Amazon Linux 2 Security Advisory: ALAS2MATE-DESKTOP1.X-2025-010
Advisory Released Date: 2025-07-30
Advisory Updated Date: 2025-07-30
DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason. This issue has been patched in version 3.5.29. (CVE-2025-53367)
Affected Packages:
djvulibre
Note:
This advisory is applicable to Amazon Linux 2 - Mate-desktop1.x Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update djvulibre to update your system.
aarch64:
djvulibre-3.5.27-30.amzn2.0.4.aarch64
djvulibre-libs-3.5.27-30.amzn2.0.4.aarch64
djvulibre-devel-3.5.27-30.amzn2.0.4.aarch64
djvulibre-debuginfo-3.5.27-30.amzn2.0.4.aarch64
i686:
djvulibre-3.5.27-30.amzn2.0.4.i686
djvulibre-libs-3.5.27-30.amzn2.0.4.i686
djvulibre-devel-3.5.27-30.amzn2.0.4.i686
djvulibre-debuginfo-3.5.27-30.amzn2.0.4.i686
src:
djvulibre-3.5.27-30.amzn2.0.4.src
x86_64:
djvulibre-3.5.27-30.amzn2.0.4.x86_64
djvulibre-libs-3.5.27-30.amzn2.0.4.x86_64
djvulibre-devel-3.5.27-30.amzn2.0.4.x86_64
djvulibre-debuginfo-3.5.27-30.amzn2.0.4.x86_64