CVE-2025-53367

Publication date 4 July 2025

Last updated 9 July 2025

Ubuntu priority

Description

DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason. This issue has been patched in version 3.5.29.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
djvulibre	25.10 questing	Not affected
	25.04 plucky	Fixed 3.5.28-2ubuntu0.25.04.1
	24.10 oracular	Ignored end of life
	24.04 LTS noble	Fixed 3.5.28-2ubuntu0.24.04.1
	22.04 LTS jammy	Fixed 3.5.28-2ubuntu0.22.04.1
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
djvulibre	Upstream: https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/

References

Related Ubuntu Security Notices (USN)

USN-7631-1
DjVuLibre vulnerability
9 July 2025