Source: libcaca
Version: 0.99.beta20-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/cacalabs/libcaca/issues/86
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libcaca.

CVE-2026-42046[0]:
| libcaca is a colour ASCII art library. In 0.99.beta20 and earlier,
| an integer overflow vulnerability in libcaca's canvas import
| functionality allows an attacker to cause a controlled heap out-of-
| bounds write (heap overflow) by supplying a crafted file in the
| "caca" format. Depending on the build configuration and memory
| allocator, this may lead to memory corruption or remote code
| execution. This is the same vulnerability as CVE-2021-3410 but the
| fix at that time was not fully correct. Commit
| fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42046
    https://www.cve.org/CVERecord?id=CVE-2026-42046
[1] https://github.com/cacalabs/libcaca/issues/86
[2] https://github.com/cacalabs/libcaca/security/advisories/GHSA-4vvg-vrqv-m56w
[3] https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

