Reported

March 6, 2021

Issued

March 6, 2021 (last modified: June 13, 2023)

Package

fltk (crates.io)

Type

Vulnerability

Keywords

#undefined_behavior

Aliases

• CVE-2021-28306
• CVE-2021-28307
• CVE-2021-28308
• GHSA-5pg8-h4gv-m3p8
• GHSA-7qcc-g2m9-8533
• GHSA-vjmg-pc8h-p6p8

References

• https://github.com/MoAlyousef/fltk-rs/issues/519

Patched

• >=0.15.3

Affected Functions

Version

fltk::image::Pixmap::new

• <0.15.2, >=0.14.12

fltk::prelude::WidgetExt::set_label_type

• <0.15.2

fltk::prelude::WindowExt::set_icon

• <0.14.12

Description

Affected versions contain multiple memory safety issues, such as:

• Setting a multi label type where an image doesn't exist would lead to a NULL pointer dereference.
• Setting a window icon using a non-raster image (which FLTK rasterizes lazily) would lead to a NULL dereference.
• Pixmap constructor would not check for correct pixmaps which could lead to out-of bound reads.

Advisory available under CC0-1.0 license.