On Wed, Aug 25, 2021 at 09:23:37PM +0200, Salvatore Bonaccorso wrote:
> Source: plib
> Version: 1.8.5-8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://sourceforge.net/p/plib/bugs/55/
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for plib.
>
> CVE-2021-38714[0]:
> | In Plib through 1.85, there is an integer overflow vulnerability that
> | could result in arbitrary code execution. The vulnerability is found
> | in ssgLoadTGA() function in src/ssg/ssgLoadTGA.cxx file.
>
> The severity of this bug is set on purpose higher than is
> probably warranted. There is the following reason for that: plib has been
> orphaned in Debian for a while, and it is obsoleted and unmaintained
> upstream as well. Ideally it gets removed from Debian in the next
> release, but there would be some reverse dependency issues to be
> solved, making it impossible for now to remove the package:
>
> | Checking reverse dependencies...
> | # Broken Depends:
> | crrcsim: crrcsim [amd64 arm64 armhf i386 mips64el mipsel ppc64el s390x]
> | flightgear: flightgear
> | openuniverse: openuniverse
> | stormbaancoureur: stormbaancoureur
> | torcs: torcs
> |
> | # Broken Build-Depends:
> | crrcsim: libplib-dev
> | flightgear: libplib-dev
> | torcs: libplib-dev
> |
> | Dependency problem found.
These are all games, which load their data from a trusted source/the deb (and plib is specifically a game lib). One option to fix this would be to simply disable SSG (a simple scene graph based on OpenGL); OpenSUSE did this by passing --enable-ssg=no --enable-ssgaux=no to the configure flags. It needs to be tested whether any of the reverse deps need SSG, though.

Cheers,
Moritz