Security update for djvulibre SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1645-1 Final 1 1 2021-05-19T11:54:30Z current 2021-05-19T11:54:30Z 2021-05-19T11:54:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for djvulibre This update for djvulibre fixes the following issues: Security issues fixed: - CVE-2021-32491 [bsc#1185900]: Integer overflow in function render() in tools/ddjvu via crafted djvu file - CVE-2021-32492 [bsc#1185904]: Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file - CVE-2021-32493 [bsc#1185905]: Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). HPE-Helion-OpenStack-8-2021-1645,SUSE-2021-1645,SUSE-OpenStack-Cloud-8-2021-1645,SUSE-OpenStack-Cloud-9-2021-1645,SUSE-OpenStack-Cloud-Crowbar-8-2021-1645,SUSE-OpenStack-Cloud-Crowbar-9-2021-1645,SUSE-SLE-SAP-12-SP3-2021-1645,SUSE-SLE-SAP-12-SP4-2021-1645,SUSE-SLE-SDK-12-SP5-2021-1645,SUSE-SLE-SERVER-12-SP2-BCL-2021-1645,SUSE-SLE-SERVER-12-SP3-2021-1645,SUSE-SLE-SERVER-12-SP3-BCL-2021-1645,SUSE-SLE-SERVER-12-SP4-LTSS-2021-1645,SUSE-SLE-SERVER-12-SP5-2021-1645 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211645-1/ Link for SUSE-SU-2021:1645-1 https://lists.suse.com/pipermail/sle-security-updates/2021-May/008794.html E-Mail link for SUSE-SU-2021:1645-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1185900 SUSE Bug 1185900 https://bugzilla.suse.com/1185904 SUSE Bug 1185904 https://bugzilla.suse.com/1185905 SUSE Bug 1185905 https://www.suse.com/security/cve/CVE-2019-18804/ SUSE CVE CVE-2019-18804 page https://www.suse.com/security/cve/CVE-2021-32491/ SUSE CVE CVE-2021-32491 page https://www.suse.com/security/cve/CVE-2021-32492/ SUSE CVE CVE-2021-32492 page https://www.suse.com/security/cve/CVE-2021-32493/ SUSE CVE CVE-2021-32493 page HPE Helion OpenStack 8 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 libdjvulibre21-3.5.25.3-5.9.1 djvulibre-3.5.25.3-5.9.1 djvulibre-doc-3.5.25.3-5.9.1 libdjvulibre-devel-3.5.25.3-5.9.1 libdjvulibre21-3.5.25.3-5.9.1 as a component of HPE Helion OpenStack 8 libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP3-BCL libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP3-LTSS libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP5 libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 libdjvulibre-devel-3.5.25.3-5.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE OpenStack Cloud 8 libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE OpenStack Cloud 9 libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE OpenStack Cloud Crowbar 8 libdjvulibre21-3.5.25.3-5.9.1 as a component of SUSE OpenStack Cloud Crowbar 9 DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU::filter_fv at IW44EncodeCodec.cpp. CVE-2019-18804 HPE Helion OpenStack 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP2-BCL:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP3-BCL:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP5:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libdjvulibre-devel-3.5.25.3-5.9.1 SUSE OpenStack Cloud 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud 9:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud Crowbar 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud Crowbar 9:libdjvulibre21-3.5.25.3-5.9.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211645-1/ https://www.suse.com/security/cve/CVE-2019-18804.html CVE-2019-18804 https://bugzilla.suse.com/1156188 SUSE Bug 1156188 A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences. CVE-2021-32491 HPE Helion OpenStack 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP2-BCL:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP3-BCL:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP5:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libdjvulibre-devel-3.5.25.3-5.9.1 SUSE OpenStack Cloud 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud 9:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud Crowbar 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud Crowbar 9:libdjvulibre21-3.5.25.3-5.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211645-1/ https://www.suse.com/security/cve/CVE-2021-32491.html CVE-2021-32491 https://bugzilla.suse.com/1185900 SUSE Bug 1185900 A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences. CVE-2021-32492 HPE Helion OpenStack 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP2-BCL:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP3-BCL:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP5:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libdjvulibre-devel-3.5.25.3-5.9.1 SUSE OpenStack Cloud 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud 9:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud Crowbar 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud Crowbar 9:libdjvulibre21-3.5.25.3-5.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211645-1/ https://www.suse.com/security/cve/CVE-2021-32492.html CVE-2021-32492 https://bugzilla.suse.com/1185904 SUSE Bug 1185904 A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences. CVE-2021-32493 HPE Helion OpenStack 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP2-BCL:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP3-BCL:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP3-LTSS:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server 12 SP5:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:libdjvulibre21-3.5.25.3-5.9.1 SUSE Linux Enterprise Software Development Kit 12 SP5:libdjvulibre-devel-3.5.25.3-5.9.1 SUSE OpenStack Cloud 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud 9:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud Crowbar 8:libdjvulibre21-3.5.25.3-5.9.1 SUSE OpenStack Cloud Crowbar 9:libdjvulibre21-3.5.25.3-5.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211645-1/ https://www.suse.com/security/cve/CVE-2021-32493.html CVE-2021-32493 https://bugzilla.suse.com/1185905 SUSE Bug 1185905