Source: libstb
Version: 0.0~git20190617.5.c72a95d-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for libstb.

CVE-2019-13217[0]:
| A heap buffer overflow in the start_decoder function in stb_vorbis
| through 2019-03-04 allows an attacker to cause a denial of service or
| execute arbitrary code by opening a crafted Ogg Vorbis file.

CVE-2019-13218[1]:
| Division by zero in the predict_point function in stb_vorbis through
| 2019-03-04 allows an attacker to cause a denial of service by opening
| a crafted Ogg Vorbis file.

CVE-2019-13219[2]:
| A NULL pointer dereference in the get_window function in stb_vorbis
| through 2019-03-04 allows an attacker to cause a denial of service by
| opening a crafted Ogg Vorbis file.

CVE-2019-13220[3]:
| Use of uninitialized stack variables in the start_decoder function in
| stb_vorbis through 2019-03-04 allows an attacker to cause a denial of
| service or disclose sensitive information by opening a crafted Ogg
| Vorbis file.

CVE-2019-13221[4]:
| A stack buffer overflow in the compute_codewords function in
| stb_vorbis through 2019-03-04 allows an attacker to cause a denial of
| service or execute arbitrary code by opening a crafted Ogg Vorbis
| file.

CVE-2019-13222[5]:
| An out-of-bounds read of a global buffer in the draw_line function in
| stb_vorbis through 2019-03-04 allows an attacker to cause a denial of
| service or disclose sensitive information by opening a crafted Ogg
| Vorbis file.

CVE-2019-13223[6]:
| A reachable assertion in the lookup1_values function in stb_vorbis
| through 2019-03-04 allows an attacker to cause a denial of service by
| opening a crafted Ogg Vorbis file.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13217
[1] https://security-tracker.debian.org/tracker/CVE-2019-13218
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13218
[2] https://security-tracker.debian.org/tracker/CVE-2019-13219
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13219
[3] https://security-tracker.debian.org/tracker/CVE-2019-13220
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13220
[4] https://security-tracker.debian.org/tracker/CVE-2019-13221
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13221
[5] https://security-tracker.debian.org/tracker/CVE-2019-13222
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13222
[6] https://security-tracker.debian.org/tracker/CVE-2019-13223
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13223

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore