#1032670 allegro4.4: CVE-2021-36489

Package:
src:allegro4.4
Source:
src:allegro4.4
Submitter:
Moritz Mühlenhoff
Date:
2026-06-08 16:21:02 UTC
Severity:
normal
Tags:
#1032670#5
Date:
2023-03-10 17:04:23 UTC
From:
To:
Hi,

The following vulnerability was published for allegro4.4.

CVE-2021-36489[0]:
| Buffer Overflow vulnerability in Allegro through 5.2.6 allows
| attackers to cause a denial of service via crafted PCX/TGA/BMP files
| to allegro_image addon.

https://github.com/liballeg/allegro5/issues/1251
https://github.com/liballeg/allegro5/pull/1253

These fixes landed in Allegro 5.2.8.0:
https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a (5.2.8.0)
https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c (5.2.8.0)
https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e (5.2.8.0)

In allegro 4.4, the code is in src/[pcx|tga].c instead.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36489
https://www.cve.org/CVERecord?id=CVE-2021-36489

Please adjust the affected versions in the BTS as needed.

#1032670#16
Date:
2023-10-22 13:13:03 UTC
From:
To:
tags 1032670 - fixed-upstream
thanks

It's not fixed upstream in allegro4 - it is in allegro5, but not in
allegro4.

#1032670#25
Date:
2024-03-21 20:33:51 UTC
From:
To:
Hey

I just tried to reproduce this now on the version of Allegro 4.4 in
Debian, and using the crash file as mentioned in
https://github.com/liballeg/allegro5/issues/1251

I cannot reproduce the crash on 4.4.

Can you still reproduce the crash on allegro4.4 from the debian package?

For me when running './ex_bitmap crash' I get a dialog "Error reading
bitmap file 'crash'", but no crash of the program.

best
/Andreas
gusnan@debian.org

#1032670#30
Date:
2024-03-24 20:46:40 UTC
From:
To:
I never tried to reproduce these, but reproducibility of a given PoC made against
a current version not working with an older version doesn't mean the old version
isn't affected. From a quick glance the equivalent of the checks added in 5 are
also needed in 4.4, e.g. rle_tga_read8() lacks a check for w overstepping c.

Given that all these image files are typically read from a trusted location/source
shipped by a given game it's not a big deal, but I'd suggest to keep the bug
open until 4.4 has been fully phased out or the fixes backported.

Cheers,
        Moritz
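The missing bounds check described in the message above, as an added illustration that is not Allegro's code: a row decoder for 8-bit RLE TGA packets that refuses any packet which would write past the row width w. The function names, the sample rows and the error codes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Decode one row of 8-bit RLE TGA packets from src (len bytes) into dst, which
 * holds exactly w pixels. Returns source bytes consumed, or -1 on malformed input.
 * Constructed illustration of the check discussed above; not Allegro's rle_tga_read8(). */
int rle_tga_row8_checked(const uint8_t *src, size_t len, uint8_t *dst, int w)
{
    int c = 0;       /* pixels already written into this row */
    size_t pos = 0;  /* read offset into src */
    while (c < w) {
        if (pos >= len) return -1;               /* packet header missing */
        uint8_t hdr = src[pos++];
        int count = (hdr & 0x7f) + 1;            /* a packet covers 1..128 pixels */
        /* The check the thread says 4.4 lacks: without it a packet that oversteps w
         * would make the memset/memcpy below write past the end of dst. */
        if (c + count > w) return -1;
        if (hdr & 0x80) {                        /* run-length packet: one value */
            if (pos >= len) return -1;
            memset(dst + c, src[pos++], (size_t)count);
        } else {                                 /* raw packet: count literal values */
            if (pos + (size_t)count > len) return -1;
            memcpy(dst + c, src + pos, (size_t)count);
            pos += (size_t)count;
        }
        c += count;
    }
    return (int)pos;
}
/* Constructed sample rows for a 4-pixel-wide image (not real crash data). */
int demo_good_row(void)
{
    uint8_t out[4];
    static const uint8_t row[] = {0x81, 0xAA, 0x01, 0x10, 0x20}; /* run of 2, raw 2 */
    static const uint8_t want[] = {0xAA, 0xAA, 0x10, 0x20};
    int rc = rle_tga_row8_checked(row, sizeof row, out, 4);
    return (rc == 5 && memcmp(out, want, 4) == 0) ? rc : -2;    /* 5 on success */
}
int demo_overrun_row(void)
{
    uint8_t out[4];
    static const uint8_t row[] = {0x87, 0xFF};  /* run of 8 pixels into a 4-pixel row */
    return rle_tga_row8_checked(row, sizeof row, out, 4);        /* rejected: -1 */
}
int demo_truncated_row(void)
{
    uint8_t out[4];
    static const uint8_t row[] = {0x01, 0x10};  /* raw packet promises 2 bytes, has 1 */
    return rle_tga_row8_checked(row, sizeof row, out, 4);        /* rejected: -1 */
}
```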

#1032670#35
Date:
2024-03-25 15:32:08 UTC
From:
To:
On Sun, 24 Mar 2024 21:46:40 +0100 Moritz Muehlenhoff <jmm@inutil.org> wrote:
----------------------------- 8< -----------------------------

Yeah, I believe that upstream isn't interested either in 4.4, but focus
pretty much fully on 5.x now - and my interest is basically on 5.x.
Previously my interest in 4.4 was because of alex4, but since that
package has turned out to be non-free and moved there, my interest in
it has waned, and consequently, in allegro4.4 too.

I believe a big part of Tobias Hansen's interest in Allegro 4 was due to
Aseprite, which has turned to a license that cannot be packaged in
Debian (but I don't want to claim that I 100% know Tobias's reasoning).

If anyone really wants to have allegro 4.4 still in Debian, my
suggestion would be to step up and help out with the package (but since
I believe upstream has no interest in it, I don't know how doable it
is).

I am considering removing myself from the allegro 4.4 package, but
still keep working on the 5.x one. There I soon have an upload coming, I
am just waiting for [1] to get solved (fixing multiarch stuff for cmake
package config).

Of course, removing 4.4 would mean removal of quite some small nice
little games, but sometimes you just have to endure the negative.

/Andreas Rönnquist
gusnan@debian.org

1: https://github.com/liballeg/allegro5/pull/1543

#1032670#42
Date:
2026-06-08 12:12:37 UTC
From:
To:
#1032670#47
Date:
2026-06-08 16:20:27 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
allegro4.4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032670@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sébastien Noel <twolife@debian.org> (supplier of updated allegro4.4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 08 Jun 2026 17:14:52 +0200
Source: allegro4.4
Architecture: source
Version: 2:4.4.3.1-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Sébastien Noel <twolife@debian.org>
Closes: 1032670
Changes:
 allegro4.4 (2:4.4.3.1-8) unstable; urgency=medium
 .
   * Team upload
   * Cherry-pick upstream patches to fix CVE-2021-36489 (Closes: #1032670)
   * Bump debhelper compat level to 13