| Name | CVE-2021-36489 |
| Description | Buffer Overflow vulnerability in Allegro through 5.2.6 allows attackers to cause a denial of service via crafted PCX/TGA/BMP files to allegro_image addon. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1032670 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| allegro4.4 (PTS) | jessie | 2:4.4.2-5 | vulnerable |
| stretch | 2:4.4.2-10 | vulnerable |
| buster | 2:4.4.2-13 | vulnerable |
| bullseye | 2:4.4.3.1-2 | vulnerable |
| bookworm | 2:4.4.3.1-3 | vulnerable |
| sid, trixie | 2:4.4.3.1-5 | vulnerable |
| allegro5 (PTS) | jessie | 2:5.0.10-3 | vulnerable |
| stretch | 2:5.2.2-1 | vulnerable |
| buster | 2:5.2.4.0-3 | vulnerable |
| bullseye | 2:5.2.6.0-3+deb11u1 | fixed |
| bookworm | 2:5.2.8.0+dfsg-1 | fixed |
| sid, trixie | 2:5.2.9.1+dfsg-2 | fixed |
The information below is based on the following data on fixed versions.
Notes
[bookworm] - allegro4.4 <ignored> (Minor issue)
[bullseye] - allegro4.4 <no-dsa> (Minor issue)
[buster] - allegro4.4 <no-dsa> (Minor issue)
[buster] - allegro5 <no-dsa> (Minor issue)
https://github.com/liballeg/allegro5/issues/1251
https://github.com/liballeg/allegro5/pull/1253
https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a (5.2.8.0)
https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c (5.2.8.0)
https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e (5.2.8.0)
In allegro 4.4, code is in src/[pcx|tga].c instead