From 2dfda9f70178a6aa05dff7cb9c3fc7ad3d68d989 Mon Sep 17 00:00:00 2001
From: yangxinyu <yangxinyu@nfschina.com>
Date: Mon, 13 Jan 2025 17:06:22 +0800
Subject: [PATCH] [CVE] fix cve-2021-32490 cve-2021-32491 cve-2021-32493 to
 #bug13460 #13461 #13458 fix cve-2021-32490 cve-2021-32491 cve-2021-32493
 Project: TC2024080204 Signed-off-by:yangxinyu <yangxinyu@nfschina.com>

---
 djvulibre-3.5.27-fix-cve-2021-32490.patch | 25 +++++++++++++++++++++++
 djvulibre.spec                            |  8 +++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 djvulibre-3.5.27-fix-cve-2021-32490.patch

diff --git a/djvulibre-3.5.27-fix-cve-2021-32490.patch b/djvulibre-3.5.27-fix-cve-2021-32490.patch
new file mode 100644
index 0000000..c7ed74a
--- /dev/null
+++ b/djvulibre-3.5.27-fix-cve-2021-32490.patch
@@ -0,0 +1,25 @@
+From de3f26190699c54423d170da6f78c537e06991eb Mon Sep 17 00:00:00 2001
+From: Super User <root@hebei.10.60.in-addr.arpa>
+Date: Mon, 13 Jan 2025 16:14:08 +0800
+Subject: [PATCH] cve-2021-32490
+
+---
+ libdjvu/DjVuFile.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libdjvu/DjVuFile.cpp b/libdjvu/DjVuFile.cpp
+index 143346b..2587491 100644
+--- a/libdjvu/DjVuFile.cpp
++++ b/libdjvu/DjVuFile.cpp
+@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int file_num)
+     GURL incl_url=pcaster->id_to_url(this, incl_str);
+     if (incl_url.is_empty())	// Fallback. Should never be used.
+       incl_url=GURL::UTF8(incl_str,url.base());
++    if (incl_url == url)        // Infinite loop avoidance
++      G_THROW( ERR_MSG("DjVuFile.malformed") );
+     
+     // Now see if there is already a file with this *name* created
+     {
+-- 
+2.41.0
+
diff --git a/djvulibre.spec b/djvulibre.spec
index a20f958..8939f9d 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %define         _hardened_build 1
 
 Summary: DjVu viewers, encoders, and utilities
@@ -17,6 +17,9 @@ Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch
 Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch
 Patch14: djvulibre-3.5.27-out-of-bound-write-2.patch
 
+#https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/
+Patch15: djvulibre-3.5.27-fix-cve-2021-32490.patch
+
 Requires(post): xdg-utils
 Requires(preun): xdg-utils
 BuildRequires:  gcc
@@ -174,5 +177,8 @@ fi
 %doc README NEWS
 
 %changelog
+* Mon Jan 13 2025 yangxinyu <yangxinyu@nfschina.com> - 3.5.28-2
+- fix cve-2021-32490/32491/32493
+
 * Tue Mar 28 2023 Zhongling He <zhonglingh@linux.alibaba.com> - 3.5.28-1
 - Init package from upstream
-- 
Gitee