libstb - Debian Package Tracker

general

source: libstb (main)
version: 0.0~git20240715.f7f20f39fe4f+ds-1
maintainer: Yangfl (DMD)
arch: any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.0~git20180212.15.e6afb9c-1
o-o-sec: 0.0~git20180212.15.e6afb9c-1+deb10u1
oldstable: 0.0~git20200713.b42009b+ds-1
old-bpo: 0.0~git20220908.8b5f1f3+ds-1~bpo11+1
stable: 0.0~git20220908.8b5f1f3+ds-1
testing: 0.0~git20240715.f7f20f39fe4f+ds-1
unstable: 0.0~git20240715.f7f20f39fe4f+ds-1

versioned links

0.0~git20180212.15.e6afb9c-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0~git20180212.15.e6afb9c-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0~git20200713.b42009b+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0~git20220908.8b5f1f3+ds-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0~git20220908.8b5f1f3+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.0~git20240715.f7f20f39fe4f+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libstb-dev
libstb0t64

action needed

A new upstream version is available: 0.0~git20241109.5c20573 high

A new upstream version 0.0~git20241109.5c20573 is available, you should consider packaging it.

Created: 2024-07-31 Last update: 2025-01-20 11:00

16 security issues in trixie high

There are 16 open security issues in trixie.

16 important issues:

CVE-2023-43898: Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.
CVE-2023-45661: stb_image is a single file MIT licensed library for processing images. A crafted image file may trigger out of bounds memcpy read in `stbi__gif_load_next`. This happens because two_back points to a memory address lower than the start of the buffer out. This issue may be used to leak internal memory allocation information.
CVE-2023-45662: stb_image is a single file MIT licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions.
CVE-2023-45663: stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.
CVE-2023-45664: stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `stbi__load_gif_main_outofmem` attempt to double-free the out variable. This happens in `stbi__load_gif_main` because when the `layers * stride` value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.
CVE-2023-45666: stb_image is a single file MIT licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed
CVE-2023-45667: stb_image is a single file MIT licensed library for processing images. If `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.
CVE-2023-45675: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in `malloc` case it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.
CVE-2023-45676: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7` in and the negative value passes the maximum available memory buffer check. This issue may lead to code execution.
CVE-2023-45677: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read in `start_decoder` is a negative number and `setup_malloc` successfully allocates memory in that case, but memory write is done with a negative index `len`. Similarly if len is INT_MAX the integer overflow len+1 happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));` and `f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may lead to code execution.
CVE-2023-45678: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in `start_decoder` because at maximum `m->submaps` can be 16 but `submap_floor` and `submap_residue` are declared as arrays of 15 elements. This issue may lead to code execution.
CVE-2023-45679: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead to code execution.
CVE-2023-45680: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. This issue may lead to denial of service.
CVE-2023-45681: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.
CVE-2023-45682: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.
CVE-2023-47212: A heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.22. A specially crafted .ogg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

Created: 2023-10-04 Last update: 2024-10-29 22:00

16 security issues in sid high

There are 16 open security issues in sid.

16 important issues:

CVE-2023-43898: Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.
CVE-2023-45661: stb_image is a single file MIT licensed library for processing images. A crafted image file may trigger out of bounds memcpy read in `stbi__gif_load_next`. This happens because two_back points to a memory address lower than the start of the buffer out. This issue may be used to leak internal memory allocation information.
CVE-2023-45662: stb_image is a single file MIT licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions.
CVE-2023-45663: stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.
CVE-2023-45664: stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `stbi__load_gif_main_outofmem` attempt to double-free the out variable. This happens in `stbi__load_gif_main` because when the `layers * stride` value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.
CVE-2023-45666: stb_image is a single file MIT licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed
CVE-2023-45667: stb_image is a single file MIT licensed library for processing images. If `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.
CVE-2023-45675: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in `malloc` case it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.
CVE-2023-45676: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7` in and the negative value passes the maximum available memory buffer check. This issue may lead to code execution.
CVE-2023-45677: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read in `start_decoder` is a negative number and `setup_malloc` successfully allocates memory in that case, but memory write is done with a negative index `len`. Similarly if len is INT_MAX the integer overflow len+1 happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));` and `f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may lead to code execution.
CVE-2023-45678: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in `start_decoder` because at maximum `m->submaps` can be 16 but `submap_floor` and `submap_residue` are declared as arrays of 15 elements. This issue may lead to code execution.
CVE-2023-45679: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead to code execution.
CVE-2023-45680: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. This issue may lead to denial of service.
CVE-2023-45681: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.
CVE-2023-45682: stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.
CVE-2023-47212: A heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.22. A specially crafted .ogg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

Created: 2023-10-04 Last update: 2024-10-29 22:00

18 security issues in buster high

There are 18 open security issues in buster.

