Bug 1943685 (CVE-2021-3500)

Summary: CVE-2021-3500 djvulibre: Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, caswilli, fcanogab, kaycoth, manisandro, mkaplan, mkasik, security-response-team, tuxmealux+redhatbz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in djvulibre-3.5.28 and earlier. A stack overflow in function DJVU::DjVuDocument::get_djvu_file() via a crafted djvu file may lead to an application crash and other consequences.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-04 14:57:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1943411, 1946446, 1958164, 1958165
Bug Blocks: 1943695, 1949947

Description Pedro Sampaio 2021-03-26 19:57:56 UTC
A flaw was found in the latest djvulibre. A stack overflow in function DJVU::DjVuDocument::get_djvu_file() via a crafted djvu file may lead to an application crash and other consequences.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1943411

Comment 2 Salvatore Bonaccorso 2021-04-30 08:22:26 UTC
Is it possible to get more information/details on this issue? The referenced further bug seems restricted so far.

Is there a fix for this issue upstream?

Regards,
Salvatore

Comment 3 Gianluca Gabrielli 2021-05-04 09:34:01 UTC
I agree with Salvatore, it would be nice if you can share technical details about this issue.

Thanks,
Gianluca

Comment 4 Marek Kašík 2021-05-04 17:11:58 UTC
Hi,

I've just pushed an update which among others fixes this issue as well.

The issue here is that djvulibre tries to open a file inside a djvu file while already opening it and this goes on and on resulting in stack overflow.
I've broken this cycle by remembering which file it is opening. I've stored the name in DjVuPortcaster class since it is common to these actions.

I'm not aware of an upstream fix for this.

Regards
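
Added illustration of the cycle-breaking approach described in comment 4 (this is constructed example code, not djvulibre's code and not the commenter's patch): a toy loader for a bundled document whose components may include one another, with an unguarded recursive resolver beside a guarded one that records which component is currently being opened. The bundle model, the component names and the names Bundle, SafeLoader and naive_count are assumptions made for this example and do not correspond to djvulibre's DjVuPortcaster or DjVuDocument internals.

```cpp
// Constructed example: a guarded document loader that refuses to re-open a
// component that is already being opened, beside an unguarded one.
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for a bundled multi-file document: each component lists the
// components it includes. Constructed simplification, not DjVu's format.
using Bundle = std::map<std::string, std::vector<std::string>>;

// Unguarded resolution: every include is followed immediately and nothing
// records what is already in progress. On a bundle whose include graph
// contains a cycle this recursion never terminates and exhausts the stack,
// so it is only ever called on acyclic input here.
std::size_t naive_count(const Bundle& bundle, const std::string& id) {
    std::size_t n = 1;
    auto it = bundle.find(id);
    if (it == bundle.end()) return n;
    for (const auto& child : it->second) n += naive_count(bundle, child);
    return n;
}

struct LoadResult {
    bool ok;
    std::size_t loaded;   // distinct components fully resolved before stopping
    std::string error;    // empty on success
};

// Guarded loader: keeps the set of components whose open() is still on the
// call stack (the "remember which file is being opened" idea) plus the set
// already finished, so shared includes load once and cycles are reported
// instead of recursed into.
class SafeLoader {
public:
    explicit SafeLoader(const Bundle& b) : bundle_(b) {}

    LoadResult load(const std::string& id) {
        opening_.clear();
        done_.clear();
        try {
            open(id);
            return {true, done_.size(), ""};
        } catch (const std::runtime_error& e) {
            return {false, done_.size(), e.what()};
        }
    }

private:
    void open(const std::string& id) {
        if (done_.count(id)) return;              // shared include, already loaded
        if (!opening_.insert(id).second)          // open() for id is still in progress
            throw std::runtime_error("include cycle at '" + id + "'");
        auto it = bundle_.find(id);
        if (it == bundle_.end())
            throw std::runtime_error("missing component '" + id + "'");
        for (const auto& child : it->second) open(child);
        opening_.erase(id);
        done_.insert(id);
    }

    const Bundle& bundle_;
    std::set<std::string> opening_;   // components currently being opened
    std::set<std::string> done_;      // components already resolved
};

// Constructed bundles; the names are placeholders, not files from the report.
Bundle well_formed_bundle() {
    return {{"index", {"page1", "page2"}},
            {"page1", {"shared"}},
            {"page2", {"shared"}},
            {"shared", {}}};
}
Bundle self_including_bundle() {   // a component that includes itself
    return {{"doc", {"doc"}}};
}
Bundle indirect_cycle_bundle() {   // index -> page1 -> index
    return {{"index", {"page1"}}, {"page1", {"index"}}};
}

LoadResult load_well_formed()    { Bundle b = well_formed_bundle();    return SafeLoader(b).load("index"); }
LoadResult load_self_including() { Bundle b = self_including_bundle(); return SafeLoader(b).load("doc"); }
LoadResult load_indirect_cycle() { Bundle b = indirect_cycle_bundle(); return SafeLoader(b).load("index"); }

int main() {
    for (const LoadResult& r : {load_well_formed(), load_self_including(), load_indirect_cycle()})
        std::cout << (r.ok ? "ok, loaded " + std::to_string(r.loaded) : "rejected: " + r.error) << '\n';
    return 0;
}
```

On the well-formed bundle the guarded loader resolves four distinct components where the unguarded counter visits five (the shared include twice); on the self-including and indirectly cyclic bundles it stops at the first repeated component and reports it, which is the check that removes the unbounded recursion the report describes.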

Comment 5 Michael Kaplan 2021-05-07 11:24:13 UTC
Created djvulibre tracking bugs for this issue:

Affects: epel-7 [bug 1943411]

Comment 6 Michael Kaplan 2021-05-07 11:27:06 UTC
Created djvulibre tracking bugs for this issue:

Affects: epel-7 [bug 1958164]

Created mingw-djvulibre tracking bugs for this issue:

Affects: fedora-all [bug 1958165]

Comment 7 Michael Kaplan 2021-05-10 17:10:37 UTC
Acknowledgments:

Name: 1vanChen (NSFOCUS Security Team)

Comment 8 Gianluca Gabrielli 2021-05-11 10:44:17 UTC
(In reply to Marek Kašík from comment #4)
> Hi,
> 
> I've just pushed an update which among others fixes this issue as well.
> 
> The issue here is that djvulibre tries to open a file inside a djvu file
> while already opening it and this goes on and on resulting in stack overflow.
> I've broken this cycle by remembering which file it is opening. I've stored
> the name in DjVuPortcaster class since it is common to these actions.
> 
> I'm not aware of an upstream fix for this.
> 
> Regards

Hi Marek,

I see similar bugs are public:

https://bugzilla.redhat.com/show_bug.cgi?id=1943408
https://bugzilla.redhat.com/show_bug.cgi?id=1943409
https://bugzilla.redhat.com/show_bug.cgi?id=1943410
https://bugzilla.redhat.com/show_bug.cgi?id=1943424

Since 1943411 is no longer embargoed, I'm wondering if you can open it to everybody?

Thanks,
Gianluca

Comment 9 Marek Kašík 2021-05-12 14:16:59 UTC
Hi Gianluca,

I am probably not the person who should do this. I've forwarded your question to Michael.

Regards

Comment 10 Michael Kaplan 2021-05-12 18:25:49 UTC
(In reply to Gianluca Gabrielli from comment #8)
> (In reply to Marek Kašík from comment #4)
> > Hi,
> > 
> > I've just pushed an update which among others fixes this issue as well.
> > 
> > The issue here is that djvulibre tries to open a file inside a djvu file
> > while already opening it and this goes on and on resulting in stack overflow.
> > I've broken this cycle by remembering which file it is opening. I've stored
> > the name in DjVuPortcaster class since it is common to these actions.
> > 
> > I'm not aware of an upstream fix for this.
> > 
> > Regards
> 
> Hi Marek,
> 
> I see similar bugs are public:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1943408
> https://bugzilla.redhat.com/show_bug.cgi?id=1943409
> https://bugzilla.redhat.com/show_bug.cgi?id=1943410
> https://bugzilla.redhat.com/show_bug.cgi?id=1943424
> 
> Since 1943411 is no longer embargoed, I'm wondering if you can open it to
> everybody?
> 
> Thanks,
> Gianluca

Hey Gianluca, it's done.