stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. Reference: https://github.com/nothings/stb/issues/1292 Upstream patch: https://github.com/nothings/stb/pull/1297
Created stb tracking bugs for this issue: Affects: epel-all [bug 2077021] Affects: fedora-all [bug 2077020]
Created PR for sdrpp: https://src.fedoraproject.org/rpms/sdrpp/pull-request/2
Created PR for gamescope: https://src.fedoraproject.org/rpms/gamescope/pull-request/2
Created PR for zxing-cpp: https://src.fedoraproject.org/rpms/zxing-cpp/pull-request/2
Created PR for mlpack: https://src.fedoraproject.org/rpms/mlpack/pull-request/5
Created PR for CuraEngine: https://src.fedoraproject.org/rpms/CuraEngine/pull-request/21 Created PR for assimp: https://src.fedoraproject.org/rpms/assimp/pull-request/5 That should generally cover the dependent packages that build with header-only stb_image from the stb package. There are a couple of others (SOIL, SFML) that are based on forks of older stb_image versions or have otherwise never been adjusted to use an external stb_image.
FEDORA-2022-bc606b86f4 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-cc64b21327 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-0125d9cd29 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.