USN-7198-1: rlottie vulnerabilities
10 January 2025
Several security issues were fixed in rlottie.
Releases
Packages
- rlottie - library for rendering vector based animations and art
Details
Paolo Giai discovered a series of stack-based overflow vulnerabilities in
the blit and gray_render_cubic functions of a custom fork of the rlottie
library. An attacker could possibly use this issue to leak sensitive
information. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. (CVE-2021-31315, CVE-2021-31321)
Paolo Giai discovered a series of type confusion vulnerabilities in the
VDasher constructor and the LOTCompLayerItem::LOTCompLayerItem function
of a custom fork of the rlottie library. An attacker could possibly use
this issue to leak sensitive information. This issue only affected Ubuntu
20.04 LTS. (CVE-2021-31317, CVE-2021-31318)
Paolo Giai discovered an integer overflow vulnerability in the
LOTGradient::populate function of a custom fork of the rlottie library.
An attacker could possibly use this issue to leak sensitive information.
This issue only affected Ubuntu 20.04 LTS. (CVE-2021-31319)
Paolo Giai discovered a series of heap buffer overflow vulnerabilities
in the VGradientCache::generateGradientColorTable and
LOTGradient::populate functions of a custom fork of the rlottie library.
An attacker could possibly use this issue to achieve remote code execution.
This issue only affected Ubuntu 20.04 LTS. (CVE-2021-31320, CVE-2021-31322)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04
Ubuntu 20.04
-
librlottie0-1
-
0~git20200305.a717479+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.