Debian Bug report logs -
#1059277
openbabel: CVE-2022-37331 CVE-2022-41793 CVE-2022-42885 CVE-2022-43467 CVE-2022-43607 CVE-2022-44451 CVE-2022-46280 CVE-2022-46289 CVE-2022-46290 CVE-2022-46291 CVE-2022-46292 CVE-2022-46293 CVE-2022-46294 CVE-2022-46295
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debichem Team <debichem-devel@lists.alioth.debian.org>: Bug#1059277; Package src:openbabel. (Fri, 22 Dec 2023 12:09:05 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debichem Team <debichem-devel@lists.alioth.debian.org>. (Fri, 22 Dec 2023 12:09:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: openbabel
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for openbabel.
It's unclear if these were ever properly reported upstream/fixed,
could you please sync up with the upstream developers?
CVE-2022-37331[0]:
| An out-of-bounds write vulnerability exists in the Gaussian format
| orientation functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1672
CVE-2022-41793[1]:
| An out-of-bounds write vulnerability exists in the CSR format title
| functionality of Open Babel 3.1.1 and master commit 530dbfa3. A
| specially crafted malformed file can lead to arbitrary code
| execution. An attacker can provide a malicious file to trigger this
| vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1667
CVE-2022-42885[2]:
| A use of uninitialized pointer vulnerability exists in the GRO
| format res functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1668
CVE-2022-43467[3]:
| An out-of-bounds write vulnerability exists in the PQS format
| coord_file functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671
CVE-2022-43607[4]:
| An out-of-bounds write vulnerability exists in the MOL2 format
| attribute and value functionality of Open Babel 3.1.1 and master
| commit 530dbfa3. A specially crafted malformed file can lead to
| arbitrary code execution. An attacker can provide a malicious file
| to trigger this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1664
CVE-2022-44451[5]:
| A use of uninitialized pointer vulnerability exists in the MSI
| format atom functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669
CVE-2022-46280[6]:
| A use of uninitialized pointer vulnerability exists in the PQS
| format pFormat functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670
CVE-2022-46289[7]:
| Multiple out-of-bounds write vulnerabilities exist in the ORCA
| format nAtoms functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially-crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability. The nAtoms calculation wraps around, leading to a
| small buffer allocation.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665
CVE-2022-46290[8]:
| Multiple out-of-bounds write vulnerabilities exist in the ORCA
| format nAtoms functionality of Open Babel 3.1.1 and master commit
| 530dbfa3. A specially-crafted malformed file can lead to arbitrary
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability. The loop that stores the coordinates does not
| check its index against nAtoms.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665
CVE-2022-46291[9]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MSI file format.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
CVE-2022-46292[10]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC file format,
| inside the Unit Cell Translation section.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
CVE-2022-46293[11]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC file format,
| inside the Final Point and Derivatives section.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
CVE-2022-46294[12]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the MOPAC Cartesian file
| format.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
CVE-2022-46295[13]:
| Multiple out-of-bounds write vulnerabilities exist in the
| translationVectors parsing functionality in multiple supported
| formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-
| crafted malformed file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger this
| vulnerability. This vulnerability affects the Gaussian file format.
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-37331
https://www.cve.org/CVERecord?id=CVE-2022-37331
[1] https://security-tracker.debian.org/tracker/CVE-2022-41793
https://www.cve.org/CVERecord?id=CVE-2022-41793
[2] https://security-tracker.debian.org/tracker/CVE-2022-42885
https://www.cve.org/CVERecord?id=CVE-2022-42885
[3] https://security-tracker.debian.org/tracker/CVE-2022-43467
https://www.cve.org/CVERecord?id=CVE-2022-43467
[4] https://security-tracker.debian.org/tracker/CVE-2022-43607
https://www.cve.org/CVERecord?id=CVE-2022-43607
[5] https://security-tracker.debian.org/tracker/CVE-2022-44451
https://www.cve.org/CVERecord?id=CVE-2022-44451
[6] https://security-tracker.debian.org/tracker/CVE-2022-46280
https://www.cve.org/CVERecord?id=CVE-2022-46280
[7] https://security-tracker.debian.org/tracker/CVE-2022-46289
https://www.cve.org/CVERecord?id=CVE-2022-46289
[8] https://security-tracker.debian.org/tracker/CVE-2022-46290
https://www.cve.org/CVERecord?id=CVE-2022-46290
[9] https://security-tracker.debian.org/tracker/CVE-2022-46291
https://www.cve.org/CVERecord?id=CVE-2022-46291
[10] https://security-tracker.debian.org/tracker/CVE-2022-46292
https://www.cve.org/CVERecord?id=CVE-2022-46292
[11] https://security-tracker.debian.org/tracker/CVE-2022-46293
https://www.cve.org/CVERecord?id=CVE-2022-46293
[12] https://security-tracker.debian.org/tracker/CVE-2022-46294
https://www.cve.org/CVERecord?id=CVE-2022-46294
[13] https://security-tracker.debian.org/tracker/CVE-2022-46295
https://www.cve.org/CVERecord?id=CVE-2022-46295
Please adjust the affected versions in the BTS as needed.
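The ORCA reports above (TALOS-2022-1665) name two distinct defects in one reader: an element-count calculation that wraps around so the buffer comes out too small, and a store loop bounded by how many coordinate lines the file contains rather than by the declared nAtoms. The translationVectors reports (TALOS-2022-1666) are the fixed-capacity variant of the second defect: a unit cell has at most three translation vectors, so a fourth vector line must be rejected rather than stored. The following C program is an added illustration written for this page, not Open Babel's code and not taken from the Talos advisories: the "natoms N" / "x y z" / "tv x y z" block layout, the MAX_ATOMS cap and the function names are all constructed assumptions. It shows the vulnerable pattern for contrast and a hardened reader that validates the count, checks the allocation arithmetic, and bounds every store by the capacity it was allocated for.

```c
/* Added illustration (not Open Babel's code). Input layout is a constructed
 * simplification: "natoms N", then N lines "x y z", optional "tv x y z" lines. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ATOMS 1000000u   /* assumed sanity cap on a declared atom count */
#define MAX_TV    3          /* a unit cell has at most 3 translation vectors */

/* Defect 1 (as in the nAtoms wrap-around): the element count is computed in
 * 32-bit unsigned arithmetic, so a huge declared count yields a tiny buffer. */
unsigned unsafe_alloc_doubles(unsigned natoms) {
    return natoms * 3u;            /* 1431655766 * 3 wraps to 2 */
}

/* Vulnerable pattern, shown only for contrast; never run it on untrusted
 * input. The store loop (defect 2) is bounded by the number of lines in the
 * file, not by natoms, so extra coordinate lines write past the buffer. */
double *read_coords_unsafe(const char *text) {
    unsigned natoms = 0;
    if (sscanf(text, "natoms %u", &natoms) != 1) return NULL;
    double *xyz = malloc(unsafe_alloc_doubles(natoms) * sizeof *xyz);
    if (!xyz) return NULL;
    const char *line = strchr(text, '\n');
    unsigned i = 0;
    while (line && *++line) {
        if (sscanf(line, "%lf %lf %lf", &xyz[3*i], &xyz[3*i+1], &xyz[3*i+2]) == 3)
            i++;                   /* i is never compared with natoms */
        line = strchr(line, '\n');
    }
    return xyz;
}

typedef struct {
    size_t natoms;
    double *xyz;                   /* natoms * 3 entries, heap allocated */
    size_t ntv;
    double tv[MAX_TV][3];          /* fixed capacity: guard every store */
} mol_t;

/* Hardened reader. Returns 0 on success, -1 on a malformed file; on failure
 * *out is zeroed and owns no memory. On success the caller frees out->xyz. */
int read_coords_safe(const char *text, mol_t *out) {
    memset(out, 0, sizeof *out);
    if (strncmp(text, "natoms ", 7) != 0) return -1;
    char *end;
    errno = 0;
    unsigned long long n = strtoull(text + 7, &end, 10);
    if (end == text + 7 || errno == ERANGE || n == 0 || n > MAX_ATOMS) return -1;
    if (n > SIZE_MAX / 3 / sizeof(double)) return -1;   /* explicit overflow check */
    out->xyz = calloc((size_t)n * 3, sizeof *out->xyz);
    if (!out->xyz) return -1;
    const char *line = strchr(end, '\n');
    size_t i = 0;
    while (line && *++line) {
        double v[3];
        if (sscanf(line, "tv %lf %lf %lf", &v[0], &v[1], &v[2]) == 3) {
            if (out->ntv >= MAX_TV) goto bad;      /* fourth vector: reject */
            memcpy(out->tv[out->ntv++], v, sizeof v);
        } else if (sscanf(line, "%lf %lf %lf", &v[0], &v[1], &v[2]) == 3) {
            if (i >= n) goto bad;                  /* more atoms than declared */
            memcpy(&out->xyz[3*i], v, sizeof v);
            i++;
        }
        line = strchr(line, '\n');
    }
    if (i != n) goto bad;                          /* fewer atoms than declared */
    out->natoms = i;
    return 0;
bad:
    free(out->xyz);
    memset(out, 0, sizeof *out);
    return -1;
}

int main(void) {
    /* constructed sample: two atoms and one translation vector */
    const char *sample = "natoms 2\n0 0 0\n1.5 0 0\ntv 10 0 0\n";
    mol_t m;
    if (read_coords_safe(sample, &m) != 0) { puts("rejected"); return 1; }
    printf("%zu atoms, %zu translation vectors; wrapped element count for "
           "1431655766 declared atoms: %u\n",
           m.natoms, m.ntv, unsafe_alloc_doubles(1431655766u));
    free(m.xyz);
    return 0;
}
```

The hardened reader fails closed on all three inconsistencies (more coordinate lines than declared, fewer than declared, more than three translation vectors) instead of trusting whichever count is larger; for a file-format parser that is the check a fuzzer like the one Talos used would otherwise find for you.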
Information forwarded to debian-bugs-dist@lists.debian.org, Debichem Team <debichem-devel@lists.alioth.debian.org>: Bug#1059277; Package src:openbabel. (Fri, 22 Dec 2023 12:21:05 GMT)
Acknowledgement sent to Michael Banck <mbanck@debian.org>: Extra info received and forwarded to list. Copy sent to Debichem Team <debichem-devel@lists.alioth.debian.org>. (Fri, 22 Dec 2023 12:21:05 GMT)
Message #10 received at 1059277@bugs.debian.org:
forwarded 1059277 https://github.com/openbabel/openbabel/issues/2650
thanks
Hi,
On Fri, Dec 22, 2023 at 01:06:17PM +0100, Moritz Mühlenhoff wrote:
> Source: openbabel
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for openbabel.
>
> It's unclear if these were ever properly reported upstream/fixed,
> could you please sync up with the upstream developers?
Thanks, I checked, and it looks like Cisco disclosed it to the Openbabel
maintainers with some lead time, and they will fix them for the next
version.
Michael
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Dec 2023 20:09:21 GMT)
Marked as found in versions openbabel/3.1.1+dfsg-9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Dec 2023 20:09:21 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sat Dec 23 08:19:23 2023; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.