Bug#1032670: allegro4.4: CVE-2021-36489
Andreas Rönnquist
gusnan at debian.org
Thu Mar 21 20:33:51 GMT 2024
On Fri, 10 Mar 2023 18:04:23 +0100 =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= <jmm at inutil.org> wrote:
> Source: allegro4.4
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for allegro4.4.
>
> CVE-2021-36489[0]:
> | Buffer Overflow vulnerability in Allegro through 5.2.6 allows
> | attackers to cause a denial of service via crafted PCX/TGA/BMP files
> | to allegro_image addon.
>
> https://github.com/liballeg/allegro5/issues/1251
> https://github.com/liballeg/allegro5/pull/1253
>
> These fixes landed in Allegro 5.2.8.0:
> https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a (5.2.8.0)
> https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c (5.2.8.0)
> https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7 (5.2.8.0)
> https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e (5.2.8.0)
>
> In allegro 4.4, code is in src/[pcx|tga].c instead
>
Hey
I just tried to reproduce this now on the version of Allegro 4.4 in
Debian, and using the crash file as mentioned in
https://github.com/liballeg/allegro5/issues/1251
I cannot reproduce the crash on 4.4.
Can you still reproduce the crash on allegro4.4 from the debian package?
For me when running './ex_bitmap crash' I get a dialog "Error reading
bitmap file 'crash'", but no crash of the program
best
/Andreas
gusnan at debian.org
More information about the Pkg-games-devel
mailing list