Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918556 (CVE-2021-32420, CVE-2021-32421, CVE-2021-32422, CVE-2021-33388, CVE-2021-33390)

Summary: media-gfx/dpic: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: tex
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 20:15:36 UTC 
CVE-2021-32420 (https://gitlab.com/aplevich/dpic/-/issues/5):
https://gitlab.com/aplevich/dpic/-/commit/d317e4066c17f9ceb359b3af13264c32f6fb43cf

dpic 2021.01.01 has a Heap-based Buffer Overflow in thestorestring function in dpic.y.

CVE-2021-32421 (https://gitlab.com/aplevich/dpic/-/commit/d317e4066c17f9ceb359b3af13264c32f6fb43cf):
https://gitlab.com/aplevich/dpic/-/issues/7

dpic 2021.01.01 has a Heap Use-After-Free in thedeletestringbox() function in dpic.y.

CVE-2021-32422 (https://gitlab.com/aplevich/dpic/-/commit/d317e4066c17f9ceb359b3af13264c32f6fb43cf):
https://gitlab.com/aplevich/dpic/-/issues/6

dpic 2021.01.01 has a Global buffer overflow in theyylex() function in main.c and reads out of the bound array.

CVE-2021-33388 (https://gitlab.com/aplevich/dpic/-/issues/8):

dpic 2021.04.10 has a Heap Buffer Overflow in themakevar() function in dpic.y

CVE-2021-33390 (https://gitlab.com/aplevich/dpic/-/issues/10):

dpic 2021.04.10 has a use-after-free in thedeletestringbox() function in dpic.y. A different vulnerablility than CVE-2021-32421.

All issues closed, but I'm not certain they're all fixed without
references to fixes.