Bug 2017908 (CVE-2021-42715) - CVE-2021-42715 stb: DoS in stb_image HDR loader via a crafted file
Summary: CVE-2021-42715 stb: DoS in stb_image HDR loader via a crafted file
Status: NEW
Alias: CVE-2021-42715
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2018009 2017910 2017911
Blocks: 2017916
Reported: 2021-10-27 17:08 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-29 18:18 UTC


Description Guilherme de Almeida Suckevicz 2021-10-27 17:08:03 UTC
An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files.


Upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-10-27 17:08:22 UTC
Created stb tracking bugs for this issue:

Affects: epel-all [bug 2017910]
Affects: fedora-all [bug 2017911]

Comment 2 Ben Beasley 2021-10-27 17:19:37 UTC
Updates applying the fix (PR#1223) are already in Rawhide and are in testing for stable releases. I have aligned all stable releases and EPELs so that stb_image >= 2.27-0.7 contain patches for CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716. I will modify these updates to associate the appropriate newly-created bugs.

Since stb_image is a header-only library, dependent packages need to be rebuilt to benefit from the fix. I have created buildroot overrides to allow this while updates are still in testing, and some dependent packages have already been updated in some releases.

Since stb_image is designed to be bundled, there are probably a number of packages containing bundled copies that are affected. Many of these are likely undeclared (missing Provides: bundled(stb) or Provides: bundled(stb_image)).
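
A source-tree check for the bundled copies described in comment 2, as an added example (not part of this bug report or of stb): it matches the version banner rather than the file name and flags the 1.33 through 2.27 range from the description. The banner formats in the regex and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed banner formats: "/* stb_image - v2.27 - ..." and the older "/* stbi-1.33 - ...".
BANNER = re.compile(rb"(?:stb_image\s*-\s*v|stbi-)(\d+)\.(\d+)")
AFFECTED = ((1, 33), (2, 27))  # inclusive range from the CVE description


def banner_version(path, head_bytes=4096):
    """Return (major, minor) from a banner near the top of the file, or None."""
    try:
        with open(path, "rb") as fh:
            m = BANNER.search(fh.read(head_bytes))
    except OSError:
        return None
    return (int(m.group(1)), int(m.group(2))) if m else None


def scan_tree(root):
    """Yield (path, version, in_affected_range); content match catches renamed copies."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".h", ".hpp", ".c", ".cc", ".cpp")):
                continue
            path = os.path.join(dirpath, name)
            ver = banner_version(path)
            if ver is not None:
                yield path, ver, AFFECTED[0] <= ver <= AFFECTED[1]


def demo():
    """Scan a constructed tree (sample contents, not real library code)."""
    samples = {
        "vendor/stb/stb_image.h": b"/* stb_image - v2.27 - public domain image loader\n",
        "third_party/img/loader.h": b"/* stb_image - v2.28 - public domain image loader\n",
        "legacy/stb_image.c": b"/* stbi-1.33 - public domain JPEG/PNG reader\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return sorted((os.path.relpath(p, root), v, hit) for p, v, hit in scan_tree(root))


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit marks a copy for review rather than proving exposure: a distribution copy can carry the backported fix under an unchanged banner, and the file may not be compiled in at all, as with cogl in comment 4.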

Comment 4 Owen Taylor 2021-10-28 16:34:45 UTC
To clarify the status for cogl and clutter:

The cogl library contains an old version of stb_image.c, however this is only compiled in when gdk-pixbuf support is disabled. cogl as shipped in RHEL and Fedora uses gdk-pixbuf, so is not affected by this vulnerability. This also applies to the bundled copy of cogl inside clutter in RHEL 6 and very old versions of Fedora.
