libsixel - Debian Package Tracker

general

source: libsixel (main)
version: 1.8.6-2
maintainer: NOKUBI Takatsugu (DMD)
arch: all any
std-ver: 4.1.5
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.5.2-2+deb9u1
oldstable: 1.8.2-1+deb10u1
stable: 1.8.6-2
testing: 1.8.6-2
unstable: 1.8.6-2

versioned links

1.5.2-2+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.2-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.6-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libsixel-bin
libsixel-dev (1 bugs: 0, 1, 0, 0)
libsixel-examples
libsixel1

action needed

22 security issues in stretch high

There are 22 open security issues in stretch.

5 important issues:

CVE-2020-21048: An issue in the dither.c component of libsixel prior to v1.8.4 allows attackers to cause a denial of service (DOS) via a crafted PNG file.
CVE-2020-21049: An invalid read in the stb_image.h component of libsixel prior to v1.8.5 allows attackers to cause a denial of service (DOS) via a crafted PSD file.
CVE-2020-21050: Libsixel prior to v1.8.3 contains a stack buffer overflow in the function gif_process_raster at fromgif.c.
CVE-2020-21547: Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c.
CVE-2020-21548: Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c.

17 issues postponed or untriaged:

CVE-2019-19635: (needs triaging) An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636: (needs triaging) An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.
CVE-2019-19637: (needs triaging) An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638: (needs triaging) An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19777: (needs triaging) stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read in stbi__load_main.
CVE-2019-19778: (needs triaging) An issue was discovered in libsixel 1.8.2. There is a heap-based buffer over-read in the function load_sixel at loader.c.
CVE-2019-20022: (needs triaging) An invalid memory address dereference was discovered in load_pnm in frompnm.c in libsixel before 1.8.3.
CVE-2019-20023: (needs triaging) A memory leak was discovered in image_buffer_resize in fromsixel.c in libsixel 1.8.4.
CVE-2019-20024: (needs triaging) A heap-based buffer overflow was discovered in image_buffer_resize in fromsixel.c in libsixel before 1.8.4.
CVE-2019-20056: (needs triaging) stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has an assertion failure in stbi__shiftsigned.
CVE-2019-20094: (needs triaging) An issue was discovered in libsixel 1.8.4. There is a heap-based buffer overflow in the function gif_init_frame at fromgif.c.
CVE-2019-20140: (needs triaging) An issue was discovered in libsixel 1.8.4. There is a heap-based buffer overflow in the function gif_out_code at fromgif.c.
CVE-2019-20205: (needs triaging) libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c.
CVE-2020-11721: (needs triaging) load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service.
CVE-2020-19668: (needs triaging) Unverified indexs into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.
CVE-2020-21677: (needs triaging) A heap-based buffer overflow in the sixel_encoder_output_without_macro function in encoder.c of Libsixel 1.8.4 allows attackers to cause a denial of service (DOS) via converting a crafted PNG file into Sixel format.
CVE-2020-36120: (postponed; to be fixed through a stable update) Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).

Created: 2021-09-15 Last update: 2021-09-19 07:30

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2020-11721: load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service.
CVE-2020-19668: Unverified indexs into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.
CVE-2020-36120: Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).

Created: 2021-02-19 Last update: 2021-09-19 07:30

22 security issues in buster high

There are 22 open security issues in buster.

5 important issues:

CVE-2020-21048: An issue in the dither.c component of libsixel prior to v1.8.4 allows attackers to cause a denial of service (DOS) via a crafted PNG file.
CVE-2020-21049: An invalid read in the stb_image.h component of libsixel prior to v1.8.5 allows attackers to cause a denial of service (DOS) via a crafted PSD file.
CVE-2020-21050: Libsixel prior to v1.8.3 contains a stack buffer overflow in the function gif_process_raster at fromgif.c.
CVE-2020-21547: Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c.
CVE-2020-21548: Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_encode_highcolor function in tosixel.c.

17 issues left for the package maintainer to handle:

CVE-2019-19635: (needs triaging) An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636: (needs triaging) An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.
CVE-2019-19637: (needs triaging) An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638: (needs triaging) An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19777: (needs triaging) stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read in stbi__load_main.
CVE-2019-19778: (needs triaging) An issue was discovered in libsixel 1.8.2. There is a heap-based buffer over-read in the function load_sixel at loader.c.
CVE-2019-20022: (needs triaging) An invalid memory address dereference was discovered in load_pnm in frompnm.c in libsixel before 1.8.3.
CVE-2019-20023: (needs triaging) A memory leak was discovered in image_buffer_resize in fromsixel.c in libsixel 1.8.4.
CVE-2019-20024: (needs triaging) A heap-based buffer overflow was discovered in image_buffer_resize in fromsixel.c in libsixel before 1.8.4.
CVE-2019-20056: (needs triaging) stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has an assertion failure in stbi__shiftsigned.
CVE-2019-20094: (needs triaging) An issue was discovered in libsixel 1.8.4. There is a heap-based buffer overflow in the function gif_init_frame at fromgif.c.
CVE-2019-20140: (needs triaging) An issue was discovered in libsixel 1.8.4. There is a heap-based buffer overflow in the function gif_out_code at fromgif.c.
CVE-2019-20205: (needs triaging) libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c.
CVE-2020-11721: (needs triaging) load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service.
CVE-2020-19668: (needs triaging) Unverified indexs into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.
CVE-2020-21677: (needs triaging) A heap-based buffer overflow in the sixel_encoder_output_without_macro function in encoder.c of Libsixel 1.8.4 allows attackers to cause a denial of service (DOS) via converting a crafted PNG file into Sixel format.
CVE-2020-36120: (needs triaging) Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-09-19 07:30

