818556 – (CVE-2021-28021, CVE-2021-37789, CVE-2021-42715, CVE-2021-42716, CVE-2022-28041, CVE-2022-28042, CVE-2022-28048) dev-libs/stb: multiple vulnerabilities

Bug 818556 (CVE-2021-28021, CVE-2021-37789, CVE-2021-42715, CVE-2021-42716, CVE-2022-28041, CVE-2022-28042, CVE-2022-28048) - dev-libs/stb: multiple vulnerabilities

Summary: dev-libs/stb: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2021-28021, CVE-2021-37789, CVE-2021-42715, CVE-2021-42716, CVE-2022-28041, CVE-2022-28042, CVE-2022-28048

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/nothings/stb/issue...
Whiteboard:	B2 [upstream/ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2021-10-17 03:06 UTC by John Helmert III
Modified:	2022-11-02 14:53 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-10-17 03:06:04 UTC

CVE-2021-28021:

Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file.

Comment 1 John Helmert III archtester

2021-10-22 21:52:12 UTC

CVE-2021-42715:

An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files.

PR Patch: https://github.com/nothings/stb/pull/1223

CVE-2021-42716:

An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location.

PR Patch: https://github.com/nothings/stb/pull/1223

I'm absolutely baffled as to why these versions are in the CVE descriptions, only ALT Linux and something called "Rosa" seem to be using this scheme, but I don't see why they might be getting it from.

Neither patch is accepted yet.

Comment 2 John Helmert III archtester

2022-04-16 05:00:52 UTC

CVE-2022-28048 (https://github.com/nothings/stb/pull/1297):
https://github.com/nothings/stb/issues/1293

STB v2.27 was discovered to contain an integer shift of invalid size in the component stbi__jpeg_decode_block_prog_ac.

CVE-2022-28041 (https://github.com/nothings/stb/pull/1297):
https://github.com/nothings/stb/issues/1292

stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

CVE-2022-28042 (https://github.com/nothings/stb/issues/1289):
https://github.com/nothings/stb/pull/1297

stb_image.h v2.27 was discovered to contain an heap-based use-after-free via the function stbi__jpeg_huff_decode.


None of these patches accepted, either.

Comment 3 John Helmert III archtester

2022-11-02 14:53:12 UTC

CVE-2021-37789 (https://github.com/nothings/stb/issues/1178):

stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, leading to Information Disclosure or Denial of Service.