Bug 1943685 (CVE-2021-3500) - CVE-2021-3500 djvulibre: Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file
Summary: CVE-2021-3500 djvulibre: Stack overflow in function DJVU::DjVuDocument::get_d...
Keywords:
Status: NEW
Alias: CVE-2021-3500
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1943411 1946446 1958164 1958165
Blocks: 1943695 1949947
Reported: 2021-03-26 19:57 UTC by Pedro Sampaio
Modified: 2021-09-29 18:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in djvulibre-3.5.28 and earlier. A stack overflow in function DJVU::DjVuDocument::get_djvu_file() via a crafted djvu file may lead to an application crash and other consequences.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2021-03-26 19:57:56 UTC
A flaw was found in the latest djvulibre. A stack overflow in function DJVU::DjVuDocument::get_djvu_file() via a crafted djvu file may lead to an application crash and other consequences.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1943411

Comment 2 Salvatore Bonaccorso 2021-04-30 08:22:26 UTC
Is it possible to get more information/details on this issue? The referenced further bug seems restricted so far.

Is there a fix for this issue upstream?

Regards,
Salvatore

Comment 3 Gianluca Gabrielli 2021-05-04 09:34:01 UTC
I agree with Salvatore, it would be nice if you can share technical details about this issue.

Thanks,
Gianluca

Comment 4 Marek Kašík 2021-05-04 17:11:58 UTC
Hi,

I've just pushed an update which among others fixes this issue as well.

The issue here is that djvulibre tries to open a file inside a djvu file while already opening it, and this goes on and on, resulting in a stack overflow.
I've broken this cycle by remembering which file it is opening. I've stored the name in the DjVuPortcaster class since it is common to these actions.

I'm not aware of an upstream fix for this.

Regards

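As an added illustration of the mechanism Marek describes in comment #4, and not code from djvulibre or from the update he pushed: a small C++ model of a loader that opens the component files a file references while that file is itself still being opened. The bundle layout, the file names and the DjvuIndex/LoadResult types are constructed for this example. The real fix remembers a single name in DjVuPortcaster; the guarded loader below keeps a set of in-progress opens instead, which also catches indirect cycles (A references B, B references A), and a `done` set so two pages may legitimately share a component without it being reopened.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for a multi-file DjVu bundle: each component file name
// maps to the names of the component files it references. Only the part that
// matters for the recursion is modelled here.
using DjvuIndex = std::map<std::string, std::vector<std::string>>;

// Well-formed bundle (constructed sample): two pages share one component.
DjvuIndex make_sane_document() {
    return {
        {"index.djvu", std::vector<std::string>{"page1.djvu", "page2.djvu"}},
        {"page1.djvu", std::vector<std::string>{"shared.iff"}},
        {"page2.djvu", std::vector<std::string>{"shared.iff"}},
        {"shared.iff", std::vector<std::string>{}},
    };
}

// Crafted bundle (constructed sample): page1.djvu references the index that is
// still being opened, so the reference graph contains a cycle.
DjvuIndex make_crafted_document() {
    return {
        {"index.djvu", std::vector<std::string>{"page1.djvu"}},
        {"page1.djvu", std::vector<std::string>{"index.djvu"}},
    };
}

// Unguarded loader with the same shape as the bug: opening a file eagerly opens
// every file it references, with no memory of what is already being opened.
// Returns the deepest nesting level reached. `cap` is an artificial stop added
// for the demo only; the buggy code has no bound and recurses until the stack
// is exhausted.
size_t nested_opens_unguarded(const DjvuIndex& doc, const std::string& name,
                              size_t cap, size_t depth = 1) {
    if (depth > cap) return cap;  // stands in for the stack overflow
    auto it = doc.find(name);
    if (it == doc.end()) throw std::runtime_error("missing component: " + name);
    size_t deepest = depth;
    for (const auto& ref : it->second)
        deepest = std::max(deepest, nested_opens_unguarded(doc, ref, cap, depth + 1));
    return deepest;
}

struct LoadResult {
    std::vector<std::string> opened;  // components opened, in order
    std::string error;                // non-empty if loading was refused
};

// Guarded loader: remember every file whose open is still in progress and
// refuse to re-enter one (hypothetical in_progress/done sets, not djvulibre's).
static bool open_guarded_rec(const DjvuIndex& doc, const std::string& name,
                             std::set<std::string>& in_progress,
                             std::set<std::string>& done, LoadResult& out) {
    if (done.count(name)) return true;        // already fully loaded, reuse it
    if (!in_progress.insert(name).second) {   // re-entered while opening: a cycle
        out.error = "reference cycle through " + name;
        return false;
    }
    auto it = doc.find(name);
    if (it == doc.end()) {
        out.error = "missing component: " + name;
        return false;
    }
    out.opened.push_back(name);
    for (const auto& ref : it->second)
        if (!open_guarded_rec(doc, ref, in_progress, done, out)) return false;
    in_progress.erase(name);
    done.insert(name);
    return true;
}

LoadResult open_guarded(const DjvuIndex& doc, const std::string& root) {
    std::set<std::string> in_progress, done;
    LoadResult result;
    open_guarded_rec(doc, root, in_progress, done, result);
    return result;
}

int main() {
    std::printf("unguarded, sane bundle: nesting depth %zu\n",
                nested_opens_unguarded(make_sane_document(), "index.djvu", 64));
    std::printf("unguarded, crafted bundle: hit cap at depth %zu (would overflow)\n",
                nested_opens_unguarded(make_crafted_document(), "index.djvu", 64));
    LoadResult r = open_guarded(make_crafted_document(), "index.djvu");
    std::printf("guarded, crafted bundle: opened %zu components, then: %s\n",
                r.opened.size(), r.error.c_str());
    return 0;
}
```

On the sane bundle both loaders finish (nesting depth 3); on the crafted bundle the unguarded loader only stops because of the demo cap, while the guarded one opens two components and then reports the cycle instead of recursing.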
Comment 5 Michael Kaplan 2021-05-07 11:24:13 UTC
Created djvulibre tracking bugs for this issue:

Affects: epel-7 [bug 1943411]

Comment 6 Michael Kaplan 2021-05-07 11:27:06 UTC
Created djvulibre tracking bugs for this issue:

Affects: epel-7 [bug 1958164]


Created mingw-djvulibre tracking bugs for this issue:

Affects: fedora-all [bug 1958165]

Comment 7 Michael Kaplan 2021-05-10 17:10:37 UTC
Acknowledgments:

Name: 1vanChen (NSFOCUS Security Team)

Comment 8 Gianluca Gabrielli 2021-05-11 10:44:17 UTC
(In reply to Marek Kašík from comment #4)
> Hi,
> 
> I've just pushed an update which among others fixes this issue as well.
> 
> The issue here is that djvulibre tries to open a file inside a djvu file
> while already opening it and this goes on and on resulting in stack overflow.
> I've broken this cycle by remembering which file it is opening. I've stored
> the name in DjVuPortcaster class since it is common to these actions.
> 
> I'm not aware of an upstream fix for this.
> 
> Regards

Hi Marek,

I see similar bugs are public:

https://bugzilla.redhat.com/show_bug.cgi?id=1943408
https://bugzilla.redhat.com/show_bug.cgi?id=1943409
https://bugzilla.redhat.com/show_bug.cgi?id=1943410
https://bugzilla.redhat.com/show_bug.cgi?id=1943424

Since 1943411 is no longer embargoed, I'm wondering if you can open it to everybody?

Thanks,
Gianluca

Comment 9 Marek Kašík 2021-05-12 14:16:59 UTC
Hi Gianluca,

I am probably not the person who should do this. I've forwarded your question to Michael.

Regards

Comment 10 Michael Kaplan 2021-05-12 18:25:49 UTC
(In reply to Gianluca Gabrielli from comment #8)
> (In reply to Marek Kašík from comment #4)
> > Hi,
> > 
> > I've just pushed an update which among others fixes this issue as well.
> > 
> > The issue here is that djvulibre tries to open a file inside a djvu file
> > while already opening it and this goes on and on resulting in stack overflow.
> > I've broken this cycle by remembering which file it is opening. I've stored
> > the name in DjVuPortcaster class since it is common to these actions.
> > 
> > I'm not aware of an upstream fix for this.
> > 
> > Regards
> 
> Hi Marek,
> 
> I see similar bugs are public:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1943408
> https://bugzilla.redhat.com/show_bug.cgi?id=1943409
> https://bugzilla.redhat.com/show_bug.cgi?id=1943410
> https://bugzilla.redhat.com/show_bug.cgi?id=1943424
> 
> Since 1943411 is no longer embargoed, I'm wondering if you can open it to
> everybody?
> 
> Thanks,
> Gianluca

Hey Gianluca, it's done.

