Bugzilla – Bug 1198582
VUL-1: CVE-2022-28041, CVE-2022-28042, CVE-2022-28048: stb: stb_image.h v2.27 multiple issues
Last modified: 2022-04-19 08:18:08 UTC
CVE-2022-28041: stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

CVE-2022-28042: stb_image.h v2.27 was discovered to contain a heap-based use-after-free via the function stbi__jpeg_huff_decode.

CVE-2022-28048: STB v2.27 was discovered to contain an integer shift of invalid size in the component stbi__jpeg_decode_block_prog_ac.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-28041
- https://nvd.nist.gov/vuln/detail/CVE-2022-28042
- https://nvd.nist.gov/vuln/detail/CVE-2022-28048

Upstream:
- https://github.com/nothings/stb/issues/1289
- https://github.com/nothings/stb/issues/1292
- https://github.com/nothings/stb/issues/1293
- https://github.com/nothings/stb/pull/1297
Affected:
- openSUSE:Backports:SLE-15-SP3/stb
- openSUSE:Backports:SLE-15-SP3:Update/stb
- openSUSE:Backports:SLE-15-SP4/stb
- openSUSE:Factory/stb
- openSUSE:Factory:RISCV/stb