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2020-11721: load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service.
CVE-2020-19668: Unverified indexs into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.
CVE-2020-36120: Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).

Created: 2021-08-15 Last update: 2021-09-19 07:30

3 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 5850446f4a066b11d7ada8a1fd6572e16bb7e206
Author: NOKUBI Takatsugu <knok@daionet.gr.jp>
Date:   Thu Aug 19 18:39:37 2021 +0900

    New upstream version 1.9.0

commit a452cb89433ce79b949579ee46f719b8b43e3123
Merge: 40e4c83 37c2a09
Author: Takatsugu Nokubi <knok@debian.org>
Date:   Fri Sep 3 08:27:00 2021 +0000

    Merge branch 'master' into 'master'
    
    watch: update to version 4, use new libsixel fork
    
    See merge request debian/libsixel!2

commit 37c2a0947e8706c232b3282723b5fb599382509c
Author: nick black <dankamongmen@gmail.com>
Date:   Sat Jun 12 15:53:08 2021 -0400

    watch: update to version 4, use new libsixel fork

Created: 2021-09-03 Last update: 2021-09-17 19:05

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-08-22 Last update: 2021-01-27 03:03

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

libsixel-examples could be marked Multi-Arch: foreign

Created: 2017-08-28 Last update: 2021-09-22 18:02

3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

3 issues left for the package maintainer to handle:

CVE-2020-11721: (needs triaging) load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service.
CVE-2020-19668: (needs triaging) Unverified indexs into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.
CVE-2020-36120: (needs triaging) Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-14 Last update: 2021-09-19 07:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.1.5).

Created: 2018-08-20 Last update: 2021-08-18 14:03

news

[rss feed]

[2020-05-09] libsixel 1.8.6-2 MIGRATED to testing (Debian testing watch)
[2020-05-07] Accepted libsixel 1.8.6-2 (source) into unstable (NOKUBI Takatsugu)
[2020-03-10] libsixel 1.8.6-1 MIGRATED to testing (Debian testing watch)
[2020-03-05] Accepted libsixel 1.8.6-1 (source) into unstable (NOKUBI Takatsugu)
[2019-12-03] Accepted libsixel 1.5.2-2+deb9u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (NOKUBI Takatsugu)
[2019-11-09] Accepted libsixel 1.8.2-1+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (NOKUBI Takatsugu)
[2019-09-23] libsixel 1.8.2-2.1 MIGRATED to testing (Debian testing watch)
[2019-09-20] Accepted libsixel 1.8.2-2.1 (source) into unstable (Boyuan Yang)
[2019-09-09] Accepted libsixel 1.8.2-2 (source amd64 all) into unstable (NOKUBI Takatsugu)
[2018-07-28] libsixel 1.8.2-1 MIGRATED to testing (Debian testing watch)
[2018-07-23] Accepted libsixel 1.8.2-1 (source amd64 all) into unstable (NOKUBI Takatsugu)
[2018-07-16] libsixel 1.8.1-1 MIGRATED to testing (Debian testing watch)
[2018-07-11] Accepted libsixel 1.8.1-1 (source amd64 all) into unstable (NOKUBI Takatsugu)
[2017-09-02] libsixel 1.7.3-1 MIGRATED to testing (Debian testing watch)
[2017-08-28] Accepted libsixel 1.7.3-1 (source amd64 all) into unstable, unstable (NOKUBI Takatsugu)
[2015-09-09] libsixel 1.5.2-2 MIGRATED to testing (Britney)
[2015-09-04] Accepted libsixel 1.5.2-2 (source i386) into unstable (NOKUBI Takatsugu)
[2015-09-01] Accepted libsixel 1.5.2-1 (source i386) into unstable (NOKUBI Takatsugu)
[2015-04-27] libsixel 1.4.2-1 MIGRATED to testing (Britney)
[2014-12-09] Accepted libsixel 1.4.2-1 (source i386) into unstable (NOKUBI Takatsugu)
[2014-12-09] Accepted libsixel 1.1.2-2 (source i386) into unstable (NOKUBI Takatsugu)
[2014-11-04] libsixel 1.1.2-1 MIGRATED to testing (Britney)
[2014-10-24] Accepted libsixel 1.1.2-1 (source i386) into unstable, unstable (NOKUBI Takatsugu)

bugs [bug history graph]

all: 7
RC: 0
I&N: 6
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 3)
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.8.6-2