
Bug 711274 (CVE-2019-13217, CVE-2019-13218, CVE-2019-13219, CVE-2019-13220, CVE-2019-13221, CVE-2019-13222, CVE-2019-13223, CVE-2019-15058, CVE-2020-6617, CVE-2020-6618, CVE-2020-6619, CVE-2020-6620, CVE-2020-6621, CVE-2020-6622, CVE-2020-6623)

Summary: <dev-libs/stb-20200205: Multiple vulnerabilities (CVE-2019-{13217-13223,15058}, CVE-2020-{6617-6623})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: 3dprint, mathy, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/nothings/stb/issues/790
See Also: https://github.com/gentoo/gentoo/pull/16263
https://github.com/gentoo/gentoo/pull/16264
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-03-02 01:58:51 UTC
Description:
"stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service."

No upstream fix yet.
Comment 1 Sam James archtester gentoo-dev Security 2020-03-02 02:40:50 UTC
Additional vulnerabilities:

2) CVE-2019-13217

Description:
"A heap buffer overflow in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file."

3) CVE-2019-13218

Description:
"Division by zero in the predict_point function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file."

4) CVE-2019-13219

Description:
"A NULL pointer dereference in the get_window function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file."

5) CVE-2019-13220

Description:
"Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file."

6) CVE-2019-13221

Description:
"A stack buffer overflow in the compute_codewords function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file."

7) CVE-2019-13222

Description:
"An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file."

8) CVE-2019-13223

Description:
"A reachable assertion in the lookup1_values function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file."

---
Same patch for all: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-12 00:09:32 UTC
Adding a few more CVEs since this was not fixed.

CVE-2020-6623
    CVE ID: CVE-2020-6623
   Summary: stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff_get_index.
 Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
     State: NEW
      Bugs:

CVE-2020-6622
    CVE ID: CVE-2020-6622
   Summary: stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_peek8.
 Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
     State: NEW
      Bugs:

CVE-2020-6621
    CVE ID: CVE-2020-6621
   Summary: stb stb_truetype.h through 1.22 has a heap-based buffer over-read in ttUSHORT.
 Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
     State: NEW
      Bugs:

CVE-2020-6620
    CVE ID: CVE-2020-6620
   Summary: stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_get8.
 Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
     State: NEW
      Bugs:

CVE-2020-6619
    CVE ID: CVE-2020-6619
   Summary: stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf_seek.
 Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
     State: NEW
      Bugs:

CVE-2020-6618
    CVE ID: CVE-2020-6618
   Summary: stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__find_table.
 Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
     State: NEW
      Bugs:

CVE-2020-6617
    CVE ID: CVE-2020-6617
   Summary: stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff_int.
 Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
     State: NEW
      Bugs:
Comment 3 Larry the Git Cow gentoo-dev 2020-07-01 06:39:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9049f05e1e9c725bb72e3769ba3f114c0d884c3a

commit 9049f05e1e9c725bb72e3769ba3f114c0d884c3a
Author:     Dennis Lamm <expeditioneer@gentoo.org>
AuthorDate: 2020-06-16 04:44:18 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-01 06:38:31 +0000

    dev-libs/stb: version bump 20200205
    
    Closes: https://bugs.gentoo.org/696726
    Bug: https://bugs.gentoo.org/711274
    
    Signed-off-by: Dennis Lamm <expeditioneer@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16264
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/stb/Manifest            |  1 +
 dev-libs/stb/stb-20200205.ebuild | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
Comment 4 Sam James archtester gentoo-dev Security 2020-07-01 20:18:34 UTC
Hm. Everything but the original vulnerability was fixed.

Let's use this bug for all the others, then come back and do the original in another bug, I guess.

@maintainer, let us know when ready to stable.
Comment 5 Sam James archtester gentoo-dev Security 2020-08-05 18:20:00 UTC
Any objections, or we'll stable?
Comment 6 Sam James archtester gentoo-dev Security 2020-08-15 04:05:02 UTC
Please cleanup.
Comment 7 Larry the Git Cow gentoo-dev 2020-09-17 23:26:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47e175b2635de2e1eb7a48ccd06ee015f4aa397f

commit 47e175b2635de2e1eb7a48ccd06ee015f4aa397f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-17 23:26:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-17 23:26:47 +0000

    dev-libs/stb: security cleanup
    
    Bug: https://bugs.gentoo.org/711274
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/stb/Manifest            |  1 -
 dev-libs/stb/stb-20180211.ebuild | 34 ----------------------------------
 2 files changed, 35 deletions(-)