[Git][security-tracker-team/security-tracker][master] 4 commits: CVE-2019-15058/CVE-2019-20056: Add notes about possible regression in upstream issue
Adrian Bunk (@bunk)
bunk at debian.org
Tue Jan 31 22:07:01 GMT 2023
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ab739933 by Adrian Bunk at 2023-01-31T23:56:41+02:00
CVE-2019-15058/CVE-2019-20056: Add notes about possible regression in upstream issue
- - - - -
ab24b059 by Adrian Bunk at 2023-01-31T23:56:58+02:00
CVE-2021-37789: Link to commit that fixed it
- - - - -
2757676f by Adrian Bunk at 2023-01-31T23:48:29+02:00
CVE-2021-42716 does not affect buster or bullseye
- - - - -
57d0c7cb by Adrian Bunk at 2023-01-31T23:51:40+02:00
Reserve DLA-3305-1 for libstb
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -68238,13 +68238,11 @@ CVE-2022-28043
CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-after-fr ...)
- libstb <unfixed> (bug #1014531)
[bullseye] - libstb <no-dsa> (Minor issue)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1289
NOTE: https://github.com/nothings/stb/pull/1297
CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer overflow via th ...)
- libstb <unfixed> (bug #1014531)
[bullseye] - libstb <no-dsa> (Minor issue)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1292
NOTE: https://github.com/nothings/stb/pull/1297
CVE-2022-28040
@@ -99938,15 +99936,16 @@ CVE-2021-42717 (ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON
NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/ac79c1c29b7e6323e26cc984ad4f76ef62c731cd (v3.0.6)
CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...)
- libstb <unfixed> (bug #1014532)
- [bullseye] - libstb <no-dsa> (Minor issue)
- [buster] - libstb <no-dsa> (Minor issue)
+ [bullseye] - libstb <not-affected> (Vulnerable code introduced later)
+ [buster] - libstb <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/nothings/stb/issues/1166
NOTE: https://github.com/nothings/stb/issues/1225
NOTE: https://github.com/nothings/stb/pull/1223
+ NOTE: 16-bin PNM support was added in
+ NOTE: https://github.com/nothings/stb/commit/8befa752b005da174b2429c1ffaafffe452b2997
CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR ...)
- libstb <unfixed> (bug #1014532)
[bullseye] - libstb <no-dsa> (Minor issue)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1224
NOTE: https://github.com/nothings/stb/pull/1223
CVE-2021-42714 (Splashtop Remote Client (Business Edition) through 3.4.8.3 creates a T ...)
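Review bot: the added NOTE on CVE-2021-42716 reads "16-bin PNM support was added in"; that should be "16-bit PNM support", since the not-affected rationale for buster and bullseye rests on the 16-bit PNM code path having been introduced by commit 8befa752b005da174b2429c1ffaafffe452b2997. Worth fixing in a follow-up so the triage note is unambiguous. The rest of the hunk is consistent with the rest of this push: CVE-2021-42716 does not appear in the DLA-3305-1 CVE list in data/DLA/list, while CVE-2021-42715, whose [buster] no-dsa line is dropped here, does.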
@@ -113925,6 +113924,7 @@ CVE-2021-37789 (stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load
- libstb <unfixed> (bug #1023693)
[bullseye] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1178
+ NOTE: https://github.com/nothings/stb/commit/5ba0baaa269b3fd681828e0e3b3ac0f1472eaf40
CVE-2021-37788 (A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could all ...)
NOT-FOR-US: Gurock TestRail
CVE-2021-37787
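Review bot: the new NOTE for CVE-2021-37789 is a bare commit URL. The CVE-2021-42717 entry at the top of this hunk uses the form "NOTE: Fixed by: <url> (version)", and the commit message says this is the fixing commit, so prefixing "Fixed by:" would make the link's meaning explicit (the issue link directly above it is the report, not the fix). Also, no [buster] line is touched here although DLA-3305-1 lists CVE-2021-37789; that is only correct if buster never had an explicit triage line for this CVE, which the two context lines suggest but do not prove.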
@@ -138840,7 +138840,6 @@ CVE-2021-28022 (Blind SQL injection in the login form in ServiceTonic Helpdesk s
CVE-2021-28021 (Buffer overflow vulnerability in function stbi__extend_receive in stb_ ...)
- libstb 0.0~git20220908.8b5f1f3+ds-1 (bug #1014530)
[bullseye] - libstb <no-dsa> (Minor issue)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1108
NOTE: https://github.com/nothings/stb/commit/86b7570cfba845e8209c6aec2d15e487bb1d8bb4
CVE-2021-28020
@@ -230831,6 +230830,8 @@ CVE-2019-20056 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel
NOTE: libsixel patch: https://github.com/saitoha/libsixel/commit/814f831555ea2492d442e784ab5d594f6a8e2e8d
NOTE: libstb PR: https://github.com/nothings/stb/issues/886
NOTE: libstb patch: https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7
+ NOTE: Fix might cause a regression:
+ NOTE: https://github.com/nothings/stb/pull/960#pullrequestreview-615017993
CVE-2019-20055 (LuquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substri ...)
NOT-FOR-US: LuquidPixels LiquiFire OS
CVE-2019-20053 (An invalid memory address dereference was discovered in the canUnpack ...)
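Review bot: "Fix might cause a regression" records only a link to a GitHub pull-request review comment. A few words on what regresses (which loader or input the changed check affects) would keep the triage rationale readable from the tracker itself if that review thread is later edited or removed, and would let whoever picks up CVE-2019-20056 for buster decide whether the commit bfaccab17a648b315543d366c63aee575a0756b7 cited two lines above is still the right fix to ship.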
@@ -253507,6 +253508,8 @@ CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buf
NOTE: https://github.com/nothings/stb/issues/790
NOTE: Potentially also affects libsixel, mame, libsfml, love, zynaddsubfx, yquake2, ccextractor, zam-plugins, osgearth, catimg, darknet, gem, retroarch, renderdoc, goxel
NOTE: https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7
+ NOTE: Fix might cause a regression:
+ NOTE: https://github.com/nothings/stb/pull/960#pullrequestreview-615017993
CVE-2019-15057
RESERVED
CVE-2019-15056
@@ -260543,37 +260546,30 @@ CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6
NOTE: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
CVE-2019-13223 (A reachable assertion in the lookup1_values function in stb_vorbis thr ...)
- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
CVE-2019-13222 (An out-of-bounds read of a global buffer in the draw_line function in ...)
- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
CVE-2019-13221 (A stack buffer overflow in the compute_codewords function in stb_vorbi ...)
- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
NOTE: Potentially affects godot, libxmp, pax-britannica, faudio, retroarch, yquake2
CVE-2019-13220 (Use of uninitialized stack variables in the start_decoder function in ...)
- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
CVE-2019-13219 (A NULL pointer dereference in the get_window function in stb_vorbis th ...)
- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
CVE-2019-13218 (Division by zero in the predict_point function in stb_vorbis through 2 ...)
- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
NOTE: Potentially affects godot, libxmp, pax-britannica, faudio, retroarch, yquake2
CVE-2019-13217 (A heap buffer overflow in the start_decoder function in stb_vorbis thr ...)
- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
CVE-2019-13216
@@ -304933,7 +304929,6 @@ CVE-2018-16982 (Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a
NOT-FOR-US: Open Chinese Convert (OpenCC)
CVE-2018-16981 (stb stb_image.h 2.19, as used in catimg, Emscripten, and other product ...)
- libstb 0.0~git20190617.5.c72a95d-1
- [buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/656
NOTE: https://github.com/nothings/stb/commit/50b1bfba583b12ceb23ef949567bdd914461e524
NOTE: Potentially affects libsixel, libsfml, love, mame, darknet, gem, ccextractor, zynaddsubfx, osgearth, goxel, yquake2, renderdoc, catimg, libstb, zam-plugins, retroarch
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[31 Jan 2023] DLA-3305-1 libstb - security update
+ {CVE-2018-16981 CVE-2019-13217 CVE-2019-13218 CVE-2019-13219 CVE-2019-13220 CVE-2019-13221 CVE-2019-13222 CVE-2019-13223 CVE-2021-28021 CVE-2021-37789 CVE-2021-42715 CVE-2022-28041 CVE-2022-28042}
+ [buster] - libstb 0.0~git20180212.15.e6afb9c-1+deb10u1
[31 Jan 2023] DLA-3304-1 fig2dev - security update
{CVE-2020-21529 CVE-2020-21531 CVE-2020-21532 CVE-2020-21676 CVE-2021-32280}
[buster] - fig2dev 1:3.2.7a-5+deb10u5
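Review bot: the 13 CVEs in the DLA-3305-1 line match the [buster] no-dsa lines removed from data/CVE/list in this push (CVE-2018-16981, the seven stb_vorbis CVEs CVE-2019-13217 through CVE-2019-13223, CVE-2021-28021, CVE-2021-42715, CVE-2022-28041 and CVE-2022-28042), with CVE-2021-37789 the one listed CVE for which no [buster] line is removed; please double-check that entry had no explicit buster line, so the tracker now resolves it as fixed by 0.0~git20180212.15.e6afb9c-1+deb10u1. Placement above DLA-3304-1 follows the newest-first order of the file.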
=====================================
data/dla-needed.txt
=====================================
@@ -116,9 +116,6 @@ libsdl2 (Markus Koschany)
NOTE: 20221111: Programming language: C.
NOTE: 20221111: Sync with jessie/stretch/bullseye (Beuc/front-desk)
--
-libstb (Adrian Bunk)
- NOTE: 20221111: Programming language: C.
---
linux (Ben Hutchings)
NOTE: 20230111: Programming language: C
--
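Review bot: removing libstb from dla-needed.txt is consistent with DLA-3305-1 having been issued, but this same push adds regression notes for CVE-2019-15058 and CVE-2019-20056, neither of which DLA-3305-1 lists. If either remains open for buster, dropping the dla-needed entry leaves no work item pointing at them; a [buster] postponed or no-dsa marker on those two entries that states the upstream regression concern as the reason would make the deferral explicit rather than implicit.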
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b0e3f13fb4faf085aa0b289c12895761c13c4a36...57d0c7cbd99b81d00a303b381af88f68728bfaaa