1 important issue:

CVE-2023-47212: A heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.22. A specially crafted .ogg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

17 issues postponed or untriaged:

CVE-2019-15058: (needs triaging) stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service.
CVE-2019-20056: (needs triaging) stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has an assertion failure in stbi__shiftsigned.
CVE-2023-43898: (postponed; to be fixed through a stable update) Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.
CVE-2023-45661: (needs triaging) stb_image is a single file MIT licensed library for processing images. A crafted image file may trigger out of bounds memcpy read in `stbi__gif_load_next`. This happens because two_back points to a memory address lower than the start of the buffer out. This issue may be used to leak internal memory allocation information.
CVE-2023-45662: (needs triaging) stb_image is a single file MIT licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions.
CVE-2023-45663: (needs triaging) stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.
CVE-2023-45664: (needs triaging) stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `stbi__load_gif_main_outofmem` attempt to double-free the out variable. This happens in `stbi__load_gif_main` because when the `layers * stride` value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.
CVE-2023-45666: (needs triaging) stb_image is a single file MIT licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed
CVE-2023-45667: (needs triaging) stb_image is a single file MIT licensed library for processing images. If `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.
CVE-2023-45675: (needs triaging) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in `malloc` case it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.
CVE-2023-45676: (needs triaging) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7` in and the negative value passes the maximum available memory buffer check. This issue may lead to code execution.
CVE-2023-45677: (needs triaging) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read in `start_decoder` is a negative number and `setup_malloc` successfully allocates memory in that case, but memory write is done with a negative index `len`. Similarly if len is INT_MAX the integer overflow len+1 happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));` and `f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may lead to code execution.
CVE-2023-45678: (needs triaging) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in `start_decoder` because at maximum `m->submaps` can be 16 but `submap_floor` and `submap_residue` are declared as arrays of 15 elements. This issue may lead to code execution.
CVE-2023-45679: (needs triaging) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead to code execution.
CVE-2023-45680: (needs triaging) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. This issue may lead to denial of service.
CVE-2023-45681: (needs triaging) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.
CVE-2023-45682: (needs triaging) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.

Created: 2024-05-02 Last update: 2024-05-07 13:55

24 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 821315293f7ec5d4aa3f183288d1deee6b3fafd6
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Sat Jul 27 09:09:20 2024 +0800

    debian: update to 0.0~git20240715.f7f20f39fe4f+ds

commit 5c941d33c2a8d632b8bbf36386768aa5e4690ebb
Merge: 85a0747 4f3228d
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Sat Jul 27 09:08:30 2024 +0800

    Merge tag 'upstream/0.0_git20240715.f7f20f39fe4f+ds'

commit 85a074776b3e5b40e7c947abc2edd8fd7c2c9df5
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Wed Jul 3 18:00:09 2024 +0800

    debian: update to 0.0~git20230129.5736b15+ds-1.2

commit 9017e921a5c3e9d669cc10a73a1bea56a3af2f37
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Wed Jul 3 17:59:22 2024 +0800

    debian: update to 0.0~git20230129.5736b15+ds-1.1

commit 90286151db35187e1efcd30aea823119cb39873a
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Thu Mar 16 05:43:31 2023 +0800

    debian: update to 0.0~git20230129.5736b15+ds

commit bf9ad6041218ea65c7228214d1077ad8b07502ab
Merge: 63aaadc abab6b2
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Thu Mar 16 05:42:32 2023 +0800

    Merge tag 'upstream/0.0_git20230129.5736b15+ds'

commit abab6b22c7a9340cd5c853ab1ec6c3a092379f64
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Thu Mar 16 02:12:37 2023 +0800

    Import Upstream version 0.0~git20230129.5736b15+ds

commit 63aaadc0dfef7887c27850c5b38e3f3b960c393a
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Tue Sep 27 19:14:31 2022 +0800

    debian: update to 0.0~git20220908.8b5f1f3+ds

commit e33ba30850fd960610ed3323d0485f339c3cb7ad
Merge: d65b382 1678823
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Tue Sep 27 19:12:35 2022 +0800

    Merge tag 'upstream/0.0_git20220908.8b5f1f3+ds'

commit 1678823bc819a0ff9b1b61c3496a5549bc5b6ed6
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Tue Sep 27 19:11:51 2022 +0800

