Bug#1032670: allegro4.4: CVE-2021-36489

2024-03-25 Thread Andreas Rönnquist
On Sun, 24 Mar 2024 21:46:40 +0100 Moritz Muehlenhoff wrote:
- 8< -
> 
> I never tried to reproduce these, but reproducibility of a given PoC
> made against a current version not working with an older version
> doesn't mean the old version isn't affected. From a quick glance the
> equivalent of the checks added in 5 are also needed in 4.4, e.g.
> rle_tga_read8() lacks a check for w overstepping c.
> 
> Given that all these image files are typically read from a trusted
> location/source shipped by a given game it's not a big deal, but I'd
> suggest to keep the bug open until 4.4 has been fully phased out or
> the fixes backported.
> 

Yeah, I believe that upstream isn't interested either in 4.4, but focus
pretty much fully on 5.x now - and my interest is basically on 5.x.
Previously my interest in 4.4 was because of alex4, but since that
package has turned out to be non-free and moved there, my interest in
it has waned, and consequently, in allegro4.4 too.

I believe a big part of Tobias Hansen's interest in Allegro 4 was due to
Aseprite, which has turned to a license that cannot be packaged in
Debian (but I don't want to claim that I 100% know Tobias' reasoning).

If anyone really wants to have allegro 4.4 still in Debian, my
suggestion would be to step up and help out with the package (but since
I believe upstream has no interest in it, I don't know how doable it
is).

I am considering removing myself from the allegro 4.4 package, but
still keep working on the 5.x one. There I soon have an upload coming, I
am just waiting for [1] to get solved (Fixing multiarch stuff for cmake
package config).

Of course, removing 4.4 would mean removal of quite some small nice
little games, but sometimes you just have to endure the negative.

/Andreas Rönnquist
gus...@debian.org

1: https://github.com/liballeg/allegro5/pull/1543



Bug#1032670: allegro4.4: CVE-2021-36489

2024-03-24 Thread Moritz Muehlenhoff
On Thu, Mar 21, 2024 at 09:33:51PM +0100, Andreas Rönnquist wrote:
> On Fri, 10 Mar 2023 18:04:23 +0100 Moritz Mühlenhoff wrote:
> > Source: allegro4.4
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for allegro4.4.
> > 
> > CVE-2021-36489[0]:
> > | Buffer Overflow vulnerability in Allegro through 5.2.6 allows
> > | attackers to cause a denial of service via crafted PCX/TGA/BMP files
> > | to allegro_image addon.
> > 
> > https://github.com/liballeg/allegro5/issues/1251
> > https://github.com/liballeg/allegro5/pull/1253
> > 
> > These fixes landed in Allegro 5.2.8.0:
> > https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a
> >  (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c
> >  (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7
> >  (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e
> >  (5.2.8.0)
> > 
> > In allegro 4.4, code is in src/[pcx|tga].c instead
> > 
> 
> Hey
> 
> I just tried to reproduce this now on the version of Allegro 4.4 in
> Debian, and using the crash file as mentioned in
> https://github.com/liballeg/allegro5/issues/1251
> 
> I cannot reproduce the crash on 4.4.
> 
> Can you still reproduce the crash on allegro4.4 from the debian package?
> 
> For me when running './ex_bitmap crash' I get a dialog "Error reading
> bitmap file 'crash'", but no crash of the program

I never tried to reproduce these, but reproducibility of a given PoC made
against a current version not working with an older version doesn't mean the old version
isn't affected. From a quick glance the equivalent of the checks added in 5 are
also needed in 4.4, e.g. rle_tga_read8() lacks a check for w overstepping c.

Given that all these image files are typically read from a trusted location/source
shipped by a given game it's not a big deal, but I'd suggest to keep the bug
open until 4.4 has been fully phased out or the fixes backported.

Cheers,
Moritz
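The missing check Moritz describes (an RLE packet count in rle_tga_read8() that is never compared against the remaining row width w before writing) is illustrated here with a bounds-checked 8-bit TGA RLE row decoder. This is an added example, not Allegro's code; the function name, the return convention and the sample packets are constructed for the demonstration.

```c
/* Added example (not Allegro's code): a bounds-checked 8-bit TGA RLE
 * row decoder modelled on the packet format the thread discusses.
 * TGA RLE packets: header byte h; if (h & 0x80) it is a run packet that
 * repeats the next byte (h & 0x7f) + 1 times, otherwise it is a raw
 * packet of (h & 0x7f) + 1 literal bytes. A decoder that trusts the
 * count without comparing it against the pixels still missing from the
 * row writes past the end of the row buffer; this version refuses such
 * packets instead. */
#include <stddef.h>
#include <string.h>

/* Decode one scanline of w pixels from src into dst.
 * Returns the number of source bytes consumed, or -1 if the input is
 * truncated or a packet would overstep the row (the check the thread
 * says allegro4.4's rle_tga_read8() lacks). */
long rle_tga_decode8_row(const unsigned char *src, size_t srclen,
                         unsigned char *dst, size_t w)
{
    size_t si = 0, c = 0;       /* source index, pixels written so far */
    while (c < w) {
        if (si >= srclen) return -1;          /* truncated packet header */
        unsigned char h = src[si++];
        size_t count = (size_t)(h & 0x7f) + 1;
        if (count > w - c) return -1;         /* run would overstep the row */
        if (h & 0x80) {                       /* run-length packet */
            if (si >= srclen) return -1;      /* missing run value */
            memset(dst + c, src[si++], count);
        } else {                              /* raw packet */
            if (srclen - si < count) return -1; /* truncated literals */
            memcpy(dst + c, src + si, count);
            si += count;
        }
        c += count;
    }
    return (long)si;
}

/* Self-check on constructed inputs (not from the bug report). */
int rle_selfcheck(void)
{
    unsigned char row[8];
    /* run of 5 x 0xAA, then a raw packet of 3 bytes: exactly fills w=8 */
    const unsigned char good[] = {0x84, 0xAA, 0x02, 1, 2, 3};
    /* run of 16 pixels declared for an 8-pixel row: must be rejected */
    const unsigned char bad[] = {0x8F, 0xBB};
    if (rle_tga_decode8_row(good, sizeof good, row, 8) != 6) return 0;
    if (row[0] != 0xAA || row[4] != 0xAA || row[5] != 1 || row[7] != 3) return 0;
    if (rle_tga_decode8_row(bad, sizeof bad, row, 8) != -1) return 0;
    return 1;
}
```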



Bug#1032670: allegro4.4: CVE-2021-36489

2024-03-21 Thread Andreas Rönnquist
On Fri, 10 Mar 2023 18:04:23 +0100 Moritz Mühlenhoff wrote:
> Source: allegro4.4
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for allegro4.4.
> 
> CVE-2021-36489[0]:
> | Buffer Overflow vulnerability in Allegro through 5.2.6 allows
> | attackers to cause a denial of service via crafted PCX/TGA/BMP files
> | to allegro_image addon.
> 
> https://github.com/liballeg/allegro5/issues/1251
> https://github.com/liballeg/allegro5/pull/1253
> 
> These fixes landed in Allegro 5.2.8.0:
> https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a
>  (5.2.8.0)
> https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c
>  (5.2.8.0)
> https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7
>  (5.2.8.0)
> https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e
>  (5.2.8.0)
> 
> In allegro 4.4, code is in src/[pcx|tga].c instead
> 

Hey

I just tried to reproduce this now on the version of Allegro 4.4 in
Debian, and using the crash file as mentioned in
https://github.com/liballeg/allegro5/issues/1251

I cannot reproduce the crash on 4.4.

Can you still reproduce the crash on allegro4.4 from the debian package?

For me when running './ex_bitmap crash' I get a dialog "Error reading
bitmap file 'crash'", but no crash of the program

best
/Andreas
gus...@debian.org



Bug#1032670: allegro4.4: CVE-2021-36489

2023-03-10 Thread Moritz Mühlenhoff
Source: allegro4.4
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for allegro4.4.

CVE-2021-36489[0]:
| Buffer Overflow vulnerability in Allegro through 5.2.6 allows
| attackers to cause a denial of service via crafted PCX/TGA/BMP files
| to allegro_image addon.

https://github.com/liballeg/allegro5/issues/1251
https://github.com/liballeg/allegro5/pull/1253

These fixes landed in Allegro 5.2.8.0:
https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a
 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c
 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7
 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e
 (5.2.8.0)

In allegro 4.4, code is in src/[pcx|tga].c instead


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36489
https://www.cve.org/CVERecord?id=CVE-2021-36489

Please adjust the affected versions in the BTS as needed.