NULL Pointer Dereference Affecting djvulibre package, versions <3.5.27.1-10+deb10u1
Snyk CVSS: Attack Complexity: Low; Availability: High
Threat Intelligence: EPSS 0.54% (77th percentile)
- Snyk ID SNYK-DEBIAN10-DJVULIBRE-481572
- published 10 Nov 2019
- disclosed 7 Nov 2019
- Introduced: 7 Nov 2019
- CVE-2019-18804
How to fix?
Upgrade Debian:10 djvulibre to version 3.5.27.1-10+deb10u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream djvulibre package and not the djvulibre package as distributed by Debian. See "How to fix?" for Debian:10 relevant fixed versions and status.
DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU::filter_fv at IW44EncodeCodec.cpp.
References
- https://security-tracker.debian.org/tracker/CVE-2019-18804
- https://lists.debian.org/debian-lts-announce/2019/11/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JO65AWU7LEWNF6DDCZPRFTR2ZPP5XK6L/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYPWP5T7TSUNZV4UEIRRCTVWO6VBZWJV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUEME45HVGTMDOYODAZYQOGWSZ2CEFWZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SWT7E7BMWV5T33AMU6OGDPPTPIGCFFZF/
- https://github.com/TeamSeri0us/pocs/blob/master/djvulibre/DJVU__filter_fv%40IW44EncodeCodec.cpp_499-43___SEGV_UNKNOW.md
- https://sourceforge.net/p/djvu/bugs/309/
- https://lists.debian.org/debian-lts-announce/2021/05/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00068.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00069.html
- https://usn.ubuntu.com/4198-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18804
- https://www.debian.org/security/2021/dsa-5032