    Import Upstream version 0.0~git20220908.8b5f1f3+ds

commit d65b38211e8932ff47d21bd5381cbe9b3cabe881
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Sun Jan 23 16:48:59 2022 +0800

    debian: update to 0.0~git20210910.af1a5bc+ds

commit e56706da14dd636d5f9f5d0e9ebb828768d9df38
Merge: b5ba864 c570e75
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Sun Jan 23 16:56:40 2022 +0800

    Merge tag 'upstream/0.0_git20210910.af1a5bc+ds'

commit c570e75cb4ed8b9fd357ae6bc4dcf840339fbcab
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Sun Jan 23 16:55:45 2022 +0800

    Import Upstream version 0.0~git20210910.af1a5bc+ds

commit b5ba864fbaa59972f232353dffd43472c0a26845
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Fri Feb 12 17:00:58 2021 +0800

    debian: update to 0.0~0.0~git20200713.b42009b+ds

commit f414b1bb497e358da8c4fc3a66300c9b439d85fd
Merge: 88d9bff 8c2a7bc
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Tue Feb 16 13:47:00 2021 +0800

    Merge tag 'upstream/0.0_git20200713.b42009b+ds'

commit 8c2a7bcfa47dc2daf1cd7d6f7647fc215f5aa95a
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Tue Feb 16 13:45:16 2021 +0800

    Import Upstream version 0.0~git20200713.b42009b+ds

commit 88d9bff0f9f4f5c12321670466136a2bef66ac87
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Tue Dec 8 15:08:47 2020 +0800

    debian: update to 0.0~0.0~git20200713.b42009b

commit 50266f772ce995c50842babba11c33e77af3e515
Merge: 6a4e920 b42009b
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Tue Dec 8 15:06:34 2020 +0800

    Merge tag 'upstream/0.0_git20200713.b42009b'

commit 6a4e9205061d5dcdbaa7b42cb22b1e3e27b0ab4d
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Fri Sep 20 00:23:39 2019 +0800

    debian: update to 0.0~git20190817.1.052dce1

commit cd40cdcec31351be8ecb2a4ee20ab3f316d069f5
Merge: 7e27ff1 052dce1
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Fri Sep 20 08:46:47 2019 +0800

    Merge branch 'upstream'

commit 7e27ff11f419bdbcfa758e81cab431c9964affcd
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Wed Jul 10 20:13:03 2019 +0800

    debian: update patches

commit c53fb6f35a67afcc69825c73b308f5fd1264f1e5
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Wed Mar 27 00:22:33 2019 +0800

    debian: update to 0.0~git20190617.5.c72a95d

commit 9b2b35011ccb6d30ade729516c9cbbebff99b30d
Merge: 6b65762 c72a95d
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Thu Jul 4 19:14:01 2019 +0800

    Merge branch 'upstream'

commit 6b65762b00393bc1c9d65b92848c0b31614d0e2d
Author: yangfl <yangfl@users.noreply.github.com>
Date:   Fri Nov 30 23:04:40 2018 +0800

    debian: init

Created: 2024-07-27 Last update: 2025-01-17 19:33

20 low-priority security issues in bookworm low

There are 20 open security issues in bookworm.

20 issues left for the package maintainer to handle:

CVE-2021-42715: (needs triaging) An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files.
CVE-2021-42716: (needs triaging) An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location.
CVE-2022-28041: (needs triaging) stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
CVE-2022-28042: (needs triaging) stb_image.h v2.27 was discovered to contain an heap-based use-after-free via the function stbi__jpeg_huff_decode.
CVE-2023-43898: (needs triaging) Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.
CVE-2023-45661: (postponed; to be fixed through a stable update) stb_image is a single file MIT licensed library for processing images. A crafted image file may trigger out of bounds memcpy read in `stbi__gif_load_next`. This happens because two_back points to a memory address lower than the start of the buffer out. This issue may be used to leak internal memory allocation information.
CVE-2023-45662: (postponed; to be fixed through a stable update) stb_image is a single file MIT licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions.
CVE-2023-45663: (postponed; to be fixed through a stable update) stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.
CVE-2023-45664: (postponed; to be fixed through a stable update) stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `stbi__load_gif_main_outofmem` attempt to double-free the out variable. This happens in `stbi__load_gif_main` because when the `layers * stride` value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.
CVE-2023-45666: (postponed; to be fixed through a stable update) stb_image is a single file MIT licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed
CVE-2023-45667: (postponed; to be fixed through a stable update) stb_image is a single file MIT licensed library for processing images. If `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.
CVE-2023-45675: (postponed; to be fixed through a stable update) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in `malloc` case it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.
CVE-2023-45676: (postponed; to be fixed through a stable update) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7` in and the negative value passes the maximum available memory buffer check. This issue may lead to code execution.
CVE-2023-45677: (postponed; to be fixed through a stable update) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read in `start_decoder` is a negative number and `setup_malloc` successfully allocates memory in that case, but memory write is done with a negative index `len`. Similarly if len is INT_MAX the integer overflow len+1 happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));` and `f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may lead to code execution.
CVE-2023-45678: (postponed; to be fixed through a stable update) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in `start_decoder` because at maximum `m->submaps` can be 16 but `submap_floor` and `submap_residue` are declared as arrays of 15 elements. This issue may lead to code execution.
CVE-2023-45679: (postponed; to be fixed through a stable update) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead to code execution.
CVE-2023-45680: (postponed; to be fixed through a stable update) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. This issue may lead to denial of service.
CVE-2023-45681: (postponed; to be fixed through a stable update) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.
CVE-2023-45682: (postponed; to be fixed through a stable update) stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.
CVE-2023-47212: (postponed; to be fixed through a stable update) A heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.22. A specially crafted .ogg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2024-10-29 22:00

