
Security: Multiple issues in rlottie
Name: Multiple issues in rlottie
ID: USN-7198-1
Distribution: Ubuntu
Platforms: Ubuntu 20.04 LTS, Ubuntu 22.04 LTS
Date: Wed, January 15, 2025, 06:39
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31315
Applications: rlottie

Original message

From: Nico Campuzano <nicolas.campuzano@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <f0e8e8d1-0c88-441e-89bf-933f01837a54@canonical.com>
Subject: [USN-7198-1] rlottie vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7198-1
January 10, 2025

rlottie vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in rlottie.

Software Description:
- rlottie: library for rendering vector based animations and art

Details:

Paolo Giai discovered a series of stack-based overflow vulnerabilities in
the blit and gray_render_cubic functions of a custom fork of the rlottie
library. An attacker could possibly use this issue to leak sensitive
information. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. (CVE-2021-31315, CVE-2021-31321)

Paolo Giai discovered a series of type confusion vulnerabilities in the
VDasher constructor and the LOTCompLayerItem::LOTCompLayerItem function
of a custom fork of the rlottie library. An attacker could possibly use
this issue to leak sensitive information. This issue only affected Ubuntu
20.04 LTS. (CVE-2021-31317, CVE-2021-31318)

Paolo Giai discovered an integer overflow vulnerability in the
LOTGradient::populate function of a custom fork of the rlottie library.
An attacker could possibly use this issue to leak sensitive information.
This issue only affected Ubuntu 20.04 LTS. (CVE-2021-31319)

Paolo Giai discovered a series of heap buffer overflow vulnerabilities
in the VGradientCache::generateGradientColorTable and
LOTGradient::populate functions of a custom fork of the rlottie library.

