#VU21450 Heap-based buffer overflow in DjVuLibre - CVE-2019-15142


Vulnerability identifier: #VU21450

Vulnerability risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-15142

CWE-ID: CWE-122

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
DjVuLibre
Client/Desktop applications / Multimedia software

Vendor: DjVu

Description

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to a boundary error when processing DJVU files in DjVmDir.cpp in DjVuLibre. A remote attacker can create a specially crafted DJVU, trick the victim into opening it, trigger heap-based buffer overflow and crash the application using the affected library.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

DjVuLibre: 3.5.27

External links
https://sourceforge.net/p/djvu/bugs/296/
https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for djvulibre
openEuler update for djvulibre
Gentoo update for DjVu
Ubuntu update for DjVuLibre
Fedora 30 update for mingw-djvulibre
Fedora 31 update for mingw-djvulibre
Fedora 30 update for djvulibre
Fedora EPEL 6 update for djvulibre
Fedora EPEL 7 update for djvulibre
Fedora 31 update for djvulibre