Bugzilla – Bug 1214672
VUL-1: CVE-2021-46312: djvulibre: divide by zero in IW44EncodeCodec.cpp
Last modified: 2023-09-25 12:30:02 UTC
CVE-2021-46312 An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46312 https://bugzilla.redhat.com/show_bug.cgi?id=2234736 https://www.cve.org/CVERecord?id=CVE-2021-46312 https://sourceforge.net/p/djvu/bugs/344/
TW,15,12/djvulibre :/ # c44 214672/POC > /dev/null Floating point exception (core dumped) :/ #
(In reply to Petr Gajdos from comment #1) > TW,15,12/djvulibre > > :/ # c44 214672/POC > /dev/null > Floating point exception (core dumped) > :/ # We also have djvulibre in SUSE:SLE-15-SP2:Update and SUSE:ALP:Source:Standard:1.0.
(In reply to Carlos López from comment #2) > (In reply to Petr Gajdos from comment #1) > > TW,15,12/djvulibre > > > > :/ # c44 214672/POC > /dev/null > > Floating point exception (core dumped) > > :/ # > > We also have djvulibre in SUSE:SLE-15-SP2:Update and > SUSE:ALP:Source:Standard:1.0. Yeah, thanks.
BEFORE TW,15sp2,15,12/djvulibre :/ # c44 214672/POC > /dev/null Floating point exception (core dumped) :/ # PATCH https://sourceforge.net/p/djvu/bugs/344/#bcb7 Add similar checks as in IW44Image.cpp, see https://sourceforge.net/p/djvu/bugs/345/ AFTER TW,15sp2,15,12/djvulibre :/ # c44 214672/POC > /dev/null *** IWBitmap: zero size image (corrupted file?) *** (IW44EncodeCodec.cpp:1429) *** 'void DJVU::IWBitmap::Encode::init(const DJVU::GBitmap&, DJVU::GP<DJVU::GBitmap>)' :/ #
Submitted for TW,ALP,15sp2,15,12/djvulibre. I believe all fixed.
This is an autogenerated message for OBS integration: This bug (1214672) was mentioned in https://build.opensuse.org/request/show/1107914 Factory / djvulibre
SUSE-SU-2023:3520-1: An update that solves two vulnerabilities can now be installed. Category: security (low) Bug References: 1214670, 1214672 CVE References: CVE-2021-46310, CVE-2021-46312 Sources used: openSUSE Leap 15.4 (src): djvulibre-3.5.27-150200.11.14.1 openSUSE Leap 15.5 (src): djvulibre-3.5.27-150200.11.14.1 Desktop Applications Module 15-SP4 (src): djvulibre-3.5.27-150200.11.14.1 Desktop Applications Module 15-SP5 (src): djvulibre-3.5.27-150200.11.14.1 SUSE Package Hub 15 15-SP4 (src): djvulibre-3.5.27-150200.11.14.1 SUSE Package Hub 15 15-SP5 (src): djvulibre-3.5.27-150200.11.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3755-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1185895, 1214670, 1214672 CVE References: CVE-2021-32490, CVE-2021-46310, CVE-2021-46312 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): djvulibre-3.5.25.3-5.22.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): djvulibre-3.5.25.3-5.22.1 SUSE Linux Enterprise Server 12 SP5 (src): djvulibre-3.5.25.3-5.22.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): djvulibre-3.5.25.3-5.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.