-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0594
                          libstb security update
                              1 February 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libstb
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-28042 CVE-2022-28041 CVE-2021-42715
                   CVE-2021-37789 CVE-2021-28021 CVE-2019-13223
                   CVE-2019-13222 CVE-2019-13221 CVE-2019-13220
                   CVE-2019-13219 CVE-2019-13218 CVE-2019-13217
                   CVE-2018-16981

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/01/msg00045.html

Comment: CVSS (Max):  8.8 CVE-2022-28042 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3305-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/        Adrian Bunk <bunk@debian.org>
January 31, 2023                              https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : libstb
Version        : 0.0~git20180212.15.e6afb9c-1+deb10u1
CVE ID         : CVE-2018-16981 CVE-2019-13217 CVE-2019-13218 CVE-2019-13219
                 CVE-2019-13220 CVE-2019-13221 CVE-2019-13222 CVE-2019-13223
                 CVE-2021-28021 CVE-2021-37789 CVE-2021-42715 CVE-2022-28041
                 CVE-2022-28042
Debian Bug     : 934966 1014530 1023693 1014531 1014532

Several vulnerabilities have been fixed in the libstb library.

CVE-2018-16981

    Heap-based buffer overflow in stbi__out_gif_code().

CVE-2019-13217

    Heap buffer overflow in the Vorbis start_decoder().

CVE-2019-13218

    Division by zero in the Vorbis predict_point().

CVE-2019-13219

    NULL pointer dereference in the Vorbis get_window().

CVE-2019-13220

    Uninitialized stack variables in the Vorbis start_decoder().

CVE-2019-13221

    Buffer overflow in the Vorbis compute_codewords().

CVE-2019-13222

    Out-of-bounds read of a global buffer in the Vorbis draw_line().

CVE-2019-13223

    Reachable assertion in the Vorbis lookup1_values().

CVE-2021-28021

    Buffer overflow in stbi__extend_receive().

CVE-2021-37789

    Heap-based buffer overflow in stbi__jpeg_load().

CVE-2021-42715

    The HDR loader parsed truncated end-of-file RLE scanlines as an
    infinite sequence of zero-length runs.

CVE-2022-28041

    Integer overflow in stbi__jpeg_decode_block_prog_dc().

CVE-2022-28042

    Heap-based use-after-free in stbi__jpeg_huff_decode().
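As an added illustration of the CVE-2021-42715 failure mode (this is not stb_image's code nor the Debian patch): a decoder for one new-style Radiance HDR RLE scanline that treats a scanline cut off at end of file, or a zero-length run, as a hard error instead of a run that makes no progress. The function name, the width-8 sample scanlines and the demo helpers are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative decoder for one new-style Radiance HDR RLE scanline
 * (4 interleaved channels, RGBE).  Writes width*4 bytes to dst and returns
 * the number of input bytes consumed, or -1 for malformed or truncated
 * input.  A zero-length run or a missing byte is an error, never a loop. */
long hdr_rle_scanline(const uint8_t *src, size_t len, int width, uint8_t *dst)
{
    size_t pos = 4;
    if (width < 8 || width >= 32768 || len < 4) return -1;
    if (src[0] != 2 || src[1] != 2 || (src[2] & 0x80)) return -1;
    if (((src[2] << 8) | src[3]) != width) return -1;   /* header encodes width */
    for (int ch = 0; ch < 4; ch++) {
        for (int x = 0; x < width; ) {
            if (pos >= len) return -1;                 /* truncated before count byte */
            int count = src[pos++];
            if (count == 0 || (count > 128 ? count - 128 : count) + x > width)
                return -1;                             /* zero-length or overlong run */
            if (count > 128) {                         /* repeat one value count-128 times */
                count -= 128;
                if (pos >= len) return -1;             /* truncated before run value */
                for (int i = 0; i < count; i++) dst[(x + i) * 4 + ch] = src[pos];
                pos++;
            } else {                                   /* count literal bytes */
                if (pos + (size_t)count > len) return -1;
                for (int i = 0; i < count; i++) dst[(x + i) * 4 + ch] = src[pos + i];
                pos += count;
            }
            x += count;
        }
    }
    return (long)pos;
}

/* Constructed sample inputs, width 8: a valid scanline (one run per channel),
 * the same bytes cut short at end of file, and one with a zero-length run. */
static const uint8_t SAMPLE_OK[]   = {2,2,0,8, 136,0x10, 136,0x20, 136,0x30, 136,0x80};
static const uint8_t SAMPLE_ZERO[] = {2,2,0,8, 136,0x10, 0, 136,0x30, 136,0x80};

long demo_ok(void)        { uint8_t px[32]; return hdr_rle_scanline(SAMPLE_OK, sizeof SAMPLE_OK, 8, px); }
long demo_truncated(void) { uint8_t px[32]; return hdr_rle_scanline(SAMPLE_OK, 9, 8, px); }
long demo_zero_run(void)  { uint8_t px[32]; return hdr_rle_scanline(SAMPLE_ZERO, sizeof SAMPLE_ZERO, 8, px); }
int  demo_pixel0_exp(void){ uint8_t px[32]; hdr_rle_scanline(SAMPLE_OK, sizeof SAMPLE_OK, 8, px); return px[3]; }
```

The valid sample consumes all 12 bytes; the truncated and zero-run variants are rejected on the first bad byte rather than spinning.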

For Debian 10 buster, these problems have been fixed in version
0.0~git20180212.15.e6afb9c-1+deb10u1.

We recommend that you upgrade your libstb packages.

For the detailed security status of libstb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libstb

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----