Responses received from Bill Riemers and Léon Bottou.
    2025-07-02: Fix commit added by Léon Bottou: https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/
    2025-07-03: DjVuLibre version 3.5.29 released: https://sourceforge.net/p/djvu/www-git/ci/9748b43794440aff40bae066132aa5c22e7fd6a3/


Summary

MMRDecoder::scanruns() has an out-of-bounds write vulnerability
which can cause memory corruption.


Project
DjVuLibre


Tested Version
3.5.28


Details
OOB-Write in MMRDecoder (GHSL-2025-055)

The MMRDecoder::scanruns method is affected by an OOB-write
vulnerability, because it doesn’t check that the xr pointer
stays within the bounds of the allocated buffer.

During the decoding process, run-length encoded data is
written into two buffers: lineruns and prevruns:

//libdjvu/MMRDecoder.h
class DJVUAPI MMRDecoder : public GPEnabled
{
...
public:

  unsigned short *lineruns;   // run lengths of the line being decoded
...
  unsigned short *prevruns;   // run lengths of the previous (reference) line
...
};

The variables named pr, xr point to the current locations in
those buffers. scanruns does not check that those pointers
remain within the bounds of the allocated buffers (lineruns
and prevruns).

//libdjvu/MMRDecoder.cpp
const unsigned short *
MMRDecoder::scanruns(const unsigned short **endptr)
{
...
  // Swap run buffers: pr reads the reference line, xr writes the new line
  unsigned short *pr = lineruns;
  unsigned short *xr = prevruns;
  prevruns = pr;
  lineruns = xr;
...
  for(a0=0,rle=0,b1=*pr++;a0 < width;)
    {
     ...
            *xr = rle; xr++; rle = 0;   // unchecked write through xr
     ...
            *xr = rle; xr++; rle = 0;   // unchecked write through xr
 ...
          *xr = inc+rle-a0;             // unchecked write through xr
          xr++;
}

This can lead to writes beyond the allocated memory, resulting
in a heap corruption condition. An out-of-bounds read with pr
is also possible for the same reason.
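The unchecked append pattern above, beside a bounds-checked version, as an added C illustration that is neither DjVuLibre's code nor the fix referenced in the timeline; the runbuf type, the push_run_* and decode_runs names, and the buffer sizing are assumptions made for the example.

```c
#include <stddef.h>

/* Added illustration, not DjVuLibre code: a simplified model of the run
 * buffers that MMRDecoder::scanruns() fills through the xr cursor.
 * Assumption (hypothetical sizing): the buffer holds `cap` run entries. */

typedef struct {
    unsigned short *buf;  /* run buffer, models lineruns / prevruns */
    size_t cap;           /* entries allocated */
    size_t len;           /* entries written so far (cursor xr minus base) */
} runbuf;

/* Vulnerable pattern from the advisory: "*xr = rle; xr++;" with no check.
 * Never called here; shown only to contrast with the checked version. */
void push_run_unchecked(runbuf *rb, unsigned short rle)
{
    rb->buf[rb->len++] = rle;   /* writes past buf[cap-1] when too many runs arrive */
}

/* Hardened pattern: refuse to write once the buffer is full.
 * Returns 0 on success, -1 if the write would go out of bounds. */
int push_run_checked(runbuf *rb, unsigned short rle)
{
    if (rb->len >= rb->cap)
        return -1;
    rb->buf[rb->len++] = rle;
    return 0;
}

/* Store one line's runs into `out` (capacity `outcap`). The loop stops when
 * the pixel position a0 reaches `width`, like scanruns does, but in this
 * model a run of length 0 does not advance a0, so the width bound alone does
 * not bound the number of entries written; only the capacity check does.
 * Returns the number of runs stored, or -1 when the input would overflow. */
int decode_runs(const unsigned short *runs, size_t nruns, size_t width,
                unsigned short *out, size_t outcap)
{
    runbuf rb = { out, outcap, 0 };
    size_t a0 = 0;
    for (size_t i = 0; i < nruns && a0 < width; i++) {
        if (push_run_checked(&rb, runs[i]) != 0)
            return -1;
        a0 += runs[i];
    }
    return (int)rb.len;
}
```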


Impact

This out-of-bounds write could be used to gain arbitrary code
execution in an application that uses DjVuLibre. For example,
DjVuLibre is used by the default document viewer on many Linux
distributions. @kevinbackhouse (Kevin Backhouse) has developed
a PoC exploit for Ubuntu 25.04.


CWEs

    CWE-787: Out-of-bounds Write
    CWE-125: Out-of-bounds Read

CVE

    CVE-2025-53367


Credit

This issue was discovered and reported by GHSL team member
@antonio-morales (Antonio Morales).


Contact

You can contact the GHSL team at securitylab@github.com,
please include a reference to GHSL-2025-055 in any
communication regarding this issue.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
