CVE-2019-6247

Name	CVE-2019-6247
Description	An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SVG++ (aka svgpp) 1.2.3. A heap-based buffer overflow bug in svgpp_agg_render may lead to code execution. In the render_scanlines_aa_solid function, the blend_hline function is called repeatedly multiple times. blend_hline is equivalent to a loop containing write operations. Each call writes a piece of heap data, and multiple calls overwrite the data in the heap.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity	medium
Debian Bugs	919321

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
svgpp (PTS)	bullseye, sid, buster	1.2.3+dfsg1-6	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
svgpp	source	(unstable)	(unfixed)	unimportant		919321

Notes

https://github.com/svgpp/svgpp/issues/70
Issue only in src:svgpp which does not call the AGG-API in correct way.
No security impact, only used to build examples, see #921097