Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 799425 (CVE-2021-36083, OSV-2021-695) - <kde-frameworks/kimageformats-5.82.0: Stack buffer overflow (CVE-2021-36083)
Summary: <kde-frameworks/kimageformats-5.82.0: Stack buffer overflow (CVE-2021-36083)
Status: IN_PROGRESS
Alias: CVE-2021-36083, OSV-2021-695
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-01 05:31 UTC by Sam James
Modified: 2022-03-12 11:42 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-01 05:31:49 UTC
Description:
"KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer overflow in XCFImageFormat::loadTileRLE."


https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml
https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f 

Fix didn't seem to make it into 5.82.0.
Comment 1 Andreas Sturmlechner gentoo-dev 2021-07-01 07:58:25 UTC
https://mail.kde.org/pipermail/release-team/2021-May/012289.html

Nothing to do here.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:21:16 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:29:24 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:37:22 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:45:27 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:53:32 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:01:26 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:09:47 UTC
Package list is empty or all packages have requested keywords.
Comment 9 Reva Denis 2022-03-12 11:42:20 UTC
The issue should be closed