CVE-2021-45340

NameCVE-2021-45340
DescriptionIn Libsixel prior to and including v1.10.3, a NULL pointer dereference in the stb_image.h component of libsixel allows attackers to cause a denial of service (DOS) via a crafted PICT file.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1004377, 1124956

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libsixel (PTS)bullseye1.8.6-2vulnerable
bookworm1.10.3-3vulnerable
forky, sid, trixie1.10.5-1fixed
libstb (PTS)bullseye0.0~git20200713.b42009b+ds-1vulnerable
bookworm0.0~git20220908.8b5f1f3+ds-1vulnerable
trixie0.0~git20241109.5c20573+ds-1vulnerable
forky, sid0.0~git20250907.fede005+ds-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libsixelsource(unstable)1.10.5-11004377
libstbsource(unstable)(unfixed)1124956

Notes

[bookworm] - libsixel <ignored> (Minor issue)
[bullseye] - libsixel <no-dsa> (Minor issue)
[buster] - libsixel <no-dsa> (Minor issue)
[stretch] - libsixel <no-dsa> (Minor issue)
[trixie] - libstb <no-dsa> (Minor issue)
[bookworm] - libstb <no-dsa> (Minor issue)
https://github.com/libsixel/libsixel/issues/51
Fixed by: https://github.com/libsixel/libsixel/pull/52
libsixel bundles libstb and has fixed this issue, but a patch in src:libstb is missing:
https://github.com/saitoha/libsixel/commit/1c58a6ea708b6fa793ffb5a10798ccfea36e8eed (v1.8.7)
Search for package or bug name: Reporting problems