Gentoo Linux Security Advisory 202409-15
Gentoo Linux Security Advisory 202409-15 - Multiple vulnerabilities have been discovered in stb, the worst of which lead to a denial of service. Versions prior to 20240201 are affected.
Gentoo Linux Security Advisory GLSA 202409-15
https://security.gentoo.org/
Severity: Normal
Title: stb: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #818556
ID: 202409-15
Synopsis
Multiple vulnerabilities have been discovered in stb, the worst of which
lead to a denial of service.
Background
A set of single-file public domain (or MIT licensed) libraries for C/C++
Affected packages
Package          Vulnerable     Unaffected
---------------  -------------  -------------
dev-libs/stb     < 20240201     >= 20240201
Description
Multiple vulnerabilities have been discovered in stb. Please review the
CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All stb users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=dev-libs/stb-20240201"
Note that stb is included at compile time, so all packages that depend
on it should also be reinstalled. If you have app-portage/gentoolkit
installed you can use:
emerge --ask --verbose $( equery depends dev-libs/stb | sed 's/^/=/' )
References
[ 1 ] CVE-2021-28021
https://nvd.nist.gov/vuln/detail/CVE-2021-28021
[ 2 ] CVE-2021-37789
https://nvd.nist.gov/vuln/detail/CVE-2021-37789
[ 3 ] CVE-2021-42715
https://nvd.nist.gov/vuln/detail/CVE-2021-42715
[ 4 ] CVE-2021-42716
https://nvd.nist.gov/vuln/detail/CVE-2021-42716
[ 5 ] CVE-2022-28041
https://nvd.nist.gov/vuln/detail/CVE-2022-28041
[ 6 ] CVE-2022-28042
https://nvd.nist.gov/vuln/detail/CVE-2022-28042
[ 7 ] CVE-2022-28048
https://nvd.nist.gov/vuln/detail/CVE-2022-28048
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202409-15
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
stb_image.h 2.27 has a heap-based buffer overflow in stbi__jpeg_load, leading to Information Disclosure or Denial of Service.
stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
stb_image.h v2.27 was discovered to contain a heap-based use-after-free via the function stbi__jpeg_huff_decode.
An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files.
Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file.
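The HDR entry above (CVE-2021-42715) describes a loader that treats a truncated RLE scanline as an endless series of zero-length runs. The following is an added, constructed illustration of that failure class and of the check that closes it; it is not stb's code, and the reader type, sample bytes, `decode_scanline` and `decode_sample` names are all assumptions made for this example. The step counter is a demonstration-only guard so the unhardened path terminates instead of spinning.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed in-memory reader standing in for a file. Like a naive byte
 * getter, it returns 0 once the data is exhausted, so a truncated stream
 * looks like an endless run of zero bytes; it also records that EOF was hit. */
typedef struct { const uint8_t *p; size_t len, pos; int eof; } reader_t;

static uint8_t get8(reader_t *r) {
    if (r->pos < r->len) return r->p[r->pos++];
    r->eof = 1;
    return 0;
}

/* Radiance-style RLE: a count byte > 128 repeats the next byte (count-128)
 * times; otherwise the next `count` bytes are copied literally. Returns the
 * number of bytes decoded, -1 if the hardened check rejects the stream, or
 * -2 if the unhardened loop stalled (stall guard for demonstration only). */
static int decode_scanline(reader_t *r, uint8_t *out, int width, int hardened) {
    int i = 0, steps = 0;
    while (i < width) {
        int count = get8(r);
        /* Hardened form: a zero-length run or a read past EOF can never
         * advance `i`, so reject the scanline instead of looping. */
        if (hardened && (r->eof || count == 0)) return -1;
        if (++steps > width * 4) return -2;   /* constructed stall detector */
        if (count > 128) {
            uint8_t value = get8(r);
            count -= 128;
            if (i + count > width) return -1;  /* bounds check kept in both forms */
            memset(out + i, value, (size_t)count);
        } else {
            if (i + count > width) return -1;
            for (int k = 0; k < count; k++) out[i + k] = get8(r);
            if (hardened && r->eof) return -1; /* literal bytes ran off the end */
        }
        i += count;
    }
    return i;
}

/* Constructed samples: a complete 4-byte scanline (run of two 0xAA, then two
 * literal bytes) and the same scanline cut off right after the run. */
static const uint8_t SAMPLE_OK[]        = {0x82, 0xAA, 0x02, 0x01, 0x02};
static const uint8_t SAMPLE_TRUNCATED[] = {0x82, 0xAA};

/* Decodes one sample into out[4]; see decode_scanline for return codes. */
int decode_sample(int truncated, int hardened, uint8_t out[4]) {
    reader_t r = { truncated ? SAMPLE_TRUNCATED : SAMPLE_OK,
                   truncated ? sizeof SAMPLE_TRUNCATED : sizeof SAMPLE_OK, 0, 0 };
    return decode_scanline(&r, out, 4, hardened);
}
```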