Debian Bug report logs - #992973
plib: CVE-2021-38714

version graph

Package: src:plib; Maintainer for src:plib is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 25 Aug 2021 19:27:01 UTC

Severity: grave

Tags: security, upstream

Found in version plib/1.8.5-8

Fixed in versions plib/1.8.5-10, plib/1.8.5-8+deb11u1, plib/1.8.5-8+deb10u1

Done: Anton Gladky <gladk@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/plib/bugs/55/

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#992973; Package src:plib. (Wed, 25 Aug 2021 19:27:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Wed, 25 Aug 2021 19:27:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: plib: CVE-2021-38714
Date: Wed, 25 Aug 2021 21:23:37 +0200
Source: plib
Version: 1.8.5-8
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://sourceforge.net/p/plib/bugs/55/
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for plib.

CVE-2021-38714[0]:
| In Plib through 1.85, there is an integer overflow vulnerability that
| could result in arbitrary code execution. The vulnerability is found
| in ssgLoadTGA() function in src/ssg/ssgLoadTGA.cxx file.

The severity of the this bug is set op purpose higher as it is
probably warranted. There is the following reason for that: plib is
orphaned in Debian for a while, it is obsoleted and unmaintained
upstream as well. Ideally it get's removed from Debian from the next
release, but thee would be some revers dependencies issues to be
solved, making it imposssible for now to remove the package:

| Checking reverse dependencies...
| # Broken Depends:
| crrcsim: crrcsim [amd64 arm64 armhf i386 mips64el mipsel ppc64el s390x]
| flightgear: flightgear
| openuniverse: openuniverse
| stormbaancoureur: stormbaancoureur
| torcs: torcs
| 
| # Broken Build-Depends:
| crrcsim: libplib-dev
| flightgear: libplib-dev
| torcs: libplib-dev
| 
| Dependency problem found.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-38714
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38714
[1] https://sourceforge.net/p/plib/bugs/55/

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#992973; Package src:plib. (Tue, 14 Sep 2021 19:33:09 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 14 Sep 2021 19:33:09 GMT) (full text, mbox, link).

Message #10 received at 992973@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 992973@bugs.debian.org
Subject: Re: plib: CVE-2021-38714
Date: Tue, 14 Sep 2021 21:31:46 +0200
Am Wed, Aug 25, 2021 at 09:23:37PM +0200 schrieb Salvatore Bonaccorso:
> Source: plib
> Version: 1.8.5-8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://sourceforge.net/p/plib/bugs/55/
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for plib.
> 
> CVE-2021-38714[0]:
> | In Plib through 1.85, there is an integer overflow vulnerability that
> | could result in arbitrary code execution. The vulnerability is found
> | in ssgLoadTGA() function in src/ssg/ssgLoadTGA.cxx file.
> 
> The severity of the this bug is set op purpose higher as it is
> probably warranted. There is the following reason for that: plib is
> orphaned in Debian for a while, it is obsoleted and unmaintained
> upstream as well. Ideally it get's removed from Debian from the next
> release, but thee would be some revers dependencies issues to be
> solved, making it imposssible for now to remove the package:
> 
> | Checking reverse dependencies...
> | # Broken Depends:
> | crrcsim: crrcsim [amd64 arm64 armhf i386 mips64el mipsel ppc64el s390x]
> | flightgear: flightgear
> | openuniverse: openuniverse
> | stormbaancoureur: stormbaancoureur
> | torcs: torcs
> | 
> | # Broken Build-Depends:
> | crrcsim: libplib-dev
> | flightgear: libplib-dev
> | torcs: libplib-dev
> | 
> | Dependency problem found.

These are all games, which load their data from a trusted source/the deb
(and plib is specifically a game lib).

One option to fix this would be to simply disable SSG (a simple scene
graph based on OpenGL), OpenSUSE did this by passing

--enable-ssg=no --enable-ssgaux=no

to the configure flags. I needs to be tested if any of the reverse deps
need SSG, though.

Cheers,
        Moritz

Reply sent to Anton Gladky <gladk@debian.org>:
You have taken responsibility. (Sat, 02 Oct 2021 12:33:02 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 Oct 2021 12:33:03 GMT) (full text, mbox, link).

