CVE-2020-25693

NameCVE-2020-25693
DescriptionA flaw was found in CImg in versions prior to 2.9.3. Integer overflows leading to heap buffer overflows in load_pnm() can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2462-1
Debian Bugs973770

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cimg (PTS)bullseye2.9.4+dfsg-2fixed
bookworm3.2.1+dfsg-1fixed
sid, trixie3.5.2+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cimgsourcestretch1.7.9+dfsg-1+deb9u2DLA-2462-1
cimgsourcebuster2.4.5+dfsg-1+deb10u1
cimgsource(unstable)2.9.4+dfsg-2973770

Notes

https://github.com/dtschump/CImg/pull/295
https://bugs.launchpad.net/ubuntu/+source/cimg/+bug/1900983
Fixed by: https://github.com/dtschump/CImg/commit/4f184f89f9ab6785a6c90fd238dbaa6d901d3505
Search for package or bug name: Reporting problems