
Bug#1067392: bullseye-pu: package allegro5/2:5.2.6.0-3+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: allegro5@packages.debian.org
Control: affects -1 + src:allegro5
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Older versions of Allegro5 contain a no-dsa security vulnerability
(CVE-2021-36489, https://security-tracker.debian.org/tracker/CVE-2021-36489 ),
fixed in later versions of allegro5, and also still present in allegro4.4:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032670

I would like to fix this in allegro5 in bullseye; a patch containing four
commits cherry-picked from upstream is attached.

[ Tests ]
Running an example with a provided file crashes allegro with a buffer
overflow, as in https://github.com/liballeg/allegro5/issues/1251

With the fix, the result is an error message and not the crash.

[ Risks ]
The code is applied upstream in later versions (5.2.8.0, already
provided in later versions of Debian).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Four commits cherry-picked from upstream, providing better checks if the image
provided is invalid.

[ Other info ]
debdiff attached.

Attachment: CVE-2021-36489.debdiff