Message #15 received at 992973-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992973-close@bugs.debian.org
Subject: Bug#992973: fixed in plib 1.8.5-10
Date: Sat, 02 Oct 2021 12:28:24 +0000
Source: plib
Source-Version: 1.8.5-10
Done: Anton Gladky <gladk@debian.org>

We believe that the bug you reported is fixed in the latest version of
plib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated plib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Oct 2021 13:38:47 +0200
Source: plib
Architecture: source
Version: 1.8.5-10
Distribution: unstable
Urgency: medium
Maintainer: Anton Gladky <gladk@debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Closes: 992973
Changes:
 plib (1.8.5-10) unstable; urgency=medium
 .
   * [6a45ca2] Add .gitlab-ci.yml
   * [7284a82] Add autopkgtests
   * [820a8f6] Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
               (Closes: #992973)
   * [b3dfe58] Trim trailing whitespace.
   * [53ad3b7] Update watch file format version to 4.
   * [11591a3] Avoid explicitly specifying -Wl,--as-needed linker flag.
   * [ee5f26d] Take the package
   * [d84e16c] Set compat-level 13. Standards-version: 4.6.0
   * [fd16cb9] Add not-installed (for .la-files)
Checksums-Sha1:
 e17ddd182dd6cd010a37125049a22b13214262b9 2015 plib_1.8.5-10.dsc
 14b7a941a1831fcad5f5a9ede31c7c8a01d9e2c6 11780 plib_1.8.5-10.debian.tar.xz
 dfb15ac8d0015b02a4e9fd96822ed465a84193f0 8269 plib_1.8.5-10_source.buildinfo
Checksums-Sha256:
 03bbc773cd827ccd75866bb04b7555fdf70cd2d62ef61b26ab0770d9e692d83e 2015 plib_1.8.5-10.dsc
 f659da51f9dd2599a84a0824966f96eea84b3a28a38c1661161a3927d43a5843 11780 plib_1.8.5-10.debian.tar.xz
 f09cbb8d023fb76ac8d694584df67f42b3c93a535be52d62738f9d7b58eb3b52 8269 plib_1.8.5-10_source.buildinfo
Files:
 463eaee6ab79865e4fef28974d0c497e 2015 devel optional plib_1.8.5-10.dsc
 cbdc25224185f17c080907ef1b928f0d 11780 devel optional plib_1.8.5-10.debian.tar.xz
 b13578f510a952ad0af0cfeac87909bf 8269 devel optional plib_1.8.5-10_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmFYRo0ACgkQ0+Fzg8+n
/wbJ2Q//XX648riAuYrjMufHNGnuFlb5pFOELHjTWvK83Xpb6jPG1eu+xA7TzWS8
AkWKp979ikzoEILgeuy3UGTKT0Tawwdp9GwM4wCY0k+1aQ8eKf2KBCs0G0JbESt8
7IircdRYtRq8GsVV76ZA1tC+CcLC4TRNaEqso2j6BNfbAsUIp/LfHkc7JCayP2zt
z4Vg2lj/ktUy35Egkml1ftDXZPnIRj680cHGwfiRAjbKTZX+keYsPtPWzDxehv6y
In5ct1avHSBgLnzkwF8YGP1UtHNLuTOvX0qmyhUBxVf+GO/9q2bPq2RW7xudFdA6
13tMT34CwbsVosxbQ1xF6vTwzxp50Jy165e7QIGIGgp5U48Q5fln7GRCGsFNvI2e
UJtFrDb0w5X35GGDS7ez62P+tmGsjnhXT4eNHEugqys8PVkmBjJ6KG7mq2MVJugc
IdeoqsEn0EPlOhSjFCBfB27VSCy3na4kfXPMFqKE2Y15ZyKqepWv1/cToYAaIxKm
AhmBeGLm4F+2tQWvf/Mur+HsWhp9x1eXWOlwYsrqN50x24XiYk9gMKnQhBXT8BLC
wRRxDzAQpOm0+ltrrY3plTiRPB5nKv/feCF0bCjPTC5EZY5lgAzgiKGTpupRTjdB
aM43eCtdyrL9TpR2GQzjwgNc/mOeYAEyHa+iHz9I2uoDYyF2IRE=
=JG6a
-----END PGP SIGNATURE-----

Reply sent to Anton Gladky <gladk@debian.org>:
You have taken responsibility. (Sat, 06 Nov 2021 19:21:05 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 06 Nov 2021 19:21:05 GMT) (full text, mbox, link).

