Bug#990527: kimageformats: CVE-2021-36083

To: submit@bugs.debian.org
Subject: Bug#990527: kimageformats: CVE-2021-36083
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Thu, 1 Jul 2021 13:28:55 +0200
Message-id: <[🔎] YN2m91eWYzXoot+v@pisco.westfalen.local>
Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 990527@bugs.debian.org

Source: kimageformats
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for kimageformats.

CVE-2021-36083[0]:
| KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer
| overflow in XCFImageFormat::loadTileRLE.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml
https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36083
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36083

Please adjust the affected versions in the BTS as needed.

Reply to:

Follow-Ups:
- Bug#990527: kimageformats: CVE-2021-36083
  - From: Norbert Preining <norbert@preining.info>
- Bug#990527: marked as done (kimageformats: CVE-2021-36083)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Next by Date: Processed: found 990527 in 5.78.0-4, closing 990527
Next by thread: Bug#990527: kimageformats: CVE-2021-36083
Index(es):
- Date
- Thread