Critical Vulnerability in DjVuLibre: Out-of-Bounds Write Exploitation (CVE-2025-53367)

Today, version 3.5.29 of DjVuLibre has been released, which includes a critical fix for a vulnerability identified as CVE-2025-53367. The flaw is an out-of-bounds write in the method MMRDecoder::scanruns, which could lead to the execution of malicious code on Linux desktop systems when a user opens a document crafted to exploit it.

DjVu is a file format primarily used for viewing documents, similar to PDF. Many Linux distributions ship default viewers, such as Evince and Papers, that automatically detect DjVu files, even if they have a .pdf extension, and pass them to DjVuLibre for processing.

The vulnerability was discovered by Antonio during his research on the Evince document reader using fuzzing techniques. Subsequently, Kev developed a proof of concept that demonstrates how this flaw can be exploited. In a demonstration, it was observed that a malicious DjVu document, disguised with a .pdf extension, could trigger the execution of a command that opens a Rick Astley video when loaded in the default viewer.
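Because the viewer decides how to parse a file from its content rather than its name, a defender can apply the same check to find DjVu files hiding behind a .pdf extension. The following is an added example, not code from DjVuLibre or the researchers; the function names and sample files are constructed for illustration, and the signature check relies on the standard DjVu header (`AT&TFORM`, a 4-byte length, then a form type).

```python
import os
import tempfile

DJVU_MAGIC = b"AT&TFORM"  # IFF container signature used by DjVu
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}


def sniff_type(header: bytes) -> str:
    """Classify by leading bytes; DjVu = magic + 4-byte length + form type."""
    if header.startswith(b"%PDF-"):
        return "pdf"
    if (len(header) >= 16 and header[:8] == DJVU_MAGIC
            and header[12:16] in DJVU_FORM_TYPES):
        return "djvu"
    return "unknown"


def find_disguised_djvu(root: str, claimed_exts=(".pdf",)) -> list[str]:
    """Return paths whose extension claims PDF but whose content is DjVu."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(claimed_exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if sniff_type(header) == "djvu":
                hits.append(path)
    return sorted(hits)


def demo() -> list[str]:
    """Write constructed sample files to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "report.pdf": b"%PDF-1.7\n",                         # genuine PDF header
            "invoice.pdf": DJVU_MAGIC + b"\x00\x00\x00\x04DJVU",  # DjVu named .pdf
            "scan.djvu": DJVU_MAGIC + b"\x00\x00\x00\x04DJVM",    # honest DjVu
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_disguised_djvu(tmp)]

if __name__ == "__main__":
    print(demo())
```

A hit is only a mismatch between name and content, so it is a triage signal for mail gateways or download folders rather than proof that a file is malicious.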

Although the presented exploit is capable of evading certain security measures, such as address space layout randomization (ASLR), its effectiveness is unreliable, as it may work several times and then suddenly stop. Nonetheless, developers believe that it is possible to create a more robust exploit that can consistently leverage this vulnerability.

It is important to note that the viewer's AppArmor security profile prevents the launching of arbitrary processes, with the exception of Google Chrome. That is why the demonstration plays a video instead of opening a calculator. However, the AppArmor profile is not completely restrictive, so a determined attacker could still execute malicious code under certain circumstances.

The release of this updated version occurred less than 48 hours after the vulnerability was reported to the software authors, demonstrating a rapid response from the development community. There are plans to publish the source code of the exploit in the coming weeks in an effort to raise awareness about this vulnerability and its potential exploitation.

Source: MiMub in Spanish
