Bug 2017913 (CVE-2021-42716)

Summary: CVE-2021-42716 stb: heap-based buffer overflow in stb_image PNM loader
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: code, mhroncok, otaylor, wtaymans
Keywords: Security
Hardware: All
OS: Linux
Bug Depends On: 2017914, 2017915, 2018008
Bug Blocks: 2017916

Description Guilherme de Almeida Suckevicz 2021-10-27 17:11:58 UTC
An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location.

References:
https://github.com/nothings/stb/issues/1225
https://github.com/nothings/stb/issues/1166

Upstream patch:
https://github.com/nothings/stb/pull/1223
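As an added illustration of the size mismatch described in the report (this is not stb_image's code or the upstream fix; the P5 header parser, the function names and the sample headers are constructed for this example), the following derives the decoded size from the file's maxval and shows how many bytes an 8-bit assumption leaves missing once an RGBA buffer is treated as 16-bit:

```c
#include <ctype.h>
#include <stddef.h>
/* Added illustration (not stb_image's own code): parse a binary PGM (P5) header and
 * measure how short an 8-bit-sized RGBA buffer falls when samples are really 16-bit. */
typedef struct { int w, h, maxval; } pgm_hdr;

/* Skip whitespace and '#' comments between header tokens. */
static const unsigned char *skip_ws(const unsigned char *p, const unsigned char *end) {
    while (p < end && (isspace(*p) || *p == '#')) {
        if (*p == '#') { while (p < end && *p != '\n') p++; } else p++;
    }
    return p;
}

/* Read one decimal header field; reject a missing or absurdly large value. */
static int read_int(const unsigned char **pp, const unsigned char *end, int *out) {
    const unsigned char *p = skip_ws(*pp, end);
    long v = 0, digits = 0;
    for (; p < end && isdigit(*p); p++, digits++) {
        v = v * 10 + (*p - '0');
        if (v > (1L << 24)) return 0;
    }
    if (!digits) return 0;
    *out = (int)v; *pp = p; return 1;
}

/* Returns 1 if buf starts with a well-formed P5 header, filling *hdr. */
int parse_pgm_header(const unsigned char *buf, size_t len, pgm_hdr *hdr) {
    const unsigned char *p = buf, *end = buf + len;
    if (len < 2 || p[0] != 'P' || p[1] != '5') return 0;
    p += 2;
    if (!read_int(&p, end, &hdr->w) || !read_int(&p, end, &hdr->h) ||
        !read_int(&p, end, &hdr->maxval)) return 0;
    return hdr->w > 0 && hdr->h > 0 && hdr->maxval > 0 && hdr->maxval <= 65535;
}

/* PGM stores one byte per sample when maxval <= 255, two bytes otherwise. */
int pgm_bytes_per_sample(const pgm_hdr *h) { return h->maxval > 255 ? 2 : 1; }
/* Bytes missing when an RGBA buffer allocated as if samples were 8-bit is later
 * reinterpreted as 16-bit; 0 for genuine 8-bit files or unparseable input. */
size_t pgm_rgba_shortfall(const unsigned char *buf, size_t len) {
    pgm_hdr h;
    if (!parse_pgm_header(buf, len, &h)) return 0;
    size_t assumed = (size_t)h.w * h.h * 4;             /* RGBA, one byte per sample */
    return assumed * pgm_bytes_per_sample(&h) - assumed; /* true size minus assumed */
}
/* Constructed sample headers; pixel data omitted since only the header is parsed. */
static const unsigned char SAMPLE_PGM16[] = "P5\n# constructed 8x8 16-bit\n8 8\n65535\n";
static const unsigned char SAMPLE_PGM8[] = "P5\n8 8\n255\n";
```

A loader that sizes its output from the file's true sample width (the maxval check above) never produces this shortfall, which is the defensive property a fix must restore.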

Comment 1 Guilherme de Almeida Suckevicz 2021-10-27 17:12:16 UTC
Created stb tracking bugs for this issue:

Affects: epel-all [bug 2017915]
Affects: fedora-all [bug 2017914]

Comment 2 Ben Beasley 2021-10-27 17:21:27 UTC
Updates applying the fix (PR#1223) are already in Rawhide and are in testing for stable releases. I have aligned all stable releases and EPELs so that stb_image >= 2.27-0.7 contains patches for CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716. I will modify these updates to associate the appropriate newly-created bugs.

Since stb_image is a header-only library, dependent packages need to be rebuilt to benefit from the fix. I have created buildroot overrides to allow this while updates are still in testing, and some dependent packages have already been updated in some releases.

Since stb_image is designed to be bundled, there are probably a number of packages containing bundled copies that are affected. Many of these are likely undeclared (missing Provides: bundled(stb) or Provides: bundled(stb_image)).

Comment 4 Owen Taylor 2021-10-28 16:34:30 UTC
To clarify the status for cogl and clutter:

The cogl library contains an old version of stb_image.c; however, this is only compiled in when gdk-pixbuf support is disabled. cogl as shipped in RHEL and Fedora uses gdk-pixbuf, so it is not affected by this vulnerability. This also applies to the bundled copy of cogl inside clutter in RHEL 6 and very old versions of Fedora.