On Thu, Mar 21, 2024 at 09:33:51PM +0100, Andreas Rönnquist wrote:
> On Fri, 10 Mar 2023 18:04:23 +0100 Moritz Mühlenhoff
> <j...@inutil.org> wrote:
> > Source: allegro4.4
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for allegro4.4.
> >
> > CVE-2021-36489[0]:
> > | Buffer Overflow vulnerability in Allegro through 5.2.6 allows
> > | attackers to cause a denial of service via crafted PCX/TGA/BMP files
> > | to allegro_image addon.
> >
> > https://github.com/liballeg/allegro5/issues/1251
> > https://github.com/liballeg/allegro5/pull/1253
> >
> > These fixes landed in Allegro 5.2.8.0:
> > https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7 (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e (5.2.8.0)
> >
> > In allegro 4.4, code is in src/[pcx|tga].c instead
> >
>
> Hey
>
> I just tried to reproduce this now on the version of Allegro 4.4 in
> Debian, and using the crash file as mentioned in
> https://github.com/liballeg/allegro5/issues/1251
>
> I cannot reproduce the crash on 4.4.
>
> Can you still reproduce the crash on allegro4.4 from the Debian package?
>
> For me when running './ex_bitmap crash' I get a dialog "Error reading
> bitmap file 'crash'", but no crash of the program
I never tried to reproduce these, but a given PoC made against a current
version not reproducing with an older version doesn't mean the old version
isn't affected. From a quick glance the equivalent of the checks added in 5
are also needed in 4.4, e.g. rle_tga_read8() lacks a check for w overstepping c.

Given that all these image files are typically read from a trusted
location/source shipped by a given game it's not a big deal, but I'd suggest
to keep the bug open until 4.4 has been fully phased out or the fixes
backported.

Cheers,
Moritz
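To make the missing check discussed above concrete, here is an added example (written for this page, not allegro's own src/tga.c and not any of the linked commits): a simplified RLE TGA row decoder in the shape of a reader that only stops once the running pixel count c reaches the row width w, beside a hardened version that bounds each packet by the pixels still missing from the row. The in-memory reader, the packet bytes and all function names are constructed for the demo; the unchecked decoder is given a padded buffer and reports how many bytes it wrote, so the overrun is visible without corrupting real memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed in-memory stand-in for a PACKFILE-style byte reader (demo only). */
typedef struct { const uint8_t *data; size_t len; size_t pos; } mem_file;

static int mem_getc(mem_file *f)
{
    return f->pos < f->len ? f->data[f->pos++] : EOF;
}

/* Unchecked decoder: the only stop condition is "c has reached w", evaluated
 * after a packet has already been written in full. A packet longer than the
 * remaining w - c pixels therefore writes past the end of b.
 * Returns the number of bytes actually written so the overrun is observable. */
static int rle_read8_unchecked(uint8_t *b, int w, mem_file *f)
{
    int c = 0, written = 0;
    do {
        int count = mem_getc(f);
        if (count == EOF)
            break;
        if (count & 0x80) {               /* run packet: one value, count times */
            int value = mem_getc(f);
            count = (count & 0x7F) + 1;
            if (value == EOF)
                break;
            c += count;
            while (count--) { *(b++) = (uint8_t)value; written++; }
        } else {                          /* raw packet: count literal pixels follow */
            count++;
            c += count;
            while (count--) {
                int v = mem_getc(f);
                if (v == EOF)
                    return written;
                *(b++) = (uint8_t)v; written++;
            }
        }
    } while (c < w);                      /* nothing above caps count at w - c */
    return written;
}

/* Hardened decoder: every packet is checked against w - c before any write.
 * Returns w on success, -1 if a packet would overstep the row or input is short. */
static int rle_read8_checked(uint8_t *b, int w, mem_file *f)
{
    int c = 0;
    while (c < w) {
        int count = mem_getc(f);
        if (count == EOF)
            return -1;
        if (count & 0x80) {
            int value = mem_getc(f);
            count = (count & 0x7F) + 1;
            if (value == EOF || count > w - c)
                return -1;
            c += count;
            while (count--) *(b++) = (uint8_t)value;
        } else {
            count++;
            if (count > w - c)
                return -1;
            c += count;
            while (count--) {
                int v = mem_getc(f);
                if (v == EOF)
                    return -1;
                *(b++) = (uint8_t)v;
            }
        }
    }
    return c;
}

/* Constructed sample rows for an 8-pixel-wide image (not from any real file). */
#define ROW_W 8
static const uint8_t benign_row[]  = { 0x83, 0x41, 0x03, 0x01, 0x02, 0x03, 0x04 }; /* 4-run + 4 raw */
static const uint8_t crafted_row[] = { 0xFF, 0x41 };  /* one 128-pixel run into an 8-pixel row */

/* A packet is at most 128 pixels and the unchecked loop exits once c >= w, so
 * the overrun is bounded by 128 bytes; the slack only keeps this demo memory-safe. */
int decode_unchecked_bytes(const uint8_t *row, size_t len)
{
    uint8_t buf[ROW_W + 128];
    mem_file f = { row, len, 0 };
    return rle_read8_unchecked(buf, ROW_W, &f);
}

int decode_checked_bytes(const uint8_t *row, size_t len)
{
    uint8_t buf[ROW_W];                   /* exactly one row: no slack needed */
    mem_file f = { row, len, 0 };
    return rle_read8_checked(buf, ROW_W, &f);
}

int main(void)
{
    printf("benign  unchecked=%d checked=%d\n",
           decode_unchecked_bytes(benign_row, sizeof benign_row),
           decode_checked_bytes(benign_row, sizeof benign_row));
    printf("crafted unchecked=%d checked=%d\n",
           decode_unchecked_bytes(crafted_row, sizeof crafted_row),
           decode_checked_bytes(crafted_row, sizeof crafted_row));
    return 0;
}
```

On the benign row both decoders produce exactly 8 bytes; on the crafted row the unchecked decoder writes 128 bytes into what should be an 8-byte row, while the checked decoder rejects the packet before writing anything. The same shape of check is what a backport to src/tga.c (and the corresponding run decoding in src/pcx.c) would need, applied per packet against the remaining width rather than only at the end of the row.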