Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

libstb: CVE-2021-42715 CVE-2021-42716

Related Vulnerabilities: CVE-2021-42715   CVE-2021-42716  

Source

Debian Bug report logs - #1014532
libstb: CVE-2021-42715 CVE-2021-42716

Package: src:libstb; Maintainer for src:libstb is Yangfl <mmyangfl@gmail.com>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Thu, 7 Jul 2022 15:45:06 UTC

Severity: important

Tags: security

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Yangfl <mmyangfl@gmail.com>:
Bug#1014532; Package src:libstb. (Thu, 07 Jul 2022 15:45:09 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Yangfl <mmyangfl@gmail.com>. (Thu, 07 Jul 2022 15:45:09 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: libstb: CVE-2021-42715 CVE-2021-42716
Date: Thu, 7 Jul 2022 17:41:46 +0200
Source: libstb
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libstb.

CVE-2021-42715[0]:
| An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR
| loader parsed truncated end-of-file RLE scanlines as an infinite
| sequence of zero-length runs. An attacker could potentially have
| caused denial of service in applications using stb_image by submitting
| crafted HDR files.

https://github.com/nothings/stb/issues/1224
https://github.com/nothings/stb/pull/1223

CVE-2021-42716[1]:
| An issue was discovered in stb stb_image.h 2.27. The PNM loader
| incorrectly interpreted 16-bit PGM files as 8-bit when converting to
| RGBA, leading to a buffer overflow when later reinterpreting the
| result as a 16-bit buffer. An attacker could potentially have crashed
| a service using stb_image, or read up to 1024 bytes of non-consecutive
| heap data without control over the read location.

https://github.com/nothings/stb/issues/1166
https://github.com/nothings/stb/issues/1225
https://github.com/nothings/stb/pull/1223

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-42715
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42715
[1] https://security-tracker.debian.org/tracker/CVE-2021-42716
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42716

Please adjust the affected versions in the BTS as needed.

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 8 13:15:56 2022; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started