[Git][security-tracker-team/security-tracker][master] 4 commits: CVE-2019-15058/CVE-2019-20056: Add notes about possible regression in upstream issue

Adrian Bunk (@bunk) bunk at debian.org
Tue Jan 31 22:07:01 GMT 2023



Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ab739933 by Adrian Bunk at 2023-01-31T23:56:41+02:00
CVE-2019-15058/CVE-2019-20056: Add notes about possible regression in upstream issue

- - - - -
ab24b059 by Adrian Bunk at 2023-01-31T23:56:58+02:00
CVE-2021-37789: Link to commit that fixed it

- - - - -
2757676f by Adrian Bunk at 2023-01-31T23:48:29+02:00
CVE-2021-42716 does not affect buster or bullseye

- - - - -
57d0c7cb by Adrian Bunk at 2023-01-31T23:51:40+02:00
Reserve DLA-3305-1 for libstb

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -68238,13 +68238,11 @@ CVE-2022-28043
 CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-after-fr ...)
 	- libstb <unfixed> (bug #1014531)
 	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1289
 	NOTE: https://github.com/nothings/stb/pull/1297
 CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer overflow via th ...)
 	- libstb <unfixed> (bug #1014531)
 	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1292
 	NOTE: https://github.com/nothings/stb/pull/1297
 CVE-2022-28040
@@ -99938,15 +99936,16 @@ CVE-2021-42717 (ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON
 	NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/ac79c1c29b7e6323e26cc984ad4f76ef62c731cd (v3.0.6)
 CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...)
 	- libstb <unfixed> (bug #1014532)
-	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
+	[bullseye] - libstb <not-affected> (Vulnerable code introduced later)
+	[buster] - libstb <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/nothings/stb/issues/1166
 	NOTE: https://github.com/nothings/stb/issues/1225
 	NOTE: https://github.com/nothings/stb/pull/1223
+	NOTE: 16-bin PNM support was added in
+	NOTE: https://github.com/nothings/stb/commit/8befa752b005da174b2429c1ffaafffe452b2997
 CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR  ...)
 	- libstb <unfixed> (bug #1014532)
 	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1224
 	NOTE: https://github.com/nothings/stb/pull/1223
 CVE-2021-42714 (Splashtop Remote Client (Business Edition) through 3.4.8.3 creates a T ...)
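Review bot: the added line "NOTE: 16-bin PNM support was added in" has a typo, it should read "16-bit"; since the commit it introduces is the one that brought in the vulnerable code rather than a fix, a wording such as "NOTE: Vulnerable code introduced by:" followed by the URL would also match the reason given in the new <not-affected> (Vulnerable code introduced later) annotations and avoid a reader mistaking the link for the fix. The change of bullseye and buster from <no-dsa> to <not-affected> is otherwise consistent with CVE-2021-42716 being left out of the DLA-3305-1 CVE list added in data/DLA/list.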
@@ -113925,6 +113924,7 @@ CVE-2021-37789 (stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load
 	- libstb <unfixed> (bug #1023693)
 	[bullseye] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1178
+	NOTE: https://github.com/nothings/stb/commit/5ba0baaa269b3fd681828e0e3b3ac0f1472eaf40
 CVE-2021-37788 (A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could all ...)
 	NOT-FOR-US: Gurock TestRail
 CVE-2021-37787
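Review bot: the added commit URL for CVE-2021-37789 carries no label, whereas the CVE-2021-42717 entry shown at the head of the previous hunk uses "NOTE: Fixed by: <commit>"; prefixing this line the same way would put the commit message's claim (that this commit fixed the issue) into the data itself, since a bare commit URL directly under an issue link can also be read as a reproducer or a related change.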
@@ -138840,7 +138840,6 @@ CVE-2021-28022 (Blind SQL injection in the login form in ServiceTonic Helpdesk s
 CVE-2021-28021 (Buffer overflow vulnerability in function stbi__extend_receive in stb_ ...)
 	- libstb 0.0~git20220908.8b5f1f3+ds-1 (bug #1014530)
 	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1108
 	NOTE: https://github.com/nothings/stb/commit/86b7570cfba845e8209c6aec2d15e487bb1d8bb4
 CVE-2021-28020
@@ -230831,6 +230830,8 @@ CVE-2019-20056 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel
 	NOTE: libsixel patch: https://github.com/saitoha/libsixel/commit/814f831555ea2492d442e784ab5d594f6a8e2e8d
 	NOTE: libstb PR: https://github.com/nothings/stb/issues/886
 	NOTE: libstb patch: https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7
+	NOTE: Fix might cause a regression:
+	NOTE: https://github.com/nothings/stb/pull/960#pullrequestreview-615017993
 CVE-2019-20055 (LuquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substri ...)
 	NOT-FOR-US: LuquidPixels LiquiFire OS
 CVE-2019-20053 (An invalid memory address dereference was discovered in the canUnpack  ...)
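Review bot: "NOTE: Fix might cause a regression:" is ambiguous in this entry because two fixes are listed, the libsixel patch (814f8315...) and the libstb patch (bfaccab1...); the linked review is on nothings/stb pull 960, so naming the libstb commit in the note (for example "NOTE: libstb fix bfaccab17 might cause a regression:") would stop the concern being read as applying to the libsixel patch as well.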
@@ -253507,6 +253508,8 @@ CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buf
 	NOTE: https://github.com/nothings/stb/issues/790
 	NOTE: Potentially also affects libsixel, mame, libsfml, love, zynaddsubfx, yquake2, ccextractor, zam-plugins, osgearth, catimg, darknet, gem, retroarch, renderdoc, goxel
 	NOTE: https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7
+	NOTE: Fix might cause a regression:
+	NOTE: https://github.com/nothings/stb/pull/960#pullrequestreview-615017993
 CVE-2019-15057
 	RESERVED
 CVE-2019-15056
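Review bot: the wording here matches the CVE-2019-20056 entry and both reference the same fix commit bfaccab17a648b315543d366c63aee575a0756b7, which is consistent; what the hunk's context does not show is buster's status line for CVE-2019-15058, so it is not visible from the diff whether this regression concern is the reason the CVE is absent from the DLA-3305-1 CVE list added in data/DLA/list below. If that is the reason, a NOTE saying so (or a buster annotation) would make the decision traceable.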
@@ -260543,37 +260546,30 @@ CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6
 	NOTE: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
 CVE-2019-13223 (A reachable assertion in the lookup1_values function in stb_vorbis thr ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
 	NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
 CVE-2019-13222 (An out-of-bounds read of a global buffer in the draw_line function in  ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
 	NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
 CVE-2019-13221 (A stack buffer overflow in the compute_codewords function in stb_vorbi ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
 	NOTE: Potentially affects godot, libxmp, pax-britannica, faudio, retroarch, yquake2
 CVE-2019-13220 (Use of uninitialized stack variables in the start_decoder function in  ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
 	NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
 CVE-2019-13219 (A NULL pointer dereference in the get_window function in stb_vorbis th ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
 	NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
 CVE-2019-13218 (Division by zero in the predict_point function in stb_vorbis through 2 ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
 	NOTE: Potentially affects godot, libxmp, pax-britannica, faudio, retroarch, yquake2
 CVE-2019-13217 (A heap buffer overflow in the start_decoder function in stb_vorbis thr ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
 	NOTE: Potentially affects liblivemedia, retroarch, godot, yquake2, pax-britannica, libxmp, faudio
 CVE-2019-13216
@@ -304933,7 +304929,6 @@ CVE-2018-16982 (Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a
 	NOT-FOR-US: Open Chinese Convert (OpenCC)
 CVE-2018-16981 (stb stb_image.h 2.19, as used in catimg, Emscripten, and other product ...)
 	- libstb 0.0~git20190617.5.c72a95d-1
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/656
 	NOTE: https://github.com/nothings/stb/commit/50b1bfba583b12ceb23ef949567bdd914461e524
 	NOTE: Potentially affects libsixel, libsfml, love, mame, darknet, gem, ccextractor, zynaddsubfx, osgearth, goxel, yquake2, renderdoc, catimg, libstb, zam-plugins, retroarch


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[31 Jan 2023] DLA-3305-1 libstb - security update
+	{CVE-2018-16981 CVE-2019-13217 CVE-2019-13218 CVE-2019-13219 CVE-2019-13220 CVE-2019-13221 CVE-2019-13222 CVE-2019-13223 CVE-2021-28021 CVE-2021-37789 CVE-2021-42715 CVE-2022-28041 CVE-2022-28042}
+	[buster] - libstb 0.0~git20180212.15.e6afb9c-1+deb10u1
 [31 Jan 2023] DLA-3304-1 fig2dev - security update
 	{CVE-2020-21529 CVE-2020-21531 CVE-2020-21532 CVE-2020-21676 CVE-2021-32280}
 	[buster] - fig2dev 1:3.2.7a-5+deb10u5
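Review bot: CVE-2019-15058 and CVE-2019-20056 are absent from this entry's CVE list while every other libstb CVE whose buster <no-dsa> line is dropped in data/CVE/list above is included; the regression notes added for those two in the same push suggest the omission is deliberate, but confirm it, since their buster annotations are not shown changed anywhere in the diff. CVE-2021-42716 is correctly absent, matching its new <not-affected> buster annotation. Placing the entry above DLA-3304-1 keeps the file's newest-first order, and 0.0~git20180212.15.e6afb9c-1+deb10u1 is the expected +deb10u1 form for a buster update of the existing snapshot.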


=====================================
data/dla-needed.txt
=====================================
@@ -116,9 +116,6 @@ libsdl2 (Markus Koschany)
   NOTE: 20221111: Programming language: C.
   NOTE: 20221111: Sync with jessie/stretch/bullseye (Beuc/front-desk)
 --
-libstb (Adrian Bunk)
-  NOTE: 20221111: Programming language: C.
---
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b0e3f13fb4faf085aa0b289c12895761c13c4a36...57d0c7cbd99b81d00a303b381af88f68728bfaaa