debian/patches: 11 patches to forward upstream low

Among the 11 debian patches available in version 0.0~git20240715.f7f20f39fe4f+ds-1 of the package, we noticed the following issues:

11 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-07-27 21:44

news

[rss feed]

[2024-07-29] libstb 0.0~git20240715.f7f20f39fe4f+ds-1 MIGRATED to testing (Debian testing watch)
[2024-07-27] Accepted libstb 0.0~git20240715.f7f20f39fe4f+ds-1 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2024-04-26] libstb 0.0~git20230129.5736b15+ds-1.2 MIGRATED to testing (Debian testing watch)
[2024-03-15] Accepted libstb 0.0~git20230129.5736b15+ds-1.2 (source) into unstable (Andrey Rakhmatullin) (signed by: Andrey Rahmatullin)
[2024-02-28] Accepted libstb 0.0~git20230129.5736b15+ds-1.1 (source) into unstable (Graham Inggs)
[2024-02-02] Accepted libstb 0.0~git20230129.5736b15+ds-1.1~exp1 (source) into experimental (Steve Langasek)
[2023-08-17] libstb 0.0~git20230129.5736b15+ds-1 MIGRATED to testing (Debian testing watch)
[2023-08-15] Accepted libstb 0.0~git20230129.5736b15+ds-1 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2023-02-09] Accepted libstb 0.0~git20220908.8b5f1f3+ds-1~bpo11+1 (source amd64) into bullseye-backports (Debian FTP Masters) (signed by: Boyuan Yang)
[2023-01-31] Accepted libstb 0.0~git20180212.15.e6afb9c-1+deb10u1 (source) into oldstable (Adrian Bunk)
[2022-09-30] libstb 0.0~git20220908.8b5f1f3+ds-1 MIGRATED to testing (Debian testing watch)
[2022-09-27] Accepted libstb 0.0~git20220908.8b5f1f3+ds-1 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2022-01-29] libstb 0.0~git20210910.af1a5bc+ds-1 MIGRATED to testing (Debian testing watch)
[2022-01-23] Accepted libstb 0.0~git20210910.af1a5bc+ds-1 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2021-03-10] libstb 0.0~git20200713.b42009b+ds-1 MIGRATED to testing (Debian testing watch)
[2021-02-27] Accepted libstb 0.0~git20200713.b42009b+ds-1 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2020-12-11] libstb 0.0~git20200713.b42009b-1 MIGRATED to testing (Debian testing watch)
[2020-12-08] Accepted libstb 0.0~git20200713.b42009b-1 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2019-09-22] libstb 0.0~git20190817.1.052dce1-1 MIGRATED to testing (Debian testing watch)
[2019-09-20] Accepted libstb 0.0~git20190817.1.052dce1-1 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2019-07-14] libstb 0.0~git20190617.5.c72a95d-2 MIGRATED to testing (Debian testing watch)
[2019-07-11] Accepted libstb 0.0~git20190617.5.c72a95d-2 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2019-07-08] Accepted libstb 0.0~git20190617.5.c72a95d-1 (source) into unstable (Yangfl) (signed by: Boyuan Yang)
[2018-11-27] libstb 0.0~git20180212.15.e6afb9c-1 MIGRATED to testing (Debian testing watch)
[2018-11-22] Accepted libstb 0.0~git20180212.15.e6afb9c-1 (source amd64) into unstable, unstable (Yangfl) (signed by: Boyuan Yang)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.0~git20240715.f7f20f39fe4f+ds-1