libstb: CVE-2023-45661 CVE-2023-45662 CVE-2023-45663 CVE-2023-45664 CVE-2023-45666 CVE-2023-45667 CVE-2023-45675 CVE-2023-45676 CVE-2023-45677 CVE-2023-45678 CVE-2023-45679 CVE-2023-45680 CVE-2023-45681 CVE-2023-45682

Debian Bug report logs - #1054911

Package: libstb; Maintainer for libstb is Yangfl <mmyangfl@gmail.com>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sat, 28 Oct 2023 14:33:02 UTC

Severity: important

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, unknown-package@qa.debian.org:
Bug#1054911; Package src:important. (Sat, 28 Oct 2023 14:33:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, unknown-package@qa.debian.org.

Your message specified a Severity: in the pseudo-header, but the severity value libstb was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, serious, important, normal, minor, wishlist, fixed.

(Sat, 28 Oct 2023 14:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: important: CVE-2023-45661 CVE-2023-45662 CVE-2023-45663 CVE-2023-45664 CVE-2023-45666 CVE-2023-45667 CVE-2023-45675 CVE-2023-45676 CVE-2023-45677 CVE-2023-45678 CVE-2023-45679 CVE-2023-45680 CVE-2023-45681 CVE-2023-45682
Date: Sat, 28 Oct 2023 16:31:21 +0200
Source: important
X-Debbugs-CC: team@security.debian.org
Severity: libstb
Tags: security

Hi,

The following vulnerabilities were published for important.

CVE-2023-45661[0]:
| stb_image is a single file MIT licensed library for processing
| images. A crafted image file may trigger out of bounds memcpy read
| in `stbi__gif_load_next`. This happens because two_back points to a
| memory address lower than the start of the buffer out. This issue
| may be used to leak internal memory allocation information.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 1)
https://github.com/nothings/stb/issues/1538
https://github.com/nothings/stb/pull/1539

CVE-2023-45662[1]:
| stb_image is a single file MIT licensed library for processing
| images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and
| `req_comp` is set to a number that doesn’t match the real number of
| components per pixel, the library attempts to flip the image
| vertically. A crafted image file can trigger `memcpy` out-of-bounds
| read because `bytes_per_pixel` used to calculate `bytes_per_row`
| doesn’t match the real image array dimensions.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 2)
https://github.com/nothings/stb/issues/1540
https://github.com/nothings/stb/pull/1541

CVE-2023-45663[2]:
| stb_image is a single file MIT licensed library for processing
| images. The stbi__getn function reads a specified number of bytes
| from context (typically a file) into the specified buffer. In case
| the file stream points to the end, it returns zero. There are two
| places where its return value is not checked: In the
| `stbi__hdr_load` function and in the `stbi__tga_load` function. The
| latter of the two is likely more exploitable as an attacker may also
| control the size of an uninitialized buffer.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 3)
https://github.com/nothings/stb/issues/1542
https://github.com/nothings/stb/pull/1543

CVE-2023-45664[3]:
| stb_image is a single file MIT licensed library for processing
| images. A crafted image file can trigger
| `stbi__load_gif_main_outofmem` attempt to double-free the out
| variable. This happens in `stbi__load_gif_main` because when the
| `layers * stride` value is zero the behavior is implementation
| defined, but common that realloc frees the old memory and returns
| null pointer. Since it attempts to double-free the memory a few
| lines below the first “free”, the issue can be potentially exploited
| only in a multi-threaded environment. In the worst case this may
| lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 4)
https://github.com/nothings/stb/issues/1542
https://github.com/nothings/stb/pull/1545

CVE-2023-45666[4]:
| stb_image is a single file MIT licensed library for processing
| images.  It may look like `stbi__load_gif_main` doesn’t give
| guarantees about the content of output value `*delays` upon failure.
| Although it sets `*delays` to zero at the beginning, it doesn’t do
| it in case the image is not recognized as GIF and a call to
| `stbi__load_gif_main_outofmem` only frees possibly allocated memory
| in `*delays` without resetting it to zero. Thus it would be fair to
| say the caller of `stbi__load_gif_main` is responsible to free the
| allocated memory in `*delays` only if `stbi__load_gif_main` returns
| a non null value. However at the same time the function may return
| null value, but fail to free the memory in `*delays` if internally
| `stbi__convert_format` is called and fails. Thus the issue may lead
| to a memory leak if the caller chooses to free `delays` only when
| `stbi__load_gif_main` didn’t fail or to a double-free if the
| `delays` is always freed.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 6)
https://github.com/nothings/stb/issues/1548
https://github.com/nothings/stb/pull/1549

CVE-2023-45667[5]:
| stb_image is a single file MIT licensed library for processing
| images.  If `stbi__load_gif_main` in `stbi_load_gif_from_memory`
| fails it returns a null pointer and may keep the `z` variable
| uninitialized. In case the caller also sets the flip vertically
| flag, it continues and calls `stbi__vertical_flip_slices` with the
| null pointer result value and the uninitialized `z` value. This may
| result in a program crash.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 7)
https://github.com/nothings/stb/issues/1550
https://github.com/nothings/stb/pull/1551

CVE-2023-45675[6]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of bounds write in
| `f->vendor[len] = (char)'\0';`. The root cause is that if the len
| read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed
| to `setup_malloc`. The `setup_malloc` behaves differently when
| `f->alloc.alloc_buffer` is pre-allocated. Instead of returning
| `NULL` as in `malloc` case it shifts the pre-allocated buffer by
| zero and returns the currently available memory block. This issue
| may lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 8)
https://github.com/nothings/stb/issues/1552
https://github.com/nothings/stb/pull/1553

CVE-2023-45676[7]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of bounds write in
| `f->vendor[i] = get8_packet(f);`. The root cause is an integer
| overflow in `setup_malloc`. A sufficiently large value in the
| variable `sz` overflows with `sz+7` and the negative value passes
| the maximum available memory buffer check. This issue may lead to
| code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 9)
https://github.com/nothings/stb/pull/1554

CVE-2023-45677[8]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of bounds write in
| `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read
| in `start_decoder` is a negative number and `setup_malloc`
| successfully allocates memory in that case, but memory write is done
| with a negative index `len`. Similarly if len is INT_MAX the integer
| overflow len+1 happens in `f->vendor = (char*)setup_malloc(f,
| sizeof(char) * (len+1));` and `f->comment_list[i] =
| (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may
| lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 10)
https://github.com/nothings/stb/pull/1555

CVE-2023-45678[9]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of buffer write in
| `start_decoder` because at maximum `m->submaps` can be 16 but
| `submap_floor` and `submap_residue` are declared as arrays of 15
| elements. This issue may lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 11)
https://github.com/nothings/stb/pull/1556

CVE-2023-45679[10]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger memory allocation failure
| in `start_decoder`. In that case the function returns early, but
| some of the pointers in `f->comment_list` are left initialized and
| later `setup_free` is called on these pointers in `vorbis_deinit`.
| This issue may lead to code execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 12)
https://github.com/nothings/stb/pull/1557

CVE-2023-45680[11]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger memory allocation failure
| in `start_decoder`. In that case the function returns early, the
| `f->comment_list` is set to `NULL`, but `f->comment_list_length` is
| not reset. Later in `vorbis_deinit` it tries to dereference the
| `NULL` pointer. This issue may lead to denial of service.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 13)
https://github.com/nothings/stb/pull/1558

CVE-2023-45681[12]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger memory write past an
| allocated heap buffer in `start_decoder`. The root cause is a
| potential integer overflow in `sizeof(char*) *
| (f->comment_list_length)` which may make `setup_malloc` allocate
| less memory than required. Since there is another integer overflow
| an attacker may overflow it too to force `setup_malloc` to return 0
| and make the exploit more reliable. This issue may lead to code
| execution.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 14)
https://github.com/nothings/stb/pull/1559

CVE-2023-45682[13]:
| stb_vorbis is a single file MIT licensed library for processing ogg
| vorbis files. A crafted file may trigger out of bounds read in
| `DECODE` macro when `var` is negative. As it can be seen in the
| definition of `DECODE_RAW` a negative `var` is a valid value. This
| issue may be used to leak internal memory allocation information.

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 15)
https://github.com/nothings/stb/pull/1560

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45661
    https://www.cve.org/CVERecord?id=CVE-2023-45661
[1] https://security-tracker.debian.org/tracker/CVE-2023-45662
    https://www.cve.org/CVERecord?id=CVE-2023-45662
[2] https://security-tracker.debian.org/tracker/CVE-2023-45663
    https://www.cve.org/CVERecord?id=CVE-2023-45663
[3] https://security-tracker.debian.org/tracker/CVE-2023-45664
    https://www.cve.org/CVERecord?id=CVE-2023-45664
[4] https://security-tracker.debian.org/tracker/CVE-2023-45666
    https://www.cve.org/CVERecord?id=CVE-2023-45666
[5] https://security-tracker.debian.org/tracker/CVE-2023-45667
    https://www.cve.org/CVERecord?id=CVE-2023-45667
[6] https://security-tracker.debian.org/tracker/CVE-2023-45675
    https://www.cve.org/CVERecord?id=CVE-2023-45675
[7] https://security-tracker.debian.org/tracker/CVE-2023-45676
    https://www.cve.org/CVERecord?id=CVE-2023-45676
[8] https://security-tracker.debian.org/tracker/CVE-2023-45677
    https://www.cve.org/CVERecord?id=CVE-2023-45677
[9] https://security-tracker.debian.org/tracker/CVE-2023-45678
    https://www.cve.org/CVERecord?id=CVE-2023-45678
[10] https://security-tracker.debian.org/tracker/CVE-2023-45679
    https://www.cve.org/CVERecord?id=CVE-2023-45679
[11] https://security-tracker.debian.org/tracker/CVE-2023-45680
    https://www.cve.org/CVERecord?id=CVE-2023-45680
[12] https://security-tracker.debian.org/tracker/CVE-2023-45681
    https://www.cve.org/CVERecord?id=CVE-2023-45681
[13] https://security-tracker.debian.org/tracker/CVE-2023-45682
    https://www.cve.org/CVERecord?id=CVE-2023-45682

Please adjust the affected versions in the BTS as needed.
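Several of the stb_vorbis entries above (CVE-2023-45675, -45676, -45677, -45679, -45680 and -45681) share one root cause: a length or count read from the file is used in allocation arithmetic as a signed `int`, so a wire value of `0xFFFFFFFF` becomes `-1`, `len+1` or `sz+7` can wrap, and the partially built `comment_list` is not left in a state the cleanup path can handle. The following C program is an added illustration written for this page, not stb's own code; the structure it parses (a 4-byte little-endian count followed by length-prefixed strings) mirrors a Vorbis comment header, and `MAX_COMMENTS`, `MAX_COMMENT_LEN`, `reader`, `comment_list` and every function name are assumptions of the example. It shows the defensive pattern: keep lengths unsigned, cap them before any `+1` or `* sizeof` arithmetic, refuse truncated input instead of reading an uninitialized buffer, allocate pointer arrays zeroed, and on failure free everything while resetting both pointer and length so the caller can always call the free routine exactly once.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy caps assumed for this example; a real decoder would pick its own. */
#define MAX_COMMENTS     1024u
#define MAX_COMMENT_LEN  (1u << 20)

typedef struct { const unsigned char *p; size_t len; } reader;
typedef struct { char **list; size_t count; } comment_list;

/* Read a little-endian u32, failing on a short read rather than returning
 * whatever happened to be in memory (the unchecked-read class of bug). */
static int read_u32le(reader *r, uint32_t *v) {
    if (r->len < 4) return 0;
    *v = (uint32_t)r->p[0] | ((uint32_t)r->p[1] << 8)
       | ((uint32_t)r->p[2] << 16) | ((uint32_t)r->p[3] << 24);
    r->p += 4; r->len -= 4;
    return 1;
}

/* Copy one length-prefixed string into a fresh NUL-terminated buffer.
 * The length stays unsigned, so 0xFFFFFFFF can never become -1, and the
 * cap guarantees that (size_t)len + 1 cannot wrap even on 32-bit size_t. */
static char *read_lenstring(reader *r) {
    uint32_t len;
    if (!read_u32le(r, &len)) return NULL;
    if (len > MAX_COMMENT_LEN) return NULL;      /* rejects -1 / INT_MAX style values */
    if ((size_t)len > r->len) return NULL;       /* truncated input: refuse, don't guess */
    char *s = malloc((size_t)len + 1);
    if (!s) return NULL;
    memcpy(s, r->p, len);
    s[len] = '\0';                               /* index is bounded by the allocation */
    r->p += len; r->len -= len;
    return s;
}

/* Release everything. Safe on an empty list and idempotent, because the
 * pointer and the length are reset together. */
void comment_list_free(comment_list *c) {
    for (size_t i = 0; i < c->count; i++) free(c->list[i]);
    free(c->list);
    c->list = NULL;
    c->count = 0;
}

/* Parse `buf`; returns 1 on success, 0 on rejection. On failure `out` is
 * left empty (NULL list, zero count), so the caller may always call
 * comment_list_free() afterwards without a double free or NULL dereference. */
int parse_comment_list(const unsigned char *buf, size_t buflen, comment_list *out) {
    reader r = { buf, buflen };
    uint32_t n;
    out->list = NULL; out->count = 0;
    if (!read_u32le(&r, &n) || n > MAX_COMMENTS) return 0;
    if (n == 0) return 1;
    if (n > SIZE_MAX / sizeof(char *)) return 0;  /* sizeof(char*) * n cannot wrap */
    out->list = calloc(n, sizeof(char *));        /* every slot starts as NULL */
    if (!out->list) return 0;
    out->count = n;
    for (uint32_t i = 0; i < n; i++) {
        out->list[i] = read_lenstring(&r);
        if (!out->list[i]) { comment_list_free(out); return 0; }
    }
    return 1;
}

/* Constructed sample inputs for this example (not taken from any real file). */
static const unsigned char sample_good[] = {
    2,0,0,0,  2,0,0,0,'a','b',  3,0,0,0,'c','d','e' };
static const unsigned char sample_neg_len[] = {
    1,0,0,0,  0xFF,0xFF,0xFF,0xFF, 'x' };         /* length would read as -1 as an int */
static const unsigned char sample_truncated[] = {
    1,0,0,0,  9,0,0,0, 'a','b' };                 /* claims 9 bytes, supplies 2 */

/* Parse and always free; returns the comment count, or -1 if rejected. */
int demo_parse(const unsigned char *buf, size_t buflen) {
    comment_list c;
    int ok = parse_comment_list(buf, buflen, &c);
    int result = ok ? (int)c.count : -1;
    comment_list_free(&c);                        /* safe on both branches */
    return result;
}

int main(void) {
    printf("good:      %d\n", demo_parse(sample_good, sizeof sample_good));
    printf("neg_len:   %d\n", demo_parse(sample_neg_len, sizeof sample_neg_len));
    printf("truncated: %d\n", demo_parse(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The important property for a fuzzing harness or code review is the last one: whatever path `parse_comment_list` takes, `out` is either fully valid or empty, so ownership on failure is unambiguous. That is the contract the CVE-2023-45666 text describes as missing for `*delays` in `stbi__load_gif_main`, and it is cheap to check with ASan or Valgrind by calling the free routine unconditionally in the harness.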



Bug reassigned from package 'src:important' to 'libstb'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Sat, 28 Oct 2023 14:57:03 GMT)


Severity set to 'important' from 'normal'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Sat, 28 Oct 2023 14:57:04 GMT)


Changed Bug title to 'libstb: CVE-2023-45661 CVE-2023-45662 CVE-2023-45663 CVE-2023-45664 CVE-2023-45666 CVE-2023-45667 CVE-2023-45675 CVE-2023-45676 CVE-2023-45677 CVE-2023-45678 CVE-2023-45679 CVE-2023-45680 CVE-2023-45681 CVE-2023-45682' from 'important: CVE-2023-45661 CVE-2023-45662 CVE-2023-45663 CVE-2023-45664 CVE-2023-45666 CVE-2023-45667 CVE-2023-45675 CVE-2023-45676 CVE-2023-45677 CVE-2023-45678 CVE-2023-45679 CVE-2023-45680 CVE-2023-45681 CVE-2023-45682'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Sat, 28 Oct 2023 14:57:06 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2023 15:24:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 28 17:54:23 2023; Machine Name: bembo
