Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 939030 (CVE-2022-1325) - media-libs/cimg: Denial of service via RAM exhaustion
Summary: media-libs/cimg: Denial of service via RAM exhaustion
Status: CONFIRMED
Alias: CVE-2022-1325
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/GreycLab/CImg/issu...
Whiteboard: ~3 [ebuild]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-09-04 07:42 UTC by Filip Kobierski
Modified: 2024-09-08 08:45 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Kobierski 2024-09-04 07:42:24 UTC
Via a maliciously crafted pandore or bmp file with modified dx and dy header field values it is possible to trick the application into allocating huge buffer sizes like 64 Gigabyte upon reading the file from disk or from a virtual buffer.

I have created a PR fixing this:
https://github.com/gentoo/gentoo/pull/38411
Comment 1 Hans de Graaff gentoo-dev Security 2024-09-08 08:25:23 UTC
Based on the referenced pull request upstream this is fixed in 3.4.2.
Comment 2 Hans de Graaff gentoo-dev Security 2024-09-08 08:26:21 UTC
Adjusting whiteboard status given that there are no stable versions of this package.