Message #20 received at 992973-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992973-close@bugs.debian.org
Subject: Bug#992973: fixed in plib 1.8.5-8+deb11u1
Date: Sat, 06 Nov 2021 19:17:31 +0000
Source: plib
Source-Version: 1.8.5-8+deb11u1
Done: Anton Gladky <gladk@debian.org>

We believe that the bug you reported is fixed in the latest version of
plib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated plib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Oct 2021 14:56:13 +0200
Source: plib
Architecture: source
Version: 1.8.5-8+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Closes: 992973
Changes:
 plib (1.8.5-8+deb11u1) bullseye; urgency=medium
 .
   * Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
     (Closes: #992973)
Checksums-Sha1:
 5ed00a405191a2f6f361c6032f3d12b71c8db5ad 2009 plib_1.8.5-8+deb11u1.dsc
 c2cf7e3e1e58f7b63dae4bb21e4fa82c3e4d4cfc 779133 plib_1.8.5.orig.tar.gz
 2500862838fb7f619653084a1448fcca2b6be180 11396 plib_1.8.5-8+deb11u1.debian.tar.xz
 5b110cd2674ae4b7fc06df4786bf6c79e1b8261e 8297 plib_1.8.5-8+deb11u1_source.buildinfo
Checksums-Sha256:
 a006a9fb967b799e05191df106da8f816c8d150c6a46ffb7517be8680dabd173 2009 plib_1.8.5-8+deb11u1.dsc
 485b22bf6fdc0da067e34ead5e26f002b76326f6371e2ae006415dea6a380a32 779133 plib_1.8.5.orig.tar.gz
 e50148877cebe2fcffb5f4fdf7e2b23b4447fe3e36b7aad74d1a219930b99baf 11396 plib_1.8.5-8+deb11u1.debian.tar.xz
 3b607ac360ecf93df395d23cc6116789ce9c772fbbe8f63fd9ebd053cf55e593 8297 plib_1.8.5-8+deb11u1_source.buildinfo
Files:
 989268b6e57368ae4884265b6e2a5b7d 2009 devel extra plib_1.8.5-8+deb11u1.dsc
 47a6fbf63668c1eed631024038b2ea90 779133 devel extra plib_1.8.5.orig.tar.gz
 03e682e78e83da411ea0c8d04eeb4497 11396 devel extra plib_1.8.5-8+deb11u1.debian.tar.xz
 108d2bb08c93ad5aa27ff09ce82f6acf 8297 devel extra plib_1.8.5-8+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmFsIAUACgkQ0+Fzg8+n
/warjw/+N1naIFcDrfNqR6XzT8GW9uR4FafTxlQSMgti3rzCCQe5ltyKY38bmHqJ
ga49uABrOTWqj0uQ0XxZEXLGOxCzfs8RrXTuqXAdipm0g5J5VFBJ+jTm31F+Qsmi
qs/jCZh47W/7EUvC+zy6TZ/TR5vF++68fPCPnYwng3rTXMiLSOsV5tPyov/eUpig
X0WP5wjHDd3QnOYgtGcXhtu/bity7hYr8NOLv3Ql1IbxcDlaPCgoEgIVYXFaa4N3
3CIWoc/l1JnxOo4ddbQN5adoheVukk8FvmMAVNiShlxWMdk5rFHYEz98d7L6JwHU
xRgW+LtVKttit4ufYq9VqRzv89/pRf1YO3/VWJsxh6phTm39Skcn7Y6aNv6bvh0a
SufDQaNGmm3PrY3EqMpzkX5Z3yS2nOu4rckpBpjHv1zSSKSW3Rjm6f93SkMtozJx
BlOagN94Aw6JQpOYLoZMymb9ZPM8xBinC6u+4UNtLDQupYx1ru4ql9e4rQ0iGU8o
cTqbU4VTCB8KWrACyv9Xz1kDbLz+Bpm1LjUocmyCJ7bFtKdOHaMCFWAPI0SoMPwK
U0nRCl333tBEX3P5j8vqkL3sPpMIBt1IKA/5ZRJJhIkbm6Xga/ED+i18iMSFHLoh
04Eb58J7dhx7y/0ppEoZ6/2Gbgx4uZuxSuAvj7EF6W5ltsYBarc=
=ywnw
-----END PGP SIGNATURE-----

Reply sent to Anton Gladky <gladk@debian.org>:
You have taken responsibility. (Sat, 06 Nov 2021 19:36:03 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 06 Nov 2021 19:36:03 GMT) (full text, mbox, link).

Message #25 received at 992973-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992973-close@bugs.debian.org
Subject: Bug#992973: fixed in plib 1.8.5-8+deb10u1
Date: Sat, 06 Nov 2021 19:32:22 +0000
Source: plib
Source-Version: 1.8.5-8+deb10u1
Done: Anton Gladky <gladk@debian.org>

We believe that the bug you reported is fixed in the latest version of
plib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated plib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Oct 2021 14:56:13 +0200
Source: plib
Architecture: source
Version: 1.8.5-8+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Closes: 992973
Changes:
 plib (1.8.5-8+deb10u1) buster; urgency=medium
 .
   * Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
     (Closes: #992973)
Checksums-Sha1:
 ad89f666cb479e05049f7dc29aadfbb5de52d3d3 2009 plib_1.8.5-8+deb10u1.dsc
 c2cf7e3e1e58f7b63dae4bb21e4fa82c3e4d4cfc 779133 plib_1.8.5.orig.tar.gz
 404b0fcb0fe7baa1b9153c688648cd9ee63e4552 11392 plib_1.8.5-8+deb10u1.debian.tar.xz
 71635ac173ab2097e9c5879ceefd00330e2302fc 8297 plib_1.8.5-8+deb10u1_source.buildinfo
Checksums-Sha256:
 36ca02c4ede8fbf8c42a3d9b957cb29080acb4db76dd00cf4cf2123092f8c3bb 2009 plib_1.8.5-8+deb10u1.dsc
 485b22bf6fdc0da067e34ead5e26f002b76326f6371e2ae006415dea6a380a32 779133 plib_1.8.5.orig.tar.gz
 c6c89fda43270ddd4dff1a7a4510fe3c91ef7b82a7f55ca80a198c8f882382cd 11392 plib_1.8.5-8+deb10u1.debian.tar.xz
 084aef954ef296373fa62a431d61811a9b0748d3044360fcf010319c230b73d0 8297 plib_1.8.5-8+deb10u1_source.buildinfo
Files:
 b10f61b9cafb3f36df74705acd284402 2009 devel extra plib_1.8.5-8+deb10u1.dsc
 47a6fbf63668c1eed631024038b2ea90 779133 devel extra plib_1.8.5.orig.tar.gz
 6c16bd3d10233ff478c8df5999e91e24 11392 devel extra plib_1.8.5-8+deb10u1.debian.tar.xz
 0874ed3408018f706118ea4e71868952 8297 devel extra plib_1.8.5-8+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmFsIBAACgkQ0+Fzg8+n
/wbotQ/+PNW/WJuVANbDKMRInV0kYS3eMJ+Uyz0Y1j43geTjjzwnkw4c0wr6VR93
zfh9K6HhvBY+c0EDhIIJvwBZJAwuUvB9jkk0qmvdccy6BJ7V3bNNJIyOYAm+I+3T
f4BhbfnRjGBeXmjAZ70i4pnb7b7R9qx64DjWmp2wrAs6CSKzIV/EFQUii/DN2MY8
RPaLCh5MDelt2sdzscRWZAPoH30zttESjr5wBmdyHMFQsXg277OWChdVti02uX6M
8KkaxLj3QSZGd2GKsSKTSVoXg2Mo0HvXTUNXFvqaz4nkdXu/kPxHK5VTKY7y42fW
1FZ/j51Wk+SHGK8oG9htQpQf7GtNiRf2Lq9asIH6uM8c5+7WWQxLCZDCuIyWcCkx
O+ktD0LVw28fiZ4DQav+RDonHKSbQVJaAPEKYO47zazJVgzN3Bb/0bw07ze1WCF/
D75G0v6MXxrYyZpS107BxpNDg4wQbXOaBqyhc87k/R+aKhf39oWxOY4JxSCBz0tB
JoC7qDr3OY7ZScRvztxmqItHgXHgz/s8T7VaJccM75a00ImijtT7VereOT5RdktE
ku4uhqWFzTLE45HdmMLk0fRtvnn9iJOnYQY5JXVJkO+TwHcOubvbL/C1C+SAKbyp
i2GilN2rR/Cl2vll3vyDTYaTNUieTAmyDDwVyiyJ+yjppf52aF0=
=NaH9
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Dec 2021 07:27:53 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 19 10:21:26 2025; Machine Name: berlioz

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.