| Name | CVE-2021-36489 |
| Description | Buffer Overflow vulnerability in Allegro through 5.2.6 allows attackers to cause a denial of service via crafted PCX/TGA/BMP files to allegro_image addon. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1032670 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| allegro4.4 (PTS) | buster | 2:4.4.2-13 | vulnerable |
| bullseye | 2:4.4.3.1-2 | vulnerable |
| bookworm | 2:4.4.3.1-3 | vulnerable |
| trixie | 2:4.4.3.1-4 | vulnerable |
| sid | 2:4.4.3.1-4.1 | vulnerable |
| allegro5 (PTS) | buster | 2:5.2.4.0-3 | vulnerable |
| bullseye | 2:5.2.6.0-3 | vulnerable |
| bookworm | 2:5.2.8.0+dfsg-1 | fixed |
| trixie | 2:5.2.9.1+dfsg-1 | fixed |
| sid | 2:5.2.9.1+dfsg-1.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| allegro4.4 | source | (unstable) | (unfixed) | | | 1032670 |
| allegro5 | source | (unstable) | 2:5.2.8.0-1 | | | |
Notes
[bookworm] - allegro4.4 <no-dsa> (Minor issue)
[bullseye] - allegro4.4 <no-dsa> (Minor issue)
[buster] - allegro4.4 <no-dsa> (Minor issue)
[bullseye] - allegro5 <no-dsa> (Minor issue)
[buster] - allegro5 <no-dsa> (Minor issue)
https://github.com/liballeg/allegro5/issues/1251
https://github.com/liballeg/allegro5/pull/1253
https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a (5.2.8.0)
https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c (5.2.8.0)
https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e (5.2.8.0)
In allegro 4.4, code is in src/[pcx|tga].c instead