Arch Linux Security Advisory ASA-202103-26
==========================================

Severity: Medium
Date    : 2021-03-25
CVE-ID  : CVE-2021-26825 CVE-2021-26826
Package : godot
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1544

Summary
=======

The package godot before version 3.2.3-2 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 3.2.3-2.

# pacman -Syu "godot>=3.2.3-2"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2021-26825 (arbitrary code execution)

An integer overflow issue exists in Godot Engine version 3.2.3 that can
be triggered when loading specially crafted TGA image files. The
vulnerability exists in the ImageLoaderTGA::load_image() function in
the line "const size_t buffer_size = (tga_header.image_width *
tga_header.image_height) * pixel_size;" The bug leads to a dynamic
stack buffer overflow. Depending on the context of the application, the
attack vector can be local or remote, and can lead to code execution
and/or a system crash.

- CVE-2021-26826 (arbitrary code execution)

A stack overflow issue exists in Godot Engine version 3.2.3 and is
caused by improper boundary checks when loading TGA image files.
Depending on the context of the application, the attack vector can be
local or remote, and can lead to code execution and/or a system crash.

Impact
======

A remote attacker who is able to supply a crafted TGA file to a client
which subsequently gets loaded by the engine is able to execute
arbitrary code on the affected host.

References
==========

https://bugs.archlinux.org/task/70057
https://github.com/godotengine/godot/pull/45702
https://github.com/godotengine/godot/commit/113b5ab1c45c01b8e6d54d13ac8876d091f883a8
https://security.archlinux.org/CVE-2021-26825
https://security.archlinux.org/CVE-2021-26826
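
Added example (not part of the advisory and not Godot's upstream fix): one way to compute the width * height * pixel_size product quoted under CVE-2021-26825 with explicit overflow and range checks before any buffer is sized from it. The 16-bit width and height follow the TGA header format; the function names, the MAX_PIXEL_BYTES cap, the 32-bit model of the unchecked product and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on decoded pixel data; below SIZE_MAX even on 32-bit. */
#define MAX_PIXEL_BYTES ((uint64_t)256 * 1024 * 1024)

/* Model of the unchecked product in 32-bit unsigned arithmetic
 * (an assumption chosen so the wraparound is well-defined C). */
uint32_t naive_size_32(uint16_t width, uint16_t height, uint8_t pixel_size)
{
    return (uint32_t)width * (uint32_t)height * (uint32_t)pixel_size;
}

/* Checked form: returns 0 and stores the size in *out, or -1 when a
 * dimension is zero, pixel_size is not 1..4 bytes, or the 64-bit
 * product exceeds the cap. */
int tga_buffer_size(uint16_t width, uint16_t height, uint8_t pixel_size,
                    size_t *out)
{
    if (width == 0 || height == 0 || pixel_size < 1 || pixel_size > 4)
        return -1;
    /* Max is 65535 * 65535 * 4, which fits in 64 bits with room to spare. */
    uint64_t total = (uint64_t)width * height * pixel_size;
    if (total > MAX_PIXEL_BYTES)
        return -1;
    *out = (size_t)total;
    return 0;
}

int main(void)
{
    /* Constructed header values, not taken from any real file. */
    size_t n = 0;
    int rc = tga_buffer_size(64, 32, 4, &n);
    printf("64x32x4: rc=%d size=%zu\n", rc, n);
    printf("32768x32768x4 unchecked: %u\n",
           (unsigned)naive_size_32(32768, 32768, 4));
    printf("32768x32768x4 checked: rc=%d\n",
           tga_buffer_size(32768, 32768, 4, &n));
    return 0;
}
```

A loader would call the checked function before allocating and reject the file when it returns -1, and would also confirm that the file actually contains that many bytes of pixel data before decoding.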