CVE-2021-42715

NameCVE-2021-42715
DescriptionAn issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3305-1
Debian Bugs1014532

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libstb (PTS)buster0.0~git20180212.15.e6afb9c-1vulnerable
buster (security)0.0~git20180212.15.e6afb9c-1+deb10u1fixed
bullseye0.0~git20200713.b42009b+ds-1vulnerable
bookworm0.0~git20220908.8b5f1f3+ds-1vulnerable
trixie, sid0.0~git20230129.5736b15+ds-1.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libstbsourcebuster0.0~git20180212.15.e6afb9c-1+deb10u1DLA-3305-1
libstbsource(unstable)0.0~git20230129.5736b15+ds-11014532

Notes

[bookworm] - libstb <no-dsa> (Minor issue)
[bullseye] - libstb <no-dsa> (Minor issue)
https://github.com/nothings/stb/issues/1224
https://github.com/nothings/stb/pull/1223

Search for package or bug name: Reporting problems