Bug 2077019 (CVE-2022-28041)

Summary: CVE-2022-28041 stb: integer overflow in stbi__jpeg_decode_block_prog_dc() can lead to DoS
Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Status: NEW
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Nobody <nobody>
CC: code, mhroncok, otaylor, wtaymans
Keywords: Security
Bug Depends On: 2077020, 2077021, 2077054, 2083035

Description Guilherme de Almeida Suckevicz 2022-04-20 13:48:32 UTC
stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Reference:
https://github.com/nothings/stb/issues/1292

Upstream patch:
https://github.com/nothings/stb/pull/1297

Comment 1 Guilherme de Almeida Suckevicz 2022-04-20 13:48:51 UTC
Created stb tracking bugs for this issue:

Affects: epel-all [bug 2077021]
Affects: fedora-all [bug 2077020]

Comment 2 Ben Beasley 2022-04-23 15:25:37 UTC
Created PR for sdrpp: https://src.fedoraproject.org/rpms/sdrpp/pull-request/2

Comment 3 Ben Beasley 2022-04-23 15:34:58 UTC
Created PR for gamescope: https://src.fedoraproject.org/rpms/gamescope/pull-request/2

Comment 4 Ben Beasley 2022-04-23 17:04:35 UTC
Created PR for zxing-cpp: https://src.fedoraproject.org/rpms/zxing-cpp/pull-request/2

Comment 5 Ben Beasley 2022-04-23 17:17:43 UTC
Created PR for mlpack: https://src.fedoraproject.org/rpms/mlpack/pull-request/5

Comment 6 Ben Beasley 2022-04-23 17:46:18 UTC
Created PR for CuraEngine: https://src.fedoraproject.org/rpms/CuraEngine/pull-request/21

Created PR for assimp: https://src.fedoraproject.org/rpms/assimp/pull-request/5

That should generally cover the dependent packages that build with header-only stb_image from the stb package. There are a couple of others (SOIL, SFML) that are based on forks of older stb_image versions or have otherwise never been adjusted to use an external stb_image.

Comment 7 Fedora Update System 2022-05-02 07:08:09 UTC
FEDORA-2022-bc606b86f4 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2022-05-02 07:30:37 UTC
FEDORA-2022-cc64b21327 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2022-05-07 04:30:27 UTC
FEDORA-2022-0125d9cd29 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.