Package: libsixel
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libsixel.
AFAICS upstream didn't act on them yet (see issues links).

CVE-2018-19756[0]:
| There is a heap-based buffer over-read at stb_image.h (function:
| stbi__tga_load) in libsixel 1.8.2 that will cause a denial of service.

CVE-2018-19757[1]:
| There is a NULL pointer dereference at function
| sixel_helper_set_additional_message (status.c) in libsixel 1.8.2 that
| will cause a denial of service.

CVE-2018-19759[2]:
| There is a heap-based buffer over-read at stb_image_write.h (function:
| stbi_write_png_to_mem) in libsixel 1.8.2 that will cause a denial of
| service.

CVE-2018-19761[3]:
| There is an illegal address access at fromsixel.c (function:
| sixel_decode_raw_impl) in libsixel 1.8.2 that will cause a denial of
| service.

CVE-2018-19762[4]:
| There is a heap-based buffer overflow at fromsixel.c (function:
| image_buffer_resize) in libsixel 1.8.2 that will cause a denial of
| service or possibly unspecified other impact.

CVE-2018-19763[5]:
| There is a heap-based buffer over-read at writer.c (function:
| write_png_to_file) in libsixel 1.8.2 that will cause a denial of
| service.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19756
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19756
    https://github.com/saitoha/libsixel/issues/80
[1] https://security-tracker.debian.org/tracker/CVE-2018-19757
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19757
    https://github.com/saitoha/libsixel/issues/79
[2] https://security-tracker.debian.org/tracker/CVE-2018-19759
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19759
    https://github.com/saitoha/libsixel/issues/77
[3] https://security-tracker.debian.org/tracker/CVE-2018-19761
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19761
    https://github.com/saitoha/libsixel/issues/78
[4] https://security-tracker.debian.org/tracker/CVE-2018-19762
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19762
    https://github.com/saitoha/libsixel/issues/81
[5] https://security-tracker.debian.org/tracker/CVE-2018-19763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19763
    https://github.com/saitoha/libsixel/issues/82

Please adjust the affected versions in the BTS as needed.

Cheers!
Sylvain Beucler, Debian LTS team