[SECURITY] [DLA 4493-1] libstb security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4493-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
February 26, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libstb
Version        : 0.0~git20200713.b42009b+ds-1+deb11u1
CVE ID         : CVE-2021-28021 CVE-2021-37789 CVE-2021-42715 CVE-2022-28041
                 CVE-2022-28042

Several vulnerabilities were discovered in libstb, single-file image
and audio processing libraries for C/C++.

CVE-2021-28021

    Buffer overflow vulnerability in function stbi__extend_receive in
    stb_image.h. Can be exploited with a crafted JPEG file.

CVE-2021-37789

    A heap-based buffer over in stbi__jpeg_load, leading to
    Information Disclosure or Denial of Service.

CVE-2021-42715

    The HDR loader parsed truncated end-of-file RLE scanlines as an
    infinite sequence of zero-length runs. An attacker could
    potentially have caused denial of service in applications using
    stb_image by submitting crafted HDR files.

CVE-2022-28041

    An integer overflow via the function
    stbi__jpeg_decode_block_prog_dc. This vulnerability allows
    attackers to cause a Denial of Service (DoS) via unspecified
    vectors.

CVE-2022-28042

    A heap-based use-after-free via the function
    stbi__jpeg_huff_decode.

For Debian 11 bullseye, these problems have been fixed in version
0.0~git20200713.b42009b+ds-1+deb11u1.

We recommend that you upgrade your libstb packages.

For the detailed security status of libstb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libstb

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
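
Added example, not part of the advisory and not stb's own code: a small C model of the CVE-2021-42715 failure mode for one RLE-coded channel of a Radiance HDR scanline, with the unhardened loop beside a check that rejects zero-length runs. It assumes a reader that returns 0 past the end of input; reader, get8, decode_channel, try_decode and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed in-memory reader. Assumption: as in the bug described above,
   a read past the end of input yields 0 rather than an error. */
typedef struct { const uint8_t *p, *end; } reader;
static int get8(reader *r) { return r->p < r->end ? *r->p++ : 0; }

enum { RLE_OK = 0, RLE_CORRUPT = -1, RLE_STALLED = -2 };

/* Decode one RLE-coded channel of `width` samples into out[].
   strict=1 rejects zero-length runs; strict=0 is the unhardened loop, given
   a step budget here only so that the demonstration terminates. */
int decode_channel(reader *r, uint8_t *out, int width, int strict) {
    int i = 0, nleft, budget = 4 * width + 16;
    while ((nleft = width - i) > 0) {
        if (budget-- == 0) return RLE_STALLED;   /* no progress: would spin forever */
        int count = get8(r);
        int is_run = count > 128;                /* >128: repeat one byte; else literals */
        if (is_run) count -= 128;
        if (strict && count == 0) return RLE_CORRUPT;  /* zero-length run, e.g. at EOF */
        if (count > nleft) return RLE_CORRUPT;         /* would write past the scanline */
        if (is_run) {
            int value = get8(r);
            while (count--) out[i++] = (uint8_t)value;
        } else {
            while (count--) out[i++] = (uint8_t)get8(r);
        }
    }
    return RLE_OK;
}

/* Constructed samples for an 8-sample channel: complete data, and the same
   data cut off after its first run. */
const uint8_t FULL[]  = { 128 + 5, 7, 3, 1, 2, 3 };
const uint8_t TRUNC[] = { 128 + 5, 7 };

int try_decode(const uint8_t *buf, size_t len, int strict) {
    uint8_t out[8];
    reader r = { buf, buf + len };
    return decode_channel(&r, out, 8, strict);
}

int main(void) {
    printf("full/strict=%d trunc/strict=%d trunc/unhardened=%d\n",
           try_decode(FULL, sizeof FULL, 1), try_decode(TRUNC, sizeof TRUNC, 1),
           try_decode(TRUNC, sizeof TRUNC, 0));
    return 0;
}
```

A decoder wrapped this way can be exercised in regression tests with truncated inputs to confirm that every loop iteration either makes progress or returns an error.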