ArchLinux: 202106-13: zint: arbitrary code execution

Arch Linux Security Advisory ASA-202106-13
==========================================

Severity: Medium
Date    : 2021-06-01
CVE-ID  : CVE-2021-27799
Package : zint
Type    : arbitrary code execution
Remote  : No
Link    : https://security.archlinux.org/AVG-1625

Summary
=======

The package zint before version 2.9.1-2 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 2.9.1-2.

# pacman -Syu "zint>=2.9.1-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.9.1
has a stack-based buffer overflow that is reachable from the C API
through an application that includes the Zint Barcode Generator library
code.

Impact
======

An attacker could execute arbitrary code by supplying crafted input to
generate an EAN barcode.

References
==========

https://bugs.archlinux.org/task/70051
https://sourceforge.net/p/zint/tickets/218/
https://sourceforge.net/p/zint/code/ci/7f8c8114f31c09a986597e0ba63a49f96150368a/
https://security.archlinux.org/CVE-2021-27799

June 3, 2021