Student requesting some information/assistance in regards to reproducing the CVE-2025-53367 PoC #913

narella1 · 2025-11-24T16:36:47Z

narella1
Nov 24, 2025

I'm currently attempting to reproduce the PoC, but I seem to be coming up short.
I'm working with a fresh install of Plucky Puffin using an iso downloaded from the Ubuntu website, and I'm following the information provided in this repository corresponding to the CVE to reproduce it.
During each step I would usually fail because I was missing some library but that was easy enough to rectify by downloading it and redoing the step at which I failed. Eventually I managed what seemed to be a full installation of DjVuLibre with the patch applied although it was missing a mime folder in the share folder I believe. At the very least it mentioned having to update it in the terminal which I obviously couldn't do when it didn't exist in the first place.
After creating the plucky.pdf file I opened it and the chrome window with Mr. Astley did not open as expected.
I know this isn't much information to go off of, but any suggestions or advice would be appreciated. I'll gladly provide additional information as well.

@kevinbackhouse

Answered by kevinbackhouse

Nov 25, 2025

Hi @narella1. I recommend building the package with Ubuntu's build tools. Linux distros like Ubuntu often make minor modifications to the source code, so if you try to use the original source code from the git repo then you're going to end up with a slightly different version of the binary. And an exploit like this depends very heavily on the binary being exactly as expected.

Here's how to build DjVuLibre from source on Ubuntu Plucky:

mkdir ~/djvulibre-src
cd ~/djvulibre-src
apt-get source djvulibre-bin
cd djvulibre-3.5.28
emacs -nw libdjvu/MMRDecoder.cpp # edit the file to revert the bugfix
debuild -i -uc -us -b

Now install it:

cd ~/djvulibre-src
sudo dpkg -i *.deb

You can get the poc, p…

View full answer

kevinbackhouse · 2025-11-25T09:43:48Z

kevinbackhouse
Nov 25, 2025
Maintainer

Hi @narella1. I recommend building the package with Ubuntu's build tools. Linux distros like Ubuntu often make minor modifications to the source code, so if you try to use the original source code from the git repo then you're going to end up with a slightly different version of the binary. And an exploit like this depends very heavily on the binary being exactly as expected.

Here's how to build DjVuLibre from source on Ubuntu Plucky:

mkdir ~/djvulibre-src
cd ~/djvulibre-src
apt-get source djvulibre-bin
cd djvulibre-3.5.28
emacs -nw libdjvu/MMRDecoder.cpp # edit the file to revert the bugfix
debuild -i -uc -us -b

Now install it:

cd ~/djvulibre-src
sudo dpkg -i *.deb

You can get the poc, plucky.pdf, from here: https://github.com/github/securitylab/tree/main/SecurityExploits/DjVuLibre/MMRDecoder_scanruns_CVE-2025-53367

I can't guarantee that it'll work, because the poc is going to be very sensitive to the binary being just right. It was very reliable before Ubuntu released the fix, because the binary was downloaded rather than built from source.

1 reply

narella1 Nov 27, 2025
Author

Sorry for the delayed response. I followed the steps you listed, installing libraries as needed and editing MMRDecoder, and got the poc to work. Thank you very much for taking the time to lay out this process!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Student requesting some information/assistance in regards to reproducing the CVE-2025-53367 PoC #913

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Student requesting some information/assistance in regards to reproducing the CVE-2025-53367 PoC #913

Uh oh!

narella1 Nov 24, 2025

Replies: 1 comment · 1 reply

Uh oh!

kevinbackhouse Nov 25, 2025 Maintainer

Uh oh!

narella1 Nov 27, 2025 Author

narella1
Nov 24, 2025

Replies: 1 comment 1 reply

kevinbackhouse
Nov 25, 2025
Maintainer

narella1 Nov 27, 2025
Author