Full Report
DjVuLibre has a vulnerability that could let an attacker gain code execution on a Linux desktop system when the user opens a crafted document. The post CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre appeared first on The GitHub Blog.
Analysis Summary
# Vulnerability: Out-of-Bounds Write in DjVuLibre Leading to Code Execution
## CVE Details
- CVE ID: CVE-2025-53367
- CVSS Score: Not given in the source; the severity ratings below are inferred from the described impact (code execution inside the viewer process), which places it in the **High** range.
- CWE: CWE-787 Out-of-bounds Write (implied by the description; the source does not cite a CWE explicitly).
## Affected Systems
- Products: DjVuLibre (used by document viewers like Evince and Papers).
- Versions: Prior to 3.5.29.
- Configurations: Linux desktop systems where a user opens a maliciously crafted DjVu document. The file may carry a `.pdf` extension: the viewer selects its backend from the file's contents rather than its name, so a renamed DjVu file is still handed to DjVuLibre.
## Vulnerability Description
The vulnerability is in `MMRDecoder::scanruns`, the DjVuLibre routine that decodes MMR (ITU-T T.6, G4 fax-style) run-length data into a per-scanline table of run positions. The decoder keeps two run buffers, `lineruns` and `prevruns`, swapping their roles from one line to the next, and advances a write pointer `xr` through the current buffer as it emits runs. Nothing checks that `xr` stays below the end of that buffer, so a crafted stream that yields more runs than the buffer was sized for makes `scanruns` write past its end. The result is memory corruption while the document is being parsed, which the GitHub Security Lab post shows can be turned into arbitrary code execution; the fix in 3.5.29 adds the missing bounds check on `xr`.
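To make the bug class concrete, the following toy run-length line decoder is added here; it is not DjVuLibre code and not taken from the GitHub Security Lab post. The input format (one byte per run length, colours alternating), the names `decode_runs_unchecked`, `decode_runs_checked` and `run_demo`, and the sizes `LINE_WIDTH` and `RUN_SLOTS` are all invented for illustration, and the zero-length-run trick it uses to produce more runs than pixels is a modelling choice, not a description of how the real DjVu trigger works. It shows the vulnerable pattern (a write pointer `xr` advanced through a width-sized buffer with no comparison against its end) beside a checked variant that rejects the stream, plus a harness that places a canary region after the logical buffer inside the same allocation so the overflow is observable without undefined behaviour.

```c
/* Toy run-length line decoder illustrating the bug class behind
 * CVE-2025-53367. NOT DjVuLibre code: the input format (one byte per run
 * length, colours alternating), the names and the sizes are invented. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LINE_WIDTH   16                 /* pixels per scan line in this toy */
#define RUN_SLOTS    (LINE_WIDTH + 2)   /* width-derived run buffer size */
#define CANARY_SLOTS 8                  /* slack after the logical buffer */
#define CANARY       0xEEEE

/* Vulnerable variant: xr walks forward through runs[] and is never compared
 * with the end of the buffer. The loop stops only when the line is full, so a
 * stream of zero-length runs advances xr without advancing pos.
 * Returns the number of entries written. */
static int decode_runs_unchecked(const uint8_t *in, size_t in_len,
                                 unsigned short *runs, size_t nruns)
{
    unsigned short *xr = runs;
    unsigned pos = 0;
    (void)nruns;                        /* capacity is known but never consulted */
    for (size_t i = 0; i < in_len && pos < LINE_WIDTH; i++) {
        pos += in[i];
        *xr++ = (unsigned short)pos;    /* out of bounds once xr reaches runs + nruns */
    }
    return (int)(xr - runs);
}

/* Hardened variant: refuse to write at or past runs + nruns. This mirrors the
 * kind of check a fix adds; the exact form of the 3.5.29 patch is not
 * reproduced. Returns entries written, or -1 if the stream is rejected. */
static int decode_runs_checked(const uint8_t *in, size_t in_len,
                               unsigned short *runs, size_t nruns)
{
    unsigned short *xr = runs;
    unsigned short *end = runs + nruns;
    unsigned pos = 0;
    for (size_t i = 0; i < in_len && pos < LINE_WIDTH; i++) {
        if (xr >= end)
            return -1;                  /* more runs than the line buffer can hold */
        pos += in[i];
        *xr++ = (unsigned short)pos;
    }
    return (int)(xr - runs);
}

struct demo_result {
    int written_unchecked;   /* entries the vulnerable decoder wrote */
    int written_checked;     /* hardened decoder's return (-1 = rejected) */
    int canary_clobbered;    /* 1 if the vulnerable decoder wrote past RUN_SLOTS */
};

/* Constructed inputs (invented for this example). CRAFTED never advances the
 * column but keeps emitting runs; BENIGN is four runs that exactly fill the
 * 16-pixel line. */
static const uint8_t CRAFTED[RUN_SLOTS + 4] = {0};
static const uint8_t BENIGN[] = {3, 5, 2, 6};

/* Runs both decoders against a buffer whose logical size is RUN_SLOTS but
 * whose backing array has CANARY_SLOTS of slack, so the overflow lands inside
 * the same allocation (observable, and not undefined behaviour). */
static struct demo_result run_demo(const uint8_t *in, size_t in_len)
{
    unsigned short backing[RUN_SLOTS + CANARY_SLOTS];
    struct demo_result r = {0, 0, 0};

    for (size_t i = 0; i < RUN_SLOTS + CANARY_SLOTS; i++)
        backing[i] = CANARY;
    r.written_unchecked = decode_runs_unchecked(in, in_len, backing, RUN_SLOTS);
    for (size_t i = RUN_SLOTS; i < RUN_SLOTS + CANARY_SLOTS; i++)
        if (backing[i] != CANARY)
            r.canary_clobbered = 1;

    r.written_checked = decode_runs_checked(in, in_len, backing, RUN_SLOTS);
    return r;
}

int main(void)
{
    struct demo_result c = run_demo(CRAFTED, sizeof CRAFTED);
    struct demo_result b = run_demo(BENIGN, sizeof BENIGN);
    printf("crafted: unchecked wrote %d of %d slots (canary clobbered=%d), checked=%d\n",
           c.written_unchecked, RUN_SLOTS, c.canary_clobbered, c.written_checked);
    printf("benign:  unchecked wrote %d, checked=%d, canary clobbered=%d\n",
           b.written_unchecked, b.written_checked, b.canary_clobbered);
    return 0;
}
```

The point of the harness is the shape of the check, not the numbers: the buffer size is derived from the line width, so the decoder has to bound the number of runs it emits, not just the pixel position those runs describe. Any stream format in which a run can be empty (or in which the run count is otherwise not a function of the width) needs the `xr >= end` comparison before every write.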
## Exploitation
- Status: **PoC available**. The GitHub Security Lab demonstrated RCE on Ubuntu 25.04 (x86_64) with the distribution's standard mitigations enabled; the PoC bypassed ASLR but was described as unreliable in its initial form.
- Complexity: **Medium** (requires crafting a specific DjVu document, but the PoC reaches RCE on a current distribution).
- Attack Vector: **Local**, with user interaction required: the victim has to open the crafted document, which can arrive by any channel (email attachment, download).
## Impact
- Confidentiality: **High** (code execution as the user running the viewer exposes everything that user can read).
- Integrity: **High** (the attacker can modify any data the user can write).
- Availability: **High** (at minimum the viewer crashes on the malformed input; successful exploitation gives control of the user's session).
## Remediation
### Patches
- **DjVuLibre version 3.5.29** fixes CVE-2025-53367 (GHSL-2025-055).
- Fix commit reference: `https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/`
### Workarounds
- The fix is the update to DjVuLibre 3.5.29 or newer (on Debian and Ubuntu the runtime library is packaged as `libdjvulibre21`); apply it first.
- Until then, do not open DjVu documents from untrusted sources, and treat `.pdf` files from untrusted sources with the same caution, since the extension does not decide which backend parses the file.
## Detection
- Indicators of Compromise: a document viewer process (`papers` or `evince`) spawning unexpected children. In the PoC the viewer ended up calling `system("google-chrome ...")`, so a shell or browser with the viewer as its parent is the concrete signal.
- Detection methods and tools: audit `execve` and flag document viewers appearing as the parent of a shell, browser, or network tool (for example with auditd, or a Falco rule keyed on the parent process name). Baseline first: a viewer also launches the browser legitimately when the user clicks a link inside a document, so correlate the child process with whether the user interacted with the document and with what was launched (a shell or a download tool is far more suspicious than a browser). Repeated viewer crashes on DjVu input (core dumps, abort messages in the journal) are a weaker signal consistent with failed attempts by an unreliable exploit.
## References
- Vendor Advisory/Source: GitHub Security Lab, "CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre", The GitHub Blog (advisory GHSL-2025-055). The only link carried in this summary is the Security Lab's general repository, `https://github.com/github/securitylab`, not the post itself.