Source: godot Version: 3.2.3-stable-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for godot. CVE-2021-26825[0]: | An integer overflow issue exists in Godot Engine up to v3.2 that can | be triggered when loading specially crafted.TGA image files. The | vulnerability exists in ImageLoaderTGA::load_image() function at line: | const size_t buffer_size = (tga_header.image_width * | tga_header.image_height) * pixel_size; The bug leads to Dynamic stack | buffer overflow. Depending on the context of the application, attack | vector can be local or remote, and can lead to code execution and/or | system crash. CVE-2021-26826[1]: | A stack overflow issue exists in Godot Engine up to v3.2 and is caused | by improper boundary checks when loading .TGA image files. Depending | on the context of the application, attack vector can be local or | remote, and can lead to code execution and/or system crash. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-26825 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26825 [1] https://security-tracker.debian.org/tracker/CVE-2021-26826 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